Huawei USG: private-network users accessing the Internet via Easy IP

Attached configuration exports:
fw1_2023.02.09.09时41分45秒.txt
sw1_2023.02.09.09时59分06秒.txt
sw2_2023.02.09.09时58分50秒.txt

A company has deployed an FW as the security gateway at its network border. The company applied to its ISP for only one public IP address, which is used on the FW's public-facing interface to interconnect with the ISP's sw2. To let users in the private 192.168.1.0/24 subnet reach the Internet normally, a source NAT policy in outbound-interface-address mode must be configured on the FW, so that private users directly borrow the IP address of the FW's public interface to access the Internet.

(1) Topology diagram


(2) Basic configuration

sw1:
interface Vlanif1
 ip address 192.168.1.100 255.255.255.0
interface GE1/0/0
 undo shutdown
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254

sw2:
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 192.168.2.100 255.255.255.0
#

fw:
aaa
  manager-user admin
  password cipher @%@%dh[dSye2Y1ZNa`W|"kn*I8Pe#|sy/^'(J.[z3\V8z\D58PhI@%@%
  service-type web terminal telnet
  level 15
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 10.12.3.3 255.255.0.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.254 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit               
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.2.254 255.255.255.0
 service-manage ping permit
#

firewall zone local
 set priority 100
#                                         
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
#
security-policy
 default action permit

Test: at this point sw1 cannot ping sw2. sw2 only has its directly connected 192.168.2.0/24 subnet and no route back to 192.168.1.0/24, so its echo replies have nowhere to go.

<sw1>ping 192.168.2.100
  PING 192.168.2.100: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 192.168.2.100 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
<sw1>

(3) Easy IP configuration

fw:

nat-policy
 rule name policy_easyip-nat
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat easy-ip

When configuring a source NAT policy in outbound-interface-address mode, only the easy-ip parameter needs to be set; the FW looks up the routing table and automatically finds the address of the corresponding outbound interface.
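To make the behaviour concrete, here is an added Python model of this lab. It is illustration code written for this page, not Huawei code and not the author's configuration. It reproduces three things the text relies on: the route lookup that picks the egress interface whose address Easy IP borrows, the zone/subnet match of the policy_easyip-nat rule, and a session table that reverse-translates replies and ages out idle entries. The interface and zone tables are taken from the configuration shown above; the 20-second idle timeout, the port allocation starting at 1024, and the dict representation of the rule are assumptions for the model, not USG values.

```python
import ipaddress

# Constructed from the page's lab: FW interfaces as (address, connected prefix, zone).
FW_INTERFACES = {
    "GigabitEthernet1/0/0": ("192.168.1.254", "192.168.1.0/24", "trust"),
    "GigabitEthernet1/0/1": ("192.168.2.254", "192.168.2.0/24", "untrust"),
}
# sw2 (the ISP side) only has its connected subnet: no route back to 192.168.1.0/24.
SW2_ROUTES = ["192.168.2.0/24"]
SESSION_IDLE_TIMEOUT = 20.0  # seconds; assumed lab value, real USG aging times differ

# The page's NAT rule as a plain dict (hypothetical representation, not VRP syntax).
EASY_IP_POLICY = [{
    "name": "policy_easyip-nat",
    "source-zone": "trust",
    "destination-zone": "untrust",
    "source-address": ipaddress.ip_network("192.168.1.0/24"),
    "action": "source-nat easy-ip",
}]


def fw_interface_for(addr):
    """Longest-prefix match over the FW's connected prefixes: the interface that
    reaches `addr` (egress for a destination, ingress for a source), or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for name, (_ip, prefix, _zone) in FW_INTERFACES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else None


def zone_of(interface):
    return FW_INTERFACES[interface][2] if interface else None


class EasyIpFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.hits = {rule["name"]: 0 for rule in policy}
        self.sessions = {}  # (proto, src, sport, dst, dport) -> nat_src, nat_port, last_seen
        self.next_port = 1024

    def forward(self, proto, src, sport, dst, dport, now):
        """Outbound packet. Returns (egress interface, source, port) as seen on the
        wire after NAT, or None when there is no route to the destination."""
        in_if, out_if = fw_interface_for(src), fw_interface_for(dst)
        if out_if is None:
            return None
        for rule in self.policy:
            if (zone_of(in_if) == rule["source-zone"]
                    and zone_of(out_if) == rule["destination-zone"]
                    and ipaddress.ip_address(src) in rule["source-address"]
                    and rule["action"] == "source-nat easy-ip"):
                key = (proto, src, sport, dst, dport)
                sess = self.sessions.get(key)
                if sess is None:
                    # Easy IP: no address pool, borrow the egress interface's own address.
                    # HITS counts new sessions, not packets (the page shows 1 hit for 5 pings).
                    sess = {"nat_src": FW_INTERFACES[out_if][0], "nat_port": self.next_port}
                    self.next_port += 1
                    self.sessions[key] = sess
                    self.hits[rule["name"]] += 1
                sess["last_seen"] = now
                return out_if, sess["nat_src"], sess["nat_port"]
        return out_if, src, sport  # no rule matched: forwarded untranslated

    def reply(self, proto, src, sport, dst, dport, now):
        """Inbound packet from untrust: reverse-translate via the session table.
        Returns the private (addr, port), or None when no session exists (dropped)."""
        self.age(now)
        for (k_proto, k_src, k_sport, k_dst, k_dport), sess in self.sessions.items():
            if (k_proto == proto and k_dst == src and k_dport == sport
                    and sess["nat_src"] == dst and sess["nat_port"] == dport):
                sess["last_seen"] = now
                return k_src, k_sport
        return None

    def age(self, now):
        # Idle sessions disappear: that is why the session table only shows entries
        # while a continuous ping keeps refreshing them.
        for key in [k for k, s in self.sessions.items() if now - s["last_seen"] > SESSION_IDLE_TIMEOUT]:
            del self.sessions[key]

    def session_table(self, now):
        self.age(now)
        return sorted((k[0], (k[1], k[2]), (s["nat_src"], s["nat_port"]), (k[3], k[4]))
                      for k, s in self.sessions.items())


def sw2_can_reply_to(addr):
    """sw2 only knows its connected subnet; a reply to any other address is unroutable."""
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(p) for p in SW2_ROUTES)


def ping(fw, count, start=0.0):
    """sw1 (192.168.1.100) pings sw2 (192.168.2.100) `count` times, one second apart;
    returns how many echo replies make it back to sw1."""
    received = 0
    for i in range(count):
        now = start + i
        out = fw.forward("icmp", "192.168.1.100", 0x1234, "192.168.2.100", 0, now)
        if out is None:
            continue
        _egress, wire_src, wire_port = out
        if not sw2_can_reply_to(wire_src):
            continue  # "Request time out": sw2 has no route back to the private source
        # sw2 echoes to whatever source address it saw on the wire
        if fw.reply("icmp", "192.168.2.100", 0, wire_src, wire_port, now + 0.01) == ("192.168.1.100", 0x1234):
            received += 1
    return received


if __name__ == "__main__":
    print("before NAT:", ping(EasyIpFirewall([]), 5), "of 5 replies")
    fw = EasyIpFirewall(EASY_IP_POLICY)
    print("with Easy IP:", ping(fw, 5), "of 5 replies; hits:", fw.hits)
    print("session table right after:", fw.session_table(5.0))
    print("session table 60 s later:", fw.session_table(65.0))
```

Run as-is, the model gives 0 of 5 replies without the rule and 5 of 5 with it, one hit on policy_easyip-nat for the whole ping (sessions, not packets, are counted, matching the HITS column below), and an empty session table once the traffic has stopped for longer than the idle timeout.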


<USG6000V2>display nat-policy rule all
2023-02-09 01:55:33.120  
Total:2
RULE ID  RULE NAME                         STATE      ACTION       HITS        
-------------------------------------------------------------------------------
1        policy_easyip-nat                 enable     src-nat      1           
0        default                           enable     no-nat       0           
-------------------------------------------------------------------------------
<USG6000V2>

<USG6000V2>display nat-policy rule name policy_easyip-nat
2023-02-09 01:56:09.550
 (1 times matched)
 rule name policy_easyip-nat
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat easy-ip
<USG6000V2>

Test: sw1 can now ping sw2.

<sw1>ping 192.168.2.100
  PING 192.168.2.100: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.100: bytes=56 Sequence=1 ttl=254 time=118 ms
    Reply from 192.168.2.100: bytes=56 Sequence=2 ttl=254 time=6 ms
    Reply from 192.168.2.100: bytes=56 Sequence=3 ttl=254 time=7 ms
    Reply from 192.168.2.100: bytes=56 Sequence=4 ttl=254 time=6 ms
    Reply from 192.168.2.100: bytes=56 Sequence=5 ttl=254 time=6 ms
  --- 192.168.2.100 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 6/28/118 ms


display firewall session table  (note: run a continuous ping so the session stays alive; only then does it appear in the display output)



Question: what about configuring Easy IP from the web UI? Answer: it is the same.





Reprints must credit the source: www.zh-cjh.com (珠海陈坚浩博客) » Huawei USG: private-network users accessing the Internet via Easy IP

Author: cjh

