
Typical Twice-NAT Configuration on a Firewall

Published 2019-12-06

Network Setup and Description


A company has two departments that belong to different VPN instances because their business traffic must be isolated, and the two departments use the same internal subnet address space. The requirement is that hosts PCA and PCB in the two departments can reach each other through NAT addresses.



The lab topology is shown in the figure: PCA and PCB connect to interfaces GE1/0/1 and GE1/0/2 of firewall FW respectively.


Configuration Steps

 

Step 1: Set up the lab environment

Set up the lab environment according to the figure above, and configure the IP addresses of hosts PCA and PCB as 192.168.1.2 and 192.168.1.2 respectively.

Step 2: Basic configuration

Create the VPN instances:

[H3C]ip vpn-instance vpn1

[H3C-vpn-instance-vpn1]quit

[H3C]ip vpn-instance vpn2

[H3C-vpn-instance-vpn2]quit

Configure the interface addresses on FW and bind the interfaces to their VPN instances.

[H3C]interface GigabitEthernet 1/0/1

[H3C-GigabitEthernet1/0/1]ip address 192.168.1.1 24

[H3C-GigabitEthernet1/0/1]ip binding vpn-instance vpn1

[H3C-GigabitEthernet1/0/1]quit

[H3C]interface GigabitEthernet 1/0/2

[H3C-GigabitEthernet1/0/2]ip address 192.168.1.1 24

[H3C-GigabitEthernet1/0/2]ip binding vpn-instance vpn2

[H3C-GigabitEthernet1/0/2]quit

Assign the FW interfaces to security zones:

[H3C]security-zone name trust

[H3C-security-zone-Trust]import interface GigabitEthernet 1/0/1

[H3C-security-zone-Trust]quit

[H3C]security-zone name untrust

[H3C-security-zone-Untrust]import interface GigabitEthernet 1/0/2

[H3C-security-zone-Untrust]quit

Configure the static NAT mapping between IP address 192.168.1.2 in VPN 1 and IP address 172.16.1.2 in VPN 2:

[H3C]nat static outbound 192.168.1.2 vpn-instance vpn1 172.16.1.2 vpn-instance vpn2

Configure the static NAT mapping between IP address 192.168.1.2 in VPN 2 and IP address 172.16.2.2 in VPN 1:

[H3C]nat static outbound 192.168.1.2 vpn-instance vpn2 172.16.2.2 vpn-instance vpn1

Configure the security policy:

[H3C]security-policy ip

[H3C-security-policy-ip]rule 0 name trust-untrust

[H3C-security-policy-ip-0-trust-untrust]source-zone trust

[H3C-security-policy-ip-0-trust-untrust]destination-zone untrust

[H3C-security-policy-ip-0-trust-untrust]vrf vpn2

[H3C-security-policy-ip-0-trust-untrust]action pass

[H3C-security-policy-ip-0-trust-untrust]quit

[H3C-security-policy-ip]rule 1 name untrust-trust

[H3C-security-policy-ip-1-untrust-trust]source-zone untrust

[H3C-security-policy-ip-1-untrust-trust]destination-zone trust

[H3C-security-policy-ip-1-untrust-trust]vrf vpn2

[H3C-security-policy-ip-1-untrust-trust]action pass

[H3C-security-policy-ip-1-untrust-trust]quit

[H3C-security-policy-ip]quit

Enable static NAT on the interfaces:

[H3C]interface GigabitEthernet 1/0/1

[H3C-GigabitEthernet1/0/1]nat static enable

[H3C-GigabitEthernet1/0/1]quit

[H3C]interface GigabitEthernet 1/0/2

[H3C-GigabitEthernet1/0/2]nat static enable

[H3C-GigabitEthernet1/0/2]quit

Step 3: Verify the configuration

Run the ping command on PCA and check whether it can reach PCB. Under normal conditions PCA and PCB can reach each other, with PCA's external address being 172.16.1.2 and PCB's external address being 172.16.2.2. The ping test on PCA should display the following:

C:\Users\PCA>ping 172.16.2.2

 

正在 Ping 172.16.2.2 具有 32 字节的数据:

来自 172.16.2.2 的回复: 字节=32 时间<1ms TTL=254

来自 172.16.2.2 的回复: 字节=32 时间<1ms TTL=254

来自 172.16.2.2 的回复: 字节=32 时间<1ms TTL=254

来自 172.16.2.2 的回复: 字节=32 时间<1ms TTL=254

 

172.16.2.2 Ping 统计信息:

    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失)

往返行程的估计时间(以毫秒为单位):

    最短 = 0ms,最长 = 0ms,平均 = 0ms

 

The following display output confirms that the configuration above is working.

[H3C]display nat all

Static NAT mappings:

  Totally 2 outbound static NAT mappings.

  IP-to-IP:

    Local IP     : 192.168.1.2

    Global IP    : 172.16.1.2

    Local VPN    : vpn1

    Global VPN   : vpn2

    NAT counting : 0

    Config status: Active

 

  IP-to-IP:

    Local IP     : 192.168.1.2

    Global IP    : 172.16.2.2

    Local VPN    : vpn2

    Global VPN   : vpn1

    NAT counting : 0

    Config status: Active

 

Interfaces enabled with static NAT:

  Totally 2 interfaces enabled with static NAT.

  Interface: GigabitEthernet1/0/1

    Config status: Active

 

  Interface: GigabitEthernet1/0/2

    Config status: Active

 

NAT logging:

  Log enable          : Disabled

  Flow-begin          : Disabled

  Flow-end            : Disabled

  Flow-active         : Disabled

  Port-block-assign   : Disabled

  Port-block-withdraw : Disabled

  Alarm               : Disabled

  NO-PAT IP usage     : Disabled

 

NAT mapping behavior:

  Mapping mode : Address and Port-Dependent

  ACL          : ---

  Config status: Active

 

NAT ALG:

  DNS        : Enabled

  FTP        : Enabled

  H323       : Disabled

  ICMP-ERROR : Enabled

  ILS        : Disabled

  MGCP       : Disabled

  NBT        : Disabled

  PPTP       : Enabled

  RTSP       : Enabled

  RSH        : Disabled

  SCCP       : Disabled

  SIP        : Disabled

  SQLNET     : Disabled

  TFTP       : Disabled

  XDMCP      : Disabled

 

Static NAT load balancing:     Disabled

 

The following display command shows the NAT session created when Host A (PCA) accesses Host B (PCB).

[H3C]display nat session verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.2/1

  Destination IP/port: 172.16.2.2/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn1/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

Responder:

  Source      IP/port: 192.168.1.2/1

  Destination IP/port: 172.16.1.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn2/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Untrust

State: ICMP_REPLY

Application: ICMP

Rule ID: 0

Rule name: trust-untrust

Start time: 2018-09-03 11:17:50  TTL: 28s

Initiator->Responder:            4 packets        240 bytes

Responder->Initiator:            4 packets        240 bytes

 

Total sessions found: 1

Alternatively, use the command display nat session source-ip 192.168.1.2 destination-ip 172.16.2.2 verbose:

[H3C]display nat session source-ip 192.168.1.2 destination-ip 172.16.2.2 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.2/1

  Destination IP/port: 172.16.2.2/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn1/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

Responder:

  Source      IP/port: 192.168.1.2/1

  Destination IP/port: 172.16.1.2/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: vpn2/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Untrust

State: ICMP_REPLY

Application: ICMP

Rule ID: 0

Rule name: trust-untrust

Start time: 2018-09-03 11:18:43  TTL: 28s

Initiator->Responder:            4 packets        240 bytes

Responder->Initiator:            4 packets        240 bytes

 

Total sessions found: 1

From the session information above, host PCA (192.168.1.2) in VPN instance vpn1 accesses 172.16.1.2, and the destination address of the reply from host PCB (192.168.1.2) in VPN instance vpn2 is 172.16.1.2, which shows that bidirectional address translation has succeeded.
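As an added check that is not part of the original guide, the following Python parses the two display outputs above (the static-mapping section of display nat all and one verbose session entry) and cross-checks them: the initiator must target the global address published into its own VPN, the responder's reply must target the global address published into the other VPN, both mappings must be Active, and the two mappings must mirror each other. The sample text is copied from the outputs shown above; the function and class names are this example's own.

```python
from dataclasses import dataclass

# Static NAT section of the "display nat all" output shown above on this page.
NAT_ALL = """\
Static NAT mappings:
  Totally 2 outbound static NAT mappings.
  IP-to-IP:
    Local IP     : 192.168.1.2
    Global IP    : 172.16.1.2
    Local VPN    : vpn1
    Global VPN   : vpn2
    NAT counting : 0
    Config status: Active

  IP-to-IP:
    Local IP     : 192.168.1.2
    Global IP    : 172.16.2.2
    Local VPN    : vpn2
    Global VPN   : vpn1
    NAT counting : 0
    Config status: Active
"""

# Initiator/Responder part of the "display nat session verbose" output above.
SESSION = """\
Initiator:
  Source      IP/port: 192.168.1.2/1
  Destination IP/port: 172.16.2.2/2048
  VPN instance/VLAN ID/Inline ID: vpn1/-/-
  Protocol: ICMP(1)
Responder:
  Source      IP/port: 192.168.1.2/1
  Destination IP/port: 172.16.1.2/0
  VPN instance/VLAN ID/Inline ID: vpn2/-/-
  Protocol: ICMP(1)
State: ICMP_REPLY
"""


@dataclass(frozen=True)
class StaticMapping:
    local_ip: str
    global_ip: str
    local_vpn: str
    global_vpn: str
    status: str


def parse_static_mappings(text):
    """Parse each 'IP-to-IP:' block of 'display nat all' into a StaticMapping."""
    mappings = []
    for block in text.split("IP-to-IP:")[1:]:
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        mappings.append(StaticMapping(fields["Local IP"], fields["Global IP"],
                                      fields["Local VPN"], fields["Global VPN"],
                                      fields["Config status"]))
    return mappings


def parse_session(text):
    """Parse the Initiator and Responder sides of one verbose session entry.
    Keys are whitespace-normalised, e.g. 'Source IP/port'."""
    sides, current = {}, None
    for line in text.splitlines():
        if line.startswith("Initiator:"):
            current = sides.setdefault("initiator", {})
        elif line.startswith("Responder:"):
            current = sides.setdefault("responder", {})
        elif current is not None and line.startswith("  "):
            key, _, value = line.partition(":")
            current[" ".join(key.split())] = value.strip()
        else:
            current = None  # 'State:' and the lines after it belong to neither side
    return sides


def check_twice_nat(mappings, session):
    """Cross-check a session against the static mappings.
    Returns a list of problems; an empty list means the session is consistent."""
    init, resp = session["initiator"], session["responder"]
    init_vpn = init["VPN instance/VLAN ID/Inline ID"].split("/")[0]
    resp_vpn = resp["VPN instance/VLAN ID/Inline ID"].split("/")[0]
    init_dst = init["Destination IP/port"].split("/")[0]
    resp_dst = resp["Destination IP/port"].split("/")[0]

    problems = [f"mapping {m.local_vpn}->{m.global_vpn} is {m.status}"
                for m in mappings if m.status != "Active"]
    by_global_vpn = {m.global_vpn: m for m in mappings}
    peer = by_global_vpn.get(init_vpn)  # responder's mapping, as published into the initiator's VPN
    mine = by_global_vpn.get(resp_vpn)  # initiator's mapping, as published into the responder's VPN
    if peer is None or mine is None:
        return problems + ["no static mapping covers both VPN instances"]
    if peer.local_vpn != resp_vpn or mine.local_vpn != init_vpn:
        problems.append("the two mappings do not mirror each other")
    if init_dst != peer.global_ip:
        problems.append(f"initiator destination {init_dst} != {peer.global_ip}")
    if resp_dst != mine.global_ip:
        problems.append(f"responder destination {resp_dst} != {mine.global_ip}")
    return problems


if __name__ == "__main__":
    print(check_twice_nat(parse_static_mappings(NAT_ALL), parse_session(SESSION)) or "consistent")
```

Run against the outputs on this page the check reports no problems; feeding it a session whose responder still targets 192.168.1.2 (no translation on the return path) or only one of the two mappings makes it name the missing piece, which is the failure a half-configured twice-NAT pair produces.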

The debugging ip packet command shows how each packet is received and forwarded:

<H3C>debugging ip packet

<H3C>terminal monitor

The current terminal is enabled to display logs.

<H3C>terminal debugging

<H3C>debugging ip packet

The current terminal is enabled to display debugging logs

<H3C>*Sep  7 15:16:26:179 2018 H3C IPFW/7/IPFW_PACKET: -COntext=1;

Receiving, interface = GigabitEthernet1/0/1

version = 4, headlen = 20, tos = 0

pktlen = 84, pktid = 14, offset = 0, ttl = 255, protocol = 1

checksum = 19422, s = 192.168.1.2, d = 172.16.2.2

channelID = 0, vpn-InstanceIn = 1, vpn-InstanceOut = 1.

prompt: Receiving IP packet from interface GigabitEthernet1/0/1.

Payload: ICMP

  type = 8, code = 0, checksum = 0xad48.

 

*Sep  7 15:16:26:180 2018 H3C IPFW/7/IPFW_PACKET: -COntext=1;

Sending, interface = GigabitEthernet1/0/2

version = 4, headlen = 20, tos = 0

pktlen = 84, pktid = 14, offset = 0, ttl = 254, protocol = 1

checksum = 19934, s = 172.16.1.2, d = 192.168.1.2

channelID = 0, vpn-InstanceIn = 2, vpn-InstanceOut = 2.

prompt: Sending IP packet received from interface GigabitEthernet1/0/1 at interface GigabitEthernet1/0/2.

Payload: ICMP

  type = 8, code = 0, checksum = 0xad48.

 

*Sep  7 15:16:26:181 2018 H3C IPFW/7/IPFW_PACKET: -COntext=1;

Receiving, interface = GigabitEthernet1/0/2

version = 4, headlen = 20, tos = 0

pktlen = 84, pktid = 14, offset = 0, ttl = 255, protocol = 1

checksum = 19678, s = 192.168.1.2, d = 172.16.1.2

channelID = 0, vpn-InstanceIn = 2, vpn-InstanceOut = 2.

prompt: Receiving IP packet from interface GigabitEthernet1/0/2.

Payload: ICMP

  type = 0, code = 0, checksum = 0xb548.

 

*Sep  7 15:16:26:181 2018 H3C IPFW/7/IPFW_PACKET: -COntext=1;

Sending, interface = GigabitEthernet1/0/1

version = 4, headlen = 20, tos = 0

pktlen = 84, pktid = 14, offset = 0, ttl = 254, protocol = 1

checksum = 19678, s = 172.16.2.2, d = 192.168.1.2

channelID = 0, vpn-InstanceIn = 1, vpn-InstanceOut = 1.

prompt: Sending IP packet received from interface GigabitEthernet1/0/2 at interface GigabitEthernet1/0/1.

Payload: ICMP

  type = 0, code = 0, checksum = 0xb548.

From the debugging output above, the packet the firewall receives from PCA has source address s = 192.168.1.2 and destination address d = 172.16.2.2; after the firewall's address translation, the packet forwarded to PCB has source address s = 172.16.1.2 and destination address d = 192.168.1.2, so both the source and destination addresses have been translated. The firewall then receives the reply from PCB with source address s = 192.168.1.2 and destination address d = 172.16.1.2; after passing through the firewall, the forwarded packet has s = 172.16.2.2 and d = 192.168.1.2, again with both addresses translated, and these exactly match the source and destination addresses of the original packet from PCA.

The debugging nat packet command shows the address translation itself. After the packet arrives on the firewall's inbound interface its destination address becomes 192.168.1.2, and the packet forwarded to PCB from the outbound interface has its source address changed to 172.16.1.2, so both the source and destination addresses are translated on the firewall. When the firewall receives the reply from PCB, with source address 192.168.1.2 and destination address 172.16.1.2, the inbound-interface translation changes the destination address to 192.168.1.2 and the packet forwarded from the outbound interface has its source address changed to 172.16.2.2, again completing translation of both addresses:

<H3C>debugging nat packet

<H3C>*Sep  7 14:16:20:542 2018 H3C NAT/7/COMMON: -COntext=1;

 PACKET: (GigabitEthernet1/0/1-in-config) Protocol: ICMP

     192.168.1.2:  154 -      172.16.2.2: 2048(VPN:    1) ------>

     192.168.1.2:  154 -     192.168.1.2: 2048(VPN:    2)

*Sep  7 14:16:20:542 2018 H3C NAT/7/COMMON: -COntext=1;

 PACKET: (GigabitEthernet1/0/2-out -config) Protocol: ICMP

     192.168.1.2:  154 -     192.168.1.2: 2048(VPN:    1) ------>

      172.16.1.2:  154 -     192.168.1.2: 2048(VPN:    2)

*Sep  7 14:16:20:543 2018 H3C NAT/7/COMMON: -COntext=1;

 PACKET: (GigabitEthernet1/0/2-in-session) Protocol: ICMP

     192.168.1.2:  154 -      172.16.1.2:    0(VPN:    2) ------>

     192.168.1.2:  154 -     192.168.1.2:    0(VPN:    1)

*Sep  7 14:16:20:543 2018 H3C NAT/7/COMMON: -COntext=1;

 PACKET: (GigabitEthernet1/0/1-out-session) Protocol: ICMP

     192.168.1.2:  154 -     192.168.1.2:    0(VPN:    2) ------>

      172.16.2.2:  154 -     192.168.1.2:    0(VPN:    1)
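To make the two-stage translation visible in code, here is an added Python model that is not part of the guide or of the H3C software. It applies the two nat static outbound mappings configured above as an inbound destination rewrite (the -in lines of the debugging output) followed by an outbound source rewrite (the -out lines), then runs PCA's echo request and PCB's reply through it and checks that the reply lands back on the original flow, which is the property the debugging walk-through above describes. The split into inbound_translate and outbound_translate and all other names are this model's assumptions; routing, session state and security-policy matching are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    vpn: str  # VPN instance the packet currently belongs to


# The two "nat static outbound" commands from the configuration above, as
# (local IP, local VPN, global IP, global VPN).
STATIC_OUTBOUND = [
    ("192.168.1.2", "vpn1", "172.16.1.2", "vpn2"),
    ("192.168.1.2", "vpn2", "172.16.2.2", "vpn1"),
]


def inbound_translate(pkt):
    """Inbound interface: if the destination is a global address published into
    this VPN, rewrite it to the mapped local address and move the packet into
    the local VPN (the '-in' line of debugging nat packet). Model assumption."""
    for local_ip, local_vpn, global_ip, global_vpn in STATIC_OUTBOUND:
        if pkt.vpn == global_vpn and pkt.dst == global_ip:
            return Packet(pkt.src, local_ip, local_vpn)
    return pkt


def outbound_translate(pkt, ingress_vpn):
    """Outbound interface: if the source is a local address whose mapping
    publishes it into the egress VPN, rewrite it to the global address
    (the '-out' line). Model assumption."""
    for local_ip, local_vpn, global_ip, global_vpn in STATIC_OUTBOUND:
        if ingress_vpn == local_vpn and pkt.vpn == global_vpn and pkt.src == local_ip:
            return Packet(global_ip, pkt.dst, pkt.vpn)
    return pkt


def forward(pkt):
    """Return (packet after the inbound stage, packet that leaves the firewall).
    A packet that matches no mapping passes through unchanged."""
    after_in = inbound_translate(pkt)
    return after_in, outbound_translate(after_in, pkt.vpn)


def ping_round_trip(request):
    """Send a request through the firewall, let the peer answer the packet it
    actually saw, and return (request as delivered, reply as delivered)."""
    _, delivered = forward(request)
    reply = Packet(src=delivered.dst, dst=delivered.src, vpn=delivered.vpn)
    _, returned = forward(reply)
    return delivered, returned


def reply_matches_request(request):
    """True when the translated reply lands back on the original flow, which is
    what lets PCA's stack pair the echo reply with its echo request."""
    _, returned = ping_round_trip(request)
    return (returned.src == request.dst and returned.dst == request.src
            and returned.vpn == request.vpn)


if __name__ == "__main__":
    pca_request = Packet("192.168.1.2", "172.16.2.2", "vpn1")
    delivered, returned = ping_round_trip(pca_request)
    print("PCB sees:", delivered)  # 172.16.1.2 -> 192.168.1.2 in vpn2
    print("PCA sees:", returned)   # 172.16.2.2 -> 192.168.1.2 in vpn1
    print("reply matches request:", reply_matches_request(pca_request))
```

The intermediate packet returned by forward is the one the debugging output shows between the -in and -out lines (192.168.1.2 to 192.168.1.2, already in the peer VPN), which is why the two departments can keep the same subnet: each side only ever sees the other through its global address, and the overlapping 192.168.1.2 addresses never meet in the same VPN instance.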

The debugging security-policy packet ip command shows how the security policy is matched:

<H3C>debugging security-policy packet ip

*Sep  7 14:45:20:639 2018 H3C FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Trust, Dst-ZOne=Untrust;If-In=GigabitEthernet1/0/1(2), If-Out=GigabitEthernet1/0/2(3); Packet Info:Src-IP=192.168.1.2, Dst-IP=192.168.1.2, VPN-Instance=vpn2, Src-MacAddr=a27f-9f87-0206,Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=ICMP(22742), SecurityPolicy=trust-untrust, Rule-ID=0.


Key Configuration Points