USG5500: configuring address-pool NAT and easy-ip NAT with dual exits

I. Networking requirements

1. A company has bought public IP addresses from two ISPs so that internal users can reach the Internet through NAT. Only one public IP was bought from ISP A, so that exit should use easy-ip NAT. Six public IPs (202.202.202.1-202.202.202.6) were bought from ISP B, so that exit should use NAT address-pool mode.

In addition, within one internal subnet, hosts with specified IP addresses must not be able to reach the Internet while all other addresses can.

2. Network topology

[Figure 1: network topology]

3. Data plan

VLANs: vlan172 (172.16.1.1/24), vlan192 (192.168.1.1/24), vlan100 (100.100.100.1/24)

SW1: G0/0/1 (vlan100), G0/0/2 (vlan192), G0/0/3 (vlan172), G0/0/4 (vlan192)

FW1: G0/0/1 (100.100.100.2), G0/0/2 (201.201.201.1/24), G0/0/3 (202.202.202.1/24)

ISP1: G0/0/2 (201.201.201.2/24), G0/0/0 (203.203.203.2/24)

ISP2: G0/0/2 (202.202.202.6/24), G0/0/0 (203.203.203.3/24)

4. Configuration approach

On the aggregation switch, create the VLANs, assign IP addresses to the VLAN interfaces, and bind the corresponding ports to their VLANs.

On the firewall, configure the interface IP addresses, the interzone security policies, and NAT.

II. Procedure

SW1 switch

1. Configure the VLANs and interfaces

system-view
[Huawei]sysname SW1
[SW1]vlan batch 172 192 100
[SW1]interface Vlanif 172
[SW1-Vlanif172]ip address 172.16.1.1 24
[SW1-Vlanif172]q
[SW1]interface Vlanif 192
[SW1-Vlanif192]ip address 192.168.1.1 24
[SW1-Vlanif192]q
[SW1]interface Vlanif 100
[SW1-Vlanif100]ip address 100.100.100.1 24
[SW1-Vlanif100]q
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 192
[SW1-GigabitEthernet0/0/2]q
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type access
[SW1-GigabitEthernet0/0/4]port default vlan 192
[SW1-GigabitEthernet0/0/4]q
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 172
[SW1-GigabitEthernet0/0/3]q
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 100
[SW1-GigabitEthernet0/0/1]q

2. Add a default route

[SW1]ip route-static 0.0.0.0 0.0.0.0 100.100.100.2

FW1 firewall

1. Configure the interface IP addresses

system-view
[SRG]sysname FW1
[FW1]interface GigabitEthernet 0/0/1
[FW1-GigabitEthernet0/0/1]ip address 100.100.100.2 24
[FW1-GigabitEthernet0/0/1]q
[FW1]interface GigabitEthernet 0/0/2
[FW1-GigabitEthernet0/0/2]ip address 201.201.201.1 24
[FW1-GigabitEthernet0/0/2]q
[FW1]interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3]ip address 202.202.202.1 24
[FW1-GigabitEthernet0/0/3]q

2. Add the interfaces to their security zones

[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/1
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 0/0/2
[FW1-zone-untrust]add interface GigabitEthernet 0/0/3
[FW1-zone-untrust]q

3. Configure the interzone security policy: permit the specified internal subnets to exchange packets with the public network, and deny the specified internal IP address from communicating with the public network

[FW1]policy interzone trust untrust outbound
[FW1-policy-interzone-trust-untrust-outbound]policy 1
[FW1-policy-interzone-trust-untrust-outbound-1]policy source 192.168.1.20 0
[FW1-policy-interzone-trust-untrust-outbound-1]action deny
[FW1-policy-interzone-trust-untrust-outbound-1]q
[FW1-policy-interzone-trust-untrust-outbound]policy 2
[FW1-policy-interzone-trust-untrust-outbound-2]policy source 192.168.0.0 mask 16
[FW1-policy-interzone-trust-untrust-outbound-2]action permit
[FW1-policy-interzone-trust-untrust-outbound-2]q
[FW1-policy-interzone-trust-untrust-outbound]policy 3
[FW1-policy-interzone-trust-untrust-outbound-3]policy source 172.16.0.0 mask 16
[FW1-policy-interzone-trust-untrust-outbound-3]action permit
[FW1-policy-interzone-trust-untrust-outbound-3]q
[FW1-policy-interzone-trust-untrust-outbound]q

Note the order in which the policies are evaluated: by default it is the order in which they were configured, not the numeric policy ID. So if the deny rule is configured after the permits, its position must be moved (use the command policy move policy-id1 { before | after } policy-id2 to adjust the policy order).
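An added Python model of the first-match behaviour just described, not code from the original post or from Huawei: it evaluates the page's three rules with the deny entered last, and a hypothetical `policy_move` helper emulates the reordering command.

```python
import ipaddress

# Hypothetical model (not Huawei's code) of the USG5500's first-match evaluation:
# rules are tried in CONFIGURATION order and the first one whose source matches
# decides; a packet matching no rule falls to the interzone default action.
def evaluate(policies, src_ip, default="deny"):
    ip = ipaddress.ip_address(src_ip)
    for policy_id, source, action in policies:
        if ip in ipaddress.ip_network(source):
            return policy_id, action
    return None, default

def policy_move(policies, moved_id, position, ref_id):
    """Emulate 'policy move <id> {before|after} <ref>': returns the reordered list."""
    moved = next(p for p in policies if p[0] == moved_id)
    rest = [p for p in policies if p[0] != moved_id]
    idx = next(i for i, p in enumerate(rest) if p[0] == ref_id)
    rest.insert(idx + (1 if position == "after" else 0), moved)
    return rest

# The page's three rules, but with the deny (policy 1) configured LAST, so it
# sits behind the permit for 192.168.0.0/16 even though its ID is lower.
DENY_LAST = [
    (2, "192.168.0.0/16", "permit"),
    (3, "172.16.0.0/16", "permit"),
    (1, "192.168.1.20/32", "deny"),
]

if __name__ == "__main__":
    print(evaluate(DENY_LAST, "192.168.1.20"))  # (2, 'permit'): the deny is shadowed
    fixed = policy_move(DENY_LAST, 1, "before", 2)
    print(evaluate(fixed, "192.168.1.20"))      # (1, 'deny')
    print(evaluate(fixed, "10.0.0.5"))          # (None, 'deny')
```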

4. Configure the NAT address pool, with port translation enabled, so that the public addresses are reused

[FW1]nat address-group 172 202.202.202.3 202.202.202.6

5. Configure the source NAT policy so that traffic from the specified internal subnets is automatically source-translated when it goes to the public network

[FW1]nat-policy interzone trust untrust outbound
[FW1-nat-policy-interzone-trust-untrust-outbound]policy 1
[FW1-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-untrust-outbound-1]easy-ip GigabitEthernet 0/0/2
[FW1-nat-policy-interzone-trust-untrust-outbound-1]q
[FW1-nat-policy-interzone-trust-untrust-outbound]policy 2
[FW1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[FW1-nat-policy-interzone-trust-untrust-outbound-2]policy source 172.16.0.0 mask 16
[FW1-nat-policy-interzone-trust-untrust-outbound-2]address-group 172
[FW1-nat-policy-interzone-trust-untrust-outbound-2]q
[FW1-nat-policy-interzone-trust-untrust-outbound]q

6. Configure default routes on the firewall so that internal traffic can be forwarded to the ISP routers, plus return routes to the internal subnets

[FW1]ip route-static 0.0.0.0 0.0.0.0 201.201.201.2
[FW1]ip route-static 0.0.0.0 0.0.0.0 202.202.202.2
[FW1]ip route-static 192.168.0.0 16 100.100.100.1
[FW1]ip route-static 172.16.0.0 16 100.100.100.1

III. Verification on the firewall

1. Firewall NAT session records

[FW1]display firewall session table
16:37:35  2018/08/05
 Current Total Sessions : 10
  icmp  VPN:public --> public 172.16.1.10:19639[202.202.202.6:2079]-->203.203.203.10:2048
  icmp  VPN:public --> public 172.16.1.10:19895[202.202.202.6:2080]-->203.203.203.10:2048
  icmp  VPN:public --> public 172.16.1.10:20151[202.202.202.6:2081]-->203.203.203.10:2048
  icmp  VPN:public --> public 172.16.1.10:20407[202.202.202.6:2082]-->203.203.203.10:2048
  icmp  VPN:public --> public 172.16.1.10:20663[202.202.202.6:2083]-->203.203.203.10:2048
  icmp  VPN:public --> public 192.168.1.10:22455[201.201.201.1:2123]-->203.203.203.10:2048
  icmp  VPN:public --> public 192.168.1.10:22711[201.201.201.1:2124]-->203.203.203.10:2048
  icmp  VPN:public --> public 192.168.1.10:23223[201.201.201.1:2125]-->203.203.203.10:2048
  icmp  VPN:public --> public 192.168.1.10:23479[201.201.201.1:2126]-->203.203.203.10:2048
  icmp  VPN:public --> public 192.168.1.10:23735[201.201.201.1:2127]-->203.203.203.10:2048
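As an added verification check, not part of the original post or of Huawei's software, the following Python parses lines in the format of the session table above and flags any session whose translated address does not match the NAT policy from step 5, or whose source is the host denied by policy 1. Two rows are copied from the output above; the third row and the helper names are constructed for the example.

```python
import ipaddress
import re

# Expected source-NAT result per internal subnet, from the nat-policy above:
# 192.168.0.0/16 -> easy-ip on G0/0/2 (201.201.201.1),
# 172.16.0.0/16 -> address-group 172 (202.202.202.3-202.202.202.6).
EXPECTED = {
    ipaddress.ip_network("192.168.0.0/16"): {ipaddress.ip_address("201.201.201.1")},
    ipaddress.ip_network("172.16.0.0/16"): {ipaddress.ip_address("202.202.202.%d" % i) for i in range(3, 7)},
}
DENIED_HOSTS = {ipaddress.ip_address("192.168.1.20")}  # policy 1 in the security policy

SESSION_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+VPN:\S+\s+-->\s+\S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\]"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_sessions(text):
    """Parse 'display firewall session table' lines; header lines are skipped."""
    return [m.groupdict() for m in map(SESSION_RE.match, text.splitlines()) if m]

def check_sessions(text):
    """Return one message per session that contradicts the NAT or deny policy."""
    problems = []
    for s in parse_sessions(text):
        src, nat_ip = ipaddress.ip_address(s["src"]), ipaddress.ip_address(s["nat_ip"])
        if src in DENIED_HOSTS:
            problems.append("denied host %s has a session" % src)
            continue
        pools = [p for net, p in EXPECTED.items() if src in net]
        if not pools:
            problems.append("unexpected internal source %s" % src)
        elif nat_ip not in pools[0]:
            problems.append("%s translated to %s, outside its pool" % (src, nat_ip))
    return problems

# Two rows copied from the page's output plus one CONSTRUCTED row for the denied host.
SAMPLE = """\
 Current Total Sessions : 3
  icmp  VPN:public --> public 172.16.1.10:19639[202.202.202.6:2079]-->203.203.203.10:2048
  icmp  VPN:public --> public 192.168.1.10:22455[201.201.201.1:2123]-->203.203.203.10:2048
  icmp  VPN:public --> public 192.168.1.20:30001[201.201.201.1:2200]-->203.203.203.10:2048
"""

if __name__ == "__main__":
    for problem in check_sessions(SAMPLE):
        print(problem)
```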

2. Interzone security policy hit counts: the hit counts of the permitted subnets are visible, and the denied IP (192.168.1.20) has been matched 5 times

[FW1]display policy interzone trust untrust outbound
16:40:33  2018/08/05
policy interzone trust untrust outbound
 firewall default packet-filter is deny
 policy 1 (5 times matched)
  action deny 
  policy service service-set ip
  policy source 192.168.1.20 0
  policy destination any

 policy 2 (80 times matched)
  action permit 
  policy service service-set ip
  policy source 192.168.0.0 mask 16
  policy destination any

 policy 3 (38 times matched)
  action permit 
  policy service service-set ip
  policy source 172.16.0.0 mask 16
  policy destination any

IV. Additional notes

1. Even when the default interzone action is permit, a manually configured deny still blocks the traffic. For example, set the default packet filter from trust to untrust to permit:

[FW1]firewall packet-filter default permit interzone trust untrust direction outbound

The host is still denied, and the deny rule's hit count has increased:

[FW1]display policy interzone trust untrust outbound
17:09:35  2018/08/05
policy interzone trust untrust outbound
 firewall default packet-filter is permit
 policy 1 (34 times matched)
  action deny 
  policy service service-set ip
  policy source 192.168.1.20 0
  policy destination any

 policy 2 (80 times matched)
  action permit 
  policy service service-set ip
  policy source 192.168.0.0 mask 16
  policy destination any

 policy 3 (38 times matched)
  action permit 
  policy service service-set ip
  policy source 172.16.0.0 mask 16
  policy destination any

 
