防火墙的nat地址映射（防火墙NAT配置）

拓扑图

步骤一. 基本配置与IP编址

给路由器和防火墙配置地址，并配置静态路由，在交换机上配置VLAN。

<Huawei>system-view

Enter system view, return user view with Ctrl Z.

[Huawei]sysname R1

[R1]interface GigabitEthernet 0/0/1

[R1-GigabitEthernet0/0/1]ip address 1.1.1.1 24

[R1-GigabitEthernet0/0/1]interface loopback 0

[R1-LoopBack0]ip address 11.11.11.11 24

<Huawei>system-view

Enter system view, return user view with Ctrl Z.

[Huawei]sysname R2

[R2]interface GigabitEthernet0/0/1

[R2-GigabitEthernet0/0/1]ip address 10.0.20.2 24

[R2-GigabitEthernet0/0/1]interface loopback 0

[R2-LoopBack0]ip address 10.0.2.2 24

<Huawei>system-view

Enter system view, return user view with Ctrl Z.

[Huawei]sysname R3

[R3]interface GigabitEthernet0/0/1

[R3-GigabitEthernet0/0/1]ip address 10.0.20.3 24

[R3-GigabitEthernet0/0/1]interface loopback 0

[R3-LoopBack0]ip address 10.0.3.3 24

<Huawei>system-view

Enter system view, return user view with Ctrl Z.

[Huawei]sysname R4

[R4]interface GigabitEthernet 0/0/1

[R4-GigabitEthernet0/0/1]ip address 10.0.40.4 24

[R4-GigabitEthernet0/0/1]interface loopback 0

[R4-LoopBack0]ip address 10.0.4.4 24

防火墙默认会启用GigabitEthernet0/0/0接口的ip地址，为避免干扰，可以删除。

<USG6300>system-view

Enter system view, return user view with Ctrl Z.

[USG6300]sysname FW

[FW]int GigabitEthernet 0/0/0

[FW-GigabitEthernet0/0/0]undo ip address

[FW-GigabitEthernet0/0/0]interface GigabitEthernet 1/0/0

[FW-GigabitEthernet1/0/0]ip address 10.0.10.254 24

[FW-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1

[FW-GigabitEthernet1/0/1]ip address 10.0.20.254 24

[FW-GigabitEthernet1/0/1]interface GigabitEthernet 1/0/2

[FW-GigabitEthernet1/0/2]ip address 10.0.40.254 24

[FW-GigabitEthernet1/0/2]quit

交换机上需要按照需求定义VLAN。

[Quidway]sysname S1

[S1]vlan batch 11 to 13

[S1]interface GigabitEthernet 0/0/1

[S1-GigabitEthernet0/0/1]port link-type access

[S1-GigabitEthernet0/0/1]port default vlan 11

[S1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2

[S1-GigabitEthernet0/0/2]port link-type access

[S1-GigabitEthernet0/0/2]port default vlan 12

[S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3

[S1-GigabitEthernet0/0/3]port link-type access

[S1-GigabitEthernet0/0/3]port default vlan 12

[S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/4

[S1-GigabitEthernet0/0/3]port link-type access

[S1-GigabitEthernet0/0/3]port default vlan 13

[S1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/21

[S1-GigabitEthernet0/0/21]port link-type access

[S1-GigabitEthernet0/0/21]port default vlan 11

[S1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/22

[S1-GigabitEthernet0/0/22]port link-type access

[S1-GigabitEthernet0/0/22]port default vlan 12

[S1-GigabitEthernet0/0/22]interface GigabitEthernet 0/0/23

[S1-GigabitEthernet0/0/23]port link-type access

[S1-GigabitEthernet0/0/23]port default vlan 13

在R2、R3和R4上配置缺省路由，在FW上配置明确的静态路由，实现四个Loopback0接口连接的网段之间的互通。R1无需定义缺省路由，原因是其作为Internet设备，它不需要知道内部和DMZ区域的私有网络信息。

[R2]ip route-static 0.0.0.0 0 10.0.20.254

[R3]ip route-static 0.0.0.0 0 10.0.20.254

[R4]ip route-static 0.0.0.0 0 10.0.40.254

[FW]ip route-static 10.0.2.0 24 10.0.20.2

[FW]ip route-static 10.0.3.0 24 10.0.20.3

[FW]ip route-static 10.0.4.0 24 10.0.40.4

[FW]ip route-static 0.0.0.0 0 1.1.1.1

配置完成后检查防火墙路由信息。

步骤二. 将接口配置到安全区域

防火墙上默认有四个区域，分别是“local“、”trust“、”untrust“、”dmz“。实验中我们使用到“trust“、”untrust“和”dmz“三个区域，分别将对应接口加入各安全区域，由于默认配置将GE0/0/0加入了“trust”区域，为避免干扰，将其删除。

