6 - Huawei Firewall (Configuring Source-IP-Based NAT)
I. Lab 1: Configure No-PAT
1. Basic configuration omitted:
2. Enable Telnet on R1:
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode password ?
[R1-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):cisco
[R1-ui-vty0-4]user privilege level 15
3. Configure the interzone policy from Trust to Untrust:
[SRG]policy interzone trust untrust outbound
[SRG-policy-interzone-trust-untrust-outbound]policy create-mode auto-sort enable
[SRG-policy-interzone-trust-untrust-outbound]policy 5
[SRG-policy-interzone-trust-untrust-outbound-5]policy source 192.168.1.0 mask 24
[SRG-policy-interzone-trust-untrust-outbound-5]policy destination 202.100.1.0 mask 24
[SRG-policy-interzone-trust-untrust-outbound-5]policy service service-set telnet
[SRG-policy-interzone-trust-untrust-outbound-5]policy service service-set icmp
[SRG-policy-interzone-trust-untrust-outbound-5]action permit
4. Before NAT is deployed, the address is not translated:
Login authentication
Password:cisco
5. Configure No-PAT:
[SRG]nat address-group 1 202.100.1.10 202.100.1.20 // Create the address group
[SRG]nat-policy interzone trust untrust outbound // Create the interzone NAT policy
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 0
[SRG-nat-policy-interzone-trust-untrust-outbound-0]policy source 192.168.1.0 mask 24 // Source address range to translate
[SRG-nat-policy-interzone-trust-untrust-outbound-0]address-group 1 no-pat // Address group to translate to, without port translation
[SRG-nat-policy-interzone-trust-untrust-outbound-0]action source-nat // Perform the source NAT action
Test:
View the translated firewall sessions:
[SRG]display firewall session table verbose // Source port is 50573; after translation the port is still 50573
View the firewall server-map:
[SRG]display firewall server-map
II. Lab 2: Configure PAT (port translation with an external address pool)
[SRG-nat-policy-interzone-trust-untrust-outbound-0]undo address-group
[SRG-nat-policy-interzone-trust-untrust-outbound-0]address-group 1
Test:
[SRG]display firewall session table verbose
III. Lab 3: Configure Easy-IP, translating 192.168.1.2 to the address of the USG's g0/0/0 interface
[SRG]nat-policy interzone trust untrust outbound
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy 0
[SRG-nat-policy-interzone-trust-untrust-outbound-0]undo address-group
[SRG-nat-policy-interzone-trust-untrust-outbound-0]easy-ip GigabitEthernet 0/0/0
Test:
[SRG]display firewall session table verbose
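An added example, not part of the original post and not Huawei's implementation: a simplified Python model of the three modes configured above. It shows why No-PAT leaves source port 50573 unchanged and serves only as many inside hosts as address-group 1 has addresses, while PAT and Easy-IP share an address by rewriting the port. The interface address 202.100.1.254, the starting port 2048, the sequential allocation and the inside host addresses are assumptions.

```python
import ipaddress

def pool_range(first, last):
    """Expand an address-group such as 202.100.1.10 - 202.100.1.20 into a list."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

POOL = pool_range("202.100.1.10", "202.100.1.20")  # address-group 1 on the page
IFACE_IP = "202.100.1.254"  # assumed g0/0/0 address; the page does not state it

class SourceNat:
    """Simplified model of no-pat, pat and easy-ip source NAT (not vendor code)."""
    def __init__(self, mode, public_ips, first_port=2048):
        self.mode = mode                # "no-pat", "pat" or "easy-ip"
        self.public_ips = list(public_ips)
        self.first_port = first_port    # assumed start of the translated port range
        self.host_map = {}              # no-pat: private IP -> public IP
        self.sessions = {}              # (private IP, port) -> (public IP, port)

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key in self.sessions:        # an existing session keeps its mapping
            return self.sessions[key]
        if self.mode == "no-pat":
            # One inside host holds one pool address; the port is not rewritten.
            if src_ip not in self.host_map:
                free = [p for p in self.public_ips if p not in self.host_map.values()]
                if not free:
                    raise RuntimeError("address pool exhausted")
                self.host_map[src_ip] = free[0]
            mapped = (self.host_map[src_ip], src_port)
        else:
            # pat / easy-ip: hosts share an address and differ only by port.
            used = set(self.sessions.values())
            mapped = next(((ip, p) for ip in self.public_ips for p in
                           range(self.first_port, 65536) if (ip, p) not in used), None)
            if mapped is None:
                raise RuntimeError("port space exhausted")
        self.sessions[key] = mapped
        return mapped

def hosts_served(nat, count, src_port=50573):
    """Count how many constructed inside hosts (192.168.1.2 onward) get a mapping."""
    for n in range(count):
        try:
            nat.translate(f"192.168.1.{n + 2}", src_port)
        except RuntimeError:
            return n
    return count
```

With 20 inside hosts, `hosts_served(SourceNat("no-pat", POOL), 20)` stops at 11, the size of the pool, whereas the `pat` and `easy-ip` models serve all 20.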
[6 - Huawei Firewall (Configuring Source-IP-Based NAT)] Reposted from: https://blog.51cto.com/13856092/2138637