Shulou (Shulou.com), 05/31 report. Updated 2025-01-28.
What does a network environment built from firewall NAT, switch routing, and server-side soft routing look like? Many newcomers are unclear on this, so the walkthrough below explains it in detail for anyone who needs it.
Background: the existing business system network uses the 172 network segment and connects to the public network through an uplink Huawei 8508, via the firewall and routing. The business system is in the computer room on the third floor. The whole business area and core area now need to be connected to the PATROL monitoring system, which is located on the 6th floor.
Monitoring host IP: 192.168.165.89
Monitoring access network segment: 192.168.1.1-192.168.1.30
Monitoring access segment gateway: 192.168.1.30. The monitoring access segment and the monitoring host have connectivity to each other.
Environment: all network equipment is Huawei. The switches are Huawei LS-S5328C, the firewalls are Huawei Eudemon 200E, and the servers all run SUSE 10 ENTERPRISE SERVER 64-bit.
Requirements: the business environment uses the 172 network segment, and each server has two bonded network cards (the servers have four network cards; the other two are not cabled). Without adding network cabling to the existing business environment or changing its network deployment, two lines are run from the switch where the monitoring platform is located to the two firewalls of the business environment, so that the whole business area and core area can be monitored.
Network topology diagram:
Implementation process:
1. Settings on the firewall: (the configurations of the two firewalls are similar)
# interface Ethernet2/0/0
 description link_to_jiankong
 ip address 192.168.192.1 255.255.255.224
# firewall zone name jiankong
 set priority 70
 add interface Ethernet2/0/0
# firewall interzone jiankong untrust
 packet-filter 3001 outbound
# firewall interzone jiankong trust
 packet-filter 3002 inbound
(note: the access policy from the monitoring area to the business area and the core area is omitted here)
# nat server global 192.168.192.3 inside 172.29.141.253
nat server global 192.168.192.4 inside 172.29.141.254
nat server global 192.168.192.5 inside 172.29.141.66
nat server global 192.168.192.6 inside 172.29.141.67
nat server global 192.168.192.7 inside 172.29.141.12
nat server global 192.168.192.8 inside 172.29.141.13
nat server global 192.168.192.9 inside 172.29.141.14
nat server global 192.168.192.10 inside 172.29.141.15
nat server global 192.168.192.11 inside 172.29.141.16
nat server global 192.168.192.12 inside 172.29.141.17
nat server global 192.168.192.12 inside 172.29.141.18
nat server global 192.168.192.12 inside 172.29.141.19
(apart from the two firewalls, the network devices and servers in the business area and the core area are each mapped one-to-one to a 192 address by NAT)
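The one-to-one mapping described above can be checked mechanically before the configuration is applied. The following is an added example, not part of the original article or of any Huawei tooling: it parses the `nat server` entries exactly as listed above and reports any global address that is mapped more than once, any inside address that is mapped twice, and any global address outside the Ethernet2/0/0 subnet. The function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# NAT entries as listed in the firewall configuration above.
CONFIG = """\
nat server global 192.168.192.3 inside 172.29.141.253
nat server global 192.168.192.4 inside 172.29.141.254
nat server global 192.168.192.5 inside 172.29.141.66
nat server global 192.168.192.6 inside 172.29.141.67
nat server global 192.168.192.7 inside 172.29.141.12
nat server global 192.168.192.8 inside 172.29.141.13
nat server global 192.168.192.9 inside 172.29.141.14
nat server global 192.168.192.10 inside 172.29.141.15
nat server global 192.168.192.11 inside 172.29.141.16
nat server global 192.168.192.12 inside 172.29.141.17
nat server global 192.168.192.12 inside 172.29.141.18
nat server global 192.168.192.12 inside 172.29.141.19
"""
# Address and mask of Ethernet2/0/0 (link_to_jiankong) from the same configuration.
MONITOR_IF = ipaddress.ip_interface("192.168.192.1/255.255.255.224")

NAT_RE = re.compile(r"^#?\s*nat server global (\S+) inside (\S+)\s*$", re.I | re.M)

def parse_nat(config):
    """Return (global, inside) address pairs from 'nat server' lines."""
    return [(ipaddress.ip_address(g), ipaddress.ip_address(i))
            for g, i in NAT_RE.findall(config)]

def _dups(index):
    """Keep only the keys that map to more than one address."""
    return {str(k): [str(a) for a in v] for k, v in index.items() if len(v) > 1}

def audit(pairs, iface):
    """Report violations of the one-to-one mapping inside the interface subnet."""
    by_global, by_inside = defaultdict(list), defaultdict(list)
    for g, i in pairs:
        by_global[g].append(i)
        by_inside[i].append(g)
    return {
        "dup_global": _dups(by_global),
        "dup_inside": _dups(by_inside),
        "outside_subnet": [str(g) for g in by_global if g not in iface.network],
    }

if __name__ == "__main__":
    for check, result in audit(parse_nat(CONFIG), MONITOR_IF).items():
        print(f"{check}: {result or 'ok'}")
```

Run against the entries as listed, the check reports 192.168.192.12 mapped to 172.29.141.17, 172.29.141.18 and 172.29.141.19, so those three lines should be reconciled against the running configuration.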
# ip route-static 192.168.165.89 255.255.255.255 192.168.1.30 (# 192.168.192.30)
# snmp-agent community read Jun01
# snmp-agent target-host trap address udp-domain 192.168.165.89 params securityname Jun01
2. Settings on the layer 3 switches in the business area that connect to the public network: (the configurations of the two layer 3 switches are similar)
# ip route-static 192.168.165.89 255.255.255.255 172.29.141.14
172.29.141.14 is the VRRP virtual address of the two firewalls that connect the business area to the core area.
# snmp-agent community read Jun01
# snmp-agent target-host trap address udp-domain 192.168.165.89 params securityname Jun01
3. Settings on the core area switches that connect to the business area: (the configurations of the two core area switches are similar)
# ip route-static 192.168.165.89 255.255.255.255 172.29.141.19
172.29.141.19 is the VRRP virtual address of the two firewalls between the core area and the business area.
# snmp-agent community read Jun01
# snmp-agent target-host trap address udp-domain 192.168.165.89 params securityname Jun01
4. Soft routing settings on the server:
# yast (after entering yast, select the routing item)
Once the selections are complete, the soft route is configured.
5. Test:
# netstat -nr shows the new routes. Then test connectivity to the monitoring host with ping. Log in to the network devices and test with ping from there as well.
6. Install the monitoring system client, then test and debug the whole monitoring system.