A company has deployed FW1 as the security gateway at its network border. To let users on the private 10.1.1.0/24 subnet reach the Internet, a source NAT policy has to be configured on FW1. Because only a few users need Internet access, FW1 uses NAT No-PAT, which maps each private address to one public address one-to-one without translating ports. The company obtained seven public IP addresses from its ISP (1.1.1.11 to 1.1.1.17) to use as the translated addresses; note that a No-PAT pool of seven addresses can carry at most seven private hosts at the same time, which is why this mode is only appropriate when the user count is small. The network environment is shown in the topology figure.
Data plan

| Item | Data | Description |
| --- | --- | --- |
| GigabitEthernet 1/0/1 | IP: 10.1.1.1/24; security zone: Trust | Private-network PCs use 10.1.1.1 as their default gateway. |
| GigabitEthernet 1/0/2 | IP: 1.1.1.1/24; security zone: Untrust | |
| Private subnet allowed to access the Internet | 10.1.1.0/24 | |
| Public addresses after translation | 1.1.1.11 to 1.1.1.17 | Because few users need Internet access, FW1 uses NAT No-PAT (one-to-one, no port translation). |
| Route: FW default route | Destination 0.0.0.0/0, next hop 1.1.1.254 | A default route toward the Internet so that private traffic is forwarded to the ISP router. |
| Route: Router static routes | Destinations 1.1.1.11 to 1.1.1.17, next hop 1.1.1.1 | The translated public addresses are not bound to a real interface, so routing protocols cannot discover them; the ISP router needs static routes to them, normally configured by the ISP's network administrator. |
The configuration is as follows:
1. Configure interface IP addresses and security zones (basic network parameters)
# Configure the IP address and security zone of GigabitEthernet 1/0/1
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 10.1.1.1 24
[FW1-GigabitEthernet1/0/1]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1-zone-trust]quit
# Configure the IP address and security zone of GigabitEthernet 1/0/2
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 1.1.1.1 24
[FW1-GigabitEthernet1/0/2]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2
[FW1-zone-untrust]quit
Verify the IP addresses and security zones of GigabitEthernet1/0/1 and GigabitEthernet1/0/2 (GigabitEthernet0/0/0, the management interface, is in the trust zone by default and is not part of this design):
[FW1]display ip interface brief
2022-05-10 03:49:07.390
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 6
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 6
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.0.1/24 down down
GigabitEthernet1/0/0 unassigned down down
GigabitEthernet1/0/1 10.1.1.1/24 up up
GigabitEthernet1/0/2 1.1.1.1/24 up up
GigabitEthernet1/0/3 unassigned down down
GigabitEthernet1/0/4 unassigned down down
GigabitEthernet1/0/5 unassigned down down
GigabitEthernet1/0/6 unassigned down down
NULL0 unassigned up up(s)
Virtual-if0 unassigned up up(s)
[FW1]display zone
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/2
2. Configure a security policy that allows the specified private subnet to exchange traffic with the Internet. The rule below matches only on zones and the source subnet; it restricts neither destination address nor service, so every outbound protocol from 10.1.1.0/24 is permitted. Narrow the destination or service if the company's policy requires it.
[FW1] security-policy
[FW1-policy-security] rule name policy1
[FW1-policy-security-rule-policy1] source-zone trust
[FW1-policy-security-rule-policy1] destination-zone untrust
[FW1-policy-security-rule-policy1] source-address 10.1.1.0 24
[FW1-policy-security-rule-policy1] action permit
[FW1-policy-security-rule-policy1] quit
Verify:
[FW1-policy-security]display this
2022-05-10 03:56:15.140
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
action permit
return
3. Configure the NAT address pool without port translation. `mode no-pat global` selects one-to-one translation with the pool shared by every NAT policy that references it; `route enable` has the firewall install routes for the pool addresses itself (UNR routes on Huawei USG), so packets addressed to 1.1.1.11 to 1.1.1.17 are handled locally rather than being sent back out along the default route.
[FW1]nat address-group natgroup1
[FW1-address-group-natgroup1]mode no-pat global
[FW1-address-group-natgroup1]section 0 1.1.1.11 1.1.1.17
[FW1-address-group-natgroup1]route enable
[FW1-address-group-natgroup1]quit
Verify:
nat address-group natgroup1
mode no-pat global
route enable
section 0 1.1.1.11 1.1.1.17
4. Configure a source NAT policy so that traffic from the specified private subnet to the Internet has its source address translated automatically. The match conditions (trust to untrust, source 10.1.1.0/24) are the same as in the security policy; traffic that does not match is forwarded with its private source address unchanged, which upstream routers will drop or filter.
[FW1]nat-policy
[FW1-policy-nat]rule name policy_nat1
[FW1-policy-nat-rule-policy_nat1]source-zone trust
[FW1-policy-nat-rule-policy_nat1]destination-zone untrust
[FW1-policy-nat-rule-policy_nat1]source-address 10.1.1.0 24
[FW1-policy-nat-rule-policy_nat1]action source-nat address-group natgroup1
[FW1-policy-nat-rule-policy_nat1]quit
Verify:
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
action source-nat address-group natgroup1
return
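The semantics of steps 2 to 4 in code, as an added illustration that is not Huawei USG code: a one-to-one (No-PAT) pool is a table of private-to-public bindings, not a per-session port mapping, so the number of pool addresses caps the number of private hosts that can be online at once. The pool range, private subnet and zone names come from the configuration above; the eight private host addresses are constructed sample input, and the class and method names are this example's own.

```python
# Added illustration of NAT No-PAT address-pool behaviour; not Huawei USG code.
# Pool range, private subnet and zone names are taken from the configuration
# above; host addresses used in run_demo() are constructed sample input.
import ipaddress


class NoPatPool:
    """One-to-one address pool: a private host that matches the NAT policy is
    bound to exactly one public address for as long as the binding lives, and
    its source ports are left untouched (no PAT)."""

    def __init__(self, first, last, private_net, src_zone="trust", dst_zone="untrust"):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]
        self.private_net = ipaddress.ip_network(private_net)
        self.src_zone, self.dst_zone = src_zone, dst_zone
        self.bindings = {}   # private address -> public address
        self.reverse = {}    # public address -> private address (return path)

    def pool_size(self):
        return len(self.free) + len(self.bindings)

    def translate(self, src_ip, src_zone, dst_zone):
        """Outbound packet: returns (public_ip, verdict)."""
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone) \
                or ipaddress.ip_address(src_ip) not in self.private_net:
            # nat-policy does not match: the packet is forwarded untranslated
            return None, "policy-miss"
        if src_ip in self.bindings:
            # all sessions of an already-bound host reuse the same public address
            return self.bindings[src_ip], "existing-binding"
        if not self.free:
            # no free public address left: a new host cannot reach the Internet
            return None, "pool-exhausted"
        public = self.free.pop(0)
        self.bindings[src_ip] = public
        self.reverse[public] = src_ip
        return public, "new-binding"

    def untranslate(self, dst_ip):
        """Return-path packet that the ISP router delivered to a pool address."""
        return self.reverse.get(dst_ip)

    def release(self, src_ip):
        """Binding aged out (host has no sessions): public address goes back to the pool."""
        public = self.bindings.pop(src_ip, None)
        if public is not None:
            del self.reverse[public]
            self.free.append(public)
        return public


def run_demo():
    pool = NoPatPool("1.1.1.11", "1.1.1.17", "10.1.1.0/24")
    # constructed sample: eight private hosts try to reach the Internet at once
    hosts = [f"10.1.1.{i}" for i in range(2, 10)]
    results = {h: pool.translate(h, "trust", "untrust") for h in hosts}
    # a source outside 10.1.1.0/24 is not matched by the nat-policy at all
    untouched = pool.translate("10.1.2.5", "trust", "untrust")
    # once 10.1.1.2 goes idle, its public address is reusable by the refused host
    pool.release("10.1.1.2")
    retry = pool.translate("10.1.1.9", "trust", "untrust")
    return pool, results, untouched, retry


if __name__ == "__main__":
    pool, results, untouched, retry = run_demo()
    for host, (public, verdict) in results.items():
        print(f"{host:10} -> {public or '-':10} {verdict}")
    print("10.1.2.5   ->", untouched)
    print("10.1.1.9 retry ->", retry, "; return path 1.1.1.11 ->", pool.untranslate("1.1.1.11"))
```

With seven pool addresses the first seven hosts each get a distinct public address and the eighth is refused until a binding is released; this is the trade-off the data plan is accepting by choosing No-PAT over NAPT.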
5. Configure a default route on the FW so that private traffic is forwarded to the ISP router
[FW1]ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
6. On the Internet router, configure static routes to the NAT pool addresses (1.1.1.11 to 1.1.1.17) with next hop 1.1.1.1, so that return traffic from the Internet is forwarded to the FW.
The first attempts fail because the command syntax is `ip route-static destination { mask | mask-length } next-hop`: the second argument must be a mask, not an address, and 1.1.1.254 (the router's own interface address) is not the destination of these routes:
[AR1]ip route-static 1.1.1.254 1.1.1.11 1.1.1.1
Error: The mask is invalid.
[AR1]ip route-static 1.1.1.254 1.1.1.12 1.1.1.1
Error: The mask is invalid.
The correct form is one host route (mask length 32) per pool address; the /32 routes win over the directly connected 1.1.1.0/24 route by longest match, so the router forwards these packets to 1.1.1.1 instead of ARPing for the pool addresses:
[AR1]ip route-static 1.1.1.11 32 1.1.1.1
[AR1]ip route-static 1.1.1.12 32 1.1.1.1
[AR1]ip route-static 1.1.1.13 32 1.1.1.1
[AR1]ip route-static 1.1.1.14 32 1.1.1.1
[AR1]ip route-static 1.1.1.15 32 1.1.1.1
[AR1]ip route-static 1.1.1.16 32 1.1.1.1
[AR1]ip route-static 1.1.1.17 32 1.1.1.1
Verify on AR1 with `display ip routing-table`, which should list seven static /32 routes with next hop 1.1.1.1, and on FW1 with `display firewall session table` after a PC in 10.1.1.0/24 accesses the Internet; each private host should appear with a distinct pool address and its original source port.