华为防火墙地址转换配置

0

华为防火墙地址转换

华为防火墙地址转换配置
配置要求:

1、允许外部区域Untrust访问dmz区域 HTTP和FTP服务器;通过Untrust区域访问HTTP和FTP服务器分别采用
202.100.1.100 80、202.100.1.100 2121;(设置允许服务器访问外部,和不允许访问外部资源);
2、允许trust 访问Untrust区域资源,(使用AR2 telnet,pingAR1测试),使用基于源IP地址NO-pat,NAPt,
   以及基于端口的地址转换easy-Ip
一、基本配置:
1、配置路由器
AR1
interface GigabitEthernet0/0/0
Ip address 202.100.1.1 24
quit
interface loopback 0
ip address 1.1.1.1 32
quit
ip route-static 0.0.0.0 0 202.100.1.10
配置telnet 用户名:huawei 密码:huawei123
user-interface vty 0 4
 authentication-mode aaa
quit
aaa
 local-user huawei password cipher huawei123
 local-user huawei privilege level 3
 local-user huawei service-type telnet
quit
AR2
interface GigabitEthernet0/0/0
Ip address 192.168.1.1 24
quit
interface loopback 0
ip address 2.2.2.2 32
quit
ip route-static 0.0.0.0 0 192.168.1.10
2、配置ip及区域
FW1
interface GigabitEthernet0/0/0
 ip address 202.100.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/1
 ip address 172.16.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/2
 ip address 192.168.1.10 255.255.255.0
quit
firewall zone trust
 add interface GigabitEthernet0/0/2
quit
firewall zone untrust
 add interface GigabitEthernet0/0/0
quit
firewall zone dmz
 add interface GigabitEthernet0/0/1
quit
firewall session link-state check  ==启动会话链路状态检查
firewall packet-filter default deny all  ==拒接所有流量
配置访问策略
(允许192.168.1.0/24 telnet 和ping Untrust区域 )
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 192.168.1.0 mask 255.255.255.0
  policy service service-set icmp
  policy service service-set telnet
(允许untrust区域访问HTTP,和FTP服务器
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set http
  policy service service-set ftp
  policy destination 172.16.1.1 0
  policy destination 172.16.1.2 0
启动FTP流量监控:
firewall interzone dmz untrust
 detect ftp
client可以访问FTP
华为防火墙地址转换配置
client可以访问HTTP
华为防火墙地址转换配置
查看策略应用:

华为防火墙地址转换配置

二、 配置地址转换;
1、trust到untrust地址转换 
nat address-group 0 202.100.1.100 202.100.1.200   配置地址池
配置nat策略
nat-policy interzone trust untrust outbound
 policy 1                                 
  action source-nat
  policy source 192.168.1.0 0.0.0.255
  address-group 
配置一对一地址转换
nat-policy interzone trust untrust outbound

 policy 1

  action cource-nat

  policy source 192.168.1.0 0.0.0.255

  address-group 0 n0-pat 

转换为接口IP地址

nat-policy interzone trust untrust outbound

 policy 1

  action source-nat

  policy source 192.168.1.0 0.0.0.255

  easy-ip gigabitethernet0/0/1

查看配置
华为防火墙地址转换配置
华为防火墙地址转换配置

通过Untrust区域访问HTTP和FTP服务器分别采用
202.100.1.100 80、202.100.1.100 2121;(设置允许服务器访问外部,和不允许访问外部资源);
 nat server 0 protocol tcp global 202.100.1.100 2121 inside 172.16.1.2 ftp
 nat server 1 protocol tcp global 202.100.1.100 www inside 172.16.1.1 www
{不允许服务器访问外部资源
 nat server 0 protocol tcp global 202.100.1.100 2121 inside 172.16.1.2 ftp no-reverse
 nat server 1 protocol tcp global 202.100.1.100 www inside 172.16.1.1 www no-reverse
华为防火墙地址转换配置
配置查看[huaweiFW]display current-configuration 
12:47:36  2015/02/05
#
stp region-configuration
 region-name b05fe31530c0
 active region-configuration
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 202.100.1.10 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 172.16.1.10 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7            
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/1
#
firewall interzone dmz untrust
 detect ftp                               
#
#
aaa
 local-user admin password cipher %$%$G`cqF,rt$@9cWbN#7uXWzypg%$%$
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
nqa-jitter tag-version 1
#
 banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4                    
 authentication-mode none
 protocol inbound all
#
 slb
#
right-manager server-group
#
 sysname huaweiFW
#
 l2tp domain suffix-separator @
#
 nat address-group 0 202.100.1.100 202.100.1.200
 nat server 0 protocol tcp global 202.100.1.100 2121 inside 172.16.1.2 ftp
 nat server 1 protocol tcp global 202.100.1.100 www inside 172.16.1.1 www
#
 ip df-unreachables enable
#
 firewall ipv6 session link-state check
 firewall ipv6 statistic system enable
#
 dns resolve
#
 firewall statistic system enable         
#
 pki ocsp response cache refresh interval 0
 pki ocsp response cache number 0
#
 undo dns proxy
#
 license-server domain lic.huawei.com
#
 web-manager enable
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 192.168.1.0 mask 255.255.255.0
#
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set http
  policy service service-set ftp
  policy destination 172.16.1.1 0
  policy destination 172.16.1.2 0
#                                         
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 192.168.1.0 0.0.0.255
  address-group 0 no-pat
#
return
[huaweiFW]