Huawei Firewall NAT Policy

Preface: NAT is a technology for coping with today's exhaustion of IP address space, and it is also a transition technology from IPv4 to IPv6; the vast majority of network environments use NAT.

I. Theory

1. NAT classification

1) NAT No-PAT

  • Similar to Cisco's dynamic NAT without PAT: only the address is translated, ports are not; it is a one-to-one translation and does not conserve public IP addresses
  • Rarely used in practice; mainly suited to scenarios where the number of Internet users is small and public IP addresses are plentiful

2) NAPT

  • NAPT (Network Address and Port Translation)
    • Similar to Cisco's PAT: NAPT translates both the packet's source address and its source port. The translated address is not the IP address of the external interface;
      it is a many-to-one or many-to-many translation, conserves public IP addresses, and is the most common usage scenario.

3) Easy-IP

  • Outbound interface address translation (Easy-IP): the translation method is very simple, hence the name Easy-IP
  • Like NAPT, it translates both the source IP address and the source port. The only difference is that the translated address is the IP address of the NAT device's external (outbound) interface; it is a many-to-one translation and conserves public IP addresses

4) NAT Server

  • Static one-to-one publishing, mainly used when an internal server needs to provide services to the Internet

5) Smart NAT

  • Smart NAT (intelligent translation) reserves one public address for NAPT and uses the other public addresses for NAT No-PAT; this approach is not commonly used

6) Triple NAT

  • Triple NAT translates based on the source IP address, source port and protocol type, mapping the source IP address and source port to a fixed public IP address and port, in order to support special applications that ordinary NAT cannot handle
  • Mainly used for P2P applications in which external users need to reach hosts on the LAN

2. Black-hole routes

  • Certain NAT translations can produce routing loops and invalid ARP. Roughly, they arise like this: to let the internal network reach the Internet, NAT maps out a public IP address
  • If that mapped-out public IP address is then accessed from the Internet, both problems can appear
  • Explaining the mechanism in detail is lengthy, but solving both problems is simple: configure a black-hole route (send traffic arriving from the Internet for the mapped-out addresses to the null interface NULL0)

1) How loops and invalid ARP are handled in a source-address-translation environment

  • NAT Server (coarse-grained)

    • A NAT Server translation type in which only the source address and the translated address are mapped; ports are not involved. For example, with source address 192.168.10.5 and translated address 202.96.10.2, a coarse-grained NAT Server forwards every packet sent to 202.96.10.2 to 192.168.10.5
  • NAT Server (fine-grained)

    • Also a NAT Server translation type, but the mapping between the source address and the translated address is tied to a specific port. For example, with source address 192.168.10.5 and translated address 202.96.10.2, a fine-grained NAT Server may forward FTP traffic (port 21) sent to 202.96.10.2 to 192.168.10.5, while web traffic (ports 80/443) sent to 202.96.10.2 is not necessarily forwarded to 192.168.10.5; in other words, a fine-grained NAT Server is port-based NAT

3. Server-map table

  • Stateful firewalls have a session table that records a connection when a message goes from the internal network to the external network;
    when the returning data from the external network matches the session table, the return flow is released directly

1) Differences

  • The session table records the information of current connections, including connection state
  • The server-map table does not record current connection information; it records information obtained by analyzing the packets of the current connection,
    and that information is used to let subsequent data streams pass through the firewall. Its role can be understood as solving a future problem in advance:
    for multi-channel protocols such as FTP, ports may change during the process from the initial three-way handshake to the final data transfer,
    and the server-map table exists to deal with exactly this
  • The server-map table is also needed for NAT: when data traffic passes through the firewall by way of NAT,
    the server-map table records the correspondence between the source address and the translated address, so subsequent flows need not consult the NAT policy
    and can match the server-map table directly, which makes NAT translation efficient. If an Internet user accesses the internal network through the translated address,
    the packet can likewise match the server-map table and be forwarded efficiently to the real internal host (the security policy must still permit it)

2) Configuration

  • The server-map table requires no manual configuration; it is generated automatically
  • Not every NAT type generates a server-map table; my short summary was given as a figure (not reproduced here)
  • After a NAT Server is configured on the firewall, server-map entries are generated. By default two entries are created,
    a forward entry and a reverse entry, as follows
[USG6000V1]display firewall server-map 
 Current Total Server-map : 2
 (forward) Type: Nat Server,  ANY -> 202.96.1.10:445[192.168.1.4:445],  Zone:---,  protocol:tcp
 Vpn: public -> public

 (reverse) Type: Nat Server Reverse,  192.168.1.4[202.96.1.10] -> ANY,  Zone:---,  protocol:tcp
 Vpn: public -> public,  counter: 1
  • The role of the two server-map entries here is
    • Forward entry: carries port information, so that Internet users accessing the internal server have the destination address translated directly by the server-map entry.
    • Reverse entry: carries no port information and its destination address is arbitrary, so that the server itself can access the Internet.

4. NAT processing flow for packets

  • From the moment a firewall interface receives a message until it is finally sent out, the message goes through a series of processing steps, and NAT is only one of them. NAT is affected by the routing and security-policy configuration, so understanding the packet processing flow helps greatly when configuring NAT. The NAT processing flow for a packet is shown in the figure (not reproduced here)

  • From the figure it can be seen that the firewall processes a packet in the order destination address translation → security policy → source address translation. Therefore, in a NAT environment, the source address in the security policy should be the address before source address translation, and the destination address should be the address after destination address translation

  • On a single network device a message normally has only one translation entry, i.e. either its source address is translated (NAT types other than NAT Server) or its destination address is translated (NAT Server). Translating both the source and the destination address of the same message on the same network device does not occur

  • The NAT processing flow for a packet is as follows

    • 1. After the firewall receives the packet, it first checks whether the packet matches an entry in the server-map table; if so, it translates the destination address according to that entry and proceeds to step (3); otherwise it proceeds to step (2).
    • 2. It checks whether a destination NAT policy is configured; if so, and the packet meets the NAT conditions, it translates the destination address and proceeds to step (3); otherwise it proceeds directly to step (3).
    • 3. It looks up the packet's destination address in the routing table; if a route exists, it proceeds to step (4); otherwise the packet is dropped.
    • 4. It matches the rules of the security policy in order; if the policy permits the packet, it proceeds to step (5); otherwise the packet is discarded.
    • 5. It checks whether a source NAT policy is configured and whether the packet meets its conditions; if so, it translates the source address and proceeds to step (6); otherwise it proceeds directly to step (6).
    • 6. It creates a session before sending the message, so that subsequent return packets can be forwarded directly by matching the session table.
    • 7. The firewall sends the packet.
  • Because the firewall handles a packet in the order destination address translation → security policy → source address translation, in a NAT environment the source address in the security policy should be the address before source address translation, and the destination address should be the address after destination address translation
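The following is an added example, not code from the original post: a small Python model of the seven-step processing order described above. It exists to make the ordering consequence concrete: the security policy is evaluated on the destination after NAT Server translation and on the source before source NAT, so a rule written against the published address 100.2.2.9 would never match. All tables are constructed sample data mirroring the lab in the second half of the post (NAT Server 100.2.2.9 to 192.168.0.2/.3, Easy-IP for 192.168.3.0/24 on GE1/0/0 100.1.1.2); step 2, a destination NAT policy, is folded into the server-map check because the lab only publishes servers with `nat server`, and the port allocation is a simplification.

```python
"""Added example (not from the original post): a model of the USG NAT
packet-processing order, steps 1-7. All tables are constructed sample data
mirroring the lab in the post; step 2 (destination NAT policy) is folded into
the server-map check, and translated-port allocation is simplified."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    src_zone: str = ""   # zone of the ingress interface (assumed known)
    dst_zone: str = ""   # filled in from the route lookup in step 3

# Step 1: forward server-map entries generated by "nat server": (global ip, port, proto) -> inside
SERVER_MAP = {("100.2.2.9", 21, "tcp"): ("192.168.0.2", 21),
              ("100.2.2.9", 80, "tcp"): ("192.168.0.3", 80)}

# Step 3: routing table entries (prefix, egress interface, zone of that interface)
ROUTES = [(ip_network("192.168.0.0/24"), "GE1/0/1", "dmz"),
          (ip_network("192.168.3.0/24"), "GE1/0/4", "trust"),
          (ip_network("0.0.0.0/0"),      "GE1/0/0", "untrust")]

# Step 4: security policy, matched on the pre-source-NAT source and post-destination-NAT destination
SECURITY_POLICY = [
    {"name": "aqcl",  "src_zone": "trust",   "dst_zone": "untrust", "dst_net": None, "ports": None},
    {"name": "todmz", "src_zone": "untrust", "dst_zone": "dmz",
     "dst_net": ip_network("192.168.0.0/24"), "ports": {21, 80}},
]

# Step 5: source NAT policy (Easy-IP: translate to the egress interface address)
NAT_POLICY = [{"name": "natcl", "src_net": ip_network("192.168.3.0/24"),
               "src_zone": "trust", "dst_zone": "untrust", "egress_ip": "100.1.1.2"}]

SESSION_TABLE = []   # step 6: one entry per forwarded packet (translated 5-tuple)
_next_port = 2048    # simplistic translated source-port allocation for the model

def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns (interface, zone) or None."""
    best = None
    for net, iface, zone in ROUTES:
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, zone)
    return None if best is None else (best[1], best[2])

def process(pkt):
    """Run one packet through steps 1-7; returns (verdict, translated packet or None)."""
    global _next_port
    key = (pkt.dst, pkt.dport, pkt.proto)
    if key in SERVER_MAP:                                  # steps 1-2: destination NAT first
        pkt = replace(pkt, dst=SERVER_MAP[key][0], dport=SERVER_MAP[key][1])
    route = lookup_route(pkt.dst)                          # step 3: route on the translated destination
    if route is None:
        return "drop: no route", None
    pkt = replace(pkt, dst_zone=route[1])
    for rule in SECURITY_POLICY:                           # step 4: security policy, in order
        if (rule["src_zone"] == pkt.src_zone and rule["dst_zone"] == pkt.dst_zone
                and (rule["dst_net"] is None or ip_address(pkt.dst) in rule["dst_net"])
                and (rule["ports"] is None or pkt.dport in rule["ports"])):
            break
    else:
        return "drop: security policy", None
    for rule in NAT_POLICY:                                # step 5: source NAT only after the policy
        if (rule["src_zone"] == pkt.src_zone and rule["dst_zone"] == pkt.dst_zone
                and ip_address(pkt.src) in rule["src_net"]):
            pkt = replace(pkt, src=rule["egress_ip"], sport=_next_port)
            _next_port += 1
            break
    SESSION_TABLE.append(pkt)                              # steps 6-7: create the session, send
    return "forward", pkt

if __name__ == "__main__":
    print(process(Packet("200.1.1.2", 2055, "100.2.2.9", 21, src_zone="untrust")))
    print(process(Packet("192.168.3.2", 50000, "200.1.1.2", 80, src_zone="trust")))
```

Note that the `todmz` rule matches on 192.168.0.0/24 and the `aqcl` rule on the trust zone; swapping either for the translated address (100.2.2.9 or 100.1.1.2) makes the corresponding packet fall through to "drop: security policy", which is the mistake the ordering rule above guards against.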

5. FTP transmission

1) Active mode

  • The server actively initiates the data connection. First the client establishes the FTP control connection to port 21 of the server
    (control connection: source port above 10000, destination port 21).
    The client uses the PORT command to tell the server "I have opened a certain port, connect to me".
    The server then requests and establishes the data connection from source port 20 to that port on the client

2) Passive mode

  • Assume the client is behind a firewall
    • The client actively initiates the data connection. First the client establishes the FTP control connection to port 21 of the server
    • Because the client is behind a firewall, the server cannot connect back to the client, so passive mode is needed:
      the server tells the client via PASV, and the client then establishes the data connection to the server

II. Experiment

1. Lab environment

  • Lab software: eNSP
  • Lab devices:
    • one USG6000V firewall
    • one router and one layer-3 switch
    • three PCs
    • one FTP server and one web server
    • one client

2. Topology

Topology diagram (figure not reproduced here)

3. Requirements

  • 1. The ISP has assigned the company the public address block 100.2.2.8/29.
  • 2. The technical department belongs to the trust zone and accesses the Internet via Easy-IP.
  • 3. The administration department belongs to the trust zone and accesses the Internet via NAPT (using 100.2.2.12/29).
  • 4. The finance department belongs to the trust zone and accesses the Internet via No-PAT (using 100.2.2.10/29 to 100.2.2.11/29).
  • 5. The two servers in the DMZ zone are published with NAT Server, providing FTP and web services respectively (using 100.2.2.9/29).
  • 6. GE1/0/0 of the firewall belongs to the untrust zone.

4. Detailed configuration

1) IP addresses

  • Configure IP addresses on all PCs, the servers and the clients, then click Apply to save (screenshots not reproduced here)
  • The other devices are configured in the same way; next configure IP addresses on R1 and on the firewall FW1
  • Firewall IP configuration (for how to log in, see the previous post, "Huawei Firewall Theory and Management")
[USG6000V1]dis cu
2020-02-13 05:17:57.580 
!Software Version V500R005C10SPC300
#
sysname USG6000V1
#
...(part of the output omitted)
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.1.2 255.255.255.252
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 192.168.3.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
#
return
  • R1 configuration
[R1]dis cu
#
sysname R1
#
interface GigabitEthernet0/0/0
 ip address 100.1.1.1 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 200.1.1.1 255.255.255.0
#
ip route-static 100.2.2.8 255.255.255.248 100.1.1.2    
 //this is the summarized (aggregate) address
#
return

2) Server and client configuration

FTP server configuration

  • Add a system directory, then click Start

HTTP server configuration

  • Create an html folder, click Configure, then click Start

Client configuration

  • On ftpclient and httpclient, configure the IP address 100.2.2.9

3) Configuring NAT on the firewall

NAT for the technical department

  • The technical department belongs to the trust zone and accesses the Internet via Easy-IP
  • First add the interfaces to their zones
[USG6000V1]firewall zone trust           //trust zone
[USG6000V1-zone-trust]add in g1/0/4
[USG6000V1-zone-trust]add in g1/0/3
[USG6000V1-zone-trust]add in g1/0/2
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone dmz             //dmz zone
[USG6000V1-zone-dmz]add in g1/0/1
[USG6000V1-zone-dmz]quit
[USG6000V1]firewall zone untrust         //untrust zone
[USG6000V1-zone-untrust]add in g1/0/0
  • Configure the security policy
[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name aqcl                         //define the security policy rule name
[USG6000V1-policy-security-rule-aqcl]source-zone trust            //source zone is trust
[USG6000V1-policy-security-rule-aqcl]destination-zone untrust     //destination zone is untrust
[USG6000V1-policy-security-rule-aqcl]action permit                //action is permit
  • Configure the NAT policy
[USG6000V1]nat-policy 
[USG6000V1-policy-nat]rule name natcl                             //define the NAT policy rule name
[USG6000V1-policy-nat-rule-natcl]source-address 192.168.3.0 24    //define the source addresses
[USG6000V1-policy-nat-rule-natcl]source-zone trust                //define the source zone
[USG6000V1-policy-nat-rule-natcl]destination-zone untrust         //define the destination zone
[USG6000V1-policy-nat-rule-natcl]action nat easy-ip               //translate to the outbound interface address
  • Now verify by pinging 200.1.1.2 (the client) from PC1 (the technical department host); while the ping is running, view the session table (after a while the sessions age out and the table is empty) to see the translation entries
[USG6000V1]dis firewall session table     //view with the dis firewall session table command
2020-02-13 05:48:14.820 
 Current Total Sessions : 4
 icmp  VPN: public --> public  192.168.3.2:62177[100.1.1.2:2051] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.3.2:61921[100.1.1.2:2050] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.3.2:62689[100.1.1.2:2053] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.3.2:62433[100.1.1.2:2052] --> 200.1.1.2:2048
[USG6000V1]
  • Note: Easy-IP NAT does not generate server-map entries

NAT for the administration department

  • The administration department belongs to the trust zone and accesses the Internet via NAPT (using 100.2.2.12/29)

  • Because a security policy was already configured when setting up the Easy-IP NAT above,
    no further security policy is needed for traffic from the trust zone to the untrust zone

  • Configure a NAT address group; the address in the group is the public address 100.2.2.12/29

[USG6000V1]nat address-group napt                                 //define the NAT address group name
[USG6000V1-address-group-napt]section 0 100.2.2.12                //define the addresses in the group
[USG6000V1-address-group-napt]mode pat                            //set NAPT mode
[USG6000V1-address-group-napt]quit
  • Configure the NAT policy
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name napt                              //define the NAT policy rule name
[USG6000V1-policy-nat-rule-napt]source-address 192.168.2.0 24     //define the source addresses to translate
[USG6000V1-policy-nat-rule-napt]source-zone trust                 //define the source zone
[USG6000V1-policy-nat-rule-napt]destination-zone untrust          //define the destination zone
[USG6000V1-policy-nat-rule-napt]action source-nat address-group napt  //bind the address group
  • NAPT requires a black-hole route, so configure one for the translated global address 100.2.2.12/32
[USG6000V1] ip route-static 100.2.2.12 32 NULL 0   
  • The NAPT configuration is now complete; verify it yourself and check the session table to confirm that traffic is translated to the specified address


[USG6000V1]dis firewall session table
2020-02-13 07:58:11.940 
 Current Total Sessions : 5
 icmp  VPN: public --> public  192.168.2.2:26877[100.2.2.12:2067] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.2.2:28413[100.2.2.12:2072] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.2.2:27133[100.2.2.12:2068] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.2.2:28669[100.2.2.12:2073] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.2.2:30973[100.2.2.12:2079] --> 200.1.1.2:2048

NAT for the finance department

  • The finance department belongs to the trust zone and accesses the Internet via No-PAT (using 100.2.2.10/29 to 100.2.2.11/29)

  • Configure a NAT address group; the addresses in the group are the public addresses 100.2.2.10 to 100.2.2.11

[USG6000V1]nat address-group natnopat                                   //define the NAT address group name
[USG6000V1-address-group-natnopat]section 0 100.2.2.10 100.2.2.11       //define the addresses in the group
[USG6000V1-address-group-natnopat]mode no-pat local                     //set NAT No-PAT mode
[USG6000V1-address-group-natnopat]quit
  • Configure the NAT policy
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name nopat                                   //define the NAT policy rule name
[USG6000V1-policy-nat-rule-nopat]source-address 192.168.1.0 24          //define the source addresses to translate
[USG6000V1-policy-nat-rule-nopat]source-zone trust                      //define the source zone
[USG6000V1-policy-nat-rule-nopat]destination-zone untrust               //define the destination zone
[USG6000V1-policy-nat-rule-nopat]action source-nat address-group natnopat  //bind the address group
[USG6000V1-policy-nat-rule-nopat]quit
  • Configure black-hole routes for the translated global addresses (the addresses in the NAT address group)
[USG6000V1]ip route-static 100.2.2.10 32 NULL 0
[USG6000V1]ip route-static 100.2.2.11 32 NULL 0
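The post configures a 32-bit NULL0 route for every address in the NAPT and No-PAT address groups. As an added example (not code from the post), the Python script below audits a configuration dump for exactly that: it collects the addresses of every `nat address-group` section and reports those without a matching `ip route-static <addr> 32 NULL 0`. `CONFIG` is constructed sample text modelled on the commands in the post, with the route for 100.2.2.11 deliberately left out; the regular expressions assume only the line shapes shown in the post.

```python
"""Added example (not from the original post): audit a USG-style configuration
dump for NAT address-group addresses that lack the 32-bit black-hole route the
post configures for NAPT and No-PAT pools. CONFIG is constructed sample text
modelled on the post's commands; only the line shapes shown there are parsed."""
import re
from ipaddress import ip_address

CONFIG = """\
nat address-group napt
 section 0 100.2.2.12
 mode pat
nat address-group natnopat
 section 0 100.2.2.10 100.2.2.11
 mode no-pat local
ip route-static 0.0.0.0 0.0.0.0 100.1.1.1
ip route-static 100.2.2.12 32 NULL 0
ip route-static 100.2.2.10 32 NULL 0
"""

GROUP_RE = re.compile(r"^nat address-group (\S+)")
SECTION_RE = re.compile(r"^\s+section \d+ (\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?")
# accept both "32" and the dotted mask, and "NULL 0" / "NULL0"
BLACKHOLE_RE = re.compile(
    r"^ip route-static (\d+\.\d+\.\d+\.\d+) (?:32|255\.255\.255\.255) NULL ?0", re.I)

def expand(start, end):
    """Expand a section 'start [end]' into the individual addresses it covers."""
    a, b = int(ip_address(start)), int(ip_address(end or start))
    return [str(ip_address(i)) for i in range(a, b + 1)]

def parse_pools(config):
    """Map address-group name -> list of global addresses in its sections."""
    pools, current = {}, None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            pools[current] = []
            continue
        m = SECTION_RE.match(line)
        if m and current:
            pools[current].extend(expand(m.group(1), m.group(2)))
    return pools

def parse_blackholes(config):
    """Set of addresses that already have a /32 NULL0 route."""
    return {m.group(1) for line in config.splitlines() if (m := BLACKHOLE_RE.match(line))}

def missing_blackholes(config):
    """{group: [addresses without a /32 NULL0 route]}; groups with none missing are omitted."""
    holes = parse_blackholes(config)
    result = {}
    for group, ips in parse_pools(config).items():
        missing = [ip for ip in ips if ip not in holes]
        if missing:
            result[group] = missing
    return result

if __name__ == "__main__":
    for group, ips in missing_blackholes(CONFIG).items():
        for ip in ips:
            print(f"{group}: add 'ip route-static {ip} 32 NULL 0'")
```

Run against the sample it reports one missing route, for 100.2.2.11 in group natnopat. Easy-IP rules are not audited because they translate to the interface address rather than to a pool, which is why the post adds no black-hole route for the technical department.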
  • The NAT No-PAT configuration is now complete; verify it yourself. This type also generates server-map entries
[USG6000V1]dis firewall session table     //view the session table
2020-02-13 08:16:46.280 
 Current Total Sessions : 5
 icmp  VPN: public --> public  192.168.1.2:22017[100.2.2.10:22017] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.1.2:22785[100.2.2.10:22785] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.1.2:22529[100.2.2.10:22529] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.1.2:23041[100.2.2.10:23041] --> 200.1.1.2:2048
 icmp  VPN: public --> public  192.168.1.2:22273[100.2.2.10:22273] --> 200.1.1.2:2048

[USG6000V1]dis firewall server-map    //view the server-map table
2020-02-13 08:17:47.660 
 Current Total Server-map : 2
 Type: No-Pat Reverse, ANY -> 100.2.2.10[192.168.1.2],  Zone: untrust 
 Protocol: ANY, TTL:---, Left-Time:---,  Pool: 1, Section: 0
 Vpn: public

 Type: No-Pat,  192.168.1.2[100.2.2.10] -> ANY,  Zone: untrust 
 Protocol: ANY, TTL:360, Left-Time:311,  Pool: 1, Section: 0
 Vpn: public
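The session-table captures for the three departments show the difference between the NAT types directly: Easy-IP and NAPT rewrite the port (the value in brackets differs from the original), No-PAT keeps it, and a NAT Server session carries the bracket on the destination side instead. The Python below is an added example, not code from the post: it parses `display firewall session table` output, re-joining lines the terminal wrapped at 80 columns exactly as in the captures above, classifies each session, and checks that hosts of a given subnet were translated into the expected pool. `SAMPLE` is constructed text modelled on the post's captures; the interface address and pool membership are taken from the lab configuration.

```python
"""Added example (not from the original post): parse 'display firewall session
table' output (including 80-column wrapped lines as in the post's captures)
and classify each session's translation type. SAMPLE is constructed text
modelled on the post's captures; INTERFACE_IPS and POOLS come from the lab."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

SAMPLE = """\
[USG6000V1]dis firewall session table
2020-02-13 08:16:46.280
 Current Total Sessions : 4
 icmp  VPN: public --> public  192.168.3.2:62177[100.1.1.2:2051] --> 200.1.1.2:2
048
 icmp  VPN: public --> public  192.168.2.2:26877[100.2.2.12:2067] --> 200.1.1.2:
2048
 icmp  VPN: public --> public  192.168.1.2:22017[100.2.2.10:22017] --> 200.1.1.2
:2048
 ftp  VPN: public --> public  200.1.1.2:2055 +-> 100.2.2.9:21[192.168.0.2:21]
"""

INTERFACE_IPS = {"100.1.1.2"}                                   # GE1/0/0, used by Easy-IP
POOLS = {"napt": {"100.2.2.12"}, "natnopat": {"100.2.2.10", "100.2.2.11"}}

Endpoint = Tuple[str, int]
EP = r"(\d+\.\d+\.\d+\.\d+):(\d+)"
# <proto> VPN: <a> --> <b> <src>[<translated src>] (-->|+->) <dst>[<real inside dst>]
LINE_RE = re.compile(
    rf"^\s*(\w+)\s+VPN:\s*(\S+) --> (\S+)\s+{EP}(?:\[{EP}\])? (\+->|-->) {EP}(?:\[{EP}\])?\s*$")

@dataclass
class Session:
    proto: str
    src: Endpoint
    src_nat: Optional[Endpoint]   # bracket after the source: source NAT was applied
    dst: Endpoint
    dst_nat: Optional[Endpoint]   # bracket after the destination: NAT Server was applied

def unwrap(text):
    """Re-join wrapped output: a line not starting with whitespace continues the previous record."""
    records = []
    for line in text.splitlines():
        if records and line and not line[0].isspace():
            records[-1] += line
        else:
            records.append(line)
    return records

def parse_sessions(text):
    sessions = []
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m:
            continue                      # prompt, timestamp or counter line
        g = m.groups()
        def ep(i):
            return None if g[i] is None else (g[i], int(g[i + 1]))
        sessions.append(Session(g[0], ep(3), ep(5), ep(8), ep(10)))
    return sessions

def classify(s):
    """Easy-IP and NAPT change the port, No-PAT keeps it, NAT Server translates the destination."""
    if s.src_nat:
        if s.src_nat[0] in INTERFACE_IPS:
            return "easy-ip"
        return "no-pat" if s.src_nat[1] == s.src[1] else "napt"
    return "nat-server" if s.dst_nat else "none"

def pool_violations(sessions, src_net, pool):
    """Sessions from src_net whose translated source is missing or outside the expected pool."""
    net = ip_network(src_net)
    return [s for s in sessions
            if ip_address(s.src[0]) in net and (s.src_nat is None or s.src_nat[0] not in pool)]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(f"{s.proto:5} {s.src[0]}:{s.src[1]} -> {s.dst[0]}:{s.dst[1]}  {classify(s)}")
```

`pool_violations` is the check the post asks the reader to do by eye ("see whether it is translated to the specified address"); it is also a cheap way to notice a NAT rule whose source-address or zone conditions are not matching what was intended.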

Configuring the two servers in the DMZ zone

  • Publish the two servers in the DMZ zone with NAT Server, providing FTP and web services respectively (using 100.2.2.9/29)
  • Configure the security policy
  • The security policy configured earlier only permits access from the trust zone to the untrust zone and has no bearing on the DMZ. Here the servers in the DMZ are to be published so that Internet users can reach them, so the relevant service traffic from the untrust zone to the DMZ must be permitted
[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name todmz  
[USG6000V1-policy-security-rule-todmz]source-zone untrust 
[USG6000V1-policy-security-rule-todmz]destination-zone dmz
[USG6000V1-policy-security-rule-todmz]destination-address 192.168.0.0 24
[USG6000V1-policy-security-rule-todmz]service ftp
[USG6000V1-policy-security-rule-todmz]service http
[USG6000V1-policy-security-rule-todmz]action permit 
  • Configure the NAT Server
[USG6000V1]nat server ftp protocol tcp global 100.2.2.9 21 inside 192.168.0.2 21
[USG6000V1]nat server http protocol tcp global 100.2.2.9 80 inside 192.168.0.3 80
  • Verify by accessing the services from the external client client1; immediately after the access, view the session table and server-map table
    (otherwise the entries age out and nothing is shown); the results are as follows
  • View the session table and server-map table
[USG6000V1]dis firewall session table 
2020-02-13 08:46:51.680 
 Current Total Sessions : 3
 ftp  VPN: public --> public  200.1.1.2:2055 +-> 100.2.2.9:21[192.168.0.2:21]
 http  VPN: public --> public  200.1.1.2:2057 --> 100.2.2.9:80[192.168.0.3:80]
 ftp  VPN: public --> public  200.1.1.2:2053 +-> 100.2.2.9:21[192.168.0.2:21]

[USG6000V1]dis firewall server-map 
2020-02-13 08:48:09.740 
 Current Total Server-map : 4
 Type: Nat Server,  ANY -> 100.2.2.9:80[192.168.0.3:80],  Zone:---,  protocol:tcp
 Vpn: public -> public

 Type: Nat Server,  ANY -> 100.2.2.9:21[192.168.0.2:21],  Zone:---,  protocol:tcp
 Vpn: public -> public

 Type: Nat Server Reverse,  192.168.0.2[100.2.2.9] -> ANY,  Zone:---,  protocol:tcp
 Vpn: public -> public,  counter: 1

 Type: Nat Server Reverse,  192.168.0.3[100.2.2.9] -> ANY,  Zone:---,  protocol:tcp
 Vpn: public -> public,  counter: 1
  • HTTP access (screenshot not reproduced here)
  • The results show success; this concludes the experiment
Origin blog.csdn.net/weixin_45724795/article/details/104272628