1. A company has bought public IP addresses from two ISPs so that internal users can reach the Internet through NAT. From ISP A it bought only one public IP, so that link is to be configured in easy-ip NAT mode. From ISP B it bought six public IPs (202.202.202.1-202.202.202.6), so that link is to be configured in NAT address-pool mode.
In addition, within one internal subnet, a specified IP host must not be able to access the Internet while all other IPs can.
2. Network topology
3. Data planning
VLAN:vlan172(172.16.1.1/24),vlan192(192.168.1.1/24),vlan100(100.100.100.1/24)
SW1:G0/0/1:(vlan100),G0/0/2:(vlan192),G0/0/3:(vlan172),G0/0/4:(vlan192)
FW1:G0/0/1(100.100.100.2),G0/0/2(201.201.201.1/24),G0/0/3(202.202.202.1/24)
ISP1:G0/0/2(201.201.201.2/24),G0/0/0(203.203.203.2/24)
ISP2:G0/0/2(202.202.202.6/24),G0/0/0(203.203.203.3/24)
4. Configuration approach
On the aggregation switch, create the VLANs, assign their IP addresses, and bind the corresponding interfaces to the VLANs.
On the firewall, configure the interface IPs, the interzone security policy, and NAT.
SW1 switch
1. Configure VLANs and interfaces
system-view
[Huawei]sysname SW1
[SW1]vlan batch 172 192 100
[SW1]interface Vlanif 172
[SW1-Vlanif172]ip address 172.16.1.1 24
[SW1-Vlanif172]q
[SW1]interface Vlanif 192
[SW1-Vlanif192]ip address 192.168.1.1 24
[SW1-Vlanif192]q
[SW1]interface Vlanif 100
[SW1-Vlanif100]ip address 100.100.100.1 24
[SW1-Vlanif100]q
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 192
[SW1-GigabitEthernet0/0/2]q
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type access
[SW1-GigabitEthernet0/0/4]port default vlan 192
[SW1-GigabitEthernet0/0/4]q
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 172
[SW1-GigabitEthernet0/0/3]q
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 100
[SW1-GigabitEthernet0/0/1]q
2. Add a route
[SW1]ip route-static 0.0.0.0 0.0.0.0 100.100.100.2
FW1 firewall
1. Configure interface IP addresses
system-view
[SRG]sysname FW1
[FW1]interface GigabitEthernet 0/0/1
[FW1-GigabitEthernet0/0/1]ip address 100.100.100.2 24
[FW1-GigabitEthernet0/0/1]q
[FW1]interface GigabitEthernet 0/0/2
[FW1-GigabitEthernet0/0/2]ip address 201.201.201.1 24
[FW1-GigabitEthernet0/0/2]q
[FW1]interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3]ip address 202.202.202.1 24
[FW1-GigabitEthernet0/0/3]q
2. Add the interfaces to their security zones
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/1
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 0/0/2
[FW1-zone-untrust]add interface GigabitEthernet 0/0/3
[FW1-zone-untrust]q
3. Configure the interzone security policy: permit the specified internal subnets to exchange traffic with the Internet, and deny the specified internal IP from communicating with the Internet
[FW1]policy interzone trust untrust outbound
[FW1-policy-interzone-trust-untrust-outbound]policy 1
[FW1-policy-interzone-trust-untrust-outbound-1]policy source 192.168.1.20 0
[FW1-policy-interzone-trust-untrust-outbound-1]action deny
[FW1-policy-interzone-trust-untrust-outbound-1]q
[FW1-policy-interzone-trust-untrust-outbound]policy 2
[FW1-policy-interzone-trust-untrust-outbound-2]policy source 192.168.0.0 mask 16
[FW1-policy-interzone-trust-untrust-outbound-2]action permit
[FW1-policy-interzone-trust-untrust-outbound-2]q
[FW1-policy-interzone-trust-untrust-outbound]policy 3
[FW1-policy-interzone-trust-untrust-outbound-3]policy source 172.16.0.0 mask 16
[FW1-policy-interzone-trust-untrust-outbound-3]action permit
[FW1-policy-interzone-trust-untrust-outbound-3]q
[FW1-policy-interzone-trust-untrust-outbound]q
Note the order in which policies are evaluated: by default it is the order in which they were configured, not the numeric policy ID. So if the deny rule is configured after the permit rules, the policy order must be changed (run policy move policy-id1 { before | after } policy-id2 to adjust policy priority).
4. Configure the NAT address pool and allow port translation so that the public addresses can be reused
[FW1]nat address-group 172 202.202.202.3 202.202.202.6
5. Configure the source NAT policy so that the specified internal subnets have their source address translated automatically when accessing the Internet
[FW1]nat-policy interzone trust untrust outbound
[FW1-nat-policy-interzone-trust-untrust-outbound]policy 1
[FW1-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
[FW1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 mask 16
[FW1-nat-policy-interzone-trust-untrust-outbound-1]easy-ip GigabitEthernet 0/0/2
[FW1-nat-policy-interzone-trust-untrust-outbound-1]q
[FW1-nat-policy-interzone-trust-untrust-outbound]policy 2
[FW1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[FW1-nat-policy-interzone-trust-untrust-outbound-2]policy source 172.16.0.0 mask 16
[FW1-nat-policy-interzone-trust-untrust-outbound-2]address-group 172
[FW1-nat-policy-interzone-trust-untrust-outbound-2]q
[FW1-nat-policy-interzone-trust-untrust-outbound]q
6. Configure default routes on the firewall so that internal traffic is forwarded to the ISP routers, plus return routes for the internal subnets
[FW1]ip route-static 0.0.0.0 0.0.0.0 201.201.201.2
[FW1]ip route-static 0.0.0.0 0.0.0.0 202.202.202.2
[FW1]ip route-static 192.168.0.0 16 100.100.100.1
[FW1]ip route-static 172.16.0.0 16 100.100.100.1
1. Firewall NAT session records
[FW1]display firewall session table
16:37:35 2018/08/05
Current Total Sessions : 10
icmp VPN:public --> public 172.16.1.10:19639[202.202.202.6:2079]-->203.203.203.10:2048
icmp VPN:public --> public 172.16.1.10:19895[202.202.202.6:2080]-->203.203.203.10:2048
icmp VPN:public --> public 172.16.1.10:20151[202.202.202.6:2081]-->203.203.203.10:2048
icmp VPN:public --> public 172.16.1.10:20407[202.202.202.6:2082]-->203.203.203.10:2048
icmp VPN:public --> public 172.16.1.10:20663[202.202.202.6:2083]-->203.203.203.10:2048
icmp VPN:public --> public 192.168.1.10:22455[201.201.201.1:2123]-->203.203.203.10:2048
icmp VPN:public --> public 192.168.1.10:22711[201.201.201.1:2124]-->203.203.203.10:2048
icmp VPN:public --> public 192.168.1.10:23223[201.201.201.1:2125]-->203.203.203.10:2048
icmp VPN:public --> public 192.168.1.10:23479[201.201.201.1:2126]-->203.203.203.10:2048
icmp VPN:public --> public 192.168.1.10:23735[201.201.201.1:2127]-->203.203.203.10:2048
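As an added check (not part of the original post), the function below parses `display firewall session table` lines in the format shown above and verifies each session against the NAT plan on this page: 172.16.0.0/16 must appear behind a pool address 202.202.202.3-202.202.202.6, 192.168.0.0/16 behind the easy-ip interface address 201.201.201.1, and the denied host 192.168.1.20 must never have a session. The sample input is constructed from two lines of the page's output plus one deliberately wrong entry.

```python
import ipaddress
import re

# Expected source-NAT plan, taken from the firewall configuration on this page.
POOL_172 = (ipaddress.ip_address("202.202.202.3"), ipaddress.ip_address("202.202.202.6"))
EASY_IP_192 = ipaddress.ip_address("201.201.201.1")   # easy-ip on GigabitEthernet 0/0/2
DENIED_HOST = ipaddress.ip_address("192.168.1.20")    # dropped by interzone policy 1
# One line of `display firewall session table`, e.g.
# icmp VPN:public --> public 172.16.1.10:19639[202.202.202.6:2079]-->203.203.203.10:2048
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\S+\s+-->\s+\S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\[(?P<nsrc>[\d.]+):(?P<nport>\d+)\]"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_session(line):
    """Return (proto, src, translated_src, dst) or None for non-session lines."""
    m = SESSION_RE.match(line.strip())
    if not m:
        return None
    return (m["proto"], ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["nsrc"]), ipaddress.ip_address(m["dst"]))

def check_session(src, nsrc):
    """Compare one session's pre/post-NAT source with the plan; return a verdict string."""
    if src == DENIED_HOST:
        return "VIOLATION: denied host has a session"
    if src in ipaddress.ip_network("172.16.0.0/16"):
        return "ok-pool" if POOL_172[0] <= nsrc <= POOL_172[1] else "VIOLATION: not from pool"
    if src in ipaddress.ip_network("192.168.0.0/16"):
        return "ok-easy-ip" if nsrc == EASY_IP_192 else "VIOLATION: not easy-ip address"
    return "VIOLATION: unexpected source"

def audit(table_text):
    """Audit a whole session-table dump; returns {verdict: count}."""
    counts = {}
    for line in table_text.splitlines():
        parsed = parse_session(line)
        if parsed is None:       # header / timestamp lines are skipped
            continue
        verdict = check_session(parsed[1], parsed[2])
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample: two lines copied from the page's output plus one deliberately bad entry.
SAMPLE = """Current Total Sessions : 3
icmp VPN:public --> public 172.16.1.10:19639[202.202.202.6:2079]-->203.203.203.10:2048
icmp VPN:public --> public 192.168.1.10:22455[201.201.201.1:2123]-->203.203.203.10:2048
icmp VPN:public --> public 192.168.1.20:1[201.201.201.1:2200]-->203.203.203.10:2048
"""
```

Running `audit(SAMPLE)` on the real firewall output (paste the whole dump) flags any session whose translated address does not match the configured pool or easy-ip interface, or that belongs to the host the policy should have dropped.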
2. Interzone security policy hit counts: the match counts for the permitted subnets are visible, and the denied IP (192.168.1.20) has been hit 5 times
[FW1]display policy interzone trust untrust outbound
16:40:33 2018/08/05
policy interzone trust untrust outbound
firewall default packet-filter is deny
policy 1 (5 times matched)
action deny
policy service service-set ip
policy source 192.168.1.20 0
policy destination any
policy 2 (80 times matched)
action permit
policy service service-set ip
policy source 192.168.0.0 mask 16
policy destination any
policy 3 (38 times matched)
action permit
policy service service-set ip
policy source 172.16.0.0 mask 16
policy destination any
1. Even when the interzone policy's default action is permit, a manually configured deny rule still blocks access. For example, set the trust-to-untrust outbound default to permit:
[FW1]firewall packet-filter default permit interzone trust untrust direction outbound
The traffic is still denied, and the deny rule's hit count has increased:
[FW1]display policy interzone trust untrust outbound
17:09:35 2018/08/05
policy interzone trust untrust outbound
firewall default packet-filter is permit
policy 1 (34 times matched)
action deny
policy service service-set ip
policy source 192.168.1.20 0
policy destination any
policy 2 (80 times matched)
action permit
policy service service-set ip
policy source 192.168.0.0 mask 16
policy destination any
policy 3 (38 times matched)
action permit
policy service service-set ip
policy source 172.16.0.0 mask 16
policy destination any