Huawei firewall: server mapping (allow the server to access the Internet using the public address / no-reverse)
(1) Basic configuration
sysname SW1
#
vlan batch 10 to 11
#
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
#
interface Vlanif11
ip address 192.168.11.254 255.255.255.0
#
interface GE1/0/0
undo shutdown
port default vlan 11
#
interface GE1/0/1
undo shutdown
port default vlan 10
#
ip route-static 192.168.20.0 255.255.255.0 192.168.11.1
sysname SW2
#
vlan batch 20 to 22
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
#
interface Vlanif21
ip address 192.168.21.254 255.255.255.0
interface GE1/0/0
undo shutdown
port default vlan 21
#
interface GE1/0/1
undo shutdown
port default vlan 20
#
ip route-static 0.0.0.0 0.0.0.0 192.168.21.1
sysname SW3
#
interface Vlanif30
ip address 192.168.30.254 255.255.255.0
#
interface Vlanif31
ip address 192.168.31.254 255.255.255.0
#
interface GE1/0/0
undo shutdown
port default vlan 31
#
interface GE1/0/1
undo shutdown
port default vlan 30
#
sysname FW1
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.125.19 255.255.254.0
service-manage http permit
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.11.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.21.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.31.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
#
#
security-policy
default action permit  # the security policy permits all traffic.
#
ip route-static 192.168.10.0 255.255.255.0 192.168.11.254
ip route-static 192.168.20.0 255.255.255.0 192.168.21.254
ip route-static 192.168.30.0 255.255.255.0 192.168.31.254
#
(2) Topology
Note: PC2 can ping PC1 (192.168.10.100), and PC2 already runs a web service on port 8111, as shown below:
PC1 (192.168.10.100) can ping PC2 (192.168.20.73), as shown below:
PC1 (192.168.10.100) cannot ping the 192.168.31.0/24 network, because SW1 has no route to 192.168.31.0/24, as shown below:
(3) Configure the server mapping:
[FW1]
[FW1]nat server webxx zone untrust global 192.168.31.80 inside 192.168.20.73 no-reverse
[FW1]
Test: PC3 can access PC2's web page.
PC1 and PC2 can also ping each other.
Capture on PC1: the source and destination IP addresses of the packets PC2 sends when pinging PC1 can be seen.
View the session table on the firewall:
[FW1]display firewall session table
2025-02-28 09:48:55.760
Current Total Sessions : 3
icmp VPN: public --> public 192.168.20.73:1 --> 192.168.10.100:2048
tcp VPN: default --> default 192.168.125.181:13156 --> 192.168.125.19:8443
icmp VPN: public --> public 192.168.10.100:1 --> 192.168.20.73:2048
[FW1]
[FW1]display nat server
2025-02-28 09:48:39.570
Server in private network information:
Total 1 NAT server(s)
server name : webxx
id : 0 zone : untrust
global-start-addr : 192.168.31.80 global-end-addr : 192.168.31.80
inside-start-addr : 192.168.20.73 inside-end-addr : 192.168.20.73
global-start-port : --- global-end-port : ---
inside-start-port : --- inside-end-port : ---
globalvpn : public insidevpn : public
vsys : public protocol : ---
vrrp : --- no-revers : 1
interface : --- vrrp-bind-interface: ---
unr-route : 0 description : ---
nat-disable : 0
[FW1]
[FW1]
Remove the no-reverse keyword from "nat server webxx zone untrust global 192.168.31.80 inside 192.168.20.73 no-reverse". Removing "no-reverse" is equivalent to ticking "Allow the server to access the Internet using the public address" in the firewall's web management interface.
Test: PC3 can access PC2's web page.
PC1 can ping PC2, but PC2 cannot ping PC1.
Capture on PC1: when PC2 (192.168.20.73) pings PC1 (192.168.10.100), the packets arriving at PC1 carry source IP 192.168.31.80 instead of 192.168.20.73. SW1 has no route to 192.168.31.0/24, so PC1's replies cannot be forwarded back and PC2 cannot ping PC1. PC1 can still ping PC2.
[FW1]
[FW1]display firewall session table
2025-02-28 09:55:11.900
Current Total Sessions : 2
icmp VPN: public --> public 192.168.20.73:1[192.168.31.80:1] --> 192.168.10.100:2048
tcp VPN: default --> default 192.168.125.181:13156 --> 192.168.125.19:8443
[FW1]
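To verify the difference between the two session tables above automatically, here is an added example (not code from the page or from Huawei) that parses `display firewall session table` output and flags sessions in which FW1 rewrote an address. The `src:port[translated:port]` notation for source NAT is taken from the page's own output; handling the same bracket after the destination (destination NAT) is my assumption, as are all function and field names.

```python
"""Parse Huawei 'display firewall session table' output and report NAT activity.

Added example, not from the page. The sample tables below are copied from the
two session tables shown on this page; the regex and helpers are my own."""
import re

# src[nat_src] after the source is what the page's output shows for source NAT;
# the optional dst[nat_dst] group for destination NAT is an assumption.
SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:\s*(?P<src_vpn>\S+)\s*-->\s*(?P<dst_vpn>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?:\[(?P<nat_src>[\d.]+):(?P<nat_sport>\d+)\])?\s*-->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\[(?P<nat_dst>[\d.]+):(?P<nat_dport>\d+)\])?\s*$"
)


def parse_session_table(text):
    """Return one dict per session line; header/timestamp lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def translated_sessions(text):
    """Sessions where either the source or the destination was rewritten."""
    return [s for s in parse_session_table(text) if s["nat_src"] or s["nat_dst"]]


def server_egress_via_global(text, inside_addr, global_addr):
    """Sessions the inside server opened that leave with the global address as
    source, i.e. the behaviour seen once no-reverse is removed."""
    return [s for s in parse_session_table(text)
            if s["src"] == inside_addr and s["nat_src"] == global_addr]


# Session tables copied from this page: first with no-reverse, then without.
WITH_NO_REVERSE = """\
Current Total Sessions : 3
icmp VPN: public --> public 192.168.20.73:1 --> 192.168.10.100:2048
tcp VPN: default --> default 192.168.125.181:13156 --> 192.168.125.19:8443
icmp VPN: public --> public 192.168.10.100:1 --> 192.168.20.73:2048
"""
WITHOUT_NO_REVERSE = """\
Current Total Sessions : 2
icmp VPN: public --> public 192.168.20.73:1[192.168.31.80:1] --> 192.168.10.100:2048
tcp VPN: default --> default 192.168.125.181:13156 --> 192.168.125.19:8443
"""

if __name__ == "__main__":
    for label, table in (("with no-reverse", WITH_NO_REVERSE),
                         ("without no-reverse", WITHOUT_NO_REVERSE)):
        hits = server_egress_via_global(table, "192.168.20.73", "192.168.31.80")
        print(f"{label}: {len(parse_session_table(table))} sessions, "
              f"{len(hits)} with the server's source rewritten to the global address")
```

Run against the page's own output, the first table yields no translated sessions, while the second reports the single ICMP session whose source 192.168.20.73 left FW1 as 192.168.31.80, which is exactly the packet PC1 could not answer.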
(3.2) A route to 192.168.31.0/24 can be configured on SW1:
[~SW1]ip route-static 192.168.31.0 255.255.255.0 192.168.11.1
Result: PC1 and PC2 can reach each other again, but the source address of the packets PC1 receives from PC2 is 192.168.31.80.
If the packets PC1 receives from PC2 must carry PC2's own address as source rather than 192.168.31.80, this can be solved in the following ways.
Method 1: add the "no-reverse" parameter
Method 2: subdivide the security zones the interfaces belong to
(4.1) Method 1: add the "no-reverse" parameter
Add the no-reverse parameter to "nat server webxx zone untrust global 192.168.31.80 inside 192.168.20.73". Adding "no-reverse" is equivalent to leaving "Allow the server to access the Internet using the public address" unticked in the firewall's web management interface.
(4.2) Method 2: subdivide the security zones the interfaces belong to
(6) Topology
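The following is an added example, not code from the page or from Huawei: a small model of how the server mapping treats traffic with and without no-reverse, using the addresses and zone membership from this page. It reproduces sections (3), (3.2) and method 1 above, and also generalises to method 2 by letting PC1's interface be moved out of the mapping's zone (the page names that method but does not configure it). The `NatServer`/`Firewall` classes and helper names are mine, and PC3's host address is assumed (the page only gives its /24).

```python
"""Model of a Huawei NAT server mapping with and without no-reverse.

Added example using the page's addresses; classes and helpers are my own and
are not a Huawei API. PC3's host address is assumed."""
import ipaddress
from dataclasses import dataclass, field

PC1 = "192.168.10.100"
PC2 = "192.168.20.73"
PC3 = "192.168.30.10"        # assumed host address inside PC3's /24
GLOBAL_ADDR = "192.168.31.80"

# Zone membership from FW1's config on the page: GE1/0/0 (to SW1) and
# GE1/0/2 (to SW3) are untrust, GE1/0/1 (to SW2) is trust.
ZONE_OF_PREFIX = {
    "192.168.10.0/24": "untrust", "192.168.11.0/24": "untrust",
    "192.168.30.0/24": "untrust", "192.168.31.0/24": "untrust",
    "192.168.20.0/24": "trust",   "192.168.21.0/24": "trust",
}


def zone_of(addr, overrides=None):
    """Zone of a host; overrides lets a prefix be re-homed to another zone (method 2)."""
    zones = {**ZONE_OF_PREFIX, **(overrides or {})}
    ip = ipaddress.ip_address(addr)
    for prefix, zone in zones.items():
        if ip in ipaddress.ip_network(prefix):
            return zone
    raise ValueError(f"no zone for {addr}")


@dataclass
class NatServer:
    name: str
    zone: str            # the 'zone untrust' argument of 'nat server'
    global_addr: str
    inside_addr: str
    no_reverse: bool


@dataclass
class Firewall:
    nat_servers: list
    zone_overrides: dict = field(default_factory=dict)
    sessions: list = field(default_factory=list)

    def forward(self, src, dst):
        """Translate one packet and return the (src, dst) pair sent onward."""
        for ns in self.nat_servers:
            # Destination NAT: a host in the mapping's zone reaches the global
            # address and is steered to the inside server. Applies in both modes.
            if dst == ns.global_addr and zone_of(src, self.zone_overrides) == ns.zone:
                self.sessions.append(f"{src} --> {dst}[{ns.inside_addr}]")
                return src, ns.inside_addr
            # Source NAT for connections the server itself opens towards the
            # mapping's zone: only when no-reverse is absent (web UI: "Allow the
            # server to access the Internet using the public address" ticked).
            if (src == ns.inside_addr and not ns.no_reverse
                    and zone_of(dst, self.zone_overrides) == ns.zone):
                self.sessions.append(f"{src}[{ns.global_addr}] --> {dst}")
                return ns.global_addr, dst
        self.sessions.append(f"{src} --> {dst}")
        return src, dst


def sw1_routes(with_31_route):
    """SW1's routes from the page, optionally with the (3.2) static route added."""
    prefixes = ["192.168.10.0/24", "192.168.11.0/24", "192.168.20.0/24"]
    if with_31_route:
        prefixes.append("192.168.31.0/24")
    return [ipaddress.ip_network(p) for p in prefixes]


def pc2_ping_pc1(no_reverse, sw1_has_31_route=False, pc1_zone="untrust"):
    """Outcome of PC2 pinging PC1: can SW1 route the echo reply, and what source did PC1 see?"""
    fw = Firewall([NatServer("webxx", "untrust", GLOBAL_ADDR, PC2, no_reverse)],
                  zone_overrides={"192.168.10.0/24": pc1_zone, "192.168.11.0/24": pc1_zone})
    src_seen, _ = fw.forward(PC2, PC1)
    reply_dst = ipaddress.ip_address(src_seen)   # PC1 answers whatever source it saw
    reachable = any(reply_dst in net for net in sw1_routes(sw1_has_31_route))
    return {"reachable": reachable, "source_seen_by_pc1": src_seen, "session": fw.sessions[-1]}


def pc3_reach_web(no_reverse):
    """PC3 opens the web service on the global address; returns the inside address it lands on."""
    fw = Firewall([NatServer("webxx", "untrust", GLOBAL_ADDR, PC2, no_reverse)])
    _, inside = fw.forward(PC3, GLOBAL_ADDR)
    return inside


if __name__ == "__main__":
    print("no-reverse:              ", pc2_ping_pc1(True))
    print("without no-reverse:      ", pc2_ping_pc1(False))
    print("without, SW1 route added:", pc2_ping_pc1(False, sw1_has_31_route=True))
    print("without, PC1 in dmz:     ", pc2_ping_pc1(False, pc1_zone="dmz"))
    print("PC3 -> web lands on:     ", pc3_reach_web(True), pc3_reach_web(False))
```

The four `pc2_ping_pc1` cases map onto the page's observations in order: with no-reverse PC2's own address crosses FW1 and the reply is routable; without it the source becomes 192.168.31.80 and SW1 drops the reply until the (3.2) route exists; and moving PC1's side out of the untrust zone (method 2) keeps the mapping from touching PC2-to-PC1 traffic at all, while PC3's inbound access to the global address is translated in every case.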
Reprinting requires keeping the source: www.zh-cjh.com (Zhuhai Chen Jianhao's blog) » Huawei firewall: server mapping (allow the server to access the Internet using the public address / no-reverse)
Author: cjh