Home > Operation and Maintenance > Safety > How to implement firewall NAT control analysis

How to implement firewall NAT control analysis

王林
Release: 2023-05-28 13:04:13
forward
1544 people have browsed it

one. NAT classification
NAT No-pat: Similar to Cisco's dynamic conversion, it only converts the source IP address and network address, but does not convert the port. It is a many-to-many conversion and cannot save public IP addresses, so it is less used
NAPT: (Network Address and Port Translation) is similar to Cisco's PAT conversion. NAPT converts the source address of the packet and also converts the source port.
Output interface address: (Easy-IP) The conversion method is simple and similar to NAPT The same, that is, converting the source address and source port, which is a many-to-one conversion
Smart NAT (intelligent conversion): NAPT conversion by reserving a public network address
Triple NAT: with source IP address, source A kind of conversion related to du port and protocol type
2, black hole routing
Loop and invalid ARP problems in the source address conversion scenario
How to implement firewall NAT control analysis
How to implement firewall NAT control analysis
Three, Server-map table
Solve FTP data transmission problems through Server-map table
How to implement firewall NAT control analysis
The session table records connection information, including connection status
How to implement firewall NAT control analysis
Application of Server-map in NAT
How to implement firewall NAT control analysis
How to implement firewall NAT control analysis
The forward entry carries port information, which is used to allow external users to access 202.96.1.10 directly through the Server -map table for target address translation
The reverse entry does not carry port information, and the target address is arbitrary. It is used to enable the server to access the Internet. The prerequisite is that it must be the TCP protocol.
Four, NAT reporting Processing flow of the article
How to implement firewall NAT control analysis
NAT configuration (three methods)
How to implement firewall NAT control analysis
(1)NAT No-pat
How to implement firewall NAT control analysis
Go one way Default route
Configure security policy
How to implement firewall NAT control analysis
Configure NAT address group. In the address group, the address corresponds to the public IP
How to implement firewall NAT control analysis
Configure NAT policy
How to implement firewall NAT control analysis
Configure black hole routing for the converted global address (address in the NAT address group)
How to implement firewall NAT control analysis
Verify the NAT configuration. Use PC1 to ping PC2 on the external network, and you can view the session table![] How to implement firewall NAT control analysis
The three red boxes represent the source address, converted address, and accessed address
You can also view the Server-map table
How to implement firewall NAT control analysis
How to implement firewall NAT control analysis

(2) NAPT configuration
Still as shown above, redo NAPT
Configure IP
How to implement firewall NAT control analysis
How to implement firewall NAT control analysis
Configure security policy
How to implement firewall NAT control analysis
Configure NAT address group, the address group corresponds to the public network IP
How to implement firewall NAT control analysis
Configure NAT policy
How to implement firewall NAT control analysis
Configure routing black hole
How to implement firewall NAT control analysis
Verification As a result, PC1 is used to ping the external network PC2
How to implement firewall NAT control analysis
How to implement firewall NAT control analysis
(3) The outbound interface address (Easy-IP) is to use the g0/0/1 interface of the R1 router to access PC2 (reconfigure )
Configure IP
How to implement firewall NAT control analysis
How to implement firewall NAT control analysis
Configure security policy
How to implement firewall NAT control analysis
Configure NAT policy
How to implement firewall NAT control analysis
Verification can be found, both It is the converted R1 router g0/0/1 interface IP to access
How to implement firewall NAT control analysis
Five, comprehensive case
requirements:

