Brother Qiang Talks Firewalls, NAT Series: The NAT Server Thirty-Two-Character Mantra (Part 1): Lab
Author: 阿新 • Published: 2019-01-06
Topology
1. VPN configuration
Configured through the web interface.
FW1 configuration
FW2 configuration
VPN negotiation policy
security-policy
 rule name untrust2local_vpn
  source-zone untrust
  destination-zone local
  source-address 1.1.1.2 32
  destination-address 1.1.1.1 32
  service protocol udp destination-port 500
  service protocol udp source-port 500
  action permit
 rule name local2untrust_vpn
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 32
  destination-address 1.1.1.2 32
  service protocol udp destination-port 500
  service protocol udp source-port 500
  action permit
NAT Server
"One forward, one reverse; traffic passes freely in and out"
[FW1]nat server web protocol tcp global 1.1.1.1 9980 inside 192.168.2.2 80
[FW1]display firewall server-map
Current Total Server-map : 2
Type: Nat Server, ANY -> 1.1.1.1:9980[192.168.2.2:80], Zone:---, protocol:tcp
 Vpn: public -> public
Type: Nat Server Reverse, 192.168.2.2[1.1.1.1] -> ANY, Zone:---, protocol:tcp
 Vpn: public -> public, counter: 1
First turn off the default security policy, access the internal host from the Internet, and check the session table:
tcp VPN: public --> public ID: c487f663b50b23061df5c21e60d
Zone: untrust --> trust TTL: 00:20:00 Left: 00:19:45
Interface: GigabitEthernet1/0/0 NextHop: 192.168.2.2 MAC: 000c-2924-9304
<--packets: 1 bytes: 48 --> packets: 254 bytes: 10,176
1.1.2.2:1047 --> 1.1.1.1:9980[192.168.2.2:80] PolicyName: default
Configure the untrust-to-trust security policy (note that it names the real server address 192.168.2.2, i.e. the address after NAT Server translation):
rule name accesswebserver
source-zone untrust
destination-zone trust
destination-address 192.168.2.2 32
service protocol tcp destination-port 80
action permit
The external host can now access the internal server.
Internal hosts accessing the Internet: NAT policy
rule name internet
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 192.168.2.0 24
action nat easy-ip
——————————————————————————————
The host still cannot reach the Internet; a trust-to-untrust security policy is also required.
First turn off the default security policy, access an external web service from an internal host, and check the session table:
http VPN: public --> public ID: c487f663b5125f028635c21e99d
Zone: trust --> untrust TTL: 00:20:00 Left: 00:19:50
Interface: GigabitEthernet1/0/1 NextHop: 1.1.1.2 MAC: 00e0-fc04-1b46
<--packets: 1256 bytes: 50,624 --> packets: 8 bytes: 1,112
192.168.2.2:53677[1.1.1.1:2049] --> 1.1.2.2:80 PolicyName: default
Configure the trust-to-untrust security policy, permitting only web access:
rule name trut2untrust
source-zone trust
destination-zone untrust
source-address 192.168.2.0 24
service http
action permit
————————————————————————
The server accesses the branch office's web server.
Check the session table:
esp VPN: public --> public ID: c487f663b4be750539b5c21ec47
Zone: untrust --> local TTL: 00:10:00 Left: 00:09:55
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 1 bytes: 124
1.1.1.2:0 --> 1.1.1.1:0 PolicyName: default
Add an untrust-to-local security policy that allows ESP packets through (the earlier VPN rules only permit UDP 500 for IKE):
rule name untrust2local
source-zone untrust
destination-zone local
source-address 1.1.1.2 32
destination-address 1.1.1.1 32
action permit
[FW1]nat server web protocol tcp global 1.1.1.1 9980 inside 192.168.2.2 80 no-reverse
[FW1]dis firewall session table
Current Total Sessions : 13
http VPN: public --> public 192.168.2.2:53521[1.1.1.1:53521] --> 10.0.0.2:80
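To make the server-map behaviour above concrete, here is an added toy model (not Huawei code, written for this article) of the two server-map entries and of the policy lookup on the translated address. It assumes a single forward entry as shown in the display output, ignores zones, and models "no-reverse" simply as the absence of the reverse entry.

```python
# Added example (not Huawei code): a toy model of the NAT Server server-map
# entries shown above and of the security-policy check on translated addresses.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Forward entry from the display output: ANY -> 1.1.1.1:9980[192.168.2.2:80], tcp
FORWARD = {"proto": "tcp", "global": ("1.1.1.1", 9980), "inside": ("192.168.2.2", 80)}


def apply_server_map(pkt: Packet, no_reverse: bool = False) -> Packet:
    """Return the packet after server-map translation (unchanged if nothing matches)."""
    # Inbound: destination global address:port is rewritten to the inside address:port.
    if pkt.proto == FORWARD["proto"] and (pkt.dst_ip, pkt.dst_port) == FORWARD["global"]:
        ip, port = FORWARD["inside"]
        return replace(pkt, dst_ip=ip, dst_port=port)
    # Reverse entry 192.168.2.2[1.1.1.1] -> ANY: only the source address is rewritten,
    # the source port is kept. With 'no-reverse' this entry does not exist, so the
    # server's own outbound traffic falls through to the NAT policy (easy-ip) instead.
    if not no_reverse and pkt.src_ip == FORWARD["inside"][0]:
        return replace(pkt, src_ip=FORWARD["global"][0])
    return pkt


# Security policy is evaluated on the post-translation (real) destination address,
# which is why rule 'accesswebserver' names 192.168.2.2/32 rather than 1.1.1.1.
POLICY = [("accesswebserver", "tcp", "192.168.2.2", 80)]


def policy_permits(pkt: Packet) -> bool:
    """True if some rule matches the (already translated) packet."""
    return any(p == pkt.proto and ip == pkt.dst_ip and port == pkt.dst_port
               for _, p, ip, port in POLICY)


def inbound_allowed(pkt: Packet) -> bool:
    """Full inbound path: server-map translation first, then policy lookup."""
    return policy_permits(apply_server_map(pkt))
```

A policy written against the public address 1.1.1.1 would never match in this model, which is the usual cause of "NAT Server configured but connections still dropped".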