华为USG：私网用户通过NAT No-PAT访问Internet(访问明确的目的Server)

华为USG：私网用户通过NAT No-PAT访问Internet(访问明确的目的Server)

（1）需求

组网需求
某工作室在网络边界处部署了FW作为安全网关。为了使私网中192.168.1.0/24网段的用户可以正常访问Internet，需要在FW上配置源NAT策略。由于需要上网的用户少且访问明确的目的Server，FW采用NAT No-PAT的地址转换方式，将匹配上NAT策略的私网地址进行一对一转换。工作室向ISP申请了6个IP地址（192.168.2.10～192.168.2.15）作为私网地址转换后的公网地址。网络环境如图所示，其中sw2是ISP提供的接入网关。

（2）拓扑图

（3）基本配置

sw1:
interface Vlanif1
 ip address 192.168.1.100 255.255.255.0
interface GE1/0/0
 undo shutdown
ip route-static 0.0.0.0 0.0.0.0 192.168.1.254

sw2:

interface GE1/0/0

 undo portswitch

 undo shutdown

 ip address 192.168.2.100 255.255.255.0

 ip address 192.168.2.101 255.255.255.0 sub

#

fw:
aaa
  manager-user admin
  password cipher @%@%dh[dSye2Y1ZNa`W|"kn*I8Pe#|sy/^'(J.[z3\V8z\D58PhI@%@%
  service-type web terminal telnet
  level 15
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 10.12.3.3 255.255.0.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.254 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit               
 service-manage telnet permit
 service-manage netconf permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.2.10 255.255.255.0
 service-manage ping permit
#

firewall zone local
 set priority 100
#                                         
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
#
security-policy
 default action permit

测试：目前sw1是ping不通sw2的192.168.2.101

<sw1>ping 192.168.2.101
  PING 192.168.2.101: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 192.168.2.101 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss<sw1>

（3）配置NAT

配置NAT地址池，不开启端口转换。
nat address-group addressgroup1 0
 mode no-pat global
 route enable
 section 0 192.168.2.10 192.168.2.15

配置源NAT策略1，实现私网指定网段访问目的Server时自动进行源地址转换。
nat-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.101 mask 255.255.255.255
  action source-nat address-group addressgroup1
配置源NAT策略2，实现私网指定网段访问非目的Server时不进行源地址转换。
nat-policy
 rule name policy2
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action no-nat

在FW上配置缺省路由，使私网流量可以正常转发至ISP的路由器。
ip route-static 0.0.0.0 0.0.0.0 192.168.2.101
测试:可以看到，源ip进行了转换，但是源端口没有转换。
<sw1>ping -c 40 192.168.2.101
  PING 192.168.2.101: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.101: bytes=56 Sequence=1 ttl=254 time=87 ms
    Reply from 192.168.2.101: bytes=56 Sequence=2 ttl=254 time=8 ms
    Reply from 192.168.2.101: bytes=56 Sequence=3 ttl=254 time=7 ms
    Reply from 192.168.2.101: bytes=56 Sequence=4 ttl=254 time=8 ms
    Reply from 192.168.2.101: bytes=56 Sequence=5 ttl=254 time=8 ms

[USG6000V2]display firewall session table
2023-02-09 04:23:18.730
 Current Total Sessions : 10
 tcp  VPN: default --> default  10.12.18.99:4853 --> 10.12.3.3:8443
 tcp  VPN: default --> default  10.12.18.99:14576 --> 10.12.3.3:8443
 tcp  VPN: public --> public  192.168.2.10:58201 --> 192.168.0.1:1024
 tcp  VPN: default --> default  10.12.18.99:14578 --> 10.12.3.3:8443
 NetBios  VPN: default --> default  10.12.160.10:137 --> 10.12.255.255:137
 tcp  VPN: default --> default  10.12.18.99:14579 --> 10.12.3.3:8443
 tcp  VPN: default --> default  10.12.18.99:14577 --> 10.12.3.3:8443
 icmp  VPN: public --> public  192.168.1.100:9216[192.168.2.10:9216] --> 192.168.2.101:2048
 SMB  VPN: default --> default  10.12.160.10:138 --> 10.12.255.255:138
 tcp  VPN: default --> default  10.12.18.99:14575 --> 10.12.3.3:8443
<USG6000V2>