Lab topology
Lab preparation
PCs
PC1
PC2 (not used for the address translation; included only to pad out the simulated internal network)
PC3
Switch
<Huawei>undo ter mo
Info: Current terminal monitor is off.
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy sw1
[sw1]int g0/0/1
[sw1]vlan batch 10 20 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[sw1]int g0/0/1
[sw1-GigabitEthernet0/0/1]p l a //port link-type access: the port is directly connected to a host
[sw1-GigabitEthernet0/0/1]p d v 10 //port default vlan 10: assign this port to VLAN 10
[sw1-GigabitEthernet0/0/1]
[sw1-GigabitEthernet0/0/1]int g0/0/2
[sw1-GigabitEthernet0/0/2]p l a
[sw1-GigabitEthernet0/0/2]p d v 20
[sw1-GigabitEthernet0/0/2]
[sw1-GigabitEthernet0/0/2]int g0/0/3
[sw1-GigabitEthernet0/0/3]p l a
[sw1-GigabitEthernet0/0/3]p d v 10
[sw1-GigabitEthernet0/0/3]
[sw1-GigabitEthernet0/0/3]q
[sw1]int Vlanif10 //create the logical interface Vlanif10
[sw1-Vlanif10]ip addr 192.168.1.10 24 //set the IP address
[sw1-Vlanif10]
[sw1-Vlanif10]int Vlanif20 //Vlanif20
[sw1-Vlanif20]ip addr 192.168.2.100 24
[sw1-Vlanif20]
[sw1-Vlanif20]int Vlanif10
[sw1-Vlanif10]ip addr 192.168.1.100 24
[sw1]int Vlanif100 //Vlanif100
[sw1-Vlanif100]ip addr 192.168.100.1 24
[sw1-Vlanif100]
[sw1-Vlanif100]q
[sw1]ospf 1
[sw1-ospf-1]silent-int
[sw1-ospf-1]silent-interface g0/0/1 //passive interface: routing-protocol updates are not sent out of this interface, but updates can still be received
[sw1-ospf-1]sil
[sw1-ospf-1]silent-interface g0/0/2
[sw1-ospf-1]
[sw1-ospf-1]area 0
[sw1-ospf-1-area-0.0.0.0]network 0.0.0.0 0.0.0.0 //advertise the directly connected networks
Firewall
<USG6000V1>undo ter mo
Info: Current terminal monitor is off.
<USG6000V1>sy
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sy fw1
[fw1]int g1/0/1
[fw1-GigabitEthernet1/0/1]ip addr 192.168.100.11 24 //set the interface IP address
[fw1-GigabitEthernet1/0/1]
[fw1-GigabitEthernet1/0/1]int g1/0/0
[fw1-GigabitEthernet1/0/0]ip addr 202.1.1.11 24
[fw1-GigabitEthernet1/0/0]
[fw1-GigabitEthernet1/0/0]q
[fw1]firewall zone trust //enter the trust zone
[fw1-zone-trust]add int g1/0/1 //add the interface to the trust zone
[fw1-zone-trust]firewall zone untrust //enter the untrust zone
[fw1-zone-untrust]add int g1/0/0 //add the interface to the untrust zone
[fw1-zone-untrust]q
[fw1]sec
[fw1]security-policy //configure the security policy
[fw1-policy-security]rule name trust2untrust
[fw1-policy-security-rule-trust2untrust]source-zone trust //the source zone is trust
[fw1-policy-security-rule-trust2untrust]destination-zone untrust //the destination zone is untrust
[fw1-policy-security-rule-trust2untrust]action permit //action permit: allow matching traffic
[fw1-policy-security-rule-trust2untrust]dis th //display the current rule
2020-07-30 05:26:15.590
#
rule name trust2untrust
source-zone trust
destination-zone untrust
action permit
#
return
[fw1-policy-security-rule-trust2untrust]
[fw1-policy-security-rule-trust2untrust]q
[fw1-policy-security]q
[fw1]
[fw1]ip routr-s
[fw1]ip route-s
[fw1]ip route-static 0.0.0.0 0.0.0.0 202.1.1.1 //configure the default route
[fw1]
[fw1]ospf 1
[fw1-ospf-1]default-route-a
[fw1-ospf-1]default-route-advertise //advertise the default route to OSPF neighbors
[fw1-ospf-1]
[fw1-ospf-1]area 0
[fw1-ospf-1-area-0.0.0.0]network 192.168.100.11 0.0.0.255 //only the g1/0/1 interface needs to be advertised
[fw1-ospf-1-area-0.0.0.0]
Router (simulating the public network)
No routes are configured
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy r1
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip addr 202.1.1.1 24
[r1-GigabitEthernet0/0/0]
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]ip addr 100.1.1.100 24
[r1-GigabitEthernet0/0/1]
NAT address translation
Before address translation is configured, PC1 cannot ping PC3, because AR1 has no route back to PC1 (so the reply packets cannot be delivered).
Configure the address translation rule on the firewall
[fw1]
[fw1]nat address-group 1 //create address pool 1
[fw1-address-group-1]dis th
2020-07-30 05:52:40.330
#
nat address-group 1 0
mode pat
#
return
[fw1-address-group-1]mode no-pat global //no port translation (no-pat)
[fw1-address-group-1]section 202.1.1.10 202.1.1.15 //address pool range (a-b); with a single address, write just that one address
[fw1-address-group-1]
[fw1-address-group-1]dis th
2020-07-30 05:54:29.870
#
nat address-group 1 0
mode no-pat global
section 0 202.1.1.10 202.1.1.15
#
return
[fw1-address-group-1]
[fw1-address-group-1]q
[fw1]
[fw1]
[fw1]
[fw1]nat-p
[fw1]nat-policy //configure the NAT policy
[fw1-policy-nat]
[fw1-policy-nat]rule name nat
[fw1-policy-nat-rule-nat]
[fw1-policy-nat-rule-nat]source-zone trust
[fw1-policy-nat-rule-nat]destination-zone untrust
[fw1-policy-nat-rule-nat]
[fw1-policy-nat-rule-nat]source-address 192.168.1.0 24 //match this source network
[fw1-policy-nat-rule-nat]
[fw1-policy-nat-rule-nat]action source-nat address-group 1 //action: translate the source address to an address from pool 1
Info: The current source conversion address pool type is no-pat, and if some businesses of the same user do not need to do NAT, please create a new rule with NAT type No-nat, otherwise the user's business will be NAT.
[fw1-policy-nat-rule-nat]q
[fw1-policy-nat]q
[fw1]
After the configuration is complete, ping PC3 from PC1
Now view the address translations on the firewall
[fw1]dis firewall session table
2020-07-30 06:39:39.440
Current Total Sessions : 18
icmp VPN: public --> public 192.168.1.1:8299[202.1.1.10:8299] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:12139[202.1.1.10:12139] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:10347[202.1.1.10:10347] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:9579[202.1.1.10:9579] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:9067[202.1.1.10:9067] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:10603[202.1.1.10:10603] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:7787[202.1.1.10:7787] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:8555[202.1.1.10:8555] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:7531[202.1.1.10:7531] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:11371[202.1.1.10:11371] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:10091[202.1.1.10:10091] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:9323[202.1.1.10:9323] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:9835[202.1.1.10:9835] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:11115[202.1.1.10:11115] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:8811[202.1.1.10:8811] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:11627[202.1.1.10:11627] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:11883[202.1.1.10:11883] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:8043[202.1.1.10:8043] --> 100.1.1.1:2048
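The session table is the place to confirm that the NAT policy does what was configured: every entry should come from the rule's source network 192.168.1.0/24, the translated address in square brackets should lie inside address-group 1 (202.1.1.10 to 202.1.1.15), and because the pool is in `no-pat` mode the ICMP identifier (shown in the port position) must be unchanged after translation, which is exactly what the output above shows: the same port number on both sides of the bracket and a single public address, 202.1.1.10, for every session from 192.168.1.1. The Python block below is an added example, not code from the original post; it parses lines in the format of the page's `display firewall session table` output (a few of those lines are embedded, trimmed from the 18 on the page) and checks each session against the configured policy. The final line marked as constructed shows what a port-rewriting (PAT-style) entry would look like and how the check flags it.

```python
import ipaddress
import re
from dataclasses import dataclass

# One session line in the format printed by 'display firewall session table' on the page:
#   icmp VPN: public --> public 192.168.1.1:8299[202.1.1.10:8299] --> 100.1.1.1:2048
# For ICMP the "port" field carries the ICMP identifier.
SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:\s*(?P<src_vpn>\S+)\s*-->\s*(?P<dst_vpn>\S+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\]\s*-->\s*"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


@dataclass
class Session:
    proto: str
    src_ip: str
    src_port: int
    nat_ip: str
    nat_port: int
    dst_ip: str
    dst_port: int


def parse_session_table(text: str) -> list:
    """Parse session lines; header/timestamp lines that do not match are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(Session(
                m["proto"], m["src_ip"], int(m["src_port"]),
                m["nat_ip"], int(m["nat_port"]),
                m["dst_ip"], int(m["dst_port"]),
            ))
    return sessions


# NAT rule and address pool as configured on the page.
NAT_SOURCE_NET = ipaddress.ip_network("192.168.1.0/24")
POOL_START = ipaddress.ip_address("202.1.1.10")
POOL_END = ipaddress.ip_address("202.1.1.15")


def check_session(s: Session, no_pat: bool = True) -> list:
    """Return findings for one session; an empty list means it matches the policy."""
    findings = []
    if ipaddress.ip_address(s.src_ip) not in NAT_SOURCE_NET:
        findings.append("source %s is outside the rule's source-address" % s.src_ip)
    if not (POOL_START <= ipaddress.ip_address(s.nat_ip) <= POOL_END):
        findings.append("translated address %s is outside address-group 1" % s.nat_ip)
    if no_pat and s.src_port != s.nat_port:
        findings.append("port/identifier changed %d -> %d although the pool mode is no-pat"
                        % (s.src_port, s.nat_port))
    return findings


def nat_consistency(text: str) -> dict:
    """Summarise a session table: count, public addresses in use, and all findings."""
    sessions = parse_session_table(text)
    return {
        "sessions": len(sessions),
        "public_addresses": sorted({s.nat_ip for s in sessions}),
        "findings": [f for s in sessions for f in check_session(s)],
    }


# Trimmed copy of the session table shown on the page (3 of the 18 entries).
PAGE_SAMPLE = """\
2020-07-30 06:39:39.440
Current Total Sessions : 3
icmp VPN: public --> public 192.168.1.1:8299[202.1.1.10:8299] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:12139[202.1.1.10:12139] --> 100.1.1.1:2048
icmp VPN: public --> public 192.168.1.1:10347[202.1.1.10:10347] --> 100.1.1.1:2048
"""

# Constructed line (not from the page): the identifier is rewritten, as PAT mode would do.
CONSTRUCTED_PAT_LINE = "icmp VPN: public --> public 192.168.1.1:8299[202.1.1.10:2049] --> 100.1.1.1:2048"


if __name__ == "__main__":
    print(nat_consistency(PAGE_SAMPLE))
    print(check_session(parse_session_table(CONSTRUCTED_PAT_LINE)[0]))
```

Run against the page's own entries the report lists one public address and no findings; the constructed PAT-style line produces a single finding about the changed identifier.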
Happy ending.