This example walks through the configuration of a common enterprise NAT scenario. The enterprise publishes Web and FTP services to the outside and, at the same time, some of its staff need to reach the Internet through NAT. Because the enterprise holds a number of public IP addresses, an address pool is used to define the range of public IPs.
Networking:

```
Trust(192.168.1.0/24)----(1)usg(3)--------untrust
                          |
Dmz(10.1.1.0/24; FTP server IP 10.1.1.2/24; Web server IP 10.1.1.3/24)
```
Networking Requirements

As shown in Figure 1, a company's internal network connects to the Internet through the USG. Internal users are placed in the Trust zone, the two servers in the DMZ zone, and the Internet in the Untrust zone.

Requirement 1
Users on the 192.168.1.0/24 segment of the Trust zone can access the Internet; users on the other segments of that zone cannot. The legal IP address range available for access to the external network is 1.1.1.3 to 1.1.1.6. Because public addresses are scarce, NAPT (Network Address Port Translation) is used to multiplex them.

Requirement 2
FTP and Web servers are provided for external users. The FTP server's internal IP address is 10.1.1.2 with the default port 21; the Web server's internal IP address is 10.1.1.3 with port 8080. Both are published externally on the address 1.1.1.2 with the default ports, 21 and 80 respectively.

Figure 1 Networking diagram for configuring NAPT and internal servers
| Item | Data | Remarks |
| --- | --- | --- |
| (1) | Interface: GigabitEthernet 0/0/1; IP address: 192.168.1.1/24; Security zone: Trust | - |
| (2) | Interface: GigabitEthernet 0/0/2; IP address: 10.1.1.1/24; Security zone: DMZ | - |
| (3) | Interface: GigabitEthernet 0/0/3; IP address: 1.1.1.1/24; Security zone: Untrust | - |
| FTP Server | IP address: 10.1.1.2/24 | - |
| Web Server | IP address: 10.1.1.3/24 | - |
1. Configure an IP address for each interface and add the interfaces to their security zones.

```
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip address 192.168.1.1 24
[USG-GigabitEthernet0/0/1] quit
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] ip address 10.1.1.1 24
[USG-GigabitEthernet0/0/2] quit
[USG] interface GigabitEthernet 0/0/3
[USG-GigabitEthernet0/0/3] ip address 1.1.1.1 24
[USG-GigabitEthernet0/0/3] quit
[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet 0/0/1
[USG-zone-trust] quit
[USG] firewall zone dmz
[USG-zone-dmz] add interface GigabitEthernet 0/0/2
[USG-zone-dmz] quit
[USG] firewall zone untrust
[USG-zone-untrust] add interface GigabitEthernet 0/0/3
[USG-zone-untrust] quit
```

2. On the USG series, configure interzone packet filtering so that basic communication works (this step is not required on the USG BSR/HSR series). Allow users on 192.168.1.0/24 to access the Untrust zone, and allow Untrust users to access only the two servers 10.1.1.2 and 10.1.1.3 in the DMZ.

```
[USG] policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound] policy 0
[USG-policy-interzone-trust-untrust-outbound-0] policy source 192.168.1.0 0.0.0.255
[USG-policy-interzone-trust-untrust-outbound-0] action permit
[USG-policy-interzone-trust-untrust-outbound-0] quit
[USG-policy-interzone-trust-untrust-outbound] quit
[USG] policy interzone dmz untrust inbound
[USG-policy-interzone-dmz-untrust-inbound] policy 0
[USG-policy-interzone-dmz-untrust-inbound-0] policy destination 10.1.1.2 0
[USG-policy-interzone-dmz-untrust-inbound-0] policy service service-set ftp
[USG-policy-interzone-dmz-untrust-inbound-0] action permit
[USG-policy-interzone-dmz-untrust-inbound-0] quit
[USG-policy-interzone-dmz-untrust-inbound] policy 1
[USG-policy-interzone-dmz-untrust-inbound-1] policy destination 10.1.1.3 0
[USG-policy-interzone-dmz-untrust-inbound-1] policy service service-set http
[USG-policy-interzone-dmz-untrust-inbound-1] action permit
[USG-policy-interzone-dmz-untrust-inbound-1] quit
[USG-policy-interzone-dmz-untrust-inbound] quit
```

3. Configure NAPT to meet requirement 1.

 a. Create the NAT address pool.

```
[USG] nat address-group 1 1.1.1.3 1.1.1.6
```

 b. Create a NAT policy between the Trust and Untrust zones, specify the range of source addresses to be translated, and bind the policy to NAT address pool 1.

```
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 0
[USG-nat-policy-interzone-trust-untrust-outbound-0] policy source 192.168.1.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-0] address-group 1
[USG-nat-policy-interzone-trust-untrust-outbound-0] quit
[USG-nat-policy-interzone-trust-untrust-outbound] quit
```

4. Configure the internal servers to meet requirement 2.

 a. Create the public-to-private IP mappings for the two internal servers.

```
[USG] nat server protocol tcp global 1.1.1.2 ftp inside 10.1.1.2 ftp
[USG] nat server protocol tcp global 1.1.1.2 www inside 10.1.1.3 8080
```

 b. Configure NAT ALG between the DMZ and Untrust zones so that the server can provide FTP service to the outside. The ALG inspects the FTP control channel, which carries addresses and ports, so that the data connection is translated and admitted as well.

```
[USG] firewall interzone dmz untrust
[USG-interzone-dmz-untrust] detect ftp
[USG-interzone-dmz-untrust] quit
```

5. Configure routing correctly on the USG and on the network devices connected to it, so that the devices generate the correct routes to the internal servers.

Result

Requirement 1 verification:

1. After the configuration is complete, ping a public address (for example 2.2.2.2) from the internal host 192.168.1.2; the ping succeeds.

```
C:\Documents and Settings\Administrator>ping 2.2.2.2

PING 2.2.2.2: 56 data bytes, press CTRL_C to break
Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=254 time=20 ms
Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=254 time=10 ms
Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=254 time=10 ms
Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=254 time=10 ms
Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=254 time=10 ms

--- 2.2.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
```

2. View the session table on the USG; the session entry has been created.

```
[USG] display firewall session table verbose
 icmp  VPN: public --> public
 Zone: trust --> untrust  TTL: 00:00:20  Left: 00:00:15
 Interface: GigabitEthernet0/0/3  Nexthop: 2.2.2.2
 <--packets: 0 bytes: 0   -->packets: 5 bytes: 420
 192.168.1.2:44012[1.1.1.3:6103] --> 2.2.2.2:2048
```

3. View the NAT configuration on the USG.

```
[USG] display nat all
 NAT address-group information:
   number    : 1
   name      : ---
   startaddr : 1.1.1.3
   endaddr   : 1.1.1.6
   reference : 1
   vrrp      : ---
   instance  : public
 Total 1 address-groups

 Server in private network information:
   id                : 0
   zone              : ---
   interface         : ---
   globaladdr        : 1.1.1.2
   inside-start-addr : 10.1.1.2
   inside-end-addr   : 10.1.1.2
   global-start-port : 21(ftp)
   global-end-port   : 21(ftp)
   insideport        : 21(ftp)
   global            : public
   inside            : public
   protocol          : tcp
   vrrp              : ---
   no-reverse        : no

   id                : 1
   zone              : ---
   interface         : ---
   globaladdr        : 1.1.1.2
   inside-start-addr : 10.1.1.3
   inside-end-addr   : 10.1.1.3
   global-start-port : 80(www)
   global-end-port   : 80(www)
   insideport        : 8080
   global            : public
   inside            : public
   protocol          : tcp
   vrrp              : ---
   no-reverse        : no
 Total 2 NAT servers
```

Requirement 2 verification (taking the FTP service as the example):

1. After the NAT server configuration succeeds, view the server-map entries on the USG; they have been created.

```
[USG] display firewall server-map
 server-map item(s)
------------------------------------------------------------------------------
 Nat Server, ANY -> 1.1.1.2:21[10.1.1.2:21], Zone: ---
   Protocol: tcp(Appro: ftp), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

 Nat Server Reverse, 10.1.1.2[1.1.1.2] -> ANY, Zone: ---
   Protocol: ANY(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

 Nat Server, ANY -> 1.1.1.2:80[10.1.1.3:8080], Zone: ---
   Protocol: tcp(Appro: http), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

 Nat Server Reverse, 10.1.1.3[1.1.1.2] -> ANY, Zone: ---
   Protocol: ANY(Appro: ---), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public
```

2. When an external user (2.2.2.2) accesses the FTP server, the USG creates the corresponding session entries: the control connection translated by the NAT server mapping, and the data connection the server opens back to the client under its public address.

```
[USG] display firewall session table verbose
 ftp  VPN: public --> public
 Zone: untrust --> dmz  TTL: 00:00:10  Left: 00:00:08
 Interface: GigabitEthernet0/0/2  Nexthop: 10.1.1.2
 <--packets: 8 bytes: 369   -->packets: 9 bytes: 3
 2.2.2.2:49995 --> 1.1.1.2:21[10.1.1.2:21]

 tcp  VPN: public --> public
 Zone: dmz --> untrust  TTL: 00:10:00  Left: 00:09:59
 Interface: GigabitEthernet0/0/3  Nexthop: 2.2.2.2
 <--packets: 4 bytes: 238   -->packets: 4 bytes: 1
 10.1.1.2:20[1.1.1.2:20] --> 2.2.2.2:52486
```

Configuration Script

Only the part of the script relevant to this example is given.

```
#
 sysname USG
#
nat address-group 1 1.1.1.3 1.1.1.6
nat server 1 protocol tcp global 1.1.1.2 ftp inside 10.1.1.2 ftp
nat server 2 protocol tcp global 1.1.1.2 www inside 10.1.1.3 8080
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 1.1.1.1 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
firewall interzone dmz untrust
 detect ftp
#
policy interzone trust untrust outbound
 policy 0
  action permit
  policy source 192.168.1.0 0.0.0.255
#
policy interzone dmz untrust inbound
 policy 0
  action permit
  policy service service-set ftp
  policy destination 10.1.1.2 0
 policy 1
  action permit
  policy service service-set http
  policy destination 10.1.1.3 0
#
nat-policy interzone trust untrust outbound
 policy 0
  action source-nat
  policy source 192.168.1.0 0.0.0.255
  address-group 1
#
return
```

Huawei Symantec proprietary and confidential information. Copyright © Chengdu Huawei Symantec Technologies Co., Ltd.
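As an added check that is not part of this Huawei example, the following Python audit compares the flow lines of the session tables shown above against the NAT intent of this case: NAPT only for 192.168.1.0/24 into address-group 1, and inbound traffic only through the two published NAT server mappings. The handling of server-initiated flows under 1.1.1.2 (the Nat Server Reverse server-map entries) and the fourth, anomalous sample line are assumptions constructed for the example.

```python
# Added audit helper (constructed example, not USG software or Huawei code): check flow lines
# of "display firewall session table verbose" against this case's NAT intent: only 192.168.1.0/24
# may be source-NATed, only into address-group 1, and inbound flows may use only the two
# published NAT server mappings. Server-side flows under 1.1.1.2 ("Nat Server Reverse") pass.
import ipaddress
import re
NAPT_SOURCE = ipaddress.ip_network("192.168.1.0/24")   # nat-policy: policy source
POOL_START = ipaddress.ip_address("1.1.1.3")           # nat address-group 1 1.1.1.3 1.1.1.6
POOL_END = ipaddress.ip_address("1.1.1.6")
NAT_SERVERS = {("1.1.1.2", 21): ("10.1.1.2", 21),      # nat server ... ftp inside 10.1.1.2 ftp
               ("1.1.1.2", 80): ("10.1.1.3", 8080)}    # nat server ... www inside 10.1.1.3 8080
# Flow line shape: src[src_nat] --> dst[dst_nat]; each bracketed part is optional.
FLOW_RE = re.compile(r"^\s*(\S+?)(?:\[(\S+?)\])?\s*-->\s*(\S+?)(?:\[(\S+?)\])?\s*$")

def parse_flow(line):
    """Return (src, src_nat, dst, dst_nat) as (ip, port) tuples, or None if unparsable."""
    m = FLOW_RE.match(line)
    return tuple((g.rsplit(":", 1)[0], int(g.rsplit(":", 1)[1])) if g else None
                 for g in m.groups()) if m else None

def is_reverse_mapping(src, src_nat):
    """True when a published inside server talks out under its own global address."""
    return any(ins[0] == src[0] and glb[0] == src_nat[0] for glb, ins in NAT_SERVERS.items())

def audit_flow(line):
    """List the NAT-intent violations of one flow line; an empty list means clean."""
    parsed = parse_flow(line)
    if parsed is None:
        return ["unparsable flow line: " + line.strip()]
    src, src_nat, dst, dst_nat = parsed
    findings = []
    if src_nat and not is_reverse_mapping(src, src_nat):       # outbound NAPT flow
        if ipaddress.ip_address(src[0]) not in NAPT_SOURCE:
            findings.append(f"{src[0]} is outside 192.168.1.0/24 but was source-NATed")
        if not POOL_START <= ipaddress.ip_address(src_nat[0]) <= POOL_END:
            findings.append(f"translated address {src_nat[0]} is not in address-group 1")
    if dst_nat:                                                # inbound NAT server flow
        expected = NAT_SERVERS.get(dst)
        if expected is None:
            findings.append(f"no NAT server published for {dst[0]}:{dst[1]}")
        elif expected != dst_nat:
            findings.append(f"{dst[0]}:{dst[1]} mapped to {dst_nat[0]}:{dst_nat[1]}, "
                            f"expected {expected[0]}:{expected[1]}")
    return findings

# Three flow lines copied from this case's session tables plus one constructed anomaly.
SAMPLE_FLOWS = ["192.168.1.2:44012[1.1.1.3:6103] --> 2.2.2.2:2048",
                "2.2.2.2:49995 --> 1.1.1.2:21[10.1.1.2:21]",
                "10.1.1.2:20[1.1.1.2:20] --> 2.2.2.2:52486",
                "192.168.2.9:40000[1.1.1.9:6001] --> 2.2.2.2:80"]  # constructed anomaly
```

Running `audit_flow` over each line of `SAMPLE_FLOWS` reports nothing for the three flows taken from the page and two findings for the constructed line (wrong source segment and a translated address outside the pool).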