实验拓扑
实验环境
FW1模拟公司的出口防火墙,R1和R2模拟公司内网设备,R1在trust区域、R2在dmz区域。R3模拟运营商网络。
实验需求
对R1的loopback 0 接口做动态NAT转换
对R1的G0/0/0接口做静态PAT转换
对R2的loopback 0 接口做静态NAT转换
对R2的G0/0/0接口做静态端口映射
网络地址规划
R1 G0/0/0 IP:11.0.0.2/24
R1 loopback 0 IP:192.168.10.1/24
R2 loopback 0 IP:192.168.20.1/24
R2 G0/0/0 IP:12.0.0.2/24
R3 G0/0/0 IP:13.0.0.2/24
FW1 G0/0/0 IP:11.0.0.1/24
FW1 G0/0/1 IP:12.0.0.1/24
FW1 G0/0/2 IP:13.0.0.1/24
设备配置
--------------以下为一些基础配置---------
R1配置
[Huawei]sy R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 11.0.0.2 24
[R1-GigabitEthernet0/0/0]q
[R1]int loo 0
[R1-LoopBack0]ip add 192.168.10.1 24
[R1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1
R2配置
[Huawei]sy R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[R2-GigabitEthernet0/0/0]int loo 0
[R2-LoopBack0] ip add 192.168.20.1 24
[R2]ip route-s 0.0.0.0 0.0.0.0 12.0.0.1
R3配置
[Huawei]sy R3
[R3-GigabitEthernet0/0/0]ip add 13.0.0.2 24
-----------------防火墙配置------------------------------
[SRG]int g0/0/0
[SRG-GigabitEthernet0/0/0]ip add 11.0.0.1 24
[SRG-GigabitEthernet0/0/0]int g0/0/1
[SRG-GigabitEthernet0/0/1]ip add 12.0.0.1 24
[SRG-GigabitEthernet0/0/1]int g0/0/2
[SRG-GigabitEthernet0/0/2]ip add 13.0.0.1 24
[SRG-GigabitEthernet0/0/2]q
[SRG]firewall zone trust //进入trust区域
[SRG-zone-trust]add interface g0/0/0 //将接口加入trust区域
[SRG-zone-trust]q
[SRG]firewall zone untrust
[SRG-zone-untrust]add int g0/0/2
[SRG-zone-untrust]q
[SRG]firewall zone dmz
[SRG-zone-dmz]add int g0/0/1
[SRG-zone-dmz]q
[SRG]ip route-static 192.168.20.0 24 12.0.0.2
[SRG]ip route-static 192.168.10.0 24 11.0.0.2
----------------动态NAT配置--------------------------
[SRG]nat address-group 1 200.200.200.100200.200.200.200
//创建一个NAT地址池
[SRG]nat-policy interzone trust untrust outbound
//进入trust到untrust出方向的NAT策略视图
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1 //创建一个策略
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
//配置源IP
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
//配置动作为源IP进行NAT
[SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1 no-pat
//关联NAT地址池,华为默认是经行地址复用的所以要no-pat
[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit
[SRG-nat-policy-interzone-trust-untrust-outbound]quit
[SRG]policy interzone trust untrust outbound
//进入trust到untrust的出方向策略视图
[SRG-policy-interzone-trust-untrust-outbound]policy 1 //创建一个策略
[SRG-policy-interzone-trust-untrust-outbound-1]policy service service-set icmp
[SRG-policy-interzone-trust-untrust-outbound-1]action permit
//允许所有trust到untrust的icmp流量
在R3上做到200.200.200.0/24的路由
[R3]ip route-static 200.200.200.0 24 13.0.0.1
在R1上ping R3,并在R3上抓包验证是否转换
通过抓包发现地址经过了NAT转换,是从地址池中拿的地址
--------------------静态PAT的配置----------------------------
[SRG]nat-policy interzone trust untrust outbound
//进入trust到untrust区域的出方向的NAT策略视图
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 2 // 创建一个策略
[SRG-nat-policy-interzone-trust-untrust-outbound-2]policy source 11.0.0.0 0.0.0.255
//配置源地址
[SRG-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
//配置动作为源地址NAT
[SRG-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet 0/0/2
//配置转换要使用的端口地址为G0/0/2
R1 ping R3,并在R3上抓包验证
通过抓包发现地址经过了NAT的转换,转换用的地址FW1 G0/0/0接口
---------------------静态NAT配置-----------------------------
[SRG]nat server global 111.111.111.111 inside 192.168.20.1
//配置将内网的192.168.20.1 地址映射到111.111.111.111地址
[SRG]policy interzone dmz untrust outbound
//进入dmz到untrust的出方向策略视图
[SRG-policy-interzone-dmz-untrust-outbound]policy 1 //创建一个策略
[SRG-policy-interzone-dmz-untrust-outbound-1]policy service service-set icmp
//服务为ICMP协议
[SRG-policy-interzone-dmz-untrust-outbound-1]action permit //配置为允许所有
在R3配置到111.111.111.111/32的路由
[R3]ip route-static111.111.111.111 32 13.0.0.1
R2 ping R3,并在R3抓包验证
通过抓包发现地址经过了NAT转换
----------------------配置静态端口映射----------------------------
在R2上开启telnet功能
[R2]user-interface vty 0 4
[R2-ui-vty0-4]set authentication password cipher abc123
FW1配置
[SRG]nat server protocol tcp global interface g0/0/2 telnet inside 12.0.0.2 telnet
//配置PAT,将全局地址为接口G0/0/2的telnet(23)映射到内网的12.0.0.2的telnet上
[SRG]policy interzone dmz untrust inbound
//进入untrust到dmz的inbound方向策略视图
[SRG-policy-interzone-dmz-untrust-inbound]policy 1 //创建一个策略
[SRG-policy-interzone-dmz-untrust-inbound-1]policy service service-set telnet
//配置策略服务为telnet
[SRG-policy-interzone-dmz-untrust-inbound-1]policy destination 12.0.0.2 0
//配置目标地址为12.0.0.2
[SRG-policy-interzone-dmz-untrust-inbound-1]action permit //配置允许所有
//以上策略为允许任意源访问目标为12.0.0.2的telnet
在R3 telnetFW1的G0/0/2接口