Huawei USG: private-network users access the Internet through NAPT (no limit on the number of private addresses per public address)
(1) Requirements
A company has deployed a FW as the security gateway at its network border.
To let users on the private subnet 192.168.1.0/24 access the Internet normally, a source NAT policy must be configured on the FW.
In addition to the IP address of the public-facing interface, the company has obtained six more IP addresses from the ISP (192.168.2.249~192.168.2.254) to serve as the public addresses that private addresses are translated to. The network environment is shown in the figure, where sw2 is the access gateway provided by the ISP.
(2) Topology
(3) Basic configuration
sw1:
interface Vlanif1
ip address 192.168.1.100 255.255.255.0
interface GE1/0/0
undo shutdown
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
sw2:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 192.168.2.100 255.255.255.0
#
fw:
aaa
manager-user admin
password cipher @%@%dh[dSye2Y1ZNa`W|"kn*I8Pe#|sy/^'(J.[z3\V8z\D58PhI@%@%
service-type web terminal telnet
level 15
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 10.12.3.3 255.255.0.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.2.254 255.255.255.0
service-manage ping permit
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
security-policy
default action permit
Test: at this point sw1 cannot ping sw2
<sw1>ping 192.168.2.100
PING 192.168.2.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.2.100 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<sw1>
(4.1) Configure the NAT address pool. Enable port address translation (PAT) in the pool so that each public address can be reused by many private hosts.
nat address-group addressgroup1
mode pat
route enable
section 0 192.168.2.249 192.168.2.254
(4.2) Configure the source NAT policy so that source address translation is performed automatically when the specified private subnet accesses the Internet.
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addressgroup1
(4.3) Configure a default route on the FW so that private-network traffic can be forwarded to the ISP's router.
[USG6000V2]ip route-static 0.0.0.0 0.0.0.0 192.168.2.100
Test:
<sw1>ping -c 40 192.168.2.102
PING 192.168.2.102: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
--- 192.168.2.102 ping statistics ---
4 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<sw1>
<sw1>ping -c 40 192.168.2.100
PING 192.168.2.100: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.100: bytes=56 Sequence=1 ttl=254 time=41 ms
Reply from 192.168.2.100: bytes=56 Sequence=2 ttl=254 time=6 ms
Reply from 192.168.2.100: bytes=56 Sequence=3 ttl=254 time=7 ms
Reply from 192.168.2.100: bytes=56 Sequence=4 ttl=254 time=8 ms
Reply from 192.168.2.100: bytes=56 Sequence=5 ttl=254 time=7 ms
Reply from 192.168.2.100: bytes=56 Sequence=6 ttl=254 time=6 ms
[USG6000V2]display firewall session table
2023-02-09 06:45:19.530
Current Total Sessions : 5
tcp VPN: public --> public 192.168.2.254:59265 --> 192.168.0.1:1024
icmp VPN: public --> public 192.168.1.100:25600[192.168.2.254:2054] --> 192.168.2.100:2048
tcp VPN: default --> default 10.12.18.99:14576 --> 10.12.3.3:8443
SMB VPN: default --> default 10.12.160.10:138 --> 10.12.255.255:138
icmp VPN: public --> public 192.168.1.100:1088[192.168.2.254:2049] --> 192.168.2.102:2048
[USG6000V2]
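The session table above is the evidence that policy_nat1 is doing its job: the bracketed address after each 192.168.1.100 entry is the translated source, and it must fall inside addressgroup1 (192.168.2.249~192.168.2.254). The following Python script is an added example, not part of the original post or of Huawei's software. It parses the session-table lines copied from the output above, skips sessions that do not originate in 192.168.1.0/24, and reports any private-sourced session that left the FW untranslated or translated to an address outside the pool. Either finding means the NAT policy or the pool is misconfigured and RFC 1918 source addresses are reaching the ISP. The line format and the pool range are taken from the post; the function names are this example's own.

```python
"""Audit 'display firewall session table' output against the NAPT address pool.

Added example (not from the original post). SAMPLE_OUTPUT is copied from the
session-table output shown above; PRIVATE_NET and the pool bounds are the
values the post configures for addressgroup1 and policy_nat1.
"""
import ipaddress
import re

# Values from the post's configuration.
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
POOL_START = ipaddress.ip_address("192.168.2.249")
POOL_END = ipaddress.ip_address("192.168.2.254")

# One entry looks like:
#   <proto> VPN: <src-vpn> --> <dst-vpn> <src>:<port>[<nat-src>:<nat-port>] --> <dst>:<port>
# The bracketed part is present only when source NAT was applied to the session.
_SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*(?P<svpn>\S+)\s*-->\s*(?P<dvpn>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nsrc>[\d.]+):(?P<nport>\d+)\])?"
    r"\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Copied from the 'display firewall session table' output in the post.
SAMPLE_OUTPUT = """\
2023-02-09 06:45:19.530
Current Total Sessions : 5
tcp VPN: public --> public 192.168.2.254:59265 --> 192.168.0.1:1024
icmp VPN: public --> public 192.168.1.100:25600[192.168.2.254:2054] --> 192.168.2.100:2048
tcp VPN: default --> default 10.12.18.99:14576 --> 10.12.3.3:8443
SMB VPN: default --> default 10.12.160.10:138 --> 10.12.255.255:138
icmp VPN: public --> public 192.168.1.100:1088[192.168.2.254:2049] --> 192.168.2.102:2048
"""


def parse_session(line):
    """Return a dict for one session line, or None for timestamps/headers/blank lines."""
    m = _SESSION_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["translated"] = entry["nsrc"] is not None
    return entry


def parse_session_table(text):
    """Parse every session line in a block of command output."""
    return [s for s in (parse_session(l) for l in text.splitlines()) if s]


def in_pool(addr):
    """True if addr lies within the addressgroup1 section."""
    return POOL_START <= ipaddress.ip_address(addr) <= POOL_END


def audit_nat(sessions, private_net=PRIVATE_NET):
    """Split private-sourced sessions into (ok, leaked).

    ok:     translated to an address inside the pool, as policy_nat1 intends.
    leaked: left untranslated, or translated to an address outside the pool.
    Sessions whose source is outside private_net (management traffic here)
    are not subject to the policy and are ignored.
    """
    ok, leaked = [], []
    for s in sessions:
        if ipaddress.ip_address(s["src"]) not in private_net:
            continue
        if s["translated"] and in_pool(s["nsrc"]):
            ok.append(s)
        else:
            leaked.append(s)
    return ok, leaked


if __name__ == "__main__":
    good, bad = audit_nat(parse_session_table(SAMPLE_OUTPUT))
    for s in good:
        print(f"OK   {s['proto']:4} {s['src']}:{s['sport']} -> "
              f"{s['nsrc']}:{s['nport']} -> {s['dst']}:{s['dport']}")
    for s in bad:
        print(f"LEAK {s['proto']:4} {s['src']}:{s['sport']} -> "
              f"{s['dst']}:{s['dport']} (not translated into the pool)")
```

Run it against a pasted copy of the session table after any change to the NAT policy or the pool; a LEAK line for a 192.168.1.x source is the quickest sign that the rule's source-zone, destination-zone or source-address no longer matches the traffic, or that the route enable / pool section was changed.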
Source: www.zh-cjh.com (珠海陈坚浩博客) » Huawei USG: private-network users access the Internet through NAPT (no limit on the number of private addresses per public address)
Author: cjh