
The difference between firewall NAT and destination NAT (a detailed USG6000 firewall IPsec + NAT configuration)


Networking requirements:

1. Configure IPsec on FW1 and FW2 so that PC1 and PC2 can reach each other.

2. Configure NAT on FW1 and FW2 so that PC1 and PC2 can access the public network.

3. Add a Cloud node that connects the physical host to the eNSP firewall, and manage the firewall through its web interface.

1. eNSP hands-on video:

2. IP addressing:

PC1: 192.168.1.1/24

PC2: 192.168.2.1/24

FW1: 192.168.1.254/24, 100.1.1.1/24

AR1: 100.1.1.2/24, 200.1.1.1/24

FW2: 200.1.1.2/24

3. Main configuration of FW1:

#
sysname FW1
#
acl number 3000  # define the data flow to be protected
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal 10  # configure the IPsec proposal
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10  # configure the IKE proposal
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer toFW2  # configure the IKE peer
 pre-shared-key %^%#]K0& yvB C2v;QD~WMHZs! KKV"[ j9gJ$4@;DT%^%#
 ike-proposal 10
 remote-address 200.1.1.2
#
ipsec policy map1 10 isakmp  # configure the IPsec policy
 security acl 3000
 ike-peer toFW2
 proposal 10
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.1.1 255.255.255.0
 service-manage ping permit
 ipsec policy map1
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
#
security-policy
 default action permit
#
nat-policy
 rule name TtoU
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 0.0.0.255
  destination-address-exclude 192.168.2.0 0.0.0.255
  action source-nat easy-ip
#
return

4. Main configuration of AR1:

#
sysname AR1
#
interface GigabitEthernet0/0/0
 ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 200.1.1.1 255.255.255.0
#
return

5. Main configuration of FW2:

#
sysname FW2
#
acl number 3000
 rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal 10
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer toFW1
 pre-shared-key %^%#= 'y)zeh_R.sB7Wn ;3<$9!\<~OJX-:n[OHFNWR%%^%#
 ike-proposal 10
 remote-address 100.1.1.1
#
ipsec policy map1 10 isakmp
 security acl 3000
 ike-peer toFW1
 proposal 10
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 200.1.1.2 255.255.255.0
 service-manage ping permit
 ipsec policy map1
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.2.254 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
#
security-policy
 default action permit
#
nat-policy
 rule name TtoU
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 0.0.0.255
  destination-address-exclude 192.168.1.0 0.0.0.255
  action source-nat easy-ip
#
return

6. Verification results:

(1) PC1 can ping PC2.

PC>ping 192.168.2.1 -t
Ping 192.168.2.1: 32 data bytes Press Ctrl_C to break
From 192.168.2.1: bytes=32 seq=1 ttl=126 time=16 ms
From 192.168.2.1: bytes=32 seq=2 ttl=126 time=16 ms
From 192.168.2.1: bytes=32 seq=3 ttl=126 time=16 ms
From 192.168.2.1: bytes=32 seq=4 ttl=126 time=16 ms

(2) In the firewall session table, the ESP session shows the path of the IPsec-encapsulated packets:

<FW1>dis firewall session table
2021-01-08 13:20:00.940
Current Total Sessions : 4
esp VPN: public --> public 200.1.1.2:0 --> 100.1.1.1:0
icmp VPN: public --> public 192.168.1.1:2652 --> 192.168.2.1:2048
icmp VPN: public --> public 192.168.1.1:2140 --> 192.168.2.1:2048
icmp VPN: public --> public 192.168.1.1:2396 --> 192.168.2.1:2048

(3) When PC1 pings 200.1.1.2, the session table shows the private address being translated to 100.1.1.1 before the packet reaches 200.1.1.2:

<FW1>dis firewall session table
2021-01-08 13:20:51.700
Current Total Sessions : 6
esp VPN: public --> public 200.1.1.2:0 --> 100.1.1.1:0
icmp VPN: public --> public 192.168.1.1:14172[100.1.1.1:2062] --> 200.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:14428[100.1.1.1:2063] --> 200.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:14940[100.1.1.1:2065] --> 200.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:15196[100.1.1.1:2066] --> 200.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:14684[100.1.1.1:2064] --> 200.1.1.2:2048
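The two session tables show VPN traffic leaving with its private source address while internet-bound traffic is translated to 100.1.1.1. The following added Python example (not from the original post; a simplified model of the USG's outbound order, not the firewall's own code) walks FW1's packets through source NAT and then the ACL 3000 match, to show why the `destination-address-exclude` line in the NAT policy matters: without it, easy-ip would rewrite PC1's address before the IPsec policy on GE1/0/1 sees the packet, the ACL would no longer match, and PC1-to-PC2 traffic would leave the tunnel unused.

```python
# Added example: models FW1's outbound pipeline (source NAT first, then the
# IPsec policy's ACL match) using the addresses from the page's topology.
# The pipeline is a simplified model, not Huawei's implementation.
from ipaddress import ip_address, ip_network

LAN_FW1 = ip_network("192.168.1.0/24")   # FW1 trust side (PC1)
LAN_FW2 = ip_network("192.168.2.0/24")   # FW2 trust side (PC2), the peer network
FW1_PUBLIC = "100.1.1.1"                 # easy-ip uses the outbound interface address


def acl3000_matches(src, dst):
    """rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255"""
    return ip_address(src) in LAN_FW1 and ip_address(dst) in LAN_FW2


def source_nat(src, dst, exclude_peer_subnet):
    """nat-policy rule TtoU: source-nat easy-ip for trust -> untrust traffic.

    exclude_peer_subnet models the presence of
    `destination-address-exclude 192.168.2.0 0.0.0.255`.
    Returns the source address after the NAT stage.
    """
    if ip_address(src) not in LAN_FW1:
        return src                       # not covered by source-address
    if exclude_peer_subnet and ip_address(dst) in LAN_FW2:
        return src                       # exclude hit: VPN traffic is left untranslated
    return FW1_PUBLIC


def forward(src, dst, exclude_peer_subnet=True):
    """Returns (source address on the wire, 'ipsec' or 'clear')."""
    src_after_nat = source_nat(src, dst, exclude_peer_subnet)
    # ipsec policy map1 on GE1/0/1 is evaluated after NAT, so it sees the
    # translated source address; only an ACL 3000 match gets encrypted.
    if acl3000_matches(src_after_nat, dst):
        return src_after_nat, "ipsec"
    return src_after_nat, "clear"


if __name__ == "__main__":
    for exclude in (True, False):
        print("destination-address-exclude configured:", exclude)
        print("  PC1 -> PC2       :", forward("192.168.1.1", "192.168.2.1", exclude))
        print("  PC1 -> 200.1.1.2 :", forward("192.168.1.1", "200.1.1.2", exclude))
```

The same check applies to FW2 with the subnets swapped, which is why its NAT rule excludes 192.168.1.0/24.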

This lab was built with Huawei's eNSP simulator, version 1.3.00.100 (the latest release). That build also ships device images for the CE, CX, NE40E, NE5000E, NE9000E and USG6000V, so it can be used for fairly complex network tests.
