Lab topology

[Figure 1: lab topology diagram]

Lab environment


FW1 simulates the company's egress firewall. R1 and R2 simulate internal devices: R1 sits in the trust zone and R2 in the dmz zone. R3 simulates the ISP network.


Lab requirements


Dynamic NAT for R1's loopback 0 interface

Static PAT for R1's G0/0/0 interface

Static NAT for R2's loopback 0 interface

Static port mapping for R2's G0/0/0 interface


Address plan

R1 G0/0/0: 11.0.0.2/24
R1 loopback 0: 192.168.10.1/24
R2 loopback 0: 192.168.20.1/24
R2 G0/0/0: 12.0.0.2/24
R3 G0/0/0: 13.0.0.2/24
FW1 G0/0/0: 11.0.0.1/24
FW1 G0/0/1: 12.0.0.1/24
FW1 G0/0/2: 13.0.0.1/24


Device configuration

-------------- Basic configuration ---------

R1 configuration

[Huawei]sy R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 11.0.0.2 24
[R1-GigabitEthernet0/0/0]q
[R1]int loo 0
[R1-LoopBack0]ip add 192.168.10.1 24
[R1-LoopBack0]q
[R1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1

R2 configuration

[Huawei]sy R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[R2-GigabitEthernet0/0/0]int loo 0
[R2-LoopBack0]ip add 192.168.20.1 24
[R2-LoopBack0]q
[R2]ip route-s 0.0.0.0 0.0.0.0 12.0.0.1

R3 configuration

[Huawei]sy R3
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 13.0.0.2 24


----------------- Firewall configuration ------------------------------

[SRG]int g0/0/0
[SRG-GigabitEthernet0/0/0]ip add 11.0.0.1 24
[SRG-GigabitEthernet0/0/0]int g0/0/1
[SRG-GigabitEthernet0/0/1]ip add 12.0.0.1 24
[SRG-GigabitEthernet0/0/1]int g0/0/2
[SRG-GigabitEthernet0/0/2]ip add 13.0.0.1 24
[SRG-GigabitEthernet0/0/2]q
[SRG]firewall zone trust             // Enter the trust zone
[SRG-zone-trust]add interface g0/0/0    // Add the interface to the trust zone
[SRG-zone-trust]q
[SRG]firewall zone untrust
[SRG-zone-untrust]add int g0/0/2
[SRG-zone-untrust]q
[SRG]firewall zone dmz
[SRG-zone-dmz]add int g0/0/1
[SRG-zone-dmz]q
[SRG]ip route-static 192.168.20.0 24 12.0.0.2
[SRG]ip route-static 192.168.10.0 24 11.0.0.2

---------------- Dynamic NAT configuration --------------------------

[SRG]nat address-group 1 200.200.200.100 200.200.200.200
// Create a NAT address pool
[SRG]nat-policy interzone trust untrust outbound
// Enter the NAT policy view for the trust-to-untrust outbound direction
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1   // Create a policy
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
// Configure the source addresses
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
// Set the action to source NAT
[SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1 no-pat
// Bind the NAT address pool; Huawei reuses pool addresses (PAT) by default, so no-pat is specified here
[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit
[SRG-nat-policy-interzone-trust-untrust-outbound]quit
[SRG]policy interzone trust untrust outbound
// Enter the security policy view for the trust-to-untrust outbound direction
[SRG-policy-interzone-trust-untrust-outbound]policy 1       // Create a policy
[SRG-policy-interzone-trust-untrust-outbound-1]policy service service-set icmp
[SRG-policy-interzone-trust-untrust-outbound-1]action permit
// Permit all ICMP traffic from trust to untrust

Add a route to 200.200.200.0/24 on R3:

[R3]ip route-static 200.200.200.0 24 13.0.0.1

Ping R3 from R1 and capture on R3 to verify the translation.

[Figure 2: packet capture on R3 of the ping from R1]

The capture shows that the source address was translated to an address taken from the NAT pool.


-------------------- Static PAT configuration ----------------------------

[SRG]nat-policy interzone trust untrust outbound
// Enter the NAT policy view for the trust-to-untrust outbound direction
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 2      // Create a policy
[SRG-nat-policy-interzone-trust-untrust-outbound-2]policy source 11.0.0.0 0.0.0.255
// Configure the source addresses
[SRG-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
// Set the action to source NAT
[SRG-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet 0/0/2
// Use the address of interface G0/0/2 for the translation (easy-ip)

 

Ping R3 from R1 and capture on R3 to verify.

[Figure 3: packet capture on R3 of the ping from R1]

The capture shows that the address was NAT-translated; the address used for the translation is that of FW1's G0/0/0 interface.


--------------------- Static NAT configuration -----------------------------

[SRG]nat server global 111.111.111.111 inside 192.168.20.1
// Map the internal address 192.168.20.1 to the global address 111.111.111.111
[SRG]policy interzone dmz untrust outbound
// Enter the security policy view for the dmz-to-untrust outbound direction
[SRG-policy-interzone-dmz-untrust-outbound]policy 1   // Create a policy
[SRG-policy-interzone-dmz-untrust-outbound-1]policy service service-set icmp
// The service is ICMP
[SRG-policy-interzone-dmz-untrust-outbound-1]action permit   // Action permit

 

Configure a route to 111.111.111.111/32 on R3:

[R3]ip route-static 111.111.111.111 32 13.0.0.1

Ping R3 from R2 and capture on R3 to verify.

[Figure 4: packet capture on R3 of the ping from R2]

The capture shows that the address was NAT-translated.


---------------------- Static port mapping configuration ----------------------------

Enable telnet on R2:

[R2]user-interface vty 0 4
[R2-ui-vty0-4]set authentication password cipher abc123

 

FW1 configuration

[SRG]nat server protocol tcp global interface g0/0/2 telnet inside 12.0.0.2 telnet
// Configure the port mapping: telnet (23) on the global address of interface G0/0/2 is mapped to telnet on the internal host 12.0.0.2
[SRG]policy interzone dmz untrust inbound
// Enter the security policy view for the inbound direction (untrust to dmz)
[SRG-policy-interzone-dmz-untrust-inbound]policy 1    // Create a policy
[SRG-policy-interzone-dmz-untrust-inbound-1]policy service service-set telnet
// Set the policy service to telnet
[SRG-policy-interzone-dmz-untrust-inbound-1]policy destination 12.0.0.2 0
// Set the destination address to 12.0.0.2
[SRG-policy-interzone-dmz-untrust-inbound-1]action permit      // Action permit

// The policy above permits any source to reach telnet on 12.0.0.2

 

 

Telnet from R3 to the address of FW1's G0/0/2 interface.

[Figure 5: telnet from R3 to FW1's G0/0/2 address]
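To make the four translations above and their interaction with the interzone policies concrete, here is an added Python model of FW1's behaviour; it is example code written for this page, not Huawei code and not part of the original post. It uses the lab's addresses, pool and policies, but the PAT port range start (10240), the session bookkeeping and the zone lookup by address are simplifying assumptions of the model. It shows why the inbound telnet policy names the inside address 12.0.0.2 (destination NAT from nat server is applied before the security policy lookup), and that a static nat server mapping by itself does not admit unsolicited traffic when no policy permits it.

```python
# Added example: a model of FW1's NAT and interzone policies from this lab.
# Port range start, session handling and zone lookup are assumptions of this model.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count

@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0      # for ICMP echo, put the identifier in both port fields
    dport: int = 0

# Zone membership derived from FW1's interface addresses and static routes
ZONES = {"trust": ["11.0.0.0/24", "192.168.10.0/24"],
         "dmz": ["12.0.0.0/24", "192.168.20.0/24"]}

def zone_of(ip):
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in ip_network(n) for n in nets):
            return name
    return "untrust"

# The lab's security policies as (from zone, to zone, proto, dst or None, dport or None).
# Destination NAT (nat server) runs before the policy lookup, so the telnet rule
# names the inside address 12.0.0.2, exactly as the lab configuration does.
POLICIES = [("trust", "untrust", "icmp", None, None),
            ("dmz", "untrust", "icmp", None, None),
            ("untrust", "dmz", "tcp", "12.0.0.2", 23)]

def permitted(src_zone, pkt):
    for frm, to, proto, dst, dport in POLICIES:
        if ((frm, to, proto) == (src_zone, zone_of(pkt.dst), pkt.proto)
                and dst in (None, pkt.dst) and dport in (None, pkt.dport)):
            return True
    return False        # default interzone action is deny

class Fw1Nat:
    def __init__(self):
        # nat address-group 1 200.200.200.100 200.200.200.200, bound with no-pat
        self.pool = [str(ip_address("200.200.200.100") + i) for i in range(101)]
        self.pool_map = {}              # inside ip -> pool ip, one-to-one
        self.easy_ip = "13.0.0.1"       # easy-ip GigabitEthernet 0/0/2
        self.next_port = count(10240)   # assumed start of the PAT port range
        self.pat_sessions = {}          # (proto, global port) -> (inside ip, inside port)
        self.static = {"192.168.20.1": "111.111.111.111"}            # nat server global/inside
        self.port_map = {("tcp", "13.0.0.1", 23): ("12.0.0.2", 23)}  # telnet port mapping
        self.sessions = set()           # 5-tuples of the replies we expect from untrust

    def source_nat(self, pkt):
        """Static nat server mapping first, then the trust-to-untrust nat-policy in order."""
        if pkt.src in self.static:                        # static NAT (dmz -> untrust)
            return replace(pkt, src=self.static[pkt.src])
        if zone_of(pkt.src) != "trust" or zone_of(pkt.dst) != "untrust":
            return pkt
        src = ip_address(pkt.src)
        if src in ip_network("192.168.10.0/24"):          # policy 1: address-group no-pat
            if pkt.src not in self.pool_map:
                used = set(self.pool_map.values())
                self.pool_map[pkt.src] = next(a for a in self.pool if a not in used)
            return replace(pkt, src=self.pool_map[pkt.src])
        if src in ip_network("11.0.0.0/24"):              # policy 2: easy-ip (PAT)
            gport = next(self.next_port)
            self.pat_sessions[(pkt.proto, gport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.easy_ip, sport=gport)
        return pkt

    def destination_nat(self, pkt):
        """Undo a mapping for a packet arriving from untrust; None if there is none."""
        key = (pkt.proto, pkt.dst, pkt.dport)
        if key in self.port_map:                          # static port mapping
            ip, port = self.port_map[key]
            return replace(pkt, dst=ip, dport=port)
        for table in (self.static, self.pool_map):        # static NAT, no-pat pool
            for inside, glob in table.items():
                if pkt.dst == glob:
                    return replace(pkt, dst=inside)
        sess = self.pat_sessions.get((pkt.proto, pkt.dport))
        if sess and pkt.dst == self.easy_ip:              # easy-ip session reverse
            return replace(pkt, dst=sess[0], dport=sess[1])
        return None

    def forward(self, pkt):
        """Return the packet as it leaves FW1, or None if NAT or policy drops it."""
        if zone_of(pkt.src) == "untrust":                 # inbound: translate, then policy
            inner = self.destination_nat(pkt)
            is_reply = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions
            if inner is None or not (is_reply or permitted("untrust", inner)):
                return None
            return inner
        if not permitted(zone_of(pkt.src), pkt):          # outbound: policy on pre-NAT addresses
            return None
        out = self.source_nat(pkt)
        self.sessions.add((out.proto, out.dst, out.dport, out.src, out.sport))
        return out

if __name__ == "__main__":
    fw = Fw1Nat()
    print(fw.forward(Packet("icmp", "192.168.10.1", "13.0.0.2", 1, 1)))     # pool address
    print(fw.forward(Packet("icmp", "11.0.0.2", "13.0.0.2", 7, 7)))         # 13.0.0.1, new port
    print(fw.forward(Packet("tcp", "13.0.0.2", "13.0.0.1", 50000, 23)))     # telnet to 12.0.0.2
    print(fw.forward(Packet("icmp", "13.0.0.2", "111.111.111.111", 3, 3)))  # None: no policy
```

The `forward` method mirrors the order the lab relies on: outbound traffic is matched against the security policy with its original addresses and only then source-translated, while inbound traffic is destination-translated first and then matched, which is why the telnet rule's destination is 12.0.0.2 rather than the G0/0/2 address. The last call in the usage block is the case worth noticing: an unsolicited ping to 111.111.111.111 is translated to 192.168.20.1 but dropped, because the lab only permits ICMP in the dmz-to-untrust direction.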