华为H3C(NAT)实验

Posted on 2020-06-16 12:19  留不住的时间  阅读(890)  评论(0编辑  收藏  举报

 

 

华为H3C第六章Nat

 

实验需求:

  1. 内网客户端可以访问互联网服务器(ping通即可)
  2. 互联网客户端可以访问内网服务器(通过ftp访问)
  3. 内网服务器可以访问互联网服务器(ping通即可)

 

步骤:

  1. 配置客户端、路由器、防火墙ip地址
  2. 配置区域、将接口加入到区域

[USG6000V1]firewall zone trust

[USG6000V1-zone-trust]add interface g1/0/0

[USG6000V1-zone-trust]add interface g1/0/2

[USG6000V1-zone-trust]quit

[USG6000V1]firewall zone untrust

[USG6000V1-zone-untrust]add interface g1/0/1

[USG6000V1-zone-trust]quit

  3. 配置内网访问外网安全策略、追加一条默认路由

[USG6000V1]security-policy

[USG6000V1-policy-security]rule name nei_wai

[USG6000V1-policy-security-rule-nei_wai]source-zone trust

[USG6000V1-policy-security-rule-nei_wai]destination-zone untrust

[USG6000V1-policy-security-rule-nei_wai]action permit

[USG6000V1-zone-trust]quit

[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 202.96.1.2

  4. 配置源Nat策略,实现内网访问外网

[USG6000V1]nat-policy

[USG6000V1-policy-nat]rule name natpolicy

[USG6000V1-policy-nat-rule-natpolicy]source-zone trust

[USG6000V1-policy-nat-rule-natpolicy]destination-zone untrust

[USG6000V1-policy-nat-rule-natpolicy]action nat easy-ip

[USG6000V1-policy-nat-rule-natpolicy]quit

[USG6000V1-policy-nat]quit

  验证内网_外网nat转换:

    内网客户端ping 202.96.2.2

    内网服务器ping 202.96.2.2

   5. 配置安全策略策略,允许外网访问内网的ftp协议

[USG6000V1]security-policy

[USG6000V1-policy-security]rule name wai_nei_ftp

[USG6000V1-policy-security-rule-wai_nei_ftp]source-zone untrust

[USG6000V1-policy-security-rule-wai_nei_ftp]destination-zone trust

[USG6000V1-policy-security-rule-wai_nei_ftp]destination-address 192.168.1.0 24

[USG6000V1-policy-security-rule-wai_nei_ftp]service ftp

[USG6000V1-policy-security-rule-wai_nei_ftp]action permit

[USG6000V1-policy-security-rule-wai_nei_ftp]quit

[USG6000V1-policy-security]quit

  6. 配置Nat server

 

[USG6000V1]nat server natserver_ftp protocol tcp global 202.96.1.100 21 inside 192.168.1.1 21 no-reverse

  7. 配置黑洞路由

[USG6000V1]ip route-static 202.96.10.100 32 NULL 0

   8. 外网客户端访问202.96.1.100ftp服务器验证