2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article analyzes how NAT control is implemented on a firewall. Many newcomers are not clear about this, so the following explains it in detail for anyone who needs it; I hope you find it useful.
I. NAT classification
NAT No-PAT: similar to Cisco dynamic NAT. Only the source IP address is translated, not the port. It is a many-to-many translation, so it does not conserve public IP addresses and is rarely used.
NAPT (Network Address and Port Translation): similar to Cisco PAT. NAPT translates both the source address and the source port of the packet.
Outgoing interface address (Easy-IP): the translation is the same as NAPT, i.e. both the source address and the source port are translated, but the public address is the address of the outbound interface, so it is a many-to-one translation.
Smart NAT (intelligent translation): reserves one public network address in the pool and performs NAPT on it.
Triple NAT: translation keyed on source IP address, source port and protocol type.
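As an added illustration that is not part of the original article, the following Python model contrasts the three source-NAT modes used later in this article: No-PAT (one public address per inside host, port untouched, pool can run out), NAPT and Easy-IP (one shared public address, hosts told apart by a translated port). The inside hosts, the port allocator starting at 2048 and the Translator class are constructed for this example; the pools reuse the addresses from the case below.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Translator:
    """Source NAT for one nat-policy rule: mode is 'no-pat', 'pat' (NAPT) or 'easy-ip'."""
    mode: str
    pool: list                                    # public addresses for this rule
    sessions: dict = field(default_factory=dict)  # (src_ip, src_port) -> (pub_ip, pub_port)
    ports: count = field(default_factory=lambda: count(2048))  # next free public port

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key in self.sessions:                  # existing session: reuse its mapping
            return self.sessions[key]
        if self.mode == "no-pat":
            # one public IP per inside host, so N pool addresses serve only N hosts
            host_map = {s: p for (s, _), (p, _) in self.sessions.items()}
            pub = host_map.get(src_ip)
            if pub is None:
                free = [p for p in self.pool if p not in host_map.values()]
                if not free:
                    return None                   # pool exhausted: packet is dropped
                pub = free[0]
            mapping = (pub, src_port)             # source port is not translated
        else:
            # NAPT / Easy-IP: all hosts share one public IP, told apart by port
            mapping = (self.pool[0], next(self.ports))
        self.sessions[key] = mapping
        return mapping

    def reverse(self, pub_ip, pub_port):
        """Map a returning packet back to the inside host via the session table."""
        for priv, pub in self.sessions.items():
            if pub == (pub_ip, pub_port):
                return priv
        return None

def demo():
    # Constructed hosts; pools follow the page's case (100.2.2.10-11, 100.2.2.12, 100.1.1.2).
    nopat = Translator("no-pat", ["100.2.2.10", "100.2.2.11"])
    napt = Translator("pat", ["100.2.2.12"])
    easy = Translator("easy-ip", ["100.1.1.2"])   # firewall's outbound interface address
    return {
        "nopat": [nopat.translate(f"192.168.1.{i}", 40000 + i) for i in (10, 11, 12)],
        "napt": [napt.translate(f"192.168.2.{i}", 40000) for i in (10, 11, 12)],
        "easy": [easy.translate(f"192.168.3.{i}", 40000) for i in (10, 11)],
        "reverse": napt.reverse("100.2.2.12", 2048),
    }
```

The third No-PAT host gets no translation because the two-address pool is already used, while NAPT and Easy-IP keep serving new hosts from a single address.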
II. Black hole routing
Solves the routing loop and invalid ARP problems that arise in source address translation scenarios.
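As an added illustration that is not part of the original article, this Python simulation shows the routing loop that the black hole route prevents: R1 routes the translated range 100.2.2.8/29 to the firewall, but a packet for 100.2.2.10 that matches no session only matches the firewall's default route back to R1, so it bounces until its TTL expires. The topology, the node names and the `trace` function are constructed for this example; the route `ip route-static 100.2.2.10 32 null 0` is the one from the case below.

```python
import ipaddress

# Constructed topology from the page's case: R1 (ISP) routes 100.2.2.8/29 to the
# firewall (100.1.1.2); the firewall itself only has a default route back to R1.
R1_ROUTES = {"100.2.2.8/29": "FW", "200.1.1.0/24": "local"}
FW_ROUTES = {"0.0.0.0/0": "R1", "192.168.1.0/24": "local"}
# Same firewall table plus the page's black hole route: ip route-static 100.2.2.10 32 null 0
FW_BLACKHOLE = {**FW_ROUTES, "100.2.2.10/32": "null0"}

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop name or None."""
    best = None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None

def trace(dst, fw_routes, sessions, ttl=64):
    """Forward a packet that arrives at R1 and record every hop until it is
    delivered, dropped or its TTL runs out.  sessions maps a translated
    public address to the inside host that currently owns it."""
    node, path = "R1", []
    while ttl > 0:
        path.append(node)
        # the firewall consults the session table before the routing table
        if node == "FW" and dst in sessions:
            return "delivered:" + sessions[dst], path
        nh = lookup(R1_ROUTES if node == "R1" else fw_routes, dst)
        if nh == "null0":
            return "dropped:null0", path          # black hole route discards it
        if nh is None:
            return "dropped:no-route", path
        if nh == "local":
            return "delivered:" + dst, path
        node, ttl = nh, ttl - 1                   # hand the packet to the next hop
    return "ttl-expired", path                    # bounced between R1 and FW until TTL hit 0
```

Because the session table is checked before routing, the null0 route only discards packets for pool addresses with no active session; legitimate return traffic is still delivered to the inside host.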
III. Server-map table
The Server-map table solves the FTP data-transfer problem (the data connection uses a port negotiated inside the control connection, so it does not match an existing session).
The session table records the information of each connection, including its state.
Application of Server-map in NAT Server
The forward entry carries port information and lets external users have their destination address translated directly through the Server-map table when they access 202.96.1.10.
The reverse entry carries no port information and allows any destination address; it lets the server itself access the Internet when the protocol is TCP.
IV. Processing flow of packets in NAT
NAT configuration (three methods)
(1) NAT No-PAT
Configure a default route
Configure the security policy
Configure the NAT address group; the addresses in it correspond to public network IPs
Configure the NAT policy
Configure black hole routes for the translated global addresses (the addresses in the NAT address group)
Verify the NAT configuration: ping public-network PC2 from PC1 and view the session table.
In the screenshot, the three red boxes mark the source address, the translated address and the accessed address.
You can also view the Server-map table.
(2) NAPT configuration
Using the same topology as above, redo the configuration with NAPT.
Configure IP addresses
Configure the security policy
Configure the NAT address group, whose addresses correspond to public network IPs
Configure the NAT policy
Configure black hole routing
Verify by pinging public-network PC2 from PC1.
(3) Outgoing interface address (Easy-IP): reconfigure so that PC2 is accessed using the address of the firewall interface connected to router R1.
Configure IP addresses
Configure the security policy
Configure the NAT policy
After verification, all translated source addresses are the IP of the interface connected to R1.
V. Comprehensive case
Requirements:
Finance hosts access the Internet through No-PAT (using 100.2.2.10-11)
Academic department hosts access the Internet through NAPT (using 100.2.2.12)
Other departments of the company access the Internet through g1/0/0 (Easy-IP)
Publish the server in the DMZ with nat server (using 100.2.2.9)
(1) Finance hosts access the Internet through No-PAT
1. Configure network parameters and routing
[USG6000V1] int g1/0/2
[USG6000V1-GigabitEthernet1/0/2] ip add 192.168.1.1 24
[USG6000V1-GigabitEthernet1/0/2] undo sh
Info: Interface GigabitEthernet1/0/2 is not shutdown.
[USG6000V1-GigabitEthernet1/0/2] quit
[USG6000V1] int g1/0/0
[USG6000V1-GigabitEthernet1/0/0] ip add 100.1.1.2 30
[USG6000V1-GigabitEthernet1/0/0] undo sh
[USG6000V1-GigabitEthernet1/0/0] quit
[USG6000V1] ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
2. Configure security policy
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add int g1/0/2
[USG6000V1-zone-trust] quit
[USG6000V1] firewall zone untrust
[USG6000V1-zone-untrust] add int g1/0/0
[USG6000V1-zone-untrust] quit
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name sec_1
[USG6000V1-policy-security-rule-sec_1] source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-sec_1] destination-zone untrust
[USG6000V1-policy-security-rule-sec_1] action permit
3. Configure the nat address group. The address in the address pool corresponds to the public network address.
[USG6000V1-policy-security] quit
[USG6000V1] nat address-group natgroup
[USG6000V1-address-group-natgroup] section 0 100.2.2.10 100.2.2.11
[USG6000V1-address-group-natgroup] mode no-pat local
[USG6000V1-address-group-natgroup] quit
4. Configure nat policy
[USG6000V1] nat-policy
[USG6000V1-policy-nat] rule name natpolicy
[USG6000V1-policy-nat-rule-natpolicy] source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-natpolicy] destination-zone untrust
[USG6000V1-policy-nat-rule-natpolicy] action nat address-group natgroup
[USG6000V1-policy-nat-rule-natpolicy] quit
[USG6000V1-policy-nat] quit
5. Configure black hole routing for translated global addresses
[USG6000V1] ip route-static 100.2.2.10 32 null 0
[USG6000V1] ip route-static 100.2.2.11 32 null 0
6. Configure R1 (ISP)
sys
Enter system view, return user view with Ctrl+Z.
[Huawei] sysname r1
[r1] undo info ena
[r1] int g0/0/0
[r1-GigabitEthernet0/0/0] ip add 100.1.1.1 30
[r1-GigabitEthernet0/0/0] int g0/0/1
[r1-GigabitEthernet0/0/1] ip add 200.1.1.1 24
[r1-GigabitEthernet0/0/1] undo sh
[r1-GigabitEthernet0/0/1] quit
[r1] ip route-static 100.2.2.8 29 100.1.1.2
7. Test: access the internet server from the financial client
(2) Academic department hosts access the Internet through NAPT (using 100.2.2.12)
1. Configure network parameters
[USG6000V1] int g1/0/3
[USG6000V1-GigabitEthernet1/0/3] ip add 192.168.2.1 24
[USG6000V1-GigabitEthernet1/0/3] quit
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add int g1/0/3
[USG6000V1-zone-trust] quit
2. Configure security policy
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name sec_2
[USG6000V1-policy-security-rule-sec_2] source-address 192.168.2.0 24
[USG6000V1-policy-security-rule-sec_2] destination-zone untrust
[USG6000V1-policy-security-rule-sec_2] action permit
[USG6000V1-policy-security-rule-sec_2] quit
3. Configure nat address groups
[USG6000V1] nat address-group natgroup_2.0
[USG6000V1-address-group-natgroup_2.0] section 0 100.2.2.12 100.2.2.12
[USG6000V1-address-group-natgroup_2.0] mode pat
[USG6000V1-address-group-natgroup_2.0] quit
4. Configure nat policy
[USG6000V1] nat-policy
[USG6000V1-policy-nat] rule name natpolicy_2.0
[USG6000V1-policy-nat-rule-natpolicy_2.0] source-address 192.168.2.0 24
[USG6000V1-policy-nat-rule-natpolicy_2.0] destination-zone untrust
[USG6000V1-policy-nat-rule-natpolicy_2.0] action nat address-group natgroup_2.0
[USG6000V1-policy-nat-rule-natpolicy_2.0] quit
[USG6000V1-policy-nat] quit
5. Configure black hole routing for translated global addresses
[USG6000V1] ip route-static 100.2.2.12 32 null 0
6. Verify the NAT configuration
(3) Outgoing interface address (Easy-IP): other departments of the company access the Internet through g1/0/0
1. Configure network parameters
[USG6000V1] int g1/0/4
[USG6000V1-GigabitEthernet1/0/4] ip add 192.168.3.1 24
[USG6000V1-GigabitEthernet1/0/4] quit
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add int g1/0/4
[USG6000V1-zone-trust] quit
2. Configure security policy
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name sec_3
[USG6000V1-policy-security-rule-sec_3] source-address 192.168.3.0 24
[USG6000V1-policy-security-rule-sec_3] destination-zone untrust
[USG6000V1-policy-security-rule-sec_3] action permit
[USG6000V1-policy-security-rule-sec_3] quit
[USG6000V1-policy-security] quit
3. Configure nat policy
[USG6000V1] nat-policy
[USG6000V1-policy-nat] rule name natpolicy_3.0
[USG6000V1-policy-nat-rule-natpolicy_3.0] source-address 192.168.3.0 24
[USG6000V1-policy-nat-rule-natpolicy_3.0] destination-zone untrust
[USG6000V1-policy-nat-rule-natpolicy_3.0] action nat easy-ip
[USG6000V1-policy-nat-rule-natpolicy_3.0] quit
[USG6000V1-policy-nat] quit
4. Verify easy-ip
1) ping test
(4) Publish the server in the DMZ with nat server (using 100.2.2.9)
1. Configure network parameters
[USG6000V1-GigabitEthernet1/0/0] int g1/0/1
[USG6000V1-GigabitEthernet1/0/1] ip add 192.168.0.1 24
[USG6000V1-GigabitEthernet1/0/1] quit
[USG6000V1] firewall zone dmz
[USG6000V1-zone-dmz] add int g1/0/1
[USG6000V1-zone-dmz] quit
2. Configure security policy
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name sec_4
[USG6000V1-policy-security-rule-sec_4] source-zone untrust
[USG6000V1-policy-security-rule-sec_4] destination-address 192.168.0.0 24
[USG6000V1-policy-security-rule-sec_4] action permit
[USG6000V1-policy-security-rule-sec_4] quit
[USG6000V1-policy-security] quit
3. Configure FTP application-layer detection (this step can be omitted; it is enabled by default)
[USG6000V1] firewall inter trust untrust
[USG6000V1-interzone-trust-untrust] detect ftp
[USG6000V1-interzone-trust-untrust] quit
4. Configure nat server
[USG6000V1] nat server natserver global 100.2.2.9 inside 192.168.0.2
5. Configure black hole routing
[USG6000V1] ip route-static 100.2.2.9 32 null 0
6. Verification
1) Access the DMZ server from the Internet host