A simple NAT lab

2020-04-14 16:29:02

Lab topology

I have recently been studying Huawei security, but my routing and switching (R/S) foundations are weak and still have to be built up bit by bit. This lab uses VLAN division, OSPF, source NAT and destination NAT, all at a very basic level.

VLAN assignment
SW1, PC-facing ports            vlan 10
SW2, PC-facing ports            vlan 20
Core switch, SW-facing ports    vlan 30

IP addressing
VLAN10                          192.168.10.0/24
VLAN20                          192.168.20.0/24
Core switch G0/0/1              101.1.1.2
Firewall G1/0/0                 101.1.1.1
Firewall G1/0/1                 172.16.21.254
Firewall G1/0/3                 202.1.1.1
ISP G0/0/1                      202.1.1.23
ISP G0/0/2                      43.38.12.1
Server-side firewall G1/0/0     43.38.12.8
Server-side firewall G1/0/1     192.168.1.254

Core switch configuration

[Huawei]sysname SWC
[SWC]dhcp enable    ## enable the DHCP service
[SWC]vlan batch 10 20 30
[SWC]interface Vlanif 30
[SWC-Vlanif30]ip address 101.1.1.2 24
[SWC]interface GigabitEthernet 0/0/1
[SWC-GigabitEthernet0/0/1]port link-type trunk
[SWC-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SWC]interface GigabitEthernet 0/0/2
[SWC-GigabitEthernet0/0/2]port link-type trunk
[SWC-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[SWC]interface GigabitEthernet 0/0/3
[SWC-GigabitEthernet0/0/3]port link-type access
[SWC-GigabitEthernet0/0/3]port default vlan 30
[SWC]ip route-static 0.0.0.0 0 101.1.1.1   ## static default route toward the firewall
## Configure the DHCP service on the L3 switch
### DHCP for vlan10
[SWC]ip pool vlan10
[SWC-ip-pool-vlan10]network 192.168.10.0 mask 24
[SWC-ip-pool-vlan10]gateway-list 192.168.10.254
[SWC-ip-pool-vlan10]dns-list 8.8.8.8   ## DNS server handed to clients
[SWC-ip-pool-vlan10]lease day 3        ## lease time
[SWC]interface Vlanif 10
[SWC-Vlanif10]ip address 192.168.10.254 24
[SWC-Vlanif10]dhcp select global
### DHCP for vlan20
[SWC]ip pool vlan20
[SWC-ip-pool-vlan20]network 192.168.20.0 mask 24
[SWC-ip-pool-vlan20]gateway-list 192.168.20.254
[SWC-ip-pool-vlan20]dns-list 8.8.8.8
[SWC-ip-pool-vlan20]lease day 3
[SWC]interface Vlanif 20
[SWC-Vlanif20]ip address 192.168.20.254 24
[SWC-Vlanif20]dhcp select global

Switch 1 configuration

[Huawei]sysname SW1
[SW1]vlan 10
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW1-GigabitEthernet0/0/1]quit
[SW1]interface Ethernet 0/0/1
[SW1-Ethernet0/0/1]port link-type access
[SW1-Ethernet0/0/1]port default vlan 10
[SW1-Ethernet0/0/1]quit
[SW1]interface Ethernet 0/0/2
[SW1-Ethernet0/0/2]port link-type access
[SW1-Ethernet0/0/2]port default vlan 10
[SW1-Ethernet0/0/2]quit

Switch 2 configuration

[Huawei]sysname SW2
[SW2]vlan 20
[SW2]interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[SW2-GigabitEthernet0/0/1]quit
[SW2]interface Ethernet 0/0/1
[SW2-Ethernet0/0/1]port link-type access
[SW2-Ethernet0/0/1]port default vlan 20   ## each PC-facing port must also be placed in vlan 20
[SW2-Ethernet0/0/1]quit
[SW2]interface Ethernet 0/0/2
[SW2-Ethernet0/0/2]port link-type access
[SW2-Ethernet0/0/2]port default vlan 20
[SW2-Ethernet0/0/2]quit

At this point the internal network is configured: hosts in different VLANs can communicate with each other and obtain IP addresses and DNS settings via DHCP.

Firewall configuration

[USG6000V1]sysname NGFW
[NGFW]interface GigabitEthernet 1/0/0
[NGFW-GigabitEthernet1/0/0]ip address 101.1.1.1 24
[NGFW]interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1]ip address 202.1.1.1 24
[NGFW]firewall zone trust
[NGFW-zone-trust]add interface GigabitEthernet 1/0/0     ## put 1/0/0 into the trust zone
[NGFW]firewall zone untrust
[NGFW-zone-untrust]add interface GigabitEthernet 1/0/1   ## put 1/0/1 into the untrust zone
[NGFW]firewall zone dmz
[NGFW-zone-dmz]add interface GigabitEthernet 1/0/2       ## put 1/0/2 into the DMZ zone
[NGFW]interface GigabitEthernet 1/0/2                    ## configure the DMZ interface
[NGFW-GigabitEthernet1/0/2]ip address 172.16.21.254 24
## Configure OSPF
[NGFW]ospf 1 router-id 1.1.1.1
[NGFW-ospf-1]area 0
[NGFW-ospf-1-area-0.0.0.0]network 101.1.1.1 0.0.0.0
[NGFW-ospf-1-area-0.0.0.0]network 202.1.1.1 0.0.0.0
### Return route back to the L3 switch
### Note: a default route pointing inward sends every unknown destination to the core switch;
### a more specific route for the 192.168.0.0/16 user prefixes would be the safer choice.
[NGFW]ip route-static 0.0.0.0 0 101.1.1.2
## To test connectivity, first open the firewall's default policy
[NGFW]security-policy
[NGFW-policy-security]default action permit   ## open everything for the test
[NGFW-policy-security]default action deny     ## close it again once the test is done

Now the L3 switch can reach the firewall; after the test, set the firewall's default policy back to deny.

The firewall can also reach the outside. The preliminary configuration is complete.

Connectivity to the far-end firewall

ISP configuration

[Huawei]sysname ISP
[ISP]interface GigabitEthernet 0/0/2
[ISP-GigabitEthernet0/0/2]ip address 43.38.12.1 24
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 202.1.1.23 24
## Configure OSPF (the ISP router sits in both areas, so it acts as the ABR)
[ISP]ospf 1 router-id 2.2.2.2
[ISP-ospf-1]area 0
[ISP-ospf-1-area-0.0.0.0]network 202.1.1.23 0.0.0.0
[ISP-ospf-1]area 1
[ISP-ospf-1-area-0.0.0.1]network 43.38.12.1 0.0.0.0

NAT configuration on the firewall

PAT (port address translation) is used for the source NAT here: every internal host is translated to the single public address, distinguished by port.

## Define the translated address
[NGFW]nat address-group tru_untru_pat
[NGFW-address-group-tru_untru_pat]section 202.1.1.1
[NGFW-address-group-tru_untru_pat]mode pat
[NGFW-address-group-tru_untru_pat]route enable   ## inject a route for the NAT address to prevent routing loops
## Define the NAT policy, covering the http and icmp services
[NGFW]nat-policy
[NGFW-policy-nat]rule name permit_http_ping_tru_untru
[NGFW-policy-nat-rule-permit_http_ping_tru_untru]source-zone trust
[NGFW-policy-nat-rule-permit_http_ping_tru_untru]destination-zone untrust
[NGFW-policy-nat-rule-permit_http_ping_tru_untru]service http
[NGFW-policy-nat-rule-permit_http_ping_tru_untru]service icmp
[NGFW-policy-nat-rule-permit_http_ping_tru_untru]service tcp
[NGFW-policy-nat-rule-permit_http_ping_tru_untru]action source-nat address-group tru_untru_pat
## Configure the security policy
[NGFW]security-policy
[NGFW-policy-security]rule name trs_untrs_http_icmp
[NGFW-policy-security-rule-trs_untrs_http_icmp]source-zone trust
[NGFW-policy-security-rule-trs_untrs_http_icmp]destination-zone untrust
[NGFW-policy-security-rule-trs_untrs_http_icmp]source-address 192.168.0.0 16
[NGFW-policy-security-rule-trs_untrs_http_icmp]service http
[NGFW-policy-security-rule-trs_untrs_http_icmp]service icmp
## The predefined http service only matches tcp/80; the far-end server is published on tcp/8088,
## so that port needs its own service entry or the default deny will drop it
[NGFW-policy-security-rule-trs_untrs_http_icmp]service protocol tcp destination-port 8088
[NGFW-policy-security-rule-trs_untrs_http_icmp]action permit

Server-side firewall configuration

[USG6000V1]sysname FWserverNAT
[FWserverNAT]interface GigabitEthernet 1/0/0
[FWserverNAT-GigabitEthernet1/0/0]ip address 43.38.12.8 24
[FWserverNAT]interface GigabitEthernet 1/0/1
[FWserverNAT-GigabitEthernet1/0/1]ip address 192.168.1.254 24
[FWserverNAT]firewall zone trust
[FWserverNAT-zone-trust]add interface GigabitEthernet 1/0/1
[FWserverNAT]firewall zone untrust
[FWserverNAT-zone-untrust]add interface GigabitEthernet 1/0/0
## Route toward the ISP (not in the original transcript; return traffic to 202.1.1.1 needs it)
[FWserverNAT]ip route-static 0.0.0.0 0 43.38.12.1
### The server-side firewall uses nat server to publish the internal server:
### port 80 of the internal server 192.168.1.2 is mapped to port 8088 on the external interface
[FWserverNAT]nat server HTTP protocol tcp global interface GigabitEthernet 1/0/0 8088 inside 192.168.1.2 80 no-reverse
## Configure the security policy (matched after nat server has rewritten the destination,
## which is why the rule uses the internal 192.168.1.0/24 address and the http service)
[FWserverNAT]security-policy
[FWserverNAT-policy-security]rule name WWW
[FWserverNAT-policy-security-rule-WWW]source-zone untrust
[FWserverNAT-policy-security-rule-WWW]destination-zone trust
[FWserverNAT-policy-security-rule-WWW]destination-address 192.168.1.0 24
[FWserverNAT-policy-security-rule-WWW]service http
[FWserverNAT-policy-security-rule-WWW]service icmp
[FWserverNAT-policy-security-rule-WWW]action permit

Everything is configured now; let's check the IP address of PC3.

Because PAT is used, all internal addresses are translated to the public IP 202.1.1.1. Now ping the far-end server-side firewall from PC3 (ping has been enabled on the far-end firewall).

In the session table of our own firewall we can see that the internal address has been translated and is mapped to a public address and port. Next, access the far-end server: since port 80 of the far-end server is mapped to port 8088 of their public address, accessing the far-end public address on port 8088 reaches port 80 of the server on their internal network.
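To make the two translations above concrete, here is a small model of the packet path in this lab, written for this post and not taken from the original article or from any Huawei code: zone-based security policy lookup, source NAT in PAT mode on NGFW (policy first, then translation), and nat server destination NAT on FWserverNAT (translation first, then policy, which is why the WWW rule matches the internal address). The PAT port range, the sample flows and the rule with an explicit tcp/8088 service are constructed assumptions; the zone names, addresses and rule names are the ones from the configuration above.

```python
# Added example (not from the original post or Huawei): a model of the lab's forwarding path.
import ipaddress
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "icmp"
    src_ip: str
    src_port: int   # for icmp this field carries the echo identifier
    dst_ip: str
    dst_port: int   # 0 for icmp


# Predefined services as (proto, dst_port); the predefined "http" covers tcp/80 only.
PREDEFINED = {"http": ("tcp", 80), "icmp": ("icmp", 0)}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    services: tuple            # predefined names or explicit (proto, dst_port) pairs
    action: str                # "permit" or "deny"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"

    def matches(self, in_zone, out_zone, flow):
        if (in_zone, out_zone) != (self.src_zone, self.dst_zone):
            return False
        if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        wanted = [PREDEFINED.get(s, s) for s in self.services]
        return (flow.proto, flow.dst_port) in wanted


def evaluate(rules, default_action, in_zone, out_zone, flow):
    """First matching rule wins; otherwise the policy's default action applies."""
    for rule in rules:
        if rule.matches(in_zone, out_zone, flow):
            return rule.action, rule.name
    return default_action, "default"


class Pat:
    """Source NAT in PAT mode: many inside (ip, port) pairs share one public address."""

    def __init__(self, public_ip, first_port=10240):   # port range is a constructed choice
        self.public_ip = public_ip
        self.next_port = count(first_port)
        self.outbound = {}   # (proto, src_ip, src_port) -> public port
        self.inbound = {}    # (proto, public port) -> (src_ip, src_port)

    def translate(self, flow):
        key = (flow.proto, flow.src_ip, flow.src_port)
        if key not in self.outbound:                    # new session: allocate a public port
            port = next(self.next_port)
            self.outbound[key] = port
            self.inbound[(flow.proto, port)] = (flow.src_ip, flow.src_port)
        return Flow(flow.proto, self.public_ip, self.outbound[key], flow.dst_ip, flow.dst_port)

    def untranslate(self, reply):
        """Map a reply's public port back to the inside host; None means no session, drop it."""
        inside = self.inbound.get((reply.proto, reply.dst_port))
        if inside is None or reply.dst_ip != self.public_ip:
            return None
        return Flow(reply.proto, reply.src_ip, reply.src_port, inside[0], inside[1])


class NatServer:
    """Destination NAT: a published global (ip, port) is rewritten to an inside (ip, port)."""

    def __init__(self, mappings):
        self.mappings = dict(mappings)

    def translate(self, flow):
        inside = self.mappings.get((flow.dst_ip, flow.dst_port))
        if inside is None:
            return flow
        return Flow(flow.proto, flow.src_ip, flow.src_port, inside[0], inside[1])


# NGFW rule with only the predefined http (tcp/80) and icmp services.
NGFW_RULES_HTTP_ONLY = (Rule("trs_untrs_http_icmp", "trust", "untrust",
                             ("http", "icmp"), "permit", src_net="192.168.0.0/16"),)
# Same rule with tcp/8088 added, which the published nat server port requires.
NGFW_RULES = (Rule("trs_untrs_http_icmp", "trust", "untrust",
                   ("http", "icmp", ("tcp", 8088)), "permit", src_net="192.168.0.0/16"),)
SERVER_FW_RULES = (Rule("WWW", "untrust", "trust", ("http", "icmp"), "permit",
                        dst_net="192.168.1.0/24"),)


def walk(flow, ngfw_rules=NGFW_RULES, pat=None):
    """Trace one packet from a trust-zone PC to the server behind FWserverNAT."""
    pat = pat or Pat("202.1.1.1")
    result = {"ngfw": evaluate(ngfw_rules, "deny", "trust", "untrust", flow)}
    if result["ngfw"][0] != "permit":
        return result
    on_wire = pat.translate(flow)                  # source NAT is applied after the policy check
    result["on_wire"] = on_wire
    after_dnat = NatServer({("43.38.12.8", 8088): ("192.168.1.2", 80)}).translate(on_wire)
    result["server_fw"] = evaluate(SERVER_FW_RULES, "deny", "untrust", "trust", after_dnat)
    if result["server_fw"][0] == "permit":
        result["delivered"] = after_dnat           # nat server rewrote dst before the policy check
    return result


if __name__ == "__main__":
    pc3 = Flow("tcp", "192.168.10.1", 40000, "43.38.12.8", 8088)   # constructed sample flow
    print(walk(pc3))
    print(walk(pc3, NGFW_RULES_HTTP_ONLY))
```

Running `walk` with the http-only rule set shows the failure mode a default-deny policy produces when the published port is not tcp/80: the flow never leaves NGFW, and the session table stays empty, which is the first thing to check when the far-end server is unreachable.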

The access succeeded; let's look at the captured packets.

We can see that our public IP is used to reach HTTP on port 8088 of the far-end public IP. Now look at the firewall session tables again. Our own firewall:

Far-end firewall:
