
NAT configuration in USG Firewall

2025-03-29 Update. From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

Many newcomers are unclear about how NAT is configured on the USG firewall. To help with that, the editor walks through a complete configuration below; anyone who needs it is welcome to follow along, and I hope you gain something from it.

USG Firewall NAT configuration

Learning purpose

Master the method of configuring NAT Server on a USG firewall

Master the method of configuring NAT Easy IP on a USG firewall

Topology diagram (figure not reproduced)

Scene:

You are the network administrator of the company. The company uses a firewall to divide the network into three zones. The task is to publish the Telnet service of a server in the DMZ zone (IP address 10.0.3.3) on the public address 10.0.10.20/24, and to let users in the Trust zone of the internal network reach the external zone through Easy-IP. Access in all other directions is prohibited.

On the switch, interfaces G0/0/1 and G0/0/21 are assigned to VLAN 11, interfaces G0/0/2 and G0/0/22 to VLAN 12, and interfaces G0/0/3 and G0/0/23 to VLAN 13. One network segment is planned for each VLAN.

Learning task

Step one. Basic configuration and IP addressing

First configure address information for the three routers.

[Huawei] sysname R1
[R1] interface g0/0/1
[R1-GigabitEthernet0/0/1] ip add 10.0.10.1 24
[R1-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/1
[R1-GigabitEthernet0/0/1] interface loopback0
[R1-LoopBack0] ip add 10.0.1.1 24
[R1-LoopBack0] q

[Huawei] sysname R2
[R2] interface g0/0/1
[R2-GigabitEthernet0/0/1] ip add 10.0.20.2 24
[R2-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/2
[R2-GigabitEthernet0/0/1] interface loopback0
[R2-LoopBack0] ip add 10.0.2.2 24
[R2-LoopBack0] q

[Huawei] sysname R3
[R3] interface g0/0/1
[R3-GigabitEthernet0/0/1] ip add 10.0.30.3 24
[R3-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/3
[R3-GigabitEthernet0/0/1] interface loopback0
[R3-LoopBack0] ip add 10.0.3.3 24
[R3-LoopBack0] q

Now address the firewall: G0/0/1 gets 10.0.20.254/24, G0/0/0 gets 10.0.10.254/24 and G0/0/2 gets 10.0.30.254/24. Note that G0/0/0 is the management interface (alias GE0/MGMT) and ships with 192.168.0.1/24 and a DHCP server configured; that address must be removed before the new one can be set, which also deletes the DHCP server configuration.

[SRG] sysname FW
13:06:03 2014-07-08
[FW] interface g0/0/1
13:06:30 2014-07-08
[FW-GigabitEthernet0/0/1] ip add 10.0.20.254 24
13:07:01 2014-07-08
[FW-GigabitEthernet0/0/1] desc this port connect to S1-G0/0/22
13:07:52 2014-07-08
[FW-GigabitEthernet0/0/1] interface g0/0/0
13:08:23 2014-07-08
[FW-GigabitEthernet0/0/0] dis this
13:08:31 2014-07-08
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
return
[FW-GigabitEthernet0/0/0] undo ip add
13:08:42 2014-07-08
Info: The DHCP server configuration on this interface will be deleted.
[FW-GigabitEthernet0/0/0] display this
13:08:46 2014-07-08
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
#
return
[FW-GigabitEthernet0/0/0] ip add 10.0.10.254 24
13:09:29 2014-07-08
[FW-GigabitEthernet0/0/0] desc this port connect to S1-G0/0/21
13:10:05 2014-07-08
[FW-GigabitEthernet0/0/0] interface G0/0/2
13:10:15 2014-07-08
[FW-GigabitEthernet0/0/2] ip add 10.0.30.254 24
13:10:28 2014-07-08
[FW-GigabitEthernet0/0/2] desc this port connect to S1-G0/0/23
13:10:53 2014-07-08
[FW-GigabitEthernet0/0/2] q

On the switch, define the VLANs as required and assign each port to its VLAN as an access port.

[Huawei] sysname S1
[S1] vlan batch 11 to 13
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 11
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type access
[S1-GigabitEthernet0/0/2] port default vlan 12
[S1-GigabitEthernet0/0/2] interface g0/0/3
[S1-GigabitEthernet0/0/3] port link-type access
[S1-GigabitEthernet0/0/3] port default vlan 13
[S1-GigabitEthernet0/0/3] interface g0/0/21
[S1-GigabitEthernet0/0/21] port link-type access
[S1-GigabitEthernet0/0/21] port default vlan 11
[S1-GigabitEthernet0/0/21] interface g0/0/22
[S1-GigabitEthernet0/0/22] port link-type access
[S1-GigabitEthernet0/0/22] port default vlan 12
[S1-GigabitEthernet0/0/22] interface g0/0/23
[S1-GigabitEthernet0/0/23] port link-type access
[S1-GigabitEthernet0/0/23] port default vlan 13

Step two. Configure the interface to the security zone

By default, the firewall has four zones: "local", "trust", "untrust" and "dmz".

This experiment uses three of them: "trust", "untrust" and "dmz". Add G0/0/0 to the untrust zone, G0/0/2 to the dmz zone and G0/0/1 to the trust zone. As "display this" shows below, G0/0/0 (the management interface) is already a member of the trust zone by default, so it has to be removed from trust before it can be added to untrust.

[FW] firewall zone trust
13:45:31 2014-07-08
[FW-zone-trust] dis this
13:45:35 2014-07-08
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
return
[FW-zone-trust] undo add inter
[FW-zone-trust] undo add interface g0/0/0
13:46:01 2014-07-08
[FW-zone-trust] add interface g0/0/1
13:46:22 2014-07-08
[FW-zone-trust] firewall zone untrust
[FW-zone-untrust] add interface g0/0/0
13:47:24 2014-07-08
[FW-zone-untrust] firewall zone dmz
13:48:06 2014-07-08
[FW-zone-dmz] add interface g0/0/2
13:48:13 2014-07-08
[FW-zone-dmz] q

By default, the firewall does not allow traffic between zones (the local zone excepted). To verify that the addressing is correct before any policy is written, first set the default interzone packet filter to permit all traffic, then test connectivity from the FW device. The device warns that this default poses a security risk, and the proper policies are written in step four.

[FW] firewall packet-filter default permit all
13:51:19 2014-07-08
Warning: Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Are
you sure you want to continue? [Y/N] y
[FW] ping -c 1 10.0.10.1
13:51:56 2014-07-08
  PING 10.0.10.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=90 ms
  --- 10.0.10.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 90/90/90 ms
[FW] ping -c 1 10.0.20.2
13:52:08 2014-07-08
  PING 10.0.20.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=400 ms
  --- 10.0.20.2 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 400/400/400 ms
[FW] ping -c 1 10.0.30.3
13:52:18 2014-07-08
  PING 10.0.30.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=410 ms
  --- 10.0.30.3 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 410/410/410 ms

Step three. Configure static routes to achieve network connectivity

Configure default routes on R2 and R3 and explicit static routes on FW to enable communication between the three loopback0 interfaces. R1 does not need to define a default route because, as an internet device, it does not need to know the private network information in the internal and DMZ areas.

[R2] ip route-static 0.0.0.0 0 10.0.20.254

[R3] ip route-static 0.0.0.0 0 10.0.30.254

[FW] ip route-static 10.0.1.0 24 10.0.10.1
13:58:26 2014-07-08
[FW] ip route-static 10.0.2.0 24 10.0.20.2
13:58:40 2014-07-08
[FW] ip route-static 10.0.3.0 24 10.0.30.3
13:58:52 2014-07-08

From the firewall, test connectivity to the 10.0.1.0, 10.0.2.0 and 10.0.3.0 networks.

[FW] ping -c 1 10.0.1.1
14:00:18 2014-07-08
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms
  --- 10.0.1.1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 80/80/80 ms
[FW] ping -c 1 10.0.2.2
14:00:25 2014-07-08
  PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms
  --- 10.0.2.2 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 170/170/170 ms
[FW] ping -c 1 10.0.3.3
14:00:29 2014-07-08
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms
  --- 10.0.3.3 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 110/110/110 ms

With the current configuration, all zones can communicate with each other without any filtering. However, because no NAT has been defined yet, the external zone cannot communicate with the private addresses of the internal and DMZ zones: R1 has no route back to them.
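To make that asymmetry concrete, here is an added Python model of the static routing built in steps one and three (example code written for this page, not device output and not Huawei software). It does a longest-prefix-match lookup at each hop, follows the forward path and then the reply path, and shows that the firewall reaches every loopback while a reply from R1 to a private address has nowhere to go. The routing tables, the address-to-device map and the function names are constructed from the page's configuration.

```python
import ipaddress

# Constructed routing tables, taken from the addressing in step one and the
# static routes in step three. None = directly connected (or a loopback).
ROUTES = {
    "R1": {"10.0.10.0/24": None, "10.0.1.0/24": None},   # no default route on purpose
    "R2": {"10.0.20.0/24": None, "10.0.2.0/24": None, "0.0.0.0/0": "10.0.20.254"},
    "R3": {"10.0.30.0/24": None, "10.0.3.0/24": None, "0.0.0.0/0": "10.0.30.254"},
    "FW": {"10.0.10.0/24": None, "10.0.20.0/24": None, "10.0.30.0/24": None,
           "10.0.1.0/24": "10.0.10.1", "10.0.2.0/24": "10.0.20.2", "10.0.3.0/24": "10.0.30.3"},
}

# Which device owns each interface or loopback address (constructed from the page).
OWNER = {
    "10.0.10.1": "R1", "10.0.1.1": "R1",
    "10.0.20.2": "R2", "10.0.2.2": "R2",
    "10.0.30.3": "R3", "10.0.3.3": "R3",
    "10.0.10.254": "FW", "10.0.20.254": "FW", "10.0.30.254": "FW",
}


def lookup(device, dst):
    """Longest-prefix match on one device: returns a next-hop address,
    'connected' for a directly attached network, or None when no route exists."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTES[device].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return None
    return best[1] or "connected"


def trace(start, dst, max_hops=8):
    """Follow a packet hop by hop. Returns the devices visited; the last entry
    is the device owning dst, or None if some hop has no route."""
    path = [start]
    device = start
    for _ in range(max_hops):
        next_hop = lookup(device, dst)
        if next_hop is None:
            path.append(None)
            return path
        if next_hop == "connected":
            owner = OWNER.get(dst)
            if owner != device:          # delivered to a neighbour on the attached LAN
                path.append(owner)
            return path
        device = OWNER[next_hop]
        path.append(device)
    path.append(None)                    # loop guard
    return path


def round_trip(start, src_ip, dst_ip):
    """Forward path plus the reply path; a ping needs both to succeed."""
    forward = trace(start, dst_ip)
    if forward[-1] is None:
        return {"forward": forward, "reply": None, "ok": False}
    reply = trace(forward[-1], src_ip)
    return {"forward": forward, "reply": reply, "ok": reply[-1] == start}


if __name__ == "__main__":
    # Step three: the firewall reaches every loopback, sourcing from the egress interface.
    for src, target in (("10.0.10.254", "10.0.1.1"), ("10.0.20.254", "10.0.2.2"),
                        ("10.0.30.254", "10.0.3.3")):
        print("FW ->", target, round_trip("FW", src, target))
    # Without NAT, R1 has no route back to a private source address.
    print("R2 -> 10.0.1.1", round_trip("R2", "10.0.20.2", "10.0.1.1"))
```

The forward path from R2 to 10.0.1.1 succeeds through the default routes, but the reply dies at R1 because its table contains only the two networks it is attached to. That is exactly the gap Easy-IP closes in step five by rewriting the source to an address R1 can route.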

Step four. Configure security filtering between areas

Configure the firewall to permit packets from the 10.0.2.0/24 segment of the Trust zone to the Untrust zone, and to permit Telnet requests from the Untrust zone to the DMZ server 10.0.3.3.

[FW] firewall session link-state check
[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 0
14:06:57 2014-07-08
[FW-policy-interzone-trust-untrust-outbound-0] policy source 10.0.2.0 0.0.0.255
14:07:18 2014-07-08
[FW-policy-interzone-trust-untrust-outbound-0] action permit
14:07:31 2014-07-08
[FW-policy-interzone-trust-untrust-outbound-0] q
14:07:40 2014-07-08
[FW-policy-interzone-trust-untrust-outbound] q
14:07:40 2014-07-08
[FW] policy interzone dmz untrust inbound
14:09:01 2014-07-08
[FW-policy-interzone-dmz-untrust-inbound] policy 0
14:09:08 2014-07-08
[FW-policy-interzone-dmz-untrust-inbound-0] policy destination 10.0.3.3 0
14:09:37 2014-07-08
[FW-policy-interzone-dmz-untrust-inbound-0] policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-0] action permit
14:09:55 2014-07-08
[FW-policy-interzone-dmz-untrust-inbound-0] q
14:09:55 2014-07-08

Step five. Configure Easy-IP for access from the Trust zone to the Untrust zone

Configure a NAT policy that translates the source address with Easy-IP, binding the translation to the outgoing interface so that the interface address is used.

[FW] nat-policy interzone trust untrust outbound
[FW-nat-policy-interzone-trust-untrust-outbound] policy 0
14:14:00 2014-07-08
[FW-nat-policy-interzone-trust-untrust-outbound-0] policy source 10.0.2.0 0.0.0.255
14:14:26 2014-07-08
[FW-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
14:14:37 2014-07-08
[FW-nat-policy-interzone-trust-untrust-outbound-0] easy-ip g0/0/0
14:14:51 2014-07-08
[FW-nat-policy-interzone-trust-untrust-outbound-0] q

After the configuration is complete, verify that the access between the Trust area and the Untrust area is normal.

ping 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

ping -a 10.0.2.2 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=220 ms
    Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=100 ms
    Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms
    Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=120 ms
    Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=440 ms
  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 100/196/440 ms

Note that when R2 pings 10.0.1.1 directly, the test fails, whereas the extended ping with 10.0.2.2 as the source address succeeds. The reason is that a packet sent directly to 10.0.1.1 carries the address of R2's outgoing interface, 10.0.20.2, as its source; that address is not in the client range of the NAT policy (10.0.2.0/24), so the packet leaves the firewall untranslated and R1 has no route by which to answer it.

Step six. Publish the intranet server 10.0.3.3

Publish the Telnet service of the intranet server 10.0.3.3 by mapping it to the public address 10.0.10.20.

[FW] nat server protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet

Enable Telnet on R3 and test from R1. Keep in mind that the published address is 10.0.10.20, so R1 reaches 10.0.3.3 by using 10.0.10.20 as the destination address.

[R3] user-interface vty 0 4
[R3-ui-vty0-4] authentication-mode password
Please configure the login password (maximum length 16):
[R3-ui-vty0-4] set authentication password ?
  cipher  Set the password with cipher text
[R3-ui-vty0-4] set authentication password cip
[R3-ui-vty0-4] set authentication password cipher Huawei
[R3-ui-vty0-4] user privilege level 3
[R3-ui-vty0-4] q

telnet 10.0.10.20
  Press CTRL_] to quit telnet mode
  Trying 10.0.10.20...
  Connected to 10.0.10.20...

Login authentication

Password:
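As an added example (Python written for this page, not Huawei code), the following models steps four to six together: the Huawei wildcard-mask match used by "policy source" and "policy destination", the two interzone policies, the "nat server" mapping for 10.0.10.20 and the Easy-IP source NAT. The order of operations (nat server before the policy lookup, Easy-IP after it) is an assumption that is consistent with the step-four policy naming the real server address 10.0.3.3 rather than 10.0.10.20. The default_permit flag reflects the permit-all default filter left in place in step two; passing False shows what the two policies alone allow, which is the "other directions prohibited" state the scenario asks for. All names and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Networks behind each firewall interface, from the topology and step two.
ZONE_NETS = {
    "untrust": ("10.0.10.0/24", "10.0.1.0/24"),   # G0/0/0 towards R1
    "trust":   ("10.0.20.0/24", "10.0.2.0/24"),   # G0/0/1 towards R2
    "dmz":     ("10.0.30.0/24", "10.0.3.0/24"),   # G0/0/2 towards R3
}
EASY_IP_ADDR = "10.0.10.254"   # address of G0/0/0, used by "easy-ip g0/0/0"
# nat server protocol tcp global 10.0.10.20 telnet inside 10.0.3.3 telnet
NAT_SERVER = {("tcp", "10.0.10.20", 23): ("10.0.3.3", 23)}
# nat-policy trust->untrust: policy source 10.0.2.0 0.0.0.255
NAT_CLIENTS = ("10.0.2.0", "0.0.0.255")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "icmp"   # "icmp" or "tcp"
    dport: int = 0


@dataclass
class Verdict:
    action: str           # "permit" or "deny"
    reason: str
    src: str              # source address as the packet leaves the firewall
    dst: str              # destination address as the packet leaves the firewall
    dport: int


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return None


def wildcard_match(ip, base, wildcard):
    """Huawei wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(ip)) ^ int(ipaddress.ip_address(base))) & care == 0


# Step four, one matcher per interzone policy (zone pair -> predicate).
POLICIES = {
    ("trust", "untrust"): lambda p: wildcard_match(p.src, "10.0.2.0", "0.0.0.255"),
    ("untrust", "dmz"): lambda p: (wildcard_match(p.dst, "10.0.3.3", "0.0.0.0")
                                   and p.proto == "tcp" and p.dport == 23),
}


def forward(p, default_permit=True):
    """Run one packet through nat server, zone lookup, policy and easy-ip."""
    src, dst, dport = p.src, p.dst, p.dport
    # 1. nat server (destination NAT) is applied before the policy lookup.
    if (p.proto, dst, dport) in NAT_SERVER:
        dst, dport = NAT_SERVER[(p.proto, dst, dport)]
    # 2. Zones are derived from the (translated) addresses.
    szone, dzone = zone_of(src), zone_of(dst)
    if szone is None or dzone is None:
        return Verdict("deny", "unknown zone", src, dst, dport)
    # 3. Interzone policy first, then the default packet filter.
    rule = POLICIES.get((szone, dzone))
    if rule and rule(Packet(src, dst, p.proto, dport)):
        reason = f"policy {szone}->{dzone} permit"
    elif default_permit:
        reason = "default packet-filter permit"
    else:
        return Verdict("deny", "default packet-filter deny", src, dst, dport)
    # 4. Easy-IP source NAT, only for the configured client range.
    if (szone, dzone) == ("trust", "untrust") and wildcard_match(src, *NAT_CLIENTS):
        src = EASY_IP_ADDR
        reason += ", easy-ip"
    elif dzone == "untrust":
        reason += ", source not translated (R1 has no route back)"
    return Verdict("permit", reason, src, dst, dport)


if __name__ == "__main__":
    print(forward(Packet("10.0.20.2", "10.0.1.1")))            # R2's direct ping
    print(forward(Packet("10.0.2.2", "10.0.1.1")))             # ping -a 10.0.2.2
    print(forward(Packet("10.0.1.1", "10.0.10.20", "tcp", 23)))  # R1 telnet to the published address
    print(forward(Packet("10.0.1.1", "10.0.2.2"), default_permit=False))
```

The first two calls reproduce the step-five result: the packet from 10.0.20.2 is permitted by the default filter but leaves untranslated, while the one from 10.0.2.2 matches the NAT policy and is rewritten to 10.0.10.254. The third shows why the step-four policy names 10.0.3.3: by the time the policy is evaluated, nat server has already replaced the public address. With default_permit=False, the last call is dropped, since no policy allows Untrust to reach Trust.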