  1. The financial host passes no- pat accesses the internet (using 100.2.2.10-11)

  2. The academic department host accesses the internet through napt (using 100.2.2.12)

  3. Others in the company The department accesses the internet through g1/0/0

  4. Configure natserver to publish the server in dmz (using 100.2.2.9)
    How to implement firewall NAT control analysis
    1. The financial host accesses the internet through no-pat
    1. Configure network parameters and Route
    [USG6000V1] int g1/0/2
    [USG6000V1-GigabitEthernet1/0/2] ip add 192.168.1.1 24
    [USG6000V1-GigabitEthernet1/0/2] undo sh
    Info: Interface GigabitEthernet1/0/2 is not shutdown.
    [USG6000V1-GigabitEthernet1/0/2] quit
    [USG6000V1] int g1/0/0
    [USG6000V1-GigabitEthernet1/0/0] ip add 100.1 .1.2 30
    [USG6000V1-GigabitEthernet1/0/0] undo sh
    [USG6000V1-GigabitEthernet1/0/0] quit
    [USG6000V1] i proute-static 0.0.0.0 0.0.0.0 100.1.1.1
    2. Configure security policy
    [USG6000V1] firewall zone trust
    [USG6000V1-zone-trust] add int g1/0/2
    [USG6000V1-zone-trust] quit
    [USG6000V1] firewall zone untrust
    [USG6000V1-zone-untrust] add int g1/0/0
    [USG6000V1-zone-untrust] quit
    [USG6000V1] security-policy
    [USG6000V1-policy-security] rule name sec_1
    [USG6000V1-policy-security-rule-sec_1] source-address 192.168.1.0 24
    [USG6000V1-policy-security-rule-sec_1] destination-zone untrust
    [USG6000V1-policy- security-rule-sec_1] action permit
    3. Configure the nat address group. The addresses in the address pool correspond to the public network address
    [USG6000V1-policy-security] quit
    [USG6000V1] nat address-group natgroup
    [USG6000V1-address-group-natgroup] section 0 100.2.2.10 100.2.2.11
    [USG6000V1-address-group-natgroup] mode no-pat local
    [USG6000V1-address-group-natgroup]
    4. Configure nat policy
    [USG6000V1] nat-policy
    [USG6000V1-policy-nat] rule name natpolicy
    [USG6000V1-policy-nat-rule-natpolicy] source-address 192.168.1.0 24
    [USG6000V1-policy-nat-rule-natpolicy] destination-zone untrust
    [USG6000V1-policy-nat-rule-natpolicy] action nat address-group natgroup                                    
    [USG6000V1-policy-nat- rule -natpolicy] quit
    [USG6000V1-policy-nat] quit
    5. Configure blackhole routing for the translated global address
    [USG6000V1] ip route-static 100.2.2.10 32 null 0
    [USG6000V1 ] ip route-static 100.2.2.11 32 null 0
    6.Configure r1 (isp)
    sys
    Enter system view, return user view with Ctrl Z.
    [Huawei] sysname r1
    [r1] undo info ena
    [r1] int g0/0/0
    [r1-GigabitEthernet0/0/0] ip add 100.1.1.1 30
    [r1-GigabitEthernet0/0/ 0] int g0/0/1
    [r1-GigabitEthernet0/0/1] ip add 200.1.1.1 24
    [r1-GigabitEthernet0/0/1] undo sh
    [r1-GigabitEthernet0/0/ 1] quit
    [r1] ip route-static 100.2.2.8 29 100.1.1.2
    7. Test: access the internet server from the financial client
    How to implement firewall NAT control analysis
    2. Academic Department The host accesses the internet through napt (using 100.2.2.12)
    1. Configure network parameters
    [USG6000V1] int g1/0/3
    [USG6000V1-GigabitEthernet1/0/3] ip add 192.168. 2.1 24
    [USG6000V1-GigabitEthernet1/0/3] quit
    [USG6000V1] firewall zone trust
    [USG6000V1-zone-trust] add int g1/0/3
    [USG6000V1-zone-trust ]q uit
    2. Configure security policy
    [USG6000V1] security-policy
    [USG6000V1-policy-security-rule-sec_2] source-address 192.168.2.0 24
    [USG6000V1-policy-security -rule-sec_2] destination-zone untrust
    [USG6000V1-policy-security-rule-sec_2] action permit
    [USG6000V1-policy-security-rule-sec_2] quit
    3. Configure nat address group
    [USG6000V1] nat address-group natgroup_2.0
    [USG6000V1-address-group-natgroup_2.0] section 0 100.2.2.12 100.2.2.12
    [USG6000V1-address-group-natgroup_2.0] mode pat
    [USG6000V1-address-group-natgroup_2.0] quit
    4. Configure nat policy
    [USG6000V1] nat-policy
    [USG6000V1-policy-nat] rule name natpolicy_2.0
    [USG6000V1-policy-nat-rule-natpolicy_2.0] source-address 192.168.2.0 24
    [USG6000V1-policy-nat-rule-natpolicy_2.0] destination-zone untrust
    [USG6000V1-policy-nat- rule-natpolicy_2.0] action nat address-group natgroup_2.0
    [USG6000V1-policy-nat-rule-natpolicy_2.0] quit
    [USG6000V1-policy-nat] quit
    5. After conversion Global address, configure black hole routing
    [USG6000V1] ip route-static 100.2.2.12 32 null 0
    6. Verify nat configuration
    .How to implement firewall NAT control analysis
    3. Outbound interface address ( easy-ip) enables other departments of the company to access the internet through g1/0/0

