Two departments of a company belong to different VPN instances because their traffic must be isolated, and both departments use the same subnet address space internally. The requirement is that host PCA in one department and host PCB in the other can reach each other through NAT addresses.
The lab topology is shown in the figure: PCA and PCB are connected to interfaces GE1/0/1 and GE1/0/2 of firewall FW respectively.
Build the environment according to the figure and configure the IP addresses of PCA and PCB as 192.168.1.2 and 192.168.1.2 respectively (the two hosts deliberately carry the same address, one in each VPN instance).
Create the VPN instances:
[H3C]ip vpn-instance vpn1
[H3C-vpn-instance-vpn1]quit
[H3C]ip vpn-instance vpn2
[H3C-vpn-instance-vpn2]quit
Configure the interface addresses and VPN instance bindings on FW. Bind each interface to its VPN instance before assigning the address: on Comware, ip binding vpn-instance removes any IP address already configured on the interface, so assigning the address first would leave the interface without one.
[H3C]interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1]ip binding vpn-instance vpn1
[H3C-GigabitEthernet1/0/1]ip address 192.168.1.1 24
[H3C-GigabitEthernet1/0/1]quit
[H3C]interface GigabitEthernet 1/0/2
[H3C-GigabitEthernet1/0/2]ip binding vpn-instance vpn2
[H3C-GigabitEthernet1/0/2]ip address 192.168.1.1 24
[H3C-GigabitEthernet1/0/2]quit
Assign the FW interfaces to security zones:
[H3C]security-zone name trust
[H3C-security-zone-Trust]import interface GigabitEthernet 1/0/1
[H3C-security-zone-Trust]quit
[H3C]security-zone name untrust
[H3C-security-zone-Untrust]import interface GigabitEthernet 1/0/2
[H3C-security-zone-Untrust]quit
Configure the static mapping between address 192.168.1.2 in VPN 1 and address 172.16.1.2 in VPN 2 (172.16.1.2 is the address under which PCA is seen inside vpn2):
[H3C]nat static outbound 192.168.1.2 vpn-instance vpn1 172.16.1.2 vpn-instance vpn2
Configure the static mapping between address 192.168.1.2 in VPN 2 and address 172.16.2.2 in VPN 1 (172.16.2.2 is the address under which PCB is seen inside vpn1):
[H3C]nat static outbound 192.168.1.2 vpn-instance vpn2 172.16.2.2 vpn-instance vpn1
Configure the security policy. The vrf keyword is compared with the VPN instance the packet belongs to at lookup time. The debugging security-policy output at the end of this page shows the PCA-to-PCB flow being matched with VPN-Instance=vpn2 and Dst-IP already rewritten to 192.168.1.2, that is, after its destination has been translated into vpn2. By the same logic a session initiated by PCB would be in vpn1 when the policy is evaluated, so rule 1 as written (vrf vpn2) should be verified by initiating traffic from PCB; the ping test below only exercises the PCA-initiated direction, and the PCB-to-PCA replies of PCA's sessions are matched by the session table rather than by rule 1.
[H3C]security-policy ip
[H3C-security-policy-ip]rule 0 name trust-untrust
[H3C-security-policy-ip-0-trust-untrust]source-zone trust
[H3C-security-policy-ip-0-trust-untrust]destination-zone untrust
[H3C-security-policy-ip-0-trust-untrust]vrf vpn2
[H3C-security-policy-ip-0-trust-untrust]action pass
[H3C-security-policy-ip-0-trust-untrust]quit
[H3C-security-policy-ip]rule 1 name untrust-trust
[H3C-security-policy-ip-1-untrust-trust]source-zone untrust
[H3C-security-policy-ip-1-untrust-trust]destination-zone trust
[H3C-security-policy-ip-1-untrust-trust]vrf vpn2
[H3C-security-policy-ip-1-untrust-trust]action pass
[H3C-security-policy-ip-1-untrust-trust]quit
[H3C-security-policy-ip]quit
Enable static NAT on the interfaces:
[H3C]interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1]nat static enable
[H3C-GigabitEthernet1/0/1]quit
[H3C]interface GigabitEthernet 1/0/2
[H3C-GigabitEthernet1/0/2]nat static enable
[H3C-GigabitEthernet1/0/2]quit
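As an added illustration of what the two mappings do to a packet (this is example Python code written for this page, not Comware code or output), the model below keeps its translation tables keyed on (address, VPN instance), which is what lets two hosts that both use 192.168.1.2 be told apart. It applies the stages in the order the debugging output later on this page shows: destination NAT on the inbound interface, security-policy lookup, source NAT on the outbound interface. Placing the policy lookup between the two NAT steps, with vrf compared against the post-destination-NAT VPN instance, is an assumption read from the debugging security-policy packet ip line; under that assumption the model also shows that a session initiated by PCB is in vpn1 at lookup time and is not matched by rule 1 as configured (vrf vpn2), which is worth checking on the device because the ping test below only covers the PCA-initiated direction.

```python
"""Model of twice-NAT between two VPN instances that share a subnet.

Added example, not Comware code. STATIC_MAPPINGS and POLICY mirror the FW
configuration above. The processing order (destination NAT -> policy ->
source NAT) is an assumption read from the debugging output on this page.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# nat static outbound <local> vpn-instance <lvpn> <global> vpn-instance <gvpn>
STATIC_MAPPINGS = [
    (("192.168.1.2", "vpn1"), ("172.16.1.2", "vpn2")),
    (("192.168.1.2", "vpn2"), ("172.16.2.2", "vpn1")),
]
# Both tables are keyed on (ip, vpn-instance). Keyed on the ip alone, the two
# 192.168.1.2 entries would collapse into one and the scenario could not work.
LOCAL_TO_GLOBAL = dict(STATIC_MAPPINGS)
GLOBAL_TO_LOCAL = {glob: loc for loc, glob in STATIC_MAPPINGS}

# GE1/0/1 is bound to vpn1 in zone Trust, GE1/0/2 to vpn2 in zone Untrust.
ZONE_OF_VPN = {"vpn1": "Trust", "vpn2": "Untrust"}

# Security policy as configured: (rule id, name, source zone, destination zone, vrf).
POLICY = [
    (0, "trust-untrust", "Trust", "Untrust", "vpn2"),
    (1, "untrust-trust", "Untrust", "Trust", "vpn2"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    vpn: str  # VPN instance the packet currently belongs to


def dnat(pkt: Packet) -> Packet:
    """Inbound step: a destination that is a global address in the packet's
    VPN is rewritten to its local address; the packet moves to the local VPN."""
    hit = GLOBAL_TO_LOCAL.get((pkt.dst, pkt.vpn))
    return Packet(pkt.src, hit[0], hit[1]) if hit else pkt


def snat(pkt: Packet, ingress_vpn: str) -> Packet:
    """Outbound step: the source is looked up in the VPN it arrived in, not in
    the VPN dnat() moved the packet to; both VPNs contain a 192.168.1.2."""
    hit = LOCAL_TO_GLOBAL.get((pkt.src, ingress_vpn))
    return Packet(hit[0], pkt.dst, pkt.vpn) if hit else pkt


def match_policy(pkt: Packet, ingress_vpn: str) -> Optional[int]:
    """Policy lookup on the post-dnat packet (assumption, see lead-in): the
    source zone comes from the ingress VPN, the destination zone and the vrf
    comparison from the VPN the packet is in after dnat()."""
    src_zone, dst_zone = ZONE_OF_VPN[ingress_vpn], ZONE_OF_VPN[pkt.vpn]
    for rule_id, _name, s_zone, d_zone, vrf in POLICY:
        if (s_zone, d_zone, vrf) == (src_zone, dst_zone, pkt.vpn):
            return rule_id
    return None


def forward(pkt: Packet, new_session: bool = True) -> Tuple[Packet, Optional[int], Packet]:
    """Push one packet through FW; returns (post-dnat packet, rule id, egress packet).
    Packets of an existing session skip the policy lookup, as the '-in-session'
    and '-out-session' debugging nat packet lines on this page indicate."""
    ingress_vpn = pkt.vpn
    after_dnat = dnat(pkt)
    rule = match_policy(after_dnat, ingress_vpn) if new_session else None
    if new_session and rule is None:
        raise PermissionError(f"no security-policy rule permits {after_dnat}")
    return after_dnat, rule, snat(after_dnat, ingress_vpn)


def echo_round_trip() -> Tuple[Packet, Packet, int]:
    """PCA (192.168.1.2 in vpn1) pings PCB's global address 172.16.2.2.
    Returns (request as delivered to PCB, reply as delivered to PCA, rule id)."""
    request = Packet("192.168.1.2", "172.16.2.2", "vpn1")
    _, rule, to_pcb = forward(request)
    # PCB answers what it saw: swap src/dst, still inside vpn2.
    reply = Packet(to_pcb.dst, to_pcb.src, to_pcb.vpn)
    _, _, to_pca = forward(reply, new_session=False)
    return to_pcb, to_pca, rule


if __name__ == "__main__":
    to_pcb, to_pca, rule = echo_round_trip()
    print("PCB receives:", to_pcb)   # src 172.16.1.2 -> dst 192.168.1.2 in vpn2
    print("PCA receives:", to_pca)   # src 172.16.2.2 -> dst 192.168.1.2 in vpn1
    print("admitted by rule", rule)  # 0, the trust-untrust rule
```

Running the file prints the request as PCB sees it (source 172.16.1.2) and the reply as PCA sees it (source 172.16.2.2), which is exactly what the debugging ip packet output further down records on GE1/0/2 and GE1/0/1.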
Run ping on PCA and check whether PCB can be reached. When everything works, PCA and PCB can reach each other; PCA is seen from the other side as 172.16.1.2 and PCB as 172.16.2.2. The ping test on PCA should show the following:
C:\Users\PCA>ping 172.16.2.2
Pinging 172.16.2.2 with 32 bytes of data:
Reply from 172.16.2.2: bytes=32 time<1ms TTL=254
Reply from 172.16.2.2: bytes=32 time<1ms TTL=254
Reply from 172.16.2.2: bytes=32 time<1ms TTL=254
Reply from 172.16.2.2: bytes=32 time<1ms TTL=254
Ping statistics for 172.16.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
The following display output verifies that the configuration took effect: both mappings and both interfaces are shown as Active.
[H3C]display nat all
Static NAT mappings:
Totally 2 outbound static NAT mappings.
IP-to-IP:
Local IP : 192.168.1.2
Global IP : 172.16.1.2
Local VPN : vpn1
Global VPN : vpn2
NAT counting : 0
Config status: Active
IP-to-IP:
Local IP : 192.168.1.2
Global IP : 172.16.2.2
Local VPN : vpn2
Global VPN : vpn1
NAT counting : 0
Config status: Active
Interfaces enabled with static NAT:
Totally 2 interfaces enabled with static NAT.
Interface: GigabitEthernet1/0/1
Config status: Active
Interface: GigabitEthernet1/0/2
Config status: Active
NAT logging:
Log enable : Disabled
Flow-begin : Disabled
Flow-end : Disabled
Flow-active : Disabled
Port-block-assign : Disabled
Port-block-withdraw : Disabled
Alarm : Disabled
NO-PAT IP usage : Disabled
NAT mapping behavior:
Mapping mode : Address and Port-Dependent
ACL : ---
Config status: Active
NAT ALG:
DNS : Enabled
FTP : Enabled
H323 : Disabled
ICMP-ERROR : Enabled
ILS : Disabled
MGCP : Disabled
NBT : Disabled
PPTP : Enabled
RTSP : Enabled
RSH : Disabled
SCCP : Disabled
SIP : Disabled
SQLNET : Disabled
TFTP : Disabled
XDMCP : Disabled
Static NAT load balancing: Disabled
The following command shows the NAT session created when PCA accesses PCB.
[H3C]display nat session verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.2/1
Destination IP/port: 172.16.2.2/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn1/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 192.168.1.2/1
Destination IP/port: 172.16.1.2/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn2/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Untrust
State: ICMP_REPLY
Application: ICMP
Rule ID: 0
Rule name: trust-untrust
Start time: 2018-09-03 11:17:50 TTL: 28s
Initiator->Responder: 4 packets 240 bytes
Responder->Initiator: 4 packets 240 bytes
Total sessions found: 1
Alternatively, filter on the flow with display nat session source-ip 192.168.1.2 destination-ip 172.16.2.2 verbose:
[H3C]display nat session source-ip 192.168.1.2 destination-ip 172.16.2.2 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.2/1
Destination IP/port: 172.16.2.2/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn1/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 192.168.1.2/1
Destination IP/port: 172.16.1.2/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn2/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Untrust
State: ICMP_REPLY
Application: ICMP
Rule ID: 0
Rule name: trust-untrust
Start time: 2018-09-03 11:18:43 TTL: 28s
Initiator->Responder: 4 packets 240 bytes
Responder->Initiator: 4 packets 240 bytes
Total sessions found: 1
The session shows that host PCA (192.168.1.2 in VPN instance vpn1) sends to 172.16.2.2, PCB's global address in vpn1, and that the reply from host PCB (192.168.1.2 in VPN instance vpn2) is addressed to 172.16.1.2, PCA's global address in vpn2. Both directions of the translation are therefore working.
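The consistency check done by eye in the paragraph above can be automated. The parser below is an added Python example written for this page, not part of the original article or of Comware. It reads display nat session verbose output, embedded here as the session record shown above, and verifies both directions against the configured mappings: the responder's destination must be the global address of the initiator's source, and the initiator's destination must be the global address of the responder's source, each looked up together with its VPN instance. The mapping table is the pair of nat static outbound lines above; the field regexes assume the output layout shown on this page.

```python
"""Parse `display nat session verbose` output and verify twice-NAT consistency.

Added example, not Comware code. SAMPLE_SESSION is the session record shown
on this page; LOCAL_TO_GLOBAL is the pair of nat static outbound mappings.
"""
import re
from typing import Dict, List

# (local ip, local vpn) -> (global ip, global vpn), as configured on FW.
LOCAL_TO_GLOBAL = {
    ("192.168.1.2", "vpn1"): ("172.16.1.2", "vpn2"),
    ("192.168.1.2", "vpn2"): ("172.16.2.2", "vpn1"),
}

# Copied from the display nat session verbose output above.
SAMPLE_SESSION = """\
Slot 1:
Initiator:
Source IP/port: 192.168.1.2/1
Destination IP/port: 172.16.2.2/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn1/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
Responder:
Source IP/port: 192.168.1.2/1
Destination IP/port: 172.16.1.2/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: vpn2/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/2
Source security zone: Untrust
State: ICMP_REPLY
Application: ICMP
Rule ID: 0
Rule name: trust-untrust
Start time: 2018-09-03 11:17:50 TTL: 28s
Initiator->Responder: 4 packets 240 bytes
Responder->Initiator: 4 packets 240 bytes
Total sessions found: 1
"""

# Field layout assumed from the output shown on this page.
SRC_RE = re.compile(r"Source IP/port:\s*([\d.]+)/\d+")
DST_RE = re.compile(r"Destination IP/port:\s*([\d.]+)/\d+")
VPN_RE = re.compile(r"VPN instance/VLAN ID/Inline ID:\s*([^/\s]+)/")
RULE_RE = re.compile(r"Rule ID:\s*(\d+)")


def _side(text: str) -> Dict[str, str]:
    """Extract src, dst and vpn of one side (Initiator or Responder)."""
    return {
        "src": SRC_RE.search(text).group(1),
        "dst": DST_RE.search(text).group(1),
        "vpn": VPN_RE.search(text).group(1),
    }


def parse_sessions(text: str) -> List[Dict]:
    """Return one dict per session: initiator side, responder side, rule id.
    A session starts at an 'Initiator:' line; 'Responder:' splits the two sides."""
    sessions = []
    for chunk in re.split(r"^Initiator:[ \t]*$", text, flags=re.M)[1:]:
        init_text, _, resp_text = chunk.partition("Responder:")
        rule = RULE_RE.search(resp_text)
        sessions.append({
            "initiator": _side(init_text),
            "responder": _side(resp_text),
            "rule_id": int(rule.group(1)) if rule else None,
        })
    return sessions


def check_twice_nat(session: Dict, mappings=LOCAL_TO_GLOBAL) -> List[str]:
    """Check both translation directions of one session against the mappings.
    Returns a list of problems; an empty list means the session is consistent."""
    ini, rsp = session["initiator"], session["responder"]
    problems = []
    # The responder replies to the initiator's global address in the responder's VPN.
    want = mappings.get((ini["src"], ini["vpn"]))
    if want != (rsp["dst"], rsp["vpn"]):
        problems.append(
            f"responder dst {rsp['dst']}/{rsp['vpn']} is not the global address "
            f"of initiator src {ini['src']}/{ini['vpn']} (expected {want})")
    # The initiator addressed the responder's global address in the initiator's VPN.
    want = mappings.get((rsp["src"], rsp["vpn"]))
    if want != (ini["dst"], ini["vpn"]):
        problems.append(
            f"initiator dst {ini['dst']}/{ini['vpn']} is not the global address "
            f"of responder src {rsp['src']}/{rsp['vpn']} (expected {want})")
    return problems


if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE_SESSION):
        issues = check_twice_nat(sess)
        print("rule", sess["rule_id"], "OK" if not issues else issues)
```

Because every lookup carries the VPN instance, a session whose responder side were recorded in the wrong VPN would fail both checks even though the bare addresses look right; that is the failure mode overlapping address spaces make easy to miss when reading the output by hand.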
The path each packet takes through the firewall can be followed with debugging ip packet (enable log and debugging output on the terminal first):
<H3C>terminal monitor
The current terminal is enabled to display logs.
<H3C>terminal debugging
The current terminal is enabled to display debugging logs.
<H3C>debugging ip packet
<H3C>*Sep 7 15:16:26:179 2018 H3C IPFW/7/IPFW_PACKET: -Context=1;
Receiving, interface = GigabitEthernet1/0/1
version = 4, headlen = 20, tos = 0
pktlen = 84, pktid = 14, offset = 0, ttl = 255, protocol = 1
checksum = 19422, s = 192.168.1.2, d = 172.16.2.2
channelID = 0, vpn-InstanceIn = 1, vpn-InstanceOut = 1.
prompt: Receiving IP packet from interface GigabitEthernet1/0/1.
Payload: ICMP
type = 8, code = 0, checksum = 0xad48.
*Sep 7 15:16:26:180 2018 H3C IPFW/7/IPFW_PACKET: -Context=1;
Sending, interface = GigabitEthernet1/0/2
version = 4, headlen = 20, tos = 0
pktlen = 84, pktid = 14, offset = 0, ttl = 254, protocol = 1
checksum = 19934, s = 172.16.1.2, d = 192.168.1.2
channelID = 0, vpn-InstanceIn = 2, vpn-InstanceOut = 2.
prompt: Sending IP packet received from interface GigabitEthernet1/0/1 at interface GigabitEthernet1/0/2.
Payload: ICMP
type = 8, code = 0, checksum = 0xad48.
*Sep 7 15:16:26:181 2018 H3C IPFW/7/IPFW_PACKET: -Context=1;
Receiving, interface = GigabitEthernet1/0/2
version = 4, headlen = 20, tos = 0
pktlen = 84, pktid = 14, offset = 0, ttl = 255, protocol = 1
checksum = 19678, s = 192.168.1.2, d = 172.16.1.2
channelID = 0, vpn-InstanceIn = 2, vpn-InstanceOut = 2.
prompt: Receiving IP packet from interface GigabitEthernet1/0/2.
Payload: ICMP
type = 0, code = 0, checksum = 0xb548.
*Sep 7 15:16:26:181 2018 H3C IPFW/7/IPFW_PACKET: -Context=1;
Sending, interface = GigabitEthernet1/0/1
version = 4, headlen = 20, tos = 0
pktlen = 84, pktid = 14, offset = 0, ttl = 254, protocol = 1
checksum = 19678, s = 172.16.2.2, d = 192.168.1.2
channelID = 0, vpn-InstanceIn = 1, vpn-InstanceOut = 1.
prompt: Sending IP packet received from interface GigabitEthernet1/0/2 at interface GigabitEthernet1/0/1.
Payload: ICMP
type = 0, code = 0, checksum = 0xb548.
The debugging output shows the firewall receiving PCA's packet on GE1/0/1 with source s = 192.168.1.2 and destination d = 172.16.2.2 in vpn1. After translation, the packet forwarded to PCB on GE1/0/2 carries s = 172.16.1.2 and d = 192.168.1.2 in vpn2: both the source and the destination have been rewritten. PCB's echo reply arrives on GE1/0/2 with s = 192.168.1.2 and d = 172.16.1.2; after translation it leaves GE1/0/1 with s = 172.16.2.2 and d = 192.168.1.2, which is exactly the mirror of PCA's original request. The TTL drops from 255 to 254 on each pass through the firewall, which matches the TTL=254 seen in PCA's ping replies.
The translation itself can be followed with debugging nat packet. On the inbound interface GE1/0/1 the destination 172.16.2.2 (VPN 1) is rewritten to 192.168.1.2 (VPN 2); on the outbound interface GE1/0/2 the source 192.168.1.2 is rewritten to 172.16.1.2, completing the twice-NAT of the request. For PCB's reply (source 192.168.1.2, destination 172.16.1.2 in VPN 2), the inbound step on GE1/0/2 rewrites the destination to 192.168.1.2 (VPN 1) and the outbound step on GE1/0/1 rewrites the source to 172.16.2.2. As the tags indicate, the first packet is translated from the configured mapping (-config) and the reply from the session it created (-session):
<H3C>debugging nat packet
<H3C>*Sep 7 14:16:20:542 2018 H3C NAT/7/COMMON: -Context=1;
PACKET: (GigabitEthernet1/0/1-in-config) Protocol: ICMP
192.168.1.2: 154 - 172.16.2.2: 2048(VPN: 1) ------>
192.168.1.2: 154 - 192.168.1.2: 2048(VPN: 2)
*Sep 7 14:16:20:542 2018 H3C NAT/7/COMMON: -Context=1;
PACKET: (GigabitEthernet1/0/2-out-config) Protocol: ICMP
192.168.1.2: 154 - 192.168.1.2: 2048(VPN: 1) ------>
172.16.1.2: 154 - 192.168.1.2: 2048(VPN: 2)
*Sep 7 14:16:20:543 2018 H3C NAT/7/COMMON: -Context=1;
PACKET: (GigabitEthernet1/0/2-in-session) Protocol: ICMP
192.168.1.2: 154 - 172.16.1.2: 0(VPN: 2) ------>
192.168.1.2: 154 - 192.168.1.2: 0(VPN: 1)
*Sep 7 14:16:20:543 2018 H3C NAT/7/COMMON: -Context=1;
PACKET: (GigabitEthernet1/0/1-out-session) Protocol: ICMP
192.168.1.2: 154 - 192.168.1.2: 0(VPN: 2) ------>
172.16.2.2: 154 - 192.168.1.2: 0(VPN: 1)
Use debugging security-policy packet ip to see which security-policy rule the packet matched. Note that Dst-IP is already the translated address 192.168.1.2 and VPN-Instance is vpn2, while Src-IP is still the untranslated 192.168.1.2: the policy lookup takes place after destination NAT and before source NAT, which is why rule 0 carries vrf vpn2.
<H3C>debugging security-policy packet ip
*Sep 7 14:45:20:639 2018 H3C FILTER/7/PACKET: -Context=1; The packet is permitted. Src-Zone=Trust, Dst-Zone=Untrust; If-In=GigabitEthernet1/0/1(2), If-Out=GigabitEthernet1/0/2(3); Packet Info: Src-IP=192.168.1.2, Dst-IP=192.168.1.2, VPN-Instance=vpn2, Src-MacAddr=a27f-9f87-0206, Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=ICMP(22742), SecurityPolicy=trust-untrust, Rule-ID=0.