[FW]firewall zone dmz

[FW-zone-dmz]add interface GigabitEthernet 1/0/2

[FW-zone-dmz]firewall zone trust

[FW-zone-trust]add interface GigabitEthernet 1/0/1

[FW-zone-trust]undo add interface GigabitEthernet 0/0/0

[FW-zone-trust]fire zone untrust

[FW-zone-untrust]add interface GigabitEthernet 1/0/0

[FW-zone-untrust]quit

检查各接口的区域：

检查各区域的优先级：

可以看到三个接口已经被划分到相应的区域内，默认情况下不同区域间是不可互通的，因此此时路由器之间流量无法通过。

步骤三. 配置安全策略

如果防火墙域间没有配置安全策略，或查找安全策略时，所有的安全策略都没有命中，则默认执行域间的缺省包过滤动作（拒绝通过）。

配置从Trust区域的网段10.0.2.0和10.0.3.0发往Untrust区域的数据包被放行。从Untrust区域发往DMZ目标服务器10.0.4.4的Telnet和FTP请求被放行。

[FW]security-policy

[FW-policy-security]rule name policy_sec_1

[FW-policy-security-rule-policy_sec_1]source-zone trust

[FW-policy-security-rule-policy_sec_1]destiNATion-zone untrust

[FW-policy-security-rule-policy_sec_1]source-address 10.0.2.0 mask 255.255.255.0

[FW-policy-security-rule-policy_sec_1]source-address 10.0.3.0 mask 255.255.255.0

[FW-policy-security-rule-policy_sec_1]action permit

[FW-policy-security-rule-policy_sec_1]rule name policy_sec_2

[FW-policy-security-rule-policy_sec_2]source-zone untrust

[FW-policy-security-rule-policy_sec_2]destination-zone dmz

[FW-policy-security-rule-policy_sec_2]destination-address 10.0.4.4 mask 255.255.255.255

[FW-policy-security-rule-policy_sec_2]service FTP

[FW-policy-security-rule-policy_sec_2]service telnet

[FW-policy-security-rule-policy_sec_2]action permit

步骤四. 配置基于源的NAT

使用公网地址1.1.1.254转换源地址。

[FW]nat address-group group1

[FW-nat-address-group-group1]section 1.1.1.254 1.1.1.254

配置完成后，检查地址池状态。

配置源NAT策略。

[FW]nat-policy

[FW-policy-nat]rule name policy_nat_1

[FW-policy-nat-rule-policy_nat_1]source-zone trust

[FW-policy-nat-rule-policy_nat_1]destination-zone untrust

[FW-policy-nat-rule-policy_nat_1]source-address 10.0.2.2 24

[FW-policy-nat-rule-policy_nat_1]source-address 10.0.3.3 24

[FW-policy-nat-rule-policy_nat_1]action nat address-group group1

[FW-policy-nat-rule-policy_nat_1]

测试连通性：

注意，直接测试R2和R3与11.11.11.11之间的连通性，显示不通。使用扩展Ping，指定了发送数据包的源地址为10.0.2.2后，实现了连通性。

原因是，直接发送数据包到10.0.1.1时，数据包的源地址为10.0.20.2，该地址不属于NAT转换的客户端地址范围。

步骤五. 配置NAT Server和源NAT将服务器发布

配置NAT Server 对外服务地址1.1.1.254，telnet端口2323，ftp端口2121：

[FW]nat server policy_natserver_1 protocol tcp global 1.1.1.254 2323 inside 10.0.4.4 telnet no-reverse

[FW]nat server policy_natserver_2 protocol tcp global 1.1.1.254 2121 inside 10.0.4.4 ftp no-reverse