    1. Configure network parameters
    [USG6000V1] int g1/0/4
    [USG6000V1-GigabitEthernet1/ 0/4] ip add 192.168.3.1 24
    [USG6000V1-GigabitEthernet1/0/4] quit
    [USG6000V1] firewall zone trust
    [USG6000V1-zone-trust] add int g1/0/4
    [USG6000V1-zone-trust]
    2. Configure security policy
    [USG6000V1] security-policy
    [USG6000V1-policy-security] rule name sec_3
    [USG6000V1-policy-security-rule-sec_3] source-address 192.168.3.0 24
    [USG6000V1-policy-security-rule-sec_3] destination-zone untrust
    [USG6000V1-policy-security-rule-sec_3] action permit
    [USG6000V1-policy-security-rule-sec_3] quit
    [USG6000V1-policy-security] quit
    3. Configure nat policy
    [USG6000V1] nat-policy
    [USG6000V1 -policy-nat] rule name natpolicy_3.0
    [USG6000V1-policy-nat-rule-natpolicy_3.0] source-address 192.168.3.0 24
    [USG6000V1-policy-nat-rule-natpolicy_3.0] destination -zone untrust
    [USG6000V1-policy-nat-rule-natpolicy_3.0] action nat easy-ip
    [USG6000V1-policy-nat-rule-natpolicy_3.0] quit
    [USG6000V1-policy-nat ] quit
    4. Verify easy-ip
    1) Ping test
    How to implement firewall NAT control analysis
    4. Configure natserver to publish the server in dmz (use 100.2.2.9)
    1. Configure network parameters
    [USG6000V1-GigabitEthernet1/0/0] int g1/0/1
    [USG6000V1-GigabitEthernet1/0/1] ip add 192.168.0.1 24
    [USG6000V1-GigabitEthernet1/ 0/1] quit
    [USG6000V1] firewall zone dmz
    [USG6000V1-zone-dmz] add int g1/0/1
    [USG6000V1-zone-dmz] quit
    2. Configure security policy
    [USG6000V1] security-policy
    [USG6000V1-policy-security] rule name sec_4
    [USG6000V1-policy-security-rule-sec_4] source-zone untrust
    [USG6000V1-policy-security- rule-sec_4] destination-address 192.168.0.0 24
    [USG6000V1-policy-security-rule-sec_4] action permit
    [USG6000V1-policy-security] quit
    3. Configure ftp application layer detection (this The step can be omitted, it is enabled by default)
    [USG6000V1] firewall inter trust untrust
    [USG6000V1-interzone-trust-untrust] detect ftp
    [USG6000V1-interzone-trust-untrust] quit
    4. Configure nat server
    [USG6000V1] nat server natserver global 100.2.2.9 inside 192.168.0.2
    5. Configure black hole routing
    [USG6000V1] ip route-static 100.2.2.9 32 null 0
    6. Verify
    1) Access the server in dmz on the internet host
    How to implement firewall NAT control analysis

The above is the detailed content of How to implement firewall NAT control analysis. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template