Firewall NAT versus destination NAT (a detailed USG6000 firewall IPsec + NAT configuration)
Networking requirements:
1. Configure IPsec on FW1 and FW2 so that PC1 and PC2 can reach each other.
2. Configure NAT on FW1 and FW2 so that PC1 and PC2 can access the public network.
3. Connect the physical host to the eNSP firewall through a cloud node and manage the firewall through its web interface.
I. eNSP hands-on video:
II. IP addressing:
PC1: 192.168.1.1/24
PC2: 192.168.2.1/24
FW1: 192.168.1.254/24, 100.1.1.1/24
AR1: 100.1.1.2/24, 200.1.1.1/24
FW2: 200.1.1.2/24, 192.168.2.254/24
III. Main configuration of FW1:
#
sysname FW1
#
acl number 3000 # define the traffic to be protected by IPsec
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ipsec proposal 10 # IPsec proposal (ESP algorithms)
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 10 # IKE proposal
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer toFW2 # IKE peer (FW2)
pre-shared-key %^%#]K0& yvB C2v;QD~WMHZs! KKV"[ j9gJ$4@;DT%^%#
ike-proposal 10
remote-address 200.1.1.2
#
ipsec policy map1 10 isakmp # IPsec policy, negotiated via IKE
security acl 3000
ike-peer toFW2
proposal 10
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.1.1 255.255.255.0
service-manage ping permit
ipsec policy map1
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
#
security-policy
default action permit
#
nat-policy
rule name TtoU
source-zone trust
destination-zone untrust
source-address 192.168.1.0 0.0.0.255
destination-address-exclude 192.168.2.0 0.0.0.255
action source-nat easy-ip
#
return
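The one line in this configuration that decides whether the tunnel works is `destination-address-exclude 192.168.2.0 0.0.0.255` under rule TtoU. On the USG the source NAT policy is applied before the IPsec policy on the outbound interface inspects the packet, so without the exclusion a packet from 192.168.1.1 to 192.168.2.1 would leave as 100.1.1.1 to 192.168.2.1, no longer match ACL 3000, and be sent outside the tunnel. The following Python model is an added example, not code from the page or from Huawei; it transcribes FW1's ACL 3000, zones, interface address and rule TtoU, adds a hypothetical variant of the rule with the exclusion removed, and walks a packet through NAT and then the IPsec ACL match in that order. The security policy is `default action permit` in this lab, so it is not modelled.

```python
"""Model of FW1's NAT-before-IPsec processing order (added example, not from the page)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Objects transcribed from the FW1 configuration on this page.
ACL_3000 = [(IPNet("192.168.1.0/24"), IPNet("192.168.2.0/24"))]  # rule 5 permit ip ...
TRUST_NETS = [IPNet("192.168.1.0/24")]                           # GE1/0/0, zone trust
EGRESS_IP = IPAddr("100.1.1.1")                                  # GE1/0/1, zone untrust; easy-ip uses it


@dataclass
class NatRule:
    name: str
    source_zone: str
    destination_zone: str
    source: IPNet
    destination_exclude: Optional[IPNet]  # None models a rule without the exclusion


# Rule TtoU exactly as configured on FW1.
TTOU = NatRule("TtoU", "trust", "untrust", IPNet("192.168.1.0/24"), IPNet("192.168.2.0/24"))
# Hypothetical variant (constructed for comparison): the same rule with the exclusion left out.
TTOU_NO_EXCLUDE = NatRule("TtoU", "trust", "untrust", IPNet("192.168.1.0/24"), None)


def zone_of(ip: IPAddr) -> str:
    """Zone lookup for FW1: trust subnets are directly connected; everything else
    leaves through the default route on the untrust interface."""
    return "trust" if any(ip in net for net in TRUST_NETS) else "untrust"


def source_nat(rule: NatRule, src: IPAddr, dst: IPAddr) -> IPAddr:
    """Apply the nat-policy rule and return the (possibly translated) source address."""
    if zone_of(src) != rule.source_zone or zone_of(dst) != rule.destination_zone:
        return src
    if src not in rule.source:
        return src
    if rule.destination_exclude is not None and dst in rule.destination_exclude:
        return src          # destination-address-exclude matched: packet left untouched
    return EGRESS_IP        # action source-nat easy-ip


def matches_protected_acl(src: IPAddr, dst: IPAddr) -> bool:
    """ACL 3000 lookup on the packet as the IPsec policy sees it."""
    return any(src in s and dst in d for s, d in ACL_3000)


def forward(rule: NatRule, src: str, dst: str) -> dict:
    """Processing order that matters here: source NAT first, then the IPsec
    policy on the outbound interface checks the post-NAT packet against ACL 3000."""
    s, d = IPAddr(src), IPAddr(dst)
    post_nat_src = source_nat(rule, s, d)
    return {
        "src_after_nat": str(post_nat_src),
        "translated": post_nat_src != s,
        "ipsec_protected": matches_protected_acl(post_nat_src, d),
    }


if __name__ == "__main__":
    for rule, label in ((TTOU, "with exclude"), (TTOU_NO_EXCLUDE, "without exclude")):
        for dst in ("192.168.2.1", "200.1.1.2"):
            print(f"{label:16} 192.168.1.1 -> {dst}: {forward(rule, '192.168.1.1', dst)}")
```

With the configured rule, traffic to PC2 keeps its private source and matches the ACL, while traffic to 200.1.1.2 is translated to 100.1.1.1 and bypasses the tunnel, which is exactly what the two session tables in the verification section show. With the exclusion removed, the PC1-to-PC2 packet is translated and the IPsec policy never matches it.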
IV. Main configuration of AR1:
#
sysname AR1
#
interface GigabitEthernet0/0/0
ip address 100.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.1.1.1 255.255.255.0
#
return
V. Main configuration of FW2:
#
sysname FW2
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
#
ipsec proposal 10
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer toFW1
pre-shared-key %^%#= 'y)zeh_R.sB7Wn ;3<$9!\<~OJX-:n[OHFNWR%%^%#
ike-proposal 10
remote-address 100.1.1.1
#
ipsec policy map1 10 isakmp
security acl 3000
ike-peer toFW1
proposal 10
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 200.1.1.2 255.255.255.0
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.2.254 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
#
security-policy
default action permit
#
nat-policy
rule name TtoU
source-zone trust
destination-zone untrust
source-address 192.168.2.0 0.0.0.255
destination-address-exclude 192.168.1.0 0.0.0.255
action source-nat easy-ip
#
return
VI. Verification
1. PC1 can ping PC2.
PC>ping 192.168.2.1 -t
Ping 192.168.2.1: 32 data bytes Press Ctrl_C to break
From 192.168.2.1: bytes=32 seq=1 ttl=126 time=16 ms
From 192.168.2.1: bytes=32 seq=2 ttl=126 time=16 ms
From 192.168.2.1: bytes=32 seq=3 ttl=126 time=16 ms
From 192.168.2.1: bytes=32 seq=4 ttl=126 time=16 ms
2. In the firewall session table, the ESP session carrying the IPsec-encapsulated packets is visible alongside the ICMP sessions.
<FW1>dis firewall session table
2021-01-08 13:20:00.940
Current Total Sessions : 4
esp VPN: public --> public 200.1.1.2:0 --> 100.1.1.1:0
icmp VPN: public --> public 192.168.1.1:2652 --> 192.168.2.1:2048
icmp VPN: public --> public 192.168.1.1:2140 --> 192.168.2.1:2048
icmp VPN: public --> public 192.168.1.1:2396 --> 192.168.2.1:2048
3. When PC1 pings 200.1.1.2, the session table shows the private address being translated to 100.1.1.1 (in square brackets) before the packet reaches 200.1.1.2.
<FW1>dis firewall session table
2021-01-08 13:20:51.700
Current Total Sessions : 6
esp VPN: public --> public 200.1.1.2:0 --> 100.1.1.1:0
icmp VPN: public --> public 192.168.1.1:14172[100.1.1.1:2062] --> 200.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:14428[100.1.1.1:2063] --> 200.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:14940[100.1.1.1:2065] --> 200.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:15196[100.1.1.1:2066] --> 200.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:14684[100.1.1.1:2064] --> 200.1.1.2:2048
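The two session tables above are the check a practitioner actually runs: the bracketed `[100.1.1.1:port]` marks a source-translated session, and its absence on the 192.168.2.1 sessions is the proof that the NAT exclusion worked. The parser below is an added example, not part of the page or of Huawei's tooling; it reads `display firewall session table` output in the format shown above (re-joining lines that were wrapped at the terminal width, as on this page), extracts the pre- and post-NAT addresses, and audits the result for two conditions: no session towards a protected subnet may carry a translation, and an ESP session with the IKE peer must exist. The embedded sample text is copied from FW1's second table above; the final "bad" line in the usage section is constructed to show a failing case.

```python
"""Parser and audit for USG 'display firewall session table' output (added example)."""
import ipaddress
import re
from typing import List, Optional, Tuple

SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:\s*(?P<src_vpn>\S+)\s*-->\s*(?P<dst_vpn>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_src>[\d.]+):(?P<nat_sport>\d+)\])?"   # present only on NATed sessions
    r"\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Sample copied from FW1's second session table on this page, including the wrapped lines.
SAMPLE_FW1 = """
<FW1>dis firewall session table
2021-01-08 13:20:51.700
Current Total Sessions : 6
esp VPN: public --> public 200.1.1.2:0 --> 100.1.1.1:0
icmp VPN: public --> public 192.168.1.1:14172[100.1.1.1:2062] --> 200.1.1.2:2
048
icmp VPN: public --> public 192.168.1.1:14428[100.1.1.1:2063] --> 200.1.1.2:2
048
icmp VPN: public --> public 192.168.1.1:14940[100.1.1.1:2065] --> 200.1.1.2:2
048
icmp VPN: public --> public 192.168.1.1:15196[100.1.1.1:2066] --> 200.1.1.2:2
048
icmp VPN: public --> public 192.168.1.1:14684[100.1.1.1:2064] --> 200.1.1.2:2
048
"""


def unwrap(text: str) -> List[str]:
    """Re-join records broken by the terminal width: a line consisting only of
    digits is the tail of the previous record's port number."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.isdigit() and lines:
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def parse_session_table(text: str) -> List[dict]:
    """Return one dict per session line; prompt, timestamp and count lines are skipped."""
    sessions = []
    for line in unwrap(text):
        m = SESSION_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "nat_sport"):
            rec[key] = int(rec[key]) if rec[key] is not None else None
        sessions.append(rec)
    return sessions


def audit(sessions: List[dict], protected: List[ipaddress.IPv4Network],
          peer: str) -> Tuple[List[str], bool]:
    """Findings: any translated session whose destination lies in a protected
    subnet (it would have missed the IPsec ACL), plus whether an ESP session
    with the IKE peer is present."""
    findings = []
    for s in sessions:
        dst = ipaddress.IPv4Address(s["dst"])
        if s["nat_src"] is not None and any(dst in net for net in protected):
            findings.append(f"{s['src']} -> {s['dst']} was translated to {s['nat_src']}; "
                            f"IPsec ACL would not match")
    has_esp = any(s["proto"] == "esp" and peer in (s["src"], s["dst"]) for s in sessions)
    return findings, has_esp


if __name__ == "__main__":
    protected = [ipaddress.IPv4Network("192.168.2.0/24")]
    good = parse_session_table(SAMPLE_FW1)
    print(len(good), "sessions parsed;", audit(good, protected, "200.1.1.2"))
    # Constructed failing line: PC2 traffic that was wrongly source-NATed.
    bad = parse_session_table(
        "icmp VPN: public --> public 192.168.1.1:2652[100.1.1.1:2070] --> 192.168.2.1:2048")
    print(audit(bad, protected, "200.1.1.2"))
```

On the page's own output the audit returns no findings and confirms the ESP session to 200.1.1.2; feeding it a line where a 192.168.2.1 session carries a bracketed translation produces exactly the finding you would expect after removing `destination-address-exclude` from rule TtoU.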
This lab was completed on the Huawei eNSP simulator, version 1.3.00.100 (the latest release). The software also includes device images for the CE, CX, NE40E, NE5000E, NE9000E and USG6000V and can be used for complex network tests. Readers who need the simulator can share this article, follow the author and send the private message [666] to receive it.