在R4上启用服务：

[R4]telnet server enable

[R4]ftp server enable

[R4-ui-vty0-4]authentication-mode aaa

[R4-ui-vty0-4]protocol inbound telnet

[R4-ui-vty0-4]quit

[R4]aaa

[R4-aaa]local-user test pass irreversible-cipher Admin@123

[R4-aaa]local-user test service telnet ftp

[R4-aaa]local-user test ftp-directory flash:/

[R4-aaa]local-user test privilege level 3

[R4-aaa]quit

FTP是多通道协议，NAT转换过程中需要配置NAT ALG功能。

在DMZ和Untrust域间配置NAT ALG，使服务器可以正常对外提供FTP服务。

[FW]firewall interzone dmz untrust

[FW-interzone-dmz-untrust]detect ftp

在R1上测试效果：

Untrust区域可以访问DMZ区域提供的Telnet和FTP服务。

最终设备配置

<S1>display current-configuration

!Software Version V200R008C00SPC500

#

sysname S1

#

vlan batch 11 to 13

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 11

#

interface GigabitEthernet0/0/2

port link-type access

port default vlan 12

#

interface GigabitEthernet0/0/3

port link-type access

port default vlan 12

#

interface GigabitEthernet0/0/4

port link-type access

port default vlan 13

#

interface GigabitEthernet0/0/21

port link-type access

port default vlan 11

#

interface GigabitEthernet0/0/22

port link-type access

port default vlan 12

#

interface GigabitEthernet0/0/23

port link-type access

port default vlan 13

#

return

<R1>display current-configuration

[V200R007C00SPC600]

#

sysname R1

#

interface GigabitEthernet0/0/1

ip address 1.1.1.1 255.255.255.0

#

interface LoopBack0

ip address 11.11.11.11 255.255.255.0

#

return

<R2>display current-configuration

[V200R007C00SPC600]

#

sysname R2

#

interface GigabitEthernet0/0/1

ip address 10.0.20.2 255.255.255.0

#

interface LoopBack0

ip address 10.0.2.2 255.255.255.0

#

ip route-static 0.0.0.0 0.0.0.0 10.0.20.254

#

return

<R3>display current-configuration

[V200R007C00SPC600]

#

sysname R3

#

interface GigabitEthernet0/0/1

ip address 10.0.20.3 255.255.255.0

#

interface LoopBack0

ip address 10.0.3.3 255.255.255.0 #

ip route-static 0.0.0.0 0.0.0.0 10.0.20.254

#

return

<R4>display current-configuration

[V200R007C00SPC600]

#

sysname R4

#

aaa

local-user test password irreversible-cipher Admin@123

local-user test privilege level 3

local-user test ftp-directory flash:/

local-user test service-type telnet ftp

#

interface GigabitEthernet0/0/1

ip address 10.0.40.4 255.255.255.0

#

interface LoopBack0

ip address 10.0.4.4 255.255.255.0

#

ftp server enable

#

telnet server enable

#

ip route-static 0.0.0.0 0.0.0.0 10.0.40.254

#

user-interface vty 0 4

authentication-mode aaa

protocol inbound telnet

#

return

<FW>display current-configuration

#

nat server policy_natserver_1 protocol tcp global 1.1.1.254 2323 inside 10.0.4.4 telnet no-reverse

nat server policy_natserver_2 protocol tcp global 1.1.1.254 2121 inside 10.0.4.4 ftp no-reverse

#

sysname FW

#

interface GigabitEthernet1/0/0

ip address 1.1.1.254 255.255.255.0

#

interface GigabitEthernet1/0/1

ip address 10.0.20.254 255.255.255.0

#

interface GigabitEthernet1/0/2

ip address 10.0.40.254 255.255.255.0

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet1/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

#

firewall zone dmz

set priority 50

add interface GigabitEthernet1/0/2

#

firewall interzone dmz untrust

detect ftp

#

ip route-static 0.0.0.0 0.0.0.0 1.1.1.1

ip route-static 10.0.2.0 255.255.255.0 10.0.20.2

ip route-static 10.0.3.0 255.255.255.0 10.0.20.3

ip route-static 10.0.4.0 255.255.255.0 10.0.40.4

#

nat address-group group1

section 0 1.1.1.254 1.1.1.254

#

security-policy

rule name policy_sec_1

source-zone trust

destination-zone untrust

source-address 10.0.2.0 mask 255.255.255.0

source-address 10.0.3.0 mask 255.255.255.0

action permit

rule name policy_sec_2

source-zone untrust

destination-zone dmz

destination-address 10.0.4.4 mask 255.255.255.255

service ftp

service telnet

action permit

#

nat-policy

rule name policy_nat_1

source-zone trust

destination-zone untrust

source-address 10.0.2.0 mask 255.255.255.0

source-address 10.0.3.0 mask 255.255.255.0

action nat address-group group1

#

return

,