Case study chapter: Huawei firewall NAT policy configuration
Preface
The previous chapter covered how NAT is managed; this chapter focuses on configuring NAT No-PAT, NAPT and Easy-IP.
NAT No-PAT
The network topology is as follows:
(1) Configure network parameters and routes
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info en
Info: Information center is disabled.
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/1]undo shu
Info: Interface GigabitEthernet1/0/1 is not shutdown.
[USG6000V1-GigabitEthernet1/0/1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 202.96.1.1 24
[USG6000V1-GigabitEthernet1/0/0]undo shu
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[USG6000V1-GigabitEthernet1/0/0]quit
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 202.96.1.2
(2) Configure the security policy
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/1 // add the internal interface to the trust zone
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add int g1/0/0 // add the external interface to the untrust zone
[USG6000V1-zone-untrust]quit
[USG6000V1]security-policy  // configure the security policy
[USG6000V1-policy-security]rule name sec_1 // create the first rule and name it sec_1
[USG6000V1-policy-security-rule-sec_1]source-zone trust // specify the match conditions
[USG6000V1-policy-security-rule-sec_1]destination-zone untrust
[USG6000V1-policy-security-rule-sec_1]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-sec_1]action permit // specify the action
[USG6000V1-policy-security-rule-sec_1]quit
[USG6000V1-policy-security]quit
[USG6000V1]
(3) Configure the NAT address group; the addresses in the group are public addresses
[USG6000V1]nat address-group natgroup // create a NAT address group named natgroup
[USG6000V1-address-group-natgroup]section 0 202.96.1.10 202.96.1.11 // the section keyword gives the start and end address of the group; these should be public addresses
[USG6000V1-address-group-natgroup]mode no-pat local  // set the group mode to no-pat, i.e. NAT No-PAT mode; the local keyword means it takes effect for the local zone
[USG6000V1-address-group-natgroup]quit
[USG6000V1]
(4) Configure the NAT policy
[USG6000V1]nat-policy              // configure the NAT policy
[USG6000V1-policy-nat]rule name natpolicy        // create a NAT rule named natpolicy
[USG6000V1-policy-nat-rule-natpolicy]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-natpolicy]source-zone trust
[USG6000V1-policy-nat-rule-natpolicy]destination-zone untrust
[USG6000V1-policy-nat-rule-natpolicy]action nat address-group natgroup // specify the action: matching packets have their source address translated in NAT No-PAT mode using the address group
[USG6000V1-policy-nat-rule-natpolicy]quit
[USG6000V1-policy-nat]quit
[USG6000V1]
Note:
The NAT policy differs from the security policy. The security policy checks traffic passing through the firewall against its rules and either forwards or discards matching packets; it decides whether traffic may pass through the firewall. The NAT policy also checks passing traffic against its rules, and matching packets are either address-translated or left untranslated; it decides which traffic needs NAT translation.
(5) Configure black-hole routes for the translated global addresses (the addresses in the NAT address group)
[USG6000V1]ip route-static 202.96.1.10 32 NULL 0
[USG6000V1]ip route-static 202.96.1.11 32 NULL 0
(6) Complete the configuration of the other devices:
Configuration of R1:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info en
Info: Information center is disabled.
[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 202.96.1.2 24
[R1-GigabitEthernet0/0/0]undo shu
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 202.96.2.1 24
[R1-GigabitEthernet0/0/1]undo shu
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[R1-GigabitEthernet0/0/1]quit
[R1]
(7) Verify the NAT configuration
Verification shows that PC1 can ping PC2 on the external network. Before the session table entries reach their maximum aging time, change PC1's IP address to 192.168.1.5 and access PC2 again; communication still works. When PC1's IP address is then changed to 192.168.1.6, communication fails. This is because the NAT address group contains only 2 addresses available for translation, so only 2 users can be online at the same time. View the session table and Server-map table on the firewall; the output is as follows:
<USG6000V1>display firewall session table
Current Total Sessions : 9
icmp  VPN: public --> public  192.168.1.5:5762[202.96.1.11:5762] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.4:2690[202.96.1.10:2690] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:6274[202.96.1.11:6274] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:6018[202.96.1.11:6018] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.4:2434[202.96.1.10:2434] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:5506[202.96.1.11:5506] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.4:1666[202.96.1.10:1666] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.4:2946[202.96.1.10:2946] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.4:2178[202.96.1.10:2178] --> 202.96.2.2:2048
<USG6000V1>display firewall server-map
Current Total Server-map : 4
Type: No-Pat Reverse, ANY -> 202.96.1.10[192.168.1.4],  Zone: untrust
Protocol: ANY, TTL:---, Left-Time:---,  Pool: 0, Section: 0
Vpn: public
Type: No-Pat Reverse, ANY -> 202.96.1.11[192.168.1.5],  Zone: untrust
Protocol: ANY, TTL:---, Left-Time:---,  Pool: 0, Section: 0
Vpn: public
Type: No-Pat,  192.168.1.5[202.96.1.11] -> ANY,  Zone: untrust
Protocol: ANY, TTL:360, Left-Time:27,  Pool: 0, Section: 0
Vpn: public
Type: No-Pat,  192.168.1.4[202.96.1.10] -> ANY,  Zone: untrust
Protocol: ANY, TTL:360, Left-Time:13,  Pool: 0, Section: 0
Vpn: public
NAPT
(1) Configure network parameters and routes.
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info en
Info: Information center is disabled.
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/1]undo shu
Info: Interface GigabitEthernet1/0/1 is not shutdown.
[USG6000V1-GigabitEthernet1/0/1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 202.96.1.1 24
[USG6000V1-GigabitEthernet1/0/0]undo shu
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[USG6000V1-GigabitEthernet1/0/0]quit
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 202.96.1.2
(2) Configure the security policy
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add int g1/0/1
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add int g1/0/0
[USG6000V1-zone-untrust]quit
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name sec_1
[USG6000V1-policy-security-rule-sec_1]source-zone trust
[USG6000V1-policy-security-rule-sec_1]destination-zone untrust
[USG6000V1-policy-security-rule-sec_1]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-sec_1]action permit
[USG6000V1-policy-security-rule-sec_1]quit
[USG6000V1-policy-security]quit
(3) Configure the NAT address group; the addresses in the group are public addresses
[USG6000V1]nat address-group natgroup
[USG6000V1-address-group-natgroup]section 0 202.96.1.10 202.96.1.11
[USG6000V1-address-group-natgroup]mode pat
[USG6000V1-address-group-natgroup]quit
(4) Configure the NAT policy
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name natpolicy
[USG6000V1-policy-nat-rule-natpolicy]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-natpolicy]source-zone trust
[USG6000V1-policy-nat-rule-natpolicy]destination-zone untrust
[USG6000V1-policy-nat-rule-natpolicy]action nat  address-group natgroup
[USG6000V1-policy-nat-rule-natpolicy]quit
[USG6000V1-policy-nat]quit
[USG6000V1]
(5) Configure black-hole routes for the translated global addresses (the addresses in the NAT address group).
[USG6000V1]ip route-static 202.96.1.10 32 NULL 0
[USG6000V1]ip route-static 202.96.1.11 32 NULL 0
(6) Verify the NAT configuration
Verification shows that PC1 can ping PC2 on the external network. Before the session table entries reach their maximum aging time, change PC1's IP address to 192.168.1.5 and access PC2 again; communication still works. When PC1's IP address is then changed to 192.168.1.6, communication still works. This is because, although the NAT address group contains only 2 addresses available for translation, NAPT mode reuses ports, so in theory one address can allow 65535 (the maximum number of ports) users online. View the session table and Server-map table on the firewall:
[USG6000V1]display firewall session table
Current Total Sessions : 4
icmp  VPN: public --> public  192.168.1.6:5059[202.96.1.11:2059] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:64194[202.96.1.11:2057] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:63682[202.96.1.11:2055] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.6:4547[202.96.1.11:2058] --> 202.96.2.2:2048
[USG6000V1]display firewall server-map
Current Total Server-map : 0
The output above shows that in the session table both the source address and the source port are translated, and that by default the firewall starts translating from the largest address in the address group. Also, in NAPT mode no Server-map entries are generated by default.
Outbound interface address (Easy-IP)
(1) Configure network parameters and routes.
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info en
Info: Information center is disabled.
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/1]undo shu
Info: Interface GigabitEthernet1/0/1 is not shutdown.
[USG6000V1-GigabitEthernet1/0/1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 202.96.1.1 24
[USG6000V1-GigabitEthernet1/0/0]undo shu
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[USG6000V1-GigabitEthernet1/0/0]quit
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 202.96.1.2
(2) Configure the security policy
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add int g1/0/1
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add int g1/0/0
[USG6000V1-zone-untrust]quit
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name sec_1
[USG6000V1-policy-security-rule-sec_1]source-zone trust
[USG6000V1-policy-security-rule-sec_1]destination-zone untrust
[USG6000V1-policy-security-rule-sec_1]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-sec_1]action permit
[USG6000V1-policy-security-rule-sec_1]quit
[USG6000V1-policy-security]quit
[USG6000V1]
(3) Configure the NAT policy
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name natpolicy
[USG6000V1-policy-nat-rule-natpolicy]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-natpolicy]source-zone trust
[USG6000V1-policy-nat-rule-natpolicy]destination-zone untrust
// specify the action: matching packets have their source address translated in outbound-interface (Easy-IP) mode
[USG6000V1-policy-nat-rule-natpolicy]action nat easy-ip      // configure outbound-interface mode
[USG6000V1-policy-nat-rule-natpolicy]quit
[USG6000V1-policy-nat]quit
[USG6000V1]
(4) Verify the NAT configuration
Verification shows that PC1 can ping PC2 on the external network. Before the session table entries reach their maximum aging time, change PC1's IP address to 192.168.1.5 and access PC2 again; communication still works. When PC1's IP address is then changed to 192.168.1.6, communication still works. This is because outbound-interface mode translates all internal addresses to the external interface address 202.96.1.1 and reuses ports; in theory one address can allow 65535 (the maximum number of ports) users online. View the session table and Server-map table on the firewall:
[USG6000V1]display firewall session table
Current Total Sessions : 6
icmp  VPN: public --> public  192.168.1.5:202[202.96.1.1:2117] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:65481[202.96.1.1:2116] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:714[202.96.1.1:2119] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:458[202.96.1.1:2118] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:65225[202.96.1.1:2115] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.6:59849[202.96.1.1:2114] --> 202.96.2.2:2048
[USG6000V1]display firewall server-map
Current Total Server-map : 0
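The three verification sections above differ only in how the bracketed post-NAT source appears in the session table. As an added example (not part of the original tutorial), the following Python parses `display firewall session table` lines in that format, infers which of the three modes produced them, and reports whether a No-PAT pool is fully bound (the condition that made 192.168.1.6 fail in the first scenario). The sample lines are constructed after the outputs above; the egress address 202.96.1.1 and the pool 202.96.1.10-202.96.1.11 are taken from this configuration.

```python
import re
from collections import defaultdict
# Constructed sample lines in the format of the "display firewall session table" output above.
NO_PAT_SAMPLE = """\
icmp  VPN: public --> public  192.168.1.5:5762[202.96.1.11:5762] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.4:2690[202.96.1.10:2690] --> 202.96.2.2:2048
"""
NAPT_SAMPLE = """\
icmp  VPN: public --> public  192.168.1.6:5059[202.96.1.11:2059] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.5:64194[202.96.1.11:2057] --> 202.96.2.2:2048
"""
EASY_IP_SAMPLE = """\
Current Total Sessions : 2
icmp  VPN: public --> public  192.168.1.5:202[202.96.1.1:2117] --> 202.96.2.2:2048
icmp  VPN: public --> public  192.168.1.6:59849[202.96.1.1:2114] --> 202.96.2.2:2048
"""

EGRESS_IP = "202.96.1.1"                      # address of GigabitEthernet1/0/0 in this lab
NAT_POOL = ["202.96.1.10", "202.96.1.11"]     # natgroup section 0 in this lab
# Layout: proto VPN: a --> b  src:sport[nsrc:nport] --> dst:dport ; brackets hold the post-NAT source
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*\S+\s*-->\s*\S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\[(?P<nsrc>[\d.]+):(?P<nport>\d+)\]"
    r"\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_sessions(text):
    """Return one dict per session line; header lines such as 'Current Total Sessions' are skipped."""
    return [m.groupdict() for m in map(SESSION_RE.match, text.splitlines()) if m]

def classify(rows, egress_ip=EGRESS_IP):
    """Infer the source-NAT mode from how the source address and port were rewritten."""
    if not rows:
        return "unknown"
    if all(r["nsrc"] == egress_ip for r in rows):
        return "easy-ip"            # every host hides behind the outbound interface address
    if all(r["sport"] == r["nport"] for r in rows):
        return "no-pat"             # address rewritten, port kept: one public IP per host
    return "napt"                   # address and port both rewritten from the pool

def private_to_public(rows):
    """Map each internal host to the public address(es) it was translated to."""
    mapping = defaultdict(set)
    for r in rows:
        mapping[r["src"]].add(r["nsrc"])
    return {host: sorted(addrs) for host, addrs in mapping.items()}

def no_pat_pool_exhausted(rows, pool=NAT_POOL):
    """True when every pool address is already bound to a host, so the next new host cannot go out."""
    return set(pool) <= {r["nsrc"] for r in rows}
```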