Table of contents
Network security firewall server nat basic configuration experiment
2. Configure interface IP addresses and assign interfaces to zones
Configure ftp in the trust-untrust zone
Open the ftp service on server1 in the untrust zone
Configure the ftp security policy in the trust-untrust zone
Configure the destination translation address pool
server2 configures HTTP service
Configure the security policy for the untrust to dmz-www zone
Configure the interface address to map the private network address
Configure source and destination translation together (inter-zone bidirectional NAT)
Create a new source translation address pool
Add a server to the trust zone
Configure server mapping (open to the public network)
Start the http service of the server
Configure security policies (external network access)
Test (external network access)
Create a new source address pool
Destination address translation pool
Network security firewall server nat basic configuration experiment
Experimental diagram
1. Enter view mode
<USG6000V1>system-view
[USG6000V1] int g 0/0/0
[USG6000V1-GigabitEthernet0/0/0]ip address 192.168.160.1 24
[USG6000V1-GigabitEthernet0/0/0]service-manage all permit
2. Configure interface IP addresses and assign interfaces to zones
Topology diagram labels: firewall, untrust zone, server1, Client 2, DMZ area, trust zone, PC 1, Client 1
Configure ftp in the trust-untrust zone
Open the ftp service on server1 in the untrust zone
Configure the ftp security policy in the trust-untrust zone
log in to ftp
R1 configuration
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sy
[Huawei]sysname R1
[R1]int g 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.1.1.4 24
[R1-GigabitEthernet0/0/0]q
[R1]ip route-static 0.0.0.0 0 10.1.1.1
log in to ftp
Check the server-map
<USG6000V1>dis firewall server-map
2023-03-27 21:20:33.470 +08:00
Current Total Server-map : 0
<USG6000V1>
Mar 27 2023 21:21:01+08:00 USG6000V1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 30, the change loop count is 0, and the maximum number of records is 4095.
<USG6000V1>dis firewall server-map
2023-03-27 21:21:11.940 +08:00
Current Total Server-map : 1
Type: ASPF, 10.1.1.3 -> 100.1.1.2:2053, Zone:---
Protocol: tcp(Appro: ftp-data), Left-Time:00:00:07
Vpn: public -> public
<USG6000V1>display firewall session table
2023-03-27 21:33:41.470 +08:00
Current Total Sessions : 11
ftp VPN: public --> public 10.1.1.3:2059 +-> 100.1.1.2:21
tcp VPN: default --> default 192.168.160.2:58333 --> 192.168.160.1:8443
netbios-name VPN: default --> default 192.168.160.2:137 --> 192.168.160.255:137
ftp VPN: public --> public 10.1.1.3:2053 --> 100.1.1.2:21
tcp VPN: default --> default 192.168.160.2:59265 --> 192.168.160.1:8443
ftp VPN: public --> public 10.1.1.4:49901 --> 100.1.1.2:21
ftp VPN: public --> public 10.1.1.3:2057 +-> 100.1.1.2:21
ftp VPN: public --> public 10.1.1.3:2061 +-> 100.1.1.2:21
tcp VPN: default --> default 192.168.160.2:53849 --> 192.168.160.1:8443
ftp-data VPN: public --> public 10.1.1.3:2062 --> 100.1.1.2:2055
ftp VPN: public --> public 10.1.1.3:2055 --> 100.1.1.2:21
Configure NAT
Configure the Internet NAT policy
Modify the security policy
Test
<R1>ping 100.1.1.3
PING 100.1.1.3: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.3: bytes=56 Sequence=1 ttl=254 time=70 ms
Reply from 100.1.1.3: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 100.1.1.3: bytes=56 Sequence=3 ttl=254 time=40 ms
Reply from 100.1.1.3: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 100.1.1.3: bytes=56 Sequence=5 ttl=254 time=50 ms
--- 100.1.1.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/46/70 ms
Packet capture
Configure the destination translation address pool
Create a new source address translation pool
Note:
Configure black-hole routes so that the virtual (translated) addresses are not treated as belonging to a real device.
Modify the NAT policy
Access
At this point the source address has been translated to an address from the address pool
Configure server mapping
server2 configures HTTP service
Configure server mapping
Security zone --- select the zone the traffic is sent to
Black-hole route --- prevents the public address from being treated as a real server
Public network address --- server mapping cannot use the interface address directly (a NAT policy can, server mapping cannot)
Configure the security policy for the untrust to dmz-www zone
Destination address --- use the private network address: the private address is the real server, while the public address is only an IP that represents it
Test
<USG6000V1>display firewall server-map
2023-03-28 11:16:00.810 +08:00
Current Total Server-map : 1
Type: Nat Server, ANY -> 100.1.1.111:80[10.1.2.2:80], Zone: untrust , protocol:tcp
Vpn: public -> public
<USG6000V1>
NAT Server uses the server-map entry as a pre-established channel: public-network traffic that matches it is passed in and translated.
Configure the interface address to map the private network address
Disable server mapping
Configure DMZ NAT
Test
Configure source and destination translation together (inter-zone bidirectional NAT)
Prerequisite:
The public-network source address is not a private address, and the destination the public-network host accesses cannot be written directly as a private address
Create a new source translation address pool
Configure the NAT policy
Destination address --- port translation can also be configured
Test
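Configuration that corresponds to the server-mapping section (server-map output above) and to the inter-zone bidirectional NAT step, as an added example in USG6000 command-line form, not the lab's own screenshots. The global address 100.1.1.111 and the private server 10.1.2.2 come from the server-map output; the zone name dmz, the rule and pool names, and the pool address 10.1.2.100 are assumptions.

```text
# Added example (not the original lab's configuration). Names and 10.1.2.100 are hypothetical.
# 1. Server mapping: public 100.1.1.111:80 -> real server 10.1.2.2:80 (values from the server-map above)
nat server web_server protocol tcp global 100.1.1.111 80 inside 10.1.2.2 80
#
# 2. Black-hole route for the public address, so the firewall never forwards it
#    as if a real host owned it (avoids routing loops with the upstream router)
ip route-static 100.1.1.111 32 NULL0
#
# 3. Security policy untrust -> dmz. Destination is the PRIVATE address, because
#    NAT Server translation is applied before the security policy is matched.
security-policy
 rule name untrust_to_dmz_http
  source-zone untrust
  destination-zone dmz
  destination-address 10.1.2.2 32
  service http
  action permit
#
# 4. Inter-zone bidirectional NAT: also translate the public source address into
#    a private address on the server's subnet, so the server replies to the
#    firewall without needing a route back to the Internet.
nat address-group untrust_to_dmz_pool 1
 mode pat
 section 0 10.1.2.100 10.1.2.100
nat-policy
 rule name untrust_to_dmz_snat
  source-zone untrust
  destination-zone dmz
  destination-address 10.1.2.2 32
  action source-nat address-group untrust_to_dmz_pool
#
# Verification (same commands the lab uses):
#   display firewall server-map      -> one "Nat Server" entry for 100.1.1.111:80[10.1.2.2:80]
#   display firewall session table   -> sessions to 10.1.2.2:80 with a 10.1.2.100 source
```

The nat-policy destination is written as 10.1.2.2, not 100.1.1.111, for the same reason as the security policy: NAT Server has already rewritten the destination when the NAT policy is evaluated.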
Intra-zone bidirectional NAT
Add a server to the trust zone
Configure server mapping (open to the public network)
Check
Start the http service of the server
Configure security policies (external network access)
Test (external network access)
Test (intranet access)
Intranet hosts cannot reach the server; the solution is to configure bidirectional NAT