cjh 华为USG:私网用户通过NAPT访问Internet(限制公网地址对应的私网地址数)
华为USG:私网用户通过NAPT访问Internet(限制公网地址对应的私网地址数)
(1)需求
某公司在网络边界处部署了FW作为安全网关。为了使私网中192.168.1.0/24网段的用户可以正常访问Internet,需要在FW上配置源NAT策略。除了公网接口的IP地址外,公司还向ISP申请了6个IP地址(192.168.2.249~192.168.2.254)作为私网地址转换后的公网地址。当大量的内网用户上网时会导致NAT转换时端口冲突,因此需要限制公网地址对应的私网地址数,保证用户正常上网。网络环境如图所示,其中sw2是ISP提供的接入网关。
(2)拓扑
(3)配置
sw1:
interface Vlanif1
ip address 192.168.1.100 255.255.255.0
interface GE1/0/0
undo shutdown
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
sw2:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 192.168.2.100 255.255.255.0
#
fw:
aaa
manager-user admin
password cipher @%@%dh[dSye2Y1ZNa`W|"kn*I8Pe#|sy/^'(J.[z3\V8z\D58PhI@%@%
service-type web terminal telnet
level 15
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 10.12.3.3 255.255.0.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.2.254 255.255.255.0
service-manage ping permit
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
security-policy
default action permit
测试:目前sw1是ping不通sw2的
<sw1>ping 192.168.2.100
PING 192.168.2.100: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.2.100 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<sw1>
(4.1)配置NAT地址池,配置时开启允许端口地址转换,实现公网地址复用,同时配置私网与公网地址比例为256:1。
nat address-group addressgroup1 0
mode pat
route enable
srcip-car-num 256
section 0 192.168.2.249 192.168.2.254
(4.2)配置源NAT策略,实现私网指定网段访问Internet时自动进行源地址转换。
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addressgroup1
(4.3)在FW上配置缺省路由,使私网流量可以正常转发至ISP的路由器。
[USG6000V2]ip route-static 0.0.0.0 0.0.0.0 192.168.2.100
测试:
<sw1>ping -c 40 192.168.2.100
PING 192.168.2.100: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.100: bytes=56 Sequence=1 ttl=254 time=132 ms
Reply from 192.168.2.100: bytes=56 Sequence=2 ttl=254 time=6 ms
Reply from 192.168.2.100: bytes=56 Sequence=3 ttl=254 time=6 ms
Reply from 192.168.2.100: bytes=56 Sequence=4 ttl=254 time=7 ms
Reply from 192.168.2.100: bytes=56 Sequence=5 ttl=254 time=5 ms
Reply from 192.168.2.100: bytes=56 Sequence=6 ttl=254 time=6 ms
[USG6000V2]display firewall session table
2023-02-09 08:02:11.550
Current Total Sessions : 11
NetBios VPN: default --> default 10.12.12.217:137 --> 10.12.255.255:137
tcp VPN: default --> default 10.12.18.99:1066 --> 10.12.3.3:8443
tcp VPN: public --> public 192.168.2.254:59841 --> 192.168.0.1:1024
NetBios VPN: default --> default 10.12.160.10:137 --> 10.12.255.255:137
SMB VPN: default --> default 10.12.12.150:138 --> 10.12.255.255:138
tcp VPN: default --> default 10.12.18.99:1428 --> 10.12.3.3:8443
icmp VPN: public --> public 192.168.1.100:9216[192.168.2.249:2048] --> 192.168.2.100:2048
tcp VPN: default --> default 10.12.18.99:1042 --> 10.12.3.3:8443
tcp VPN: default --> default 10.12.18.99:1429 --> 10.12.3.3:8443
tcp VPN: default --> default 10.12.18.99:1430 --> 10.12.3.3:8443
tcp VPN: default --> defaul
2、本资源基本为原创,部分来源其他付费资源平台或互联网收集,如有侵权请联系及时处理。
3、本站大部分文章的截图来源实验测试环境,请不要在生产环境中随意模仿,以免带来灾难性后果。
转载请保留出处: www.zh-cjh.com珠海陈坚浩博客 » 华为USG:私网用户通过NAPT访问Internet(限制公网地址对应的私网地址数)
作者: cjh
| 手机扫一扫,手机上查看此文章: |
一切源于价值!
其他 模板文件不存在: ./template/plugins/comment/pc/index.htm