当前位置:网站首页>华为防火墙-5-NAT
华为防火墙-5-NAT
2022-08-11 05:33:00 【macob】
1 源NAT 基本原理
源NAT技术对IP报文的源地址进行转换,将私网IP地址转换成公网IP地址
多条NAT策略之间存在匹配顺序,如果报文命中了某一条NAT策略,就会按照该NAT 策略中引用的地址池来进行地址转换;如果报文没有命中某条 NAT 策略,则会向下继续查找
NAT No-PAT方式也会生成Server-map表,而且生成了正向和反向两条表项。
[FW] display firewall server-map
napt配置
[USG6000V1]nat address-group ag1
nat address-group ag1 0
mode pat
section 0 1.2.3.5 1.2.3.10
exclude-ip 1.2.3.6
[USG6000V1]nat-policy
rule name 10out
description 10,20网段napt
source-zone trust
source-address 10.10.0.0 mask 255.255.255.0
source-address 10.20.0.0 mask 255.255.255.0
action source-nat address-group ag1
安全策略
rule name tr1
source-address 10.10.0.0 mask 255.255.255.0
source-address 10.20.0.0 mask 255.255.255.0
action permit
配置黑洞路由
ip route-static 1.2.3.5 32 NULL 0
ip route-static 1.2.3.7 32 NULL 0
ip route-static 1.2.3.8 32 NULL 0
ip route-static 1.2.3.9 32 NULL 0
ip route-static 1.2.3.10 32 NULL 0
Easy-IP方式无需配置NAT地址池,也不用配置黑洞路由,只需在NAT策略中指定出接口即可
easy IP配置
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name 10out
rule name 10out
source-zone trust
source-address 10.10.0.0 mask 255.255.255.0
source-address 10.20.0.0 mask 255.255.255.0
action source-nat easy-ip
2022-07 实际配置:
rule name srcNat
egress-interface GigabitEthernet0/0/8
action source-nat easy-ip
display firewall session table
display firewall session table verbose
display firewall session table source inside 10.10.0.2
display nat address-group name ag1
display nat-policy rule all
display nat-policy rule name 10out
和NAPT一样,Easy-IP方式也不会生成Server-map表。
2 NAT Server
1)将服务器的私网地址10.1.1.2映射成公网地址1.1.1.1
[FW] nat server global 1.1.1.1 inside 10.1.1.2
按照上述配置会将服务器上所有服务项都发布到公网
[USG6000V1]nat server protocol tcp global 1.2.3.6 23 inside 172.16.0.254 23
undo nat server name 0 默认名称0
display nat server
NAT Server配置完成之后,也会生成Server-map表。不过与源NAT生成的Server-map表不同的是,NAT Server 的Server-map 表是静态的,不需要报文来触发,配置了NAT Server后就会自动生成,只有当NAT Server 配置被删除时,对应的Server-map 表项才会被删
[FW] display firewall server-map
2)配置安全策略:
rule name dmz
destination-zone dmz
destination-address 172.16.0.254 mask 255.255.255.255
service telnet
action permit
3)配置黑洞路由
为了避免路由环路,NAT Server 也需要配置黑洞路由。
[FW] ip route-static 1.2.3.6 32 NULL 0
边栏推荐
- Raspberry Pi set static IP address
- SECURITY DAY06 ( iptables firewall, filter table control, extended matching, typical application of nat table)
- ETCD容器化搭建集群
- 解决win10安装portal v13/v15要求反复重启问题。
- SECURITY DAY02( Zabbix报警机制 、 Zabbix进阶操作 、 监控案例)
- Es common operations and classical case
- mysql 中登录报错:ERROR 1045 (28000): Access denied for user ‘root‘@‘localhost‘ (using password: YES)ERROR
- Apache APISIX 默认密钥漏洞复现
- uboot代码解析1:根据目的找主线
- uboot设置默认的bootdelay
猜你喜欢
vi display line number in buildroot embedded file system
deepin v20.6+cuda+cudnn+anaconda(miniconda)
MoreFileRename batch file renaming tool
buildroot setup dhcp
Solve win10 installed portal v13 / v15 asked repeatedly to restart problem.
ETCD单节点故障应急恢复
解决win10安装portal v13/v15要求反复重启问题。
【LeetCode】306.累加数(思路+题解)
pytorch下tensorboard可视化深坑
Raspberry Pi set static IP address
随机推荐
文本三剑客——awk 截取+过滤+统计
MySQl进阶之索引结构
Threatless Technology-TVD Daily Vulnerability Intelligence-2022-8-5
项目笔记——随机2
visio文件批量转pdf
无胁科技-TVD每日漏洞情报-2022-8-2
Threatless Technology-TVD Daily Vulnerability Intelligence-2022-7-27
xx is not recognized as internal or external command
vnc远程桌面安装(2021-10-20日亲测可用)
AUTOMATION DAY06 (Ansible Advanced, Ansible Role)
无胁科技-TVD每日漏洞情报-2022-7-18
Apache APISIX 默认密钥漏洞复现
arcgis填坑_4
无胁科技-TVD每日漏洞情报-2022-7-25
查看CPU和其他硬件温度的软件
Threatless Technology-TVD Daily Vulnerability Intelligence-2022-8-6
FusionCompute8.0.0 实验(2)虚拟机创建
Two hundred questions in C language (0 basic continuous update) (1~5)
vulnhub靶机--6Day_Lab-v1.0.1
Threatless Technology-TVD Daily Vulnerability Intelligence-2022-7-19