NAT configuration on a USG firewall


Many newcomers are unsure how to configure NAT on a USG firewall. The walkthrough below covers it step by step; anyone who needs this should find it useful.

Learning objectives

- Learn how to configure NAT Server on a USG firewall.
- Learn how to configure NAT Easy-IP on a USG firewall.

Topology

You are the company's network administrator. The company uses a firewall to separate its network into three zones. A server in the DMZ zone (IP address 10.0.3.3) provides a telnet service that must be published to the outside at the public address 10.0.10.20/24, and users in the internal Trust zone must reach the external zone through Easy-IP. Access in every other direction is denied.

On the switch, interfaces G0/0/1 and G0/0/21 are placed in VLAN 11, G0/0/2 and G0/0/22 in VLAN 12, and G0/0/3 and G0/0/23 in VLAN 13, giving three separate subnets.

Learning tasks

Step 1. Basic configuration and IP addressing

First configure the addresses on the three routers.

    [Huawei]sysname R1
    [R1]interface g0/0/1
    [R1-GigabitEthernet0/0/1]ip add 10.0.10.1 24
    [R1-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/1
    [R1-GigabitEthernet0/0/1]interface loopback0
    [R1-LoopBack0]ip add 10.0.1.1 24
    [R1-LoopBack0]q

    [Huawei]sysname R2
    [R2]interface g0/0/1
    [R2-GigabitEthernet0/0/1]ip add 10.0.20.2 24
    [R2-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/2
    [R2-GigabitEthernet0/0/1]interface loopback0
    [R2-LoopBack0]ip add 10.0.2.2 24
    [R2-LoopBack0]q

    [Huawei]sysname R3
    [R3]interface g0/0/1
    [R3-GigabitEthernet0/0/1]ip add 10.0.30.3 24
    [R3-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/3
    [R3-GigabitEthernet0/0/1]interface loopback0
    [R3-LoopBack0]ip add 10.0.3.3 24
    [R3-LoopBack0]q

When addressing the firewall, G0/0/1 gets 10.0.20.254/24. Note that G0/0/0 is the management interface and ships with a default address and DHCP server configuration, which is removed before the lab address is applied.

    [SRG]sysname FW
    13:06:03 2014/07/08
    [FW]interface g0/0/1
    13:06:30 2014/07/08
    [FW-GigabitEthernet0/0/1]ip add 10.0.20.254 24
    13:07:01 2014/07/08
    [FW-GigabitEthernet0/0/1]desc this port connect to S1-G0/0/22
    13:07:52 2014/07/08
    [FW-GigabitEthernet0/0/1]interface g0/0/0
    13:08:23 2014/07/08
    [FW-GigabitEthernet0/0/0]dis this
    13:08:31 2014/07/08
    #
    interface GigabitEthernet0/0/0
     alias GE0/MGMT
     ip address 192.168.0.1 255.255.255.0
     dhcp select interface
     dhcp server gateway-list 192.168.0.1
    #
    return
    [FW-GigabitEthernet0/0/0]undo ip add
    13:08:42 2014/07/08
    Info: The DHCP server configuration on this interface will be deleted.
    [FW-GigabitEthernet0/0/0]display this
    13:08:46 2014/07/08
    #
    interface GigabitEthernet0/0/0
     alias GE0/MGMT
    #
    return
    [FW-GigabitEthernet0/0/0]ip add 10.0.10.254 24
    13:09:29 2014/07/08
    [FW-GigabitEthernet0/0/0]desc this port connect to S1-G0/0/21
    13:10:05 2014/07/08
    [FW-GigabitEthernet0/0/0]interface G0/0/2
    13:10:15 2014/07/08
    [FW-GigabitEthernet0/0/2]ip add 10.0.30.254 24
    13:10:28 2014/07/08
    [FW-GigabitEthernet0/0/2]desc this port connect to S1-G0/0/23
    13:10:53 2014/07/08
    [FW-GigabitEthernet0/0/2]q

On the switch, define the VLANs as required.

    [Huawei]sysname S1
    [S1]vlan batch 11 to 13
    Info: This operation may take a few seconds. Please wait for a moment...done.
    [S1]interface g0/0/1
    [S1-GigabitEthernet0/0/1]port link-type access
    [S1-GigabitEthernet0/0/1]port default vlan 11
    [S1]interface g0/0/2
    [S1-GigabitEthernet0/0/2]port link-type access
    [S1-GigabitEthernet0/0/2]port default vlan 12
    [S1-GigabitEthernet0/0/2]interface g0/0/3
    [S1-GigabitEthernet0/0/3]port link-type access
    [S1-GigabitEthernet0/0/3]port default vlan 13
    [S1-GigabitEthernet0/0/3]interface g0/0/21
    [S1-GigabitEthernet0/0/21]port link-type access
    [S1-GigabitEthernet0/0/21]port default vlan 11
    [S1-GigabitEthernet0/0/21]interface g0/0/22
    [S1-GigabitEthernet0/0/22]port link-type access
    [S1-GigabitEthernet0/0/22]port default vlan 12
    [S1-GigabitEthernet0/0/22]interface g0/0/23
    [S1-GigabitEthernet0/0/23]port link-type access
    [S1-GigabitEthernet0/0/23]port default vlan 13

Step 2. Assign the interfaces to security zones

The firewall has four zones by default: local, trust, untrust and dmz. This lab uses trust, untrust and dmz. Add G0/0/0 to untrust, G0/0/2 to dmz and G0/0/1 to trust. As the display output shows, the management interface G0/0/0 is already a member of trust by default, so it is removed from that zone first.

    [FW]firewall zone trust
    13:45:31 2014/07/08
    [FW-zone-trust]dis this
    13:45:35 2014/07/08
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/0
    #
    return
    [FW-zone-trust]undo add inter
    [FW-zone-trust]undo add interface g0/0/0
    13:46:01 2014/07/08
    [FW-zone-trust]add interface g0/0/1
    13:46:22 2014/07/08
    [FW-zone-trust]firewall zone untrust
    [FW-zone-untrust]add interface g0/0/0
    13:47:24 2014/07/08
    [FW-zone-untrust]firewall zone dmz
    13:48:06 2014/07/08
    [FW-zone-dmz]add interface g0/0/2
    13:48:13 2014/07/08
    [FW-zone-dmz]q

By default the firewall does not allow traffic between any zones other than local. To make it easier to verify the configuration, first set the default interzone packet filter to permit all traffic, then test connectivity from the FW. The device warns that this setting is a security risk; since the task requires every other direction to be denied, the default filter should be returned to deny once the explicit policies of Step 4 are in place, so that only the permitted flows pass.

    [FW]firewall packet-filter default permit all
    13:51:19 2014/07/08
    Warning: Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue?[Y/N]y
    [FW]ping -c 1 10.0.10.1
    13:51:56 2014/07/08
      PING 10.0.10.1: 56  data bytes, press CTRL_C to break
        Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=90 ms

      --- 10.0.10.1 ping statistics ---
        1 packet(s) transmitted
        1 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 90/90/90 ms

    [FW]ping -c 1 10.0.20.2
    13:52:08 2014/07/08
      PING 10.0.20.2: 56  data bytes, press CTRL_C to break
        Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=400 ms

      --- 10.0.20.2 ping statistics ---
        1 packet(s) transmitted
        1 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 400/400/400 ms

    [FW]ping -c 1 10.0.30.3
    13:52:18 2014/07/08
      PING 10.0.30.3: 56  data bytes, press CTRL_C to break
        Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=410 ms

      --- 10.0.30.3 ping statistics ---
        1 packet(s) transmitted
        1 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 410/410/410 ms

Step 3. Configure static routes for connectivity

Configure default routes on R2 and R3 and explicit static routes on the FW so that the three loopback0 interfaces can reach one another. R1 needs no default route: it plays the role of the Internet device and must not know the private networks of the internal and DMZ zones.

    [R2]ip route-static 0.0.0.0 0 10.0.20.254
    [R3]ip route-static 0.0.0.0 0 10.0.30.254
    [FW]ip route-static 10.0.1.0 24 10.0.10.1
    13:58:26 2014/07/08
    [FW]ip route-static 10.0.2.0 24 10.0.20.2
    13:58:40 2014/07/08
    [FW]ip route-static 10.0.3.0 24 10.0.30.3
    13:58:52 2014/07/08

Test connectivity from the firewall to 10.0.1.0, 10.0.2.0 and 10.0.3.0.

    [FW]ping -c 1 10.0.1.1
    14:00:18 2014/07/08
      PING 10.0.1.1: 56  data bytes, press CTRL_C to break
        Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms

      --- 10.0.1.1 ping statistics ---
        1 packet(s) transmitted
        1 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 80/80/80 ms

    [FW]ping -c 1 10.0.2.2
    14:00:25 2014/07/08
      PING 10.0.2.2: 56  data bytes, press CTRL_C to break
        Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms

      --- 10.0.2.2 ping statistics ---
        1 packet(s) transmitted
        1 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 170/170/170 ms

    [FW]ping -c 1 10.0.3.3
    14:00:29 2014/07/08
      PING 10.0.3.3: 56  data bytes, press CTRL_C to break
        Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms

      --- 10.0.3.3 ping statistics ---
        1 packet(s) transmitted
        1 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 110/110/110 ms

With the current configuration all zones can communicate with one another without being inspected. However, because no NAT has been defined yet, the external zone and the internal and DMZ zones cannot reach each other.

Step 4. Configure interzone security filtering

Permit packets from the 10.0.2.0/24 subnet of the Trust zone towards the Untrust zone, and permit telnet requests from the Untrust zone to the DMZ server 10.0.3.3. Note that the inbound policy matches on the server's real address 10.0.3.3 rather than on the published address: the NAT server mapping of Step 6 is applied before the interzone policy is evaluated, so the policy sees the translated destination.

    [FW]firewall session link-state check
    [FW]policy interzone trust untrust outbound
    [FW-policy-interzone-trust-untrust-outbound]policy 0
    14:06:57 2014/07/08
    [FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
    14:07:18 2014/07/08
    [FW-policy-interzone-trust-untrust-outbound-0]action permit
    14:07:31 2014/07/08
    [FW-policy-interzone-trust-untrust-outbound-0]q
    14:07:40 2014/07/08
    [FW-policy-interzone-trust-untrust-outbound]q
    14:07:40 2014/07/08
    [FW]policy interzone dmz untrust inbound
    14:09:01 2014/07/08
    [FW-policy-interzone-dmz-untrust-inbound]policy 0
    14:09:08 2014/07/08
    [FW-policy-interzone-dmz-untrust-inbound-0]policy destination 10.0.3.3 0
    14:09:37 2014/07/08
    [FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
    [FW-policy-interzone-dmz-untrust-inbound-0]action permit
    14:09:55 2014/07/08
    [FW-policy-interzone-dmz-untrust-inbound-0]q
    14:09:55 2014/07/08

Step 5. Configure Easy-IP for access from the Trust zone to the Untrust zone

Configure source NAT using Easy-IP and bind the NAT policy to the outbound interface.

    [FW]nat-policy interzone trust untrust outbound
    [FW-nat-policy-interzone-trust-untrust-outbound]policy 0
    14:14:00 2014/07/08
    [FW-nat-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
    14:14:26 2014/07/08
    [FW-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
    14:14:37 2014/07/08
    [FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ip g0/0/0
    14:14:51 2014/07/08
    [FW-nat-policy-interzone-trust-untrust-outbound-0]q

Once this is configured, verify that the Trust zone can reach the Untrust zone (the pings below are sent from R2).

    ping 10.0.1.1
      PING 10.0.1.1: 56  data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out

      --- 10.0.1.1 ping statistics ---
        5 packet(s) transmitted
        0 packet(s) received
        100.00% packet loss

    ping -a 10.0.2.2 10.0.1.1
      PING 10.0.1.1: 56  data bytes, press CTRL_C to break
        Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=220 ms
        Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=100 ms
        Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms
        Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=120 ms
        Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=440 ms

      --- 10.0.1.1 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 100/196/440 ms

Note that a plain ping to 10.0.1.1 fails, while an extended ping with the source address set to 10.0.2.2 succeeds. When R2 pings 10.0.1.1 directly, the packet carries the source address 10.0.20.2 (R2's G0/0/1 address), which is not within the client address range that the NAT policy translates, so the packet is forwarded with its private source address and cannot be answered.

Step 6. Publish the internal server 10.0.3.3

Map the telnet service of the internal server 10.0.3.3 to the address 10.0.10.20.

    [FW]nat server protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet

Enable telnet on R3 and test from R1. Because the published address is 10.0.10.20, R1 must use 10.0.10.20 as the destination when it accesses 10.0.3.3.

    [R3]user-interface vty 0 4
    [R3-ui-vty0-4]authentication-mode password
    Please configure the login password (maximum length 16):16
    [R3-ui-vty0-4]set authentication password ?
      cipher  Set the password with cipher text
    [R3-ui-vty0-4]set authentication password cip
    [R3-ui-vty0-4]set authentication password cipher Huawei
    [R3-ui-vty0-4]user privilege level 3
    [R3-ui-vty0-4]q

On R1:

    telnet 10.0.10.20
      Press CTRL_] to quit telnet mode
      Trying 10.0.10.20 ...
      Connected to 10.0.10.20 ...

    Login authentication

    Password:
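As an added illustration (not part of the original article and not Huawei code), the following Python model reproduces the firewall's decisions for the flows tested in Steps 4 to 6: the nat server mapping is applied before the interzone policy lookup, the policy decides, and easy-ip source translation runs last. The zone table, the forward() helper and the default_permit switch are assumptions made for this model; the addresses, policies and mappings are the ones configured above.

```python
import ipaddress

# Constructed from the lab addressing: each subnet and the zone it is reached through.
ZONE_OF = {ipaddress.ip_network(n): z for n, z in {
    "10.0.10.0/24": "untrust", "10.0.1.0/24": "untrust",   # behind FW G0/0/0 (R1)
    "10.0.20.0/24": "trust",   "10.0.2.0/24": "trust",     # behind FW G0/0/1 (R2)
    "10.0.30.0/24": "dmz",     "10.0.3.0/24": "dmz",       # behind FW G0/0/2 (R3)
}.items()}
EASY_IP = "10.0.10.254"                                     # FW G0/0/0, the easy-ip interface
NAT_SERVER = {("tcp", "10.0.10.20", 23): ("10.0.3.3", 23)}  # nat server ... telnet inside 10.0.3.3
# Interzone policies: (from zone, to zone, source net, destination net, service or None).
POLICIES = [
    ("trust", "untrust", "10.0.2.0/24", "0.0.0.0/0", None),       # trust-untrust outbound, policy 0
    ("untrust", "dmz", "0.0.0.0/0", "10.0.3.3/32", ("tcp", 23)),  # dmz-untrust inbound, policy 0
]
SNAT_POLICIES = [("trust", "untrust", "10.0.2.0/24")]           # nat-policy: source-nat, easy-ip

def zone_of(ip):
    """Zone a packet arrives from or is forwarded to, looked up via the lab's routes."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_OF.items():
        if addr in net:
            return zone
    raise ValueError(f"no route to {ip}")

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def forward(src, dst, proto="icmp", dport=None, default_permit=False):
    """Decision for one packet; default_permit mirrors 'firewall packet-filter default permit all'."""
    # 1. nat server (destination NAT) runs before the policy lookup, which is why the
    #    inbound policy matches the real address 10.0.3.3 rather than 10.0.10.20.
    dst, dport = NAT_SERVER.get((proto, dst, dport), (dst, dport))
    fz, tz = zone_of(src), zone_of(dst)
    # 2. Interzone security policy: first matching rule wins, otherwise the default applies.
    permitted = default_permit
    for pf, pt, psrc, pdst, svc in POLICIES:
        if (pf, pt) == (fz, tz) and in_net(src, psrc) and in_net(dst, pdst) \
                and svc in (None, (proto, dport)):
            permitted = True
            break
    if not permitted:
        return {"action": "deny", "src": src, "dst": dst, "dport": dport}
    # 3. easy-ip source NAT runs after the policy decision. A source outside 10.0.2.0/24
    #    (e.g. R2's interface address 10.0.20.2) leaves untranslated, so R1 cannot reply.
    for pf, pt, psrc in SNAT_POLICIES:
        if (pf, pt) == (fz, tz) and in_net(src, psrc):
            src = EASY_IP
    return {"action": "permit", "src": src, "dst": dst, "dport": dport}
```

Calling forward("10.0.20.2", "10.0.1.1", default_permit=True) returns the packet with its private source intact, which is the failed ping of Step 5, while the same call with source 10.0.2.2 returns it translated to 10.0.10.254.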
