Huawei Firewall Address Translation (NAT)

[Figure 1]

Requirements:

1. Allow the external zone (Untrust) to reach the HTTP and FTP servers in the DMZ. From the Untrust zone the HTTP and FTP servers are reached through 202.100.1.100 port 80 and 202.100.1.100 port 2121 respectively (configure both variants: the servers allowed to access the outside, and the servers not allowed to access outside resources).

2. Allow Trust to access resources in the Untrust zone (test with telnet and ping from AR2 to AR1), using source-address-based NO-PAT and NAPT, and port-based translation with Easy IP.

I. Basic configuration

1. Configure the routers

AR1

interface GigabitEthernet0/0/0
 ip address 202.100.1.1 24
quit
interface loopback 0
 ip address 1.1.1.1 32
quit
ip route-static 0.0.0.0 0 202.100.1.10

Configure telnet with username huawei and password huawei123:

user-interface vty 0 4
 authentication-mode aaa
quit
aaa
 local-user huawei password cipher huawei123
 local-user huawei privilege level 3
 local-user huawei service-type telnet
quit

AR2

interface GigabitEthernet0/0/0
 ip address 192.168.1.1 24
quit
interface loopback 0
 ip address 2.2.2.2 32
quit
ip route-static 0.0.0.0 0 192.168.1.10

2. Configure IP addresses and zones

FW1

interface GigabitEthernet0/0/0
 ip address 202.100.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/1
 ip address 172.16.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/2
 ip address 192.168.1.10 255.255.255.0
quit
firewall zone trust
 add interface GigabitEthernet0/0/2
quit
firewall zone untrust
 add interface GigabitEthernet0/0/0
quit
firewall zone dmz
 add interface GigabitEthernet0/0/1
quit

firewall session link-state check    == enable session link-state checking
firewall packet-filter default deny all    == deny all traffic by default

Configure the access policies

(Allow 192.168.1.0/24 to telnet and ping the Untrust zone)

policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 192.168.1.0 mask 255.255.255.0
  policy service service-set icmp
  policy service service-set telnet

(Allow the Untrust zone to reach the HTTP and FTP servers)

policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set http
  policy service service-set ftp
  policy destination 172.16.1.1 0
  policy destination 172.16.1.2 0

Enable FTP inspection so the FTP data channel is tracked:

firewall interzone dmz untrust
 detect ftp

The client can reach FTP:

[Figure 2]

The client can reach HTTP:

[Figure 3]

View the policy matches:

[Figure 4]

II. Configure address translation

1. Trust to Untrust translation

nat address-group 0 202.100.1.100 202.100.1.200    == configure the address pool

Configure the NAT policy (NAPT: pool addresses are shared by rewriting the source port)

nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 192.168.1.0 0.0.0.255
  address-group 0

Configure one-to-one translation (NO-PAT: one pool address per inside host, ports unchanged)

nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 192.168.1.0 0.0.0.255
  address-group 0 no-pat

Translate to the interface IP address (Easy IP; the interface given is the one facing the Untrust zone, GigabitEthernet0/0/0)

nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 192.168.1.0 0.0.0.255
  easy-ip GigabitEthernet0/0/0
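The three source-NAT variants above differ only in how they use pool 0 (202.100.1.100 to 202.100.1.200) for hosts in 192.168.1.0/24. The Python model below is an added example, not the firewall's code: it applies each variant's mapping rule to sample flows and shows that NO-PAT runs out of pool addresses before a full /24 is served; the starting PAT port, the choice of the first pool address for NAPT, and the egress interface address are constructed assumptions.

```python
import ipaddress

# Values taken from the configuration above; everything else is constructed.
POOL_START, POOL_END = "202.100.1.100", "202.100.1.200"   # nat address-group 0
INSIDE = ipaddress.ip_network("192.168.1.0/24")            # policy source
EGRESS_IP = "202.100.1.10"                                 # GE0/0/0, faces Untrust (assumed)

def pool_addresses():
    lo, hi = (int(ipaddress.ip_address(a)) for a in (POOL_START, POOL_END))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

class SourceNat:
    """Translate (src_ip, src_port) the way each 'action source-nat' variant does."""
    def __init__(self, mode):
        assert mode in ("no-pat", "napt", "easy-ip")
        self.mode, self.pool = mode, pool_addresses()
        self.host_map = {}        # no-pat: inside host -> reserved global address
        self.flow_map = {}        # napt/easy-ip: (ip, port) -> (global ip, global port)
        self.next_port = 10240    # constructed starting port for PAT allocation

    def translate(self, src_ip, src_port):
        if ipaddress.ip_address(src_ip) not in INSIDE:
            return None                       # policy source does not match: no NAT
        if self.mode == "no-pat":
            # One global address per inside host, port untouched; the pool can run out.
            if src_ip not in self.host_map:
                free = [a for a in self.pool if a not in self.host_map.values()]
                if not free:
                    return None               # 101 pool addresses < 254 hosts
                self.host_map[src_ip] = free[0]
            return self.host_map[src_ip], src_port
        key = (src_ip, src_port)
        if key not in self.flow_map:
            # NAPT shares a pool address; Easy IP uses the egress interface address.
            global_ip = self.pool[0] if self.mode == "napt" else EGRESS_IP
            self.flow_map[key] = (global_ip, self.next_port)
            self.next_port += 1
        return self.flow_map[key]

def exhaust_no_pat(hosts=254):
    """Return how many of `hosts` inside hosts get a NO-PAT mapping."""
    nat = SourceNat("no-pat")
    return sum(nat.translate(f"192.168.1.{i}", 40000) is not None
               for i in range(1, hosts + 1))
```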

View the configuration:

[Figure 5]
[Figure 6]

From the Untrust zone the HTTP and FTP servers are reached through 202.100.1.100 port 80 and 202.100.1.100 port 2121 respectively (configure both variants: the servers allowed to access the outside, and the servers not allowed to access outside resources):

 nat server 0 protocol tcp global 202.100.1.100 2121 inside 172.16.1.2 ftp
 nat server 1 protocol tcp global 202.100.1.100 www inside 172.16.1.1 www

Servers not allowed to access outside resources (no-reverse makes the mapping one-way, inbound only):

 nat server 0 protocol tcp global 202.100.1.100 2121 inside 172.16.1.2 ftp no-reverse
 nat server 1 protocol tcp global 202.100.1.100 www inside 172.16.1.1 www no-reverse

[Figure 7]

View the configuration:

[huaweiFW]display current-configuration

12:47:36  2015/02/05
#
stp region-configuration
 region-name b05fe31530c0
 active region-configuration
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 202.100.1.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.10 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/1
#
firewall interzone dmz untrust
 detect ftp
#
#
aaa
 local-user admin password cipher %$%$G`cqF,rt$@9cWbN#7uXWzypg%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
nqa-jitter tag-version 1
#
 banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 slb
#
right-manager server-group
#
 sysname huaweiFW
#
  domain suffix-separator @
#
 nat address-group 0 202.100.1.100 202.100.1.200
 nat server 0 protocol tcp global 202.100.1.100 2121 inside 172.16.1.2 ftp
 nat server 1 protocol tcp global 202.100.1.100 www inside 172.16.1.1 www
#
 ip df-unreachables enable
#
 firewall ipv6 session link-state check
 firewall ipv6 statistic system enable
#
 dns resolve
#
 firewall statistic system enable
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy
#
 license-server domain lic.huawei.com
#
 web-manager enable
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 192.168.1.0 mask 255.255.255.0
#
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set http
  policy service service-set ftp
  policy destination 172.16.1.1 0
  policy destination 172.16.1.2 0
#
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 192.168.1.0 0.0.0.255
  address-group 0 no-pat
#
return
[huaweiFW]
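The saved configuration is what the firewall actually enforces, and it differs from the commands typed earlier: the trust-to-untrust policy in the dump carries no service-set lines, the nat server entries are the variant without no-reverse, and vty 0 4 runs with authentication-mode none. The Python audit below is an added example (not Huawei tooling) that splits a constructed excerpt of that output into its "#"-delimited stanzas and reports those three conditions; the finding texts are the example's own wording.

```python
import re

# Constructed excerpt of the "display current-configuration" output above.
CONFIG = """\
#
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
 nat server 0 protocol tcp global 202.100.1.100 2121 inside 172.16.1.2 ftp
 nat server 1 protocol tcp global 202.100.1.100 www inside 172.16.1.1 www
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 192.168.1.0 mask 255.255.255.0
#
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set http
  policy service service-set ftp
#
"""

def stanzas(text):
    """Split VRP-style config into the blocks separated by '#' lines, indentation stripped."""
    blocks = [[]]
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            blocks.append([])
        elif line:
            blocks[-1].append(line)
    return [b for b in blocks if b]

def audit(text):
    """Return one finding string per condition described in the lead-in."""
    findings = []
    for block in stanzas(text):
        head = block[0]
        if head.startswith("user-interface vty") and "authentication-mode none" in block:
            findings.append(f"{head}: remote login without authentication")
        for line in block:
            m = re.match(r"nat server \S+ .* inside (\S+)", line)
            if m and not line.endswith(" no-reverse"):
                findings.append(f"nat server for {m.group(1)}: two-way mapping, no 'no-reverse'")
        if head.startswith("policy interzone") and "action permit" in block:
            if not any(l.startswith("policy service") for l in block):
                findings.append(f"{head}: permit without a service-set restriction")
    return findings
```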