F1000-AK115 NAT Configuration
1. All interfaces already have IP addresses configured.
2. Configure the NAT policy
Configure the NAT address group. An address group is needed when there is more than one public IP address. Object-group-based NAT, which is the translation method used here, is only available on newer versions of the firewall software.
The IP addresses in the address group members below are public IP addresses.
If there is only one public IP address, enter it as both the start IP address and the end IP address.
After the NAT configuration is complete, 192.168.20.1 is reachable as expected.
display current-configuration
#
version 7.1.064, Release 9524P33
#
sysname H3C
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 1 name PATpool
address 192.168.20.252 192.168.20.252
#
password-recovery enable
#
vlan 1
#
controller Cellular1/0/0
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.20.252 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
#
security-zone name DMZ
import interface GigabitEthernet1/0/4
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
#
security-zone name Management
import interface GigabitEthernet1/0/2
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class usb
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
info-center source FILTER logfile deny
#
ssh server enable
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$AHSTROYDWSAiY2MO$v3h9/cuIrAncnzZllSmnbgGGvuqT/myMWRsr5ufvcBGrkqPoo4szlWhadz4Y/jt7JK8LFMrfXaEwYZdGCveQgQ==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
session synchronization enable
session synchronization http
#
ipsec logging negotiation enable
#
nat policy
rule name 1
outbound-interface GigabitEthernet1/0/0
action address-group 1
#
ike logging negotiation enable
#
ip https enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
security-policy ip
rule 1 name trust-local
action pass
source-zone Trust
destination-zone Local
rule 2 name local-untrust
action pass
source-zone Local
destination-zone Untrust
rule 3 name trust-untrust
action pass
source-zone Trust
destination-zone Untrust
#
return
Topology
Then change the Untrust interface to obtain its IP address automatically, and the Internet becomes reachable.
Check the NAT address group: if the address group members are deleted, can hosts still reach the Internet?
They cannot: Internet access fails and the PC can no longer ping 192.168.20.1.
With a dynamic address, Internet access works. Why does configuring the Untrust interface for dynamic addressing make Internet access work?
<H3C>display current-configuration
#
version 7.1.064, Release 9524P33
#
sysname H3C
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 1 name PATpool
address 192.168.20.3 192.168.20.3
#
password-recovery enable
#
vlan 1
#
controller Cellular1/0/0
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address dhcp-alloc
ip last-hop hold
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
ip address 192.168.30.1 255.255.255.0
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
#
security-zone name DMZ
import interface GigabitEthernet1/0/4
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
#
security-zone name Management
import interface GigabitEthernet1/0/2
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class usb
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
info-center source FILTER logfile deny
#
ssh server enable
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$AHSTROYDWSAiY2MO$v3h9/cuIrAncnzZllSmnbgGGvuqT/myMWRsr5ufvcBGrkqPoo4szlWhadz4Y/jt7JK8LFMrfXaEwYZdGCveQgQ==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
session synchronization enable
session synchronization http
#
ipsec logging negotiation enable
#
nat policy
rule name 1
outbound-interface GigabitEthernet1/0/0
action address-group 1
#
ike logging negotiation enable
#
ip https enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
security-policy ip
rule 1 name trust-local
action pass
source-zone Trust
destination-zone Local
rule 2 name local-untrust
action pass
source-zone Local
destination-zone Untrust
rule 3 name trust-untrust
action pass
source-zone Trust
destination-zone Untrust
#
The key point: once the Untrust interface is configured for a dynamic IP address, a static default route is added automatically: 0.0.0.0/0, next hop 192.168.20.1, outgoing interface GE1/0/0.
display ip routing-table
Destinations : 21 Routes : 21
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 70 0 192.168.20.1 GE1/0/0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
192.168.2.0/24 Direct 0 0 192.168.2.1 GE1/0/1
192.168.2.0/32 Direct 0 0 192.168.2.1 GE1/0/1
192.168.2.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.2.255/32 Direct 0 0 192.168.2.1 GE1/0/1
192.168.20.0/24 Direct 0 0 192.168.20.3 GE1/0/0
192.168.20.0/32 Direct 0 0 192.168.20.3 GE1/0/0
192.168.20.3/32 Direct 0 0 127.0.0.1 InLoop0
192.168.20.255/32 Direct 0 0 192.168.20.3 GE1/0/0
192.168.30.0/24 Direct 0 0 192.168.30.1 GE1/0/4
192.168.30.0/32 Direct 0 0 192.168.30.1 GE1/0/4
192.168.30.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.30.255/32 Direct 0 0 192.168.30.1 GE1/0/4
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
The screenshots above show the Untrust interface configured first with a dynamically obtained IP address and then with a static one: the first shows a default route, while the static configuration below it shows no default static route.
So how is the NAT address group decided? If there are several public IP addresses on the WAN side, an address group is required; with only one public IP address an address group can still be used for the translation.
In that case, simply enter the same IP address as both the start address and the end address.
With a single public IP address you can also skip the address group and use Easy IP, which translates to the interface address.
The address group cannot be deleted directly: the NAT policy under object-group NAT that references it must be deleted first, and only then can the NAT address group be removed.
Dynamic NAT references the NAT address group.
With a single static public IP address, no NAT address group is needed; Easy IP can translate to the outbound interface directly.
Recap
In the session list, the PC can ping 192.168.20.1 and the session status is normal, so NAT has been configured successfully.
But why can't it ping 192.168.10.234? When the Untrust interface is set to obtain its address automatically, 192.168.10.234 becomes reachable,
and public Internet addresses can be pinged as well.
That is because when the Untrust (WAN) interface is set to obtain its address automatically, the firewall automatically configures a static default route.
You can see that no default route was ever configured manually among the static routes.
Change the Untrust interface IP address to a specified static IP address.
One point deserves special attention: no gateway was configured on the Untrust interface. Once a gateway is configured, a default route exists and the network works. If you configure the WAN IP address directly on the Untrust interface without a gateway, there is no default route, so the firewall can only ping the interface that connects it to the modem and cannot reach the Internet.
Pinging the Internet and 192.168.10.234 from the PC still failed.
In the end, the default route turned out to be configured incorrectly.
Reconfigure the default route.
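Both failures walked through above (an address group emptied out from under the NAT rule, and a static WAN address with no default route) can be caught by reading the `display current-configuration` output before anything is deployed. The following Python script is an added example, not part of the original post or an H3C tool; it assumes the dump uses the Comware keywords exactly as they appear on this page (`nat address-group`, `ip address dhcp-alloc`, `ip route-static 0.0.0.0 0 <gateway>`), and the embedded sample is constructed from fragments of the first dump.

```python
import ipaddress
import re
# Constructed sample (fragments of the page's first dump: static WAN IP, no default route); assumes Comware syntax as shown there.
SAMPLE_STATIC = """\
nat address-group 1 name PATpool
 address 192.168.20.252 192.168.20.252
#
interface GigabitEthernet1/0/0
 ip address 192.168.20.252 255.255.255.0
#
 rule name 1
  outbound-interface GigabitEthernet1/0/0
  action address-group 1
"""

def parse(cfg):
    """Pull interfaces, NAT pools, NAT rules and default routes out of a Comware dump."""
    ifaces, pools, rules, defaults, sect = {}, {}, [], [], None
    for line in cfg.splitlines():
        s = line.strip()
        if s == "#":  # end of the current block
            sect = None
        elif m := re.match(r"interface (\S+)$", s):
            sect = ("if", m[1]); ifaces[m[1]] = None
        elif m := re.match(r"nat address-group (\d+)", s):
            sect = ("pool", m[1]); pools[m[1]] = []
        elif m := re.match(r"rule name (\S+)$", s):
            sect = ("rule", m[1]); rules.append({})
        elif m := re.match(r"ip route-static 0\.0\.0\.0 (?:0|0\.0\.0\.0) (\S+)", s):
            defaults.append(m[1])
        elif sect and sect[0] == "if" and (m := re.match(r"ip address (\S+)(?: (\S+))?$", s)):
            ifaces[sect[1]] = "dhcp" if m[1] == "dhcp-alloc" else ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif sect and sect[0] == "pool" and (m := re.match(r"address (\S+) (\S+)$", s)):
            pools[sect[1]].append((m[1], m[2]))
        elif sect and sect[0] == "rule" and (m := re.match(r"(outbound-interface|action address-group) (\S+)$", s)):
            rules[-1][m[1]] = m[2]
    return ifaces, pools, rules, defaults

def lint(cfg):
    """Return (code, detail) findings for the two failure modes this page ran into."""
    ifaces, pools, rules, defaults = parse(cfg)
    findings = []
    for r in rules:
        oif, pool = r.get("outbound-interface"), r.get("action address-group")
        if pool is not None and not pools.get(pool):  # group deleted, or its members removed
            findings.append(("EMPTY_OR_MISSING_POOL", pool))
        wan = ifaces.get(oif)
        if isinstance(wan, ipaddress.IPv4Interface) and not defaults:  # static WAN address installs no default route
            findings.append(("NO_DEFAULT_ROUTE", oif))
    return findings
```

Run `lint()` over a full dump; an empty list means neither pitfall is present, and a DHCP-addressed WAN interface is deliberately not flagged because the lease supplies the default route.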
3. ACL-based NAT
With ACL-based NAT you can control which PCs may or may not access the Internet; without an ACL, every device is translated to the public address and can reach the Internet.
Using an ACL, only the inside addresses 192.168.2.1-192.168.2.100 are translated by NAT; all other addresses cannot reach the Internet.
ACL 2000 is configured.
View the object
Configure the NAT policy with the ACL.
Test result
Everything still goes through; this approach is not recommended.