Huawei/H3C Chapter 6: NAT
Lab requirements:
- The internal client can reach the Internet server (a successful ping is enough)
- The Internet client can reach the internal server (via FTP)
- The internal server can reach the Internet server (a successful ping is enough)
Steps:
1. Configure IP addresses on the clients, the router and the firewall
2. Configure the security zones and add the interfaces to them
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/0
[USG6000V1-zone-trust]add interface g1/0/2
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g1/0/1
[USG6000V1-zone-untrust]quit
3. Configure the security policy for internal-to-external access, then add a default route
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name nei_wai
[USG6000V1-policy-security-rule-nei_wai]source-zone trust
[USG6000V1-policy-security-rule-nei_wai]destination-zone untrust
[USG6000V1-policy-security-rule-nei_wai]action permit
[USG6000V1-policy-security-rule-nei_wai]quit
[USG6000V1-policy-security]quit
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 202.96.1.2
4. Configure the source NAT policy (easy-ip) so that the internal network can reach the Internet
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name natpolicy
[USG6000V1-policy-nat-rule-natpolicy]source-zone trust
[USG6000V1-policy-nat-rule-natpolicy]destination-zone untrust
[USG6000V1-policy-nat-rule-natpolicy]action nat easy-ip
[USG6000V1-policy-nat-rule-natpolicy]quit
[USG6000V1-policy-nat]quit
Verify the internal-to-external NAT translation:
From the internal client, ping 202.96.2.2
From the internal server, ping 202.96.2.2
5. Configure the security policy that allows the Internet to reach the internal FTP service
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name wai_nei_ftp
[USG6000V1-policy-security-rule-wai_nei_ftp]source-zone untrust
[USG6000V1-policy-security-rule-wai_nei_ftp]destination-zone trust
[USG6000V1-policy-security-rule-wai_nei_ftp]destination-address 192.168.1.0 24
[USG6000V1-policy-security-rule-wai_nei_ftp]service ftp
[USG6000V1-policy-security-rule-wai_nei_ftp]action permit
[USG6000V1-policy-security-rule-wai_nei_ftp]quit
[USG6000V1-policy-security]quit
6. Configure the NAT server (static destination mapping for FTP)
[USG6000V1]nat server natserver_ftp protocol tcp global 202.96.1.100 21 inside 192.168.1.1 21 no-reverse
7. Configure a black-hole route for the NAT server's public address, so that traffic to 202.96.1.100 that matches no NAT mapping is dropped instead of being looped back to the upstream router
[USG6000V1]ip route-static 202.96.1.100 32 NULL 0
8. Verify by accessing the FTP server at 202.96.1.100 from the Internet client
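The steps above are easy to get subtly wrong (for example a black-hole route whose address does not match the NAT server's public address). The following added example, which is not part of the lab notes, strips the USG CLI prompts from a transcript and audits it for the two consistency checks a reviewer would apply to this configuration. The transcript is a constructed sample built from the commands above; the prompt and command formats are assumed to follow the USG6000V1 syntax shown on this page.

```python
import ipaddress
import re
# Constructed sample: the lab's USG CLI transcript (prompts kept), with a wrong
# black-hole address 202.96.10.100 left in so the audit can flag the mismatch.
LAB_TRANSCRIPT = """
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name wai_nei_ftp
[USG6000V1-policy-security-rule-wai_nei_ftp]source-zone untrust
[USG6000V1-policy-security-rule-wai_nei_ftp]destination-zone trust
[USG6000V1-policy-security-rule-wai_nei_ftp]destination-address 192.168.1.0 24
[USG6000V1-policy-security-rule-wai_nei_ftp]service ftp
[USG6000V1-policy-security-rule-wai_nei_ftp]action permit
[USG6000V1]nat server natserver_ftp protocol tcp global 202.96.1.100 21 inside 192.168.1.1 21 no-reverse
[USG6000V1]ip route-static 202.96.10.100 32 NULL 0
"""
PROMPT = re.compile(r"^\[[^\]]*\]")  # e.g. "[USG6000V1-policy-security]"
NAT_SERVER = re.compile(r"nat server \S+ protocol (\w+) global (\S+) (\d+) inside (\S+) (\d+)")
BLACKHOLE = re.compile(r"ip route-static (\S+) (\d+) NULL 0")

def parse(transcript):
    """Strip prompts; collect NAT servers, black-hole routes and security rules."""
    cfg = {"nat_servers": [], "blackholes": set(), "rules": []}
    rule = None
    for line in transcript.strip().splitlines():
        cmd = PROMPT.sub("", line).strip()
        if m := NAT_SERVER.match(cmd):
            cfg["nat_servers"].append({"proto": m[1], "global": m[2], "gport": int(m[3]),
                                       "inside": m[4], "iport": int(m[5])})
        elif m := BLACKHOLE.match(cmd):
            cfg["blackholes"].add(m[1])
        elif cmd.startswith("rule name "):
            rule = {"name": cmd.split()[-1]}
            cfg["rules"].append(rule)
        elif rule is not None and " " in cmd:  # rule attributes: source-zone, service, ...
            key, _, val = cmd.partition(" ")
            rule[key] = val
    return cfg

def audit(cfg):
    """Each NAT server needs a black-hole route for its public address and a permit
    rule from untrust whose destination-address covers the mapped inside host."""
    findings = []
    for s in cfg["nat_servers"]:
        if s["global"] not in cfg["blackholes"]:
            findings.append(f"no black-hole route for NAT server global address {s['global']}")
        inside = ipaddress.ip_address(s["inside"])
        covered = any(r.get("action") == "permit" and r.get("source-zone") == "untrust"
                      and inside in ipaddress.ip_network(
                          r.get("destination-address", "0.0.0.0 0").replace(" ", "/"))
                      for r in cfg["rules"])
        if not covered:
            findings.append(f"no permit rule from untrust covering inside host {s['inside']}")
    return findings
```

Running `audit(parse(LAB_TRANSCRIPT))` reports the missing black-hole route for 202.96.1.100; once the route points at the NAT server's own public address the audit returns no findings.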