2025-03-29 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
Many newcomers are not clear about NAT configuration on the USG firewall. To help with this, the following explains it in detail; anyone who needs it is welcome to follow along, and I hope you gain something from it.
USG firewall NAT configuration
Learning objectives
Master the method of configuring NAT Server on the USG firewall
Master the method of configuring NAT Easy IP on the USG firewall
Topology diagram
Scenario:
You are the network administrator of the company. The company uses a firewall to divide the network into three zones. A server in the DMZ zone (IP address 10.0.3.3) provides a telnet service that is to be published on the public address 10.0.10.20/24. Users in the Trust zone of the internal network access the external zone through Easy-IP. Access in all other directions is prohibited.
On the switch, interfaces G0/0/1 and G0/0/21 are assigned to VLAN 11, G0/0/2 and G0/0/22 to VLAN 12, and G0/0/3 and G0/0/23 to VLAN 13, giving three separate network segments.
Learning task
Step one. Basic configuration and IP addressing
First configure address information for the three routers.
[Huawei] sysname R1
[R1] interface g0/0/1
[R1-GigabitEthernet0/0/1] ip add 10.0.10.1 24
[R1-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/1
[R1-GigabitEthernet0/0/1] interface loopback0
[R1-LoopBack0] ip add 10.0.1.1 24
[R1-LoopBack0] q
[Huawei] sysname R2
[R2] interface g0/0/1
[R2-GigabitEthernet0/0/1] ip add 10.0.20.2 24
[R2-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/2
[R2-GigabitEthernet0/0/1] interface loopback0
[R2-LoopBack0] ip add 10.0.2.2 24
[R2-LoopBack0] q
[Huawei] sysname R3
[R3] interface g0/0/1
[R3-GigabitEthernet0/0/1] ip add 10.0.30.3 24
[R3-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/3
[R3-GigabitEthernet0/0/1] interface loopback0
[R3-LoopBack0] ip add 10.0.3.3 24
[R3-LoopBack0] q
When configuring addresses on the firewall, G0/0/1 is configured with 10.0.20.254/24. G0/0/0 carries a factory default management address and DHCP server configuration, which is removed before it is given 10.0.10.254/24; G0/0/2 is configured with 10.0.30.254/24.
[SRG] sysname FW
13:06:03 2014-07-08
[FW] interface g0/0/1
13:06:30 2014-07-08
[FW-GigabitEthernet0/0/1] ip add 10.0.20.254 24
13:07:01 2014-07-08
[FW-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/22
13:07:52 2014-07-08
[FW-GigabitEthernet0/0/1] interface g0/0/0
13:08:23 2014-07-08
[FW-GigabitEthernet0/0/0] dis this
13:08:31 2014-07-08
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
return
[FW-GigabitEthernet0/0/0] undo ip add
13:08:42 2014-07-08
Info: The DHCP server configuration on this interface will be deleted.
[FW-GigabitEthernet0/0/0] display this
13:08:46 2014-07-08
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
#
return
[FW-GigabitEthernet0/0/0] ip add 10.0.10.254 24
13:09:29 2014-07-08
[FW-GigabitEthernet0/0/0] desc this port connect to S1-G0/0/21
13:10:05 2014-07-08
[FW-GigabitEthernet0/0/0] interface G0/0/2
13:10:15 2014-07-08
[FW-GigabitEthernet0/0/2] ip add 10.0.30.254 24
13:10:28 2014-07-08
[FW-GigabitEthernet0/0/2] desc this port connect to S1-G0/0/23
13:10:53 2014-07-08
[FW-GigabitEthernet0/0/2] q
VLANs need to be defined on the switch according to the requirements.
[Huawei] sysname S1
[S1] vlan batch 11 to 13
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 11
[S1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type access
[S1-GigabitEthernet0/0/2] port default vlan 12
[S1-GigabitEthernet0/0/2] interface g0/0/3
[S1-GigabitEthernet0/0/3] port link-type access
[S1-GigabitEthernet0/0/3] port default vlan 13
[S1-GigabitEthernet0/0/3] interface g0/0/21
[S1-GigabitEthernet0/0/21] port link-type access
[S1-GigabitEthernet0/0/21] port default vlan 11
[S1-GigabitEthernet0/0/21] interface g0/0/22
[S1-GigabitEthernet0/0/22] port link-type access
[S1-GigabitEthernet0/0/22] port default vlan 12
[S1-GigabitEthernet0/0/22] interface g0/0/23
[S1-GigabitEthernet0/0/23] port link-type access
[S1-GigabitEthernet0/0/23] port default vlan 13
Step two. Assign the interfaces to security zones
By default, the firewall has four zones: local, trust, untrust and dmz.
In this experiment we use three zones: trust, untrust and dmz. Add G0/0/0 to the untrust zone, G0/0/2 to dmz and G0/0/1 to trust.
[FW] firewall zone trust
13:45:31 2014-07-08
[FW-zone-trust] dis this
13:45:35 2014-07-08
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
return
[FW-zone-trust] undo add inter
[FW-zone-trust] undo add interface g0/0/0
13:46:01 2014-07-08
[FW-zone-trust] add interface g0/0/1
13:46:22 2014-07-08
[FW-zone-trust] firewall zone untrust
[FW-zone-untrust] add interface g0/0/0
13:47:24 2014-07-08
[FW-zone-untrust] firewall zone dmz
13:48:06 2014-07-08
[FW-zone-dmz] add interface g0/0/2
13:48:13 2014-07-08
[FW-zone-dmz] q
By default, the firewall does not allow communication between zones, apart from the local zone. To verify that the configuration so far is correct, we first set the default inter-zone packet filter to permit all traffic, then test connectivity from the FW once the configuration is complete.
[FW] firewall packet-filter default permit all
13:51:19 2014-07-08
Warning: Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Are
you sure you want to continue? [Y/N] y
[FW] ping -c 1 10.0.10.1
13:51:56 2014-07-08
PING 10.0.10.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=90 ms
--- 10.0.10.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 90/90/90 ms
[FW] ping -c 1 10.0.20.2
13:52:08 2014-07-08
PING 10.0.20.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=400 ms
--- 10.0.20.2 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 400/400/400 ms
[FW] ping -c 1 10.0.30.3
13:52:18 2014-07-08
PING 10.0.30.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=410 ms
--- 10.0.30.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 410/410/410 ms
Step three. Configure static routes to achieve network connectivity
Configure default routes on R2 and R3, and specific static routes on FW, so that the three loopback0 interfaces can reach each other. R1 does not need a default route: as the Internet-side device, it should not know the private networks of the internal and DMZ zones.
[R2] ip route-static 0.0.0.0 0 10.0.20.254
[R3] ip route-static 0.0.0.0 0 10.0.30.254
[FW] ip route-static 10.0.1.0 24 10.0.10.1
13:58:26 2014-07-08
[FW] ip route-static 10.0.2.0 24 10.0.20.2
13:58:40 2014-07-08
[FW] ip route-static 10.0.3.0 24 10.0.30.3
13:58:52 2014-07-08
Test connectivity from the firewall to the 10.0.1.0, 10.0.2.0 and 10.0.3.0 networks.
[FW] ping -c 1 10.0.1.1
14:00:18 2014-07-08
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms
--- 10.0.1.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/80/80 ms
[FW] ping -c 1 10.0.2.2
14:00:25 2014-07-08
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms
--- 10.0.2.2 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 170/170/170 ms
[FW] ping -c 1 10.0.3.3
14:00:29 2014-07-08
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms
--- 10.0.3.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 110/110/110 ms
Under the current configuration, all zones can communicate with each other without any filtering. However, because NAT has not yet been defined, the external zone cannot exchange traffic with the internal and DMZ zones.
Step four. Configure security filtering between zones
Permit packets sent from the 10.0.2.0/24 segment in the Trust zone to the Untrust zone, and permit telnet requests sent from the Untrust zone to the DMZ server 10.0.3.3.
[FW] firewall session link-state check
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 0
14:06:57 2014-07-08
[FW-policy-interzone-trust-untrust-outbound-0] policy source 10.0.2.0 0.0.0.255
14:07:18 2014-07-08
[FW-policy-interzone-trust-untrust-outbound-0] action permit
14:07:31 2014-07-08
[FW-policy-interzone-trust-untrust-outbound-0] q
14:07:40 2014-07-08
[FW-policy-interzone-trust-untrust-outbound] q
14:07:40 2014-07-08
[FW] policy interzone dmz untrust inbound
14:09:01 2014-07-08
[FW-policy-interzone-dmz-untrust-inbound] policy 0
14:09:08 2014-07-08
[FW-policy-interzone-dmz-untrust-inbound-0] policy destination 10.0.3.3 0
14:09:37 2014-07-08
[FW-policy-interzone-dmz-untrust-inbound-0] policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-0] action permit
14:09:55 2014-07-08
[FW-policy-interzone-dmz-untrust-inbound-0] q
14:09:55 2014-07-08
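Both policies above are permit rules, and the "firewall packet-filter default permit all" set in step two is still in effect, so at this point the firewall denies nothing between zones; the scenario's requirement that all other access be prohibited is only met once that default is reverted. The following Python script is an added example for this page (not Huawei tooling) that audits a CLI transcript for exactly that condition and for permit rules without meaningful match conditions. The transcript it checks is constructed from the commands shown in steps two and four.

```python
"""Audit a USG CLI transcript for inter-zone filtering that is weaker than it looks.
Added example for this page, not Huawei tooling.  SAMPLE_TRANSCRIPT is constructed
from the commands in steps two and four of the article."""
import re

SAMPLE_TRANSCRIPT = """\
firewall packet-filter default permit all
policy interzone trust untrust outbound
 policy 0
  policy source 10.0.2.0 0.0.0.255
  action permit
policy interzone dmz untrust inbound
 policy 0
  policy destination 10.0.3.3 0
  policy service service-set telnet
  action permit
"""


def parse_policies(text):
    """Collect each 'policy N' under its 'policy interzone A B direction' header,
    recording which match conditions (source/destination/service) it carries."""
    rules, header, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"policy interzone (\S+) (\S+) (inbound|outbound)$", line):
            header = m.groups()
        elif header and (m := re.match(r"policy (\d+)$", line)):
            current = {"interzone": header, "id": int(m.group(1)),
                       "conditions": set(), "action": None}
            rules.append(current)
        elif current and (m := re.match(r"policy (source|destination|service)\b", line)):
            current["conditions"].add(m.group(1))
        elif current and (m := re.match(r"action (permit|deny)$", line)):
            current["action"] = m.group(1)
    return rules


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if re.search(r"^\s*firewall packet-filter default permit all\s*$", text, re.M):
        findings.append("default inter-zone action is permit: permit-only policies "
                        "restrict nothing until this default is reverted")
    for r in parse_policies(text):
        where = "policy interzone {} {} {}, policy {}".format(*r["interzone"], r["id"])
        if r["action"] == "permit" and not r["conditions"]:
            findings.append(where + ": permit with no source, destination or service condition")
        elif (r["action"] == "permit" and r["interzone"][2] == "inbound"
              and "service" not in r["conditions"]):
            # Inbound means traffic into the higher-priority zone (here the DMZ server),
            # where an unrestricted permit exposes every port on the host.
            findings.append(where + ": inbound permit is not limited to a service")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TRANSCRIPT):
        print("FINDING:", finding)
```

Run against the page's configuration the script reports a single finding, the default permit; the two policies themselves are acceptable because the inbound rule is limited to telnet. Dropping the first line of the transcript clears the report.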
Step five. Configure Easy-IP so that the Trust zone can access the Untrust zone
Configure NAT source address translation using Easy-IP, and bind the NAT to the outbound interface.
[FW] nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound] policy 0
14:14:00 2014-07-08
[FW-nat-policy-interzone-trust-untrust-outbound-0] policy source 10.0.2.0 0.0.0.255
14:14:26 2014-07-08
[FW-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
14:14:37 2014-07-08
[FW-nat-policy-interzone-trust-untrust-outbound-0] easy-ip g0/0/0
14:14:51 2014-07-08
[FW-nat-policy-interzone-trust-untrust-outbound-0] q
After the configuration is complete, verify from R2 that the Trust zone can reach the Untrust zone, first with a plain ping and then with an extended ping that sets the source address.
ping 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
ping -a 10.0.2.2 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=220 ms
Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=100 ms
Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=120 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=440 ms
--- 10.0.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 100/196/440 ms
Note that when connectivity to 10.0.1.1 is tested directly from R2 it fails, whereas with the extended ping, after specifying 10.0.2.2 as the source address of the packets, connectivity succeeds. The reason is that when the packet is sent directly to 10.0.1.1, its source address is 10.0.20.2 (the interface address of R2), which is not in the client address range that NAT translates.
Step six. Publish the intranet server 10.0.3.3
Configure NAT Server for the telnet service of the intranet server 10.0.3.3, mapping it to the public address 10.0.10.20.
[FW] nat server protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet
Enable the Telnet service on R3 and test from R1. Note that the published address is 10.0.10.20, so when R1 accesses 10.0.3.3, the destination address it uses is 10.0.10.20.
[R3] user-interface vty 0 4
[R3-ui-vty0-4] authentication-mode password
Please configure the login password (maximum length 16): 16
[R3-ui-vty0-4] set authentication password ?
  cipher  Set the password with cipher text
[R3-ui-vty0-4] set authentication password cip
[R3-ui-vty0-4] set authentication password cipher Huawei
[R3-ui-vty0-4] user privilege level 3
[R3-ui-vty0-4] q
telnet 10.0.10.20
Press CTRL_] to quit telnet mode
Trying 10.0.10.20 ...
Connected to 10.0.10.20 ...
Login authentication
Password:
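To tie the six steps together, here is an added Python model of the firewall's forwarding decision, written for this page; it is not Huawei code and does not talk to a device. It encodes the interfaces, zones, routes, security policies, Easy-IP policy and NAT Server mapping as configured above and reproduces the three results observed in the tests: the direct ping from R2 times out because R1 has no route back to the untranslated source 10.0.20.2, the ping sourced from 10.0.2.2 succeeds because Easy-IP rewrites it to the G0/0/0 address 10.0.10.254, and R1's telnet to 10.0.10.20 is mapped to 10.0.3.3 and permitted by the inbound policy. The zone priorities for local, dmz and untrust (100, 50, 5) are the USG defaults and are assumptions here, as is the simplified first-match rule order; default_action is a parameter so you can also see what the same policies do once the default permit from step two is reverted to deny.

```python
"""Forwarding model of the lab firewall: zone lookup, inter-zone security policy, Easy-IP
source NAT and NAT Server.  Added example written for this page, not Huawei code; addresses,
routes and policies are those configured in steps one to six; zone priorities are assumed USG defaults."""
import ipaddress
from dataclasses import dataclass, replace

# Steps one and two: firewall interfaces with their addresses and zones.
FW_IFACES = {"GigabitEthernet0/0/0": ("10.0.10.254/24", "untrust"),
             "GigabitEthernet0/0/1": ("10.0.20.254/24", "trust"),
             "GigabitEthernet0/0/2": ("10.0.30.254/24", "dmz")}
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
# Step three: FW static routes (prefix -> egress interface); R1 has no default route.
FW_ROUTES = {"10.0.1.0/24": "GigabitEthernet0/0/0",
             "10.0.2.0/24": "GigabitEthernet0/0/1",
             "10.0.3.0/24": "GigabitEthernet0/0/2"}
R1_ROUTES = ["10.0.10.0/24", "10.0.1.0/24"]

def interzone(zone_a, zone_b, direction):
    """'policy interzone A B outbound' covers traffic from the higher-priority zone
    to the lower one; 'inbound' is the reverse.  Returns (from_zone, to_zone)."""
    high, low = sorted((zone_a, zone_b), key=ZONE_PRIORITY.get, reverse=True)
    return (high, low) if direction == "outbound" else (low, high)

# Step four: security policies; src/dst are (address, wildcard), service is (proto, port).
SEC_POLICIES = [
    {"zones": interzone("trust", "untrust", "outbound"), "src": ("10.0.2.0", "0.0.0.255"),
     "dst": None, "service": None, "action": "permit"},
    {"zones": interzone("dmz", "untrust", "inbound"), "src": None,
     "dst": ("10.0.3.3", "0.0.0.0"), "service": ("tcp", 23), "action": "permit"},
]
# Step five: Easy-IP source NAT bound to the untrust interface.
NAT_POLICY = [{"zones": ("trust", "untrust"), "src": ("10.0.2.0", "0.0.0.255"),
               "easy_ip": "GigabitEthernet0/0/0"}]
# Step six: NAT Server, (proto, global address, port) -> (inside address, port).
NAT_SERVER = {("tcp", "10.0.10.20", 23): ("10.0.3.3", 23)}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0

def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: 0 bits must match, 1 bits are ignored (0.0.0.255 = a /24)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def fw_egress(dst):
    """Longest-prefix match over connected networks and static routes; None if no route."""
    table = {str(ipaddress.ip_interface(a).network): i for i, (a, _) in FW_IFACES.items()}
    table.update(FW_ROUTES)
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, i) for p, i in table.items() if ip in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None

def fw_forward(pkt, in_zone, default_action="permit"):
    """Return (verdict, packet as it leaves the firewall).  default_action is 'permit'
    because the article leaves 'firewall packet-filter default permit all' in place."""
    # NAT Server rewrites the destination before zone lookup and policy matching,
    # which is why the inbound policy names the inside address 10.0.3.3.
    key = (pkt.proto, pkt.dst, pkt.dport)
    if key in NAT_SERVER:
        pkt = replace(pkt, dst=NAT_SERVER[key][0], dport=NAT_SERVER[key][1])
    iface = fw_egress(pkt.dst)
    if iface is None:
        return "no route", pkt
    out_zone = FW_IFACES[iface][1]
    action = default_action
    for p in SEC_POLICIES:  # first matching policy decides
        if p["zones"] != (in_zone, out_zone):
            continue
        if p["src"] and not wildcard_match(pkt.src, *p["src"]):
            continue
        if p["dst"] and not wildcard_match(pkt.dst, *p["dst"]):
            continue
        if p["service"] and p["service"] != (pkt.proto, pkt.dport):
            continue
        action = p["action"]
        break
    if action != "permit":
        return "deny", pkt
    # Easy-IP: a matching NAT policy rewrites the source to the egress interface address.
    for n in NAT_POLICY:
        if n["zones"] == (in_zone, out_zone) and wildcard_match(pkt.src, *n["src"]):
            pkt = replace(pkt, src=str(ipaddress.ip_interface(FW_IFACES[n["easy_ip"]][0]).ip))
    return "permit", pkt

def ping_from_r2(src):
    """Step five test: R2 pings 10.0.1.1; returns (outcome, source address seen by R1)."""
    verdict, out = fw_forward(Packet(src, "10.0.1.1", "icmp"), "trust")
    if verdict != "permit":
        return verdict, None
    # R1 answers only if it has a route back to the (possibly translated) source.
    reachable = any(ipaddress.ip_address(out.src) in ipaddress.ip_network(n) for n in R1_ROUTES)
    return ("reply" if reachable else "request time out"), out.src

def telnet_from_r1(default_action="permit"):
    """Step six test: R1 telnets to the published address 10.0.10.20."""
    return fw_forward(Packet("10.0.10.1", "10.0.10.20", "tcp", 23), "untrust", default_action)
```

With default_action left at "permit" the model shows why the article's two test outcomes differ: the untranslated ping is not dropped by the firewall at all, it simply never gets an answer. Switching default_action to "deny" is where the step-four policies start to matter: the direct ping is then refused at the firewall, and a connection from the Untrust zone to 10.0.3.3 on any port other than telnet is refused too, while the published telnet service keeps working.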