Huawei USG: private-network users accessing the Internet through NAPT in a Layer 2 environment (the ping fails because the ISP side sends no reply, but a transparent firewall can still perform NAT)
(1) Networking requirements
As shown in the figure, to avoid changing the existing network topology, the FW is deployed in transparent mode, with both the upstream and downstream service interfaces working in Layer 2 mode.
To let users in the private 192.168.1.0/24 segment access the Internet normally, a source NAT policy must be configured on the FW. In addition to the public IP address of the egress gateway's public interface, the company has obtained six IP addresses from the ISP (100.100.100.100~100.100.100.105) to serve as the public addresses that private addresses are translated to.
(2) Topology diagram
(3) Configuration
sw1:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 192.168.2.254 255.255.255.0
interface LoopBack1
ip address 192.168.1.254 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.2.1
sw2:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 192.168.2.1 255.255.255.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 100.100.100.200 255.255.255.0
sw3:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 100.100.100.254 255.255.255.0
fw:
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 10.12.3.3 255.255.0.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/0
portswitch
undo shutdown
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port link-type access
port default vlan 10
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
security-policy
default action permit
Test:
<sw1>ping 100.100.100.254
PING 100.100.100.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
(4.1) Configure the NAT address pool, enabling port address translation (PAT) so that the public addresses can be reused.
nat address-group addressgroup1 0
mode pat
route enable
section 0 100.100.100.100 100.100.100.105
(4.2) Configure the source NAT policy so that source address translation is performed automatically when the specified private-network segment accesses the Internet.
nat-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addressgroup1
(4.3) On the aggregation switch, configure black-hole routes to the NAT address pool addresses (100.100.100.100~100.100.100.105).
sw1:
ip route-static 100.100.100.100 255.255.255.255 NULL0
ip route-static 100.100.100.101 255.255.255.255 NULL0
ip route-static 100.100.100.102 255.255.255.255 NULL0
ip route-static 100.100.100.103 255.255.255.255 NULL0
ip route-static 100.100.100.104 255.255.255.255 NULL0
ip route-static 100.100.100.105 255.255.255.255 NULL0
sw3:
ip route-static 100.100.100.100 255.255.255.255 100.100.100.200
ip route-static 100.100.100.101 255.255.255.255 100.100.100.200
ip route-static 100.100.100.102 255.255.255.255 100.100.100.200
ip route-static 100.100.100.103 255.255.255.255 100.100.100.200
ip route-static 100.100.100.104 255.255.255.255 100.100.100.200
ip route-static 100.100.100.105 255.255.255.255 100.100.100.200
Test:
[sw1]ping -a 192.168.1.254 100.100.100.254
PING 100.100.100.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 100.100.100.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[sw1]
The ping fails. The reason is that sw3 sends no reply packet; the session table shows that the fw has already performed NAT, and a capture on sw3 also shows the ping traffic:
[USG6000V2]display firewall session table
2023-02-10 03:16:49.340
Current Total Sessions : 4
icmp VPN: public --> public Vlan: 10 192.168.1.254:17408[100.100.100.105:2050] --> 100.100.100.254:2048
SMB VPN: default --> default 10.12.12.217:138 --> 10.12.255.255:138
tcp VPN: default --> default 10.12.18.99:17377 --> 10.12.3.3:8443
NetBios VPN: default --> default 10.12.12.150:137 --> 10.12.255.255:137
[USG6000V2]
Packet capture on sw3's interface g1/0/0: the requests arrive, but there is no reply, because sw3 sends an ARP query for 100.100.100.105 and gets no answer.
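To confirm from the session table that policy1 really translated the private source into the pool configured in (4.1) and (4.2), here is an added Python check; it is not part of the original post. The sample session table is the output shown above, copied inline, and the pool range and private subnet are taken from the configuration in this post.

```python
import ipaddress
import re

# Constructed sample input: the session table shown in this post, copied inline.
SESSION_TABLE = """\
Current Total Sessions : 4
icmp VPN: public --> public Vlan: 10 192.168.1.254:17408[100.100.100.105:2050] --> 100.100.100.254:2048
SMB VPN: default --> default 10.12.12.217:138 --> 10.12.255.255:138
tcp VPN: default --> default 10.12.18.99:17377 --> 10.12.3.3:8443
NetBios VPN: default --> default 10.12.12.150:137 --> 10.12.255.255:137
"""

# Taken from the nat address-group / nat-policy configured in this post.
NAT_POOL = ("100.100.100.100", "100.100.100.105")   # section 0 of addressgroup1
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")  # source-address of policy1

# One session line: proto, VPN pair, optional VLAN, source[translated source], destination.
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)"
    r"(?:\s+Vlan:\s*(?P<vlan>\d+))?"
    r"\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"
    r"\s+-->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

def parse_sessions(text):
    """Return one dict per session line; header and prompt lines are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := SESSION_RE.match(line.strip()))]

def in_pool(ip, pool=NAT_POOL):
    """True if ip falls inside the inclusive pool section."""
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    return lo <= ipaddress.ip_address(ip) <= hi

def check_source_nat(sessions, private_net=PRIVATE_NET, pool=NAT_POOL):
    """Return (ok, problems): private-network sessions must be translated into the pool."""
    problems = []
    for s in sessions:
        if ipaddress.ip_address(s["src_ip"]) not in private_net:
            continue  # management/other traffic, not matched by policy1
        if s["nat_ip"] is None:
            problems.append(f"{s['src_ip']} -> {s['dst_ip']}: no source NAT applied")
        elif not in_pool(s["nat_ip"], pool):
            problems.append(f"{s['src_ip']} translated to {s['nat_ip']}: outside pool")
    return not problems, problems

if __name__ == "__main__":
    ok, problems = check_source_nat(parse_sessions(SESSION_TABLE))
    print("NAT OK" if ok else "\n".join(problems))
```

The check only confirms the outbound translation; the missing reply in this experiment is a return-path problem on sw3, which the session table cannot show.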
For the reason the ping fails in this experiment, see:
Using a static route to override the route for a single IP address inside a directly connected route (1. If the static route's destination address and next-hop address are in the same network segment, the route does not take effect. 2. A static route can also take precedence over a directly connected route.)
http://www.zh-cjh.com/luyoujiaohuan/3661.html