
Day 7 of learning Huawei eNSP

Published: 2023-12-02 20:40:00.0

                                           NAT Lab Report

 

Lab topology diagram:

 

I. Lab requirements:

1. The PCs are on different subnets

2. NAT must be configured on the firewall

 

II. Lab objectives:

1. Learn how NAT is configured

2. Understand what NAT does

 

III. Lab procedure:

  Step 1: Configuration plan

     1. Configure IP addresses

     2. Configure static routes

     3. Configure zones

     4. Configure the security policy

     5. Configure NAT on the firewall

     6. Configure NAT Server

     7. Test

Step 2: Lab operation

  1. Configure IP addresses

Client:

Server:

 

FW1:

[FW1] interface GigabitEthernet1/0/0

[FW1-GigabitEthernet1/0/0] ip address 192.168.4.254 255.255.255.0

[FW1-GigabitEthernet1/0/0] service-manage ping permit

 

[FW1] interface GigabitEthernet1/0/1

[FW1-GigabitEthernet1/0/1] ip address 192.168.2.254 255.255.255.0

[FW1-GigabitEthernet1/0/1] service-manage ping permit

 

[FW1] interface GigabitEthernet1/0/2

[FW1-GigabitEthernet1/0/2] ip address 202.169.3.2 255.255.255.0

[FW1-GigabitEthernet1/0/2] service-manage ping permit

R1:

[R1]int g0/0/1

[R1-GigabitEthernet0/0/1]ip add 192.168.1.254  24

[R1-GigabitEthernet0/0/1]int g0/0/0

[R1-GigabitEthernet0/0/0]ip add 192.168.3.1  24

 

2. Configure static routes:

FW1:

ip route-static 0.0.0.0  0.0.0.0  192.168.3.1

R1:

ip route-static 0.0.0.0 0.0.0.0 202.169.3.2

Note on the addresses as written: FW1's next hop 192.168.3.1 is not on the 202.169.3.0/24 subnet assigned to GigabitEthernet1/0/2 in step 1, and R1's next hop 202.169.3.2 is not on either of R1's interfaces (192.168.1.0/24 and 192.168.3.0/24), so neither default route would be installed as shown; check the link addresses against the topology diagram before testing.

 

 

3. Configure zones:

FW1:

[FW1]firewall zone trust

[FW1-zone-trust]add interface GigabitEthernet1/0/1

[FW1]firewall zone untrust

[FW1-zone-untrust]add interface GigabitEthernet1/0/2

[FW1]firewall zone dmz

[FW1-zone-dmz] add interface GigabitEthernet1/0/0

 

4. Configure the security policy:

FW1:

[FW1]security-policy

[FW1-policy-security] rule name 1

[FW1-policy-security-rule-1] source-zone untrust

[FW1-policy-security-rule-1] destination-zone dmz

[FW1-policy-security-rule-1] destination-address 192.168.4.1 32

[FW1-policy-security-rule-1] service ftp

[FW1-policy-security-rule-1] action permit

[FW1-policy-security]rule name 2

[FW1-policy-security-rule-2] source-zone trust

[FW1-policy-security-rule-2] destination-zone untrust

[FW1-policy-security-rule-2] action permit

 

5. Configure NAT on the firewall:

[FW1]nat address-group a

[FW1-address-group-a]mode pat

[FW1-address-group-a]section 1 192.168.3.100 192.168.3.110

[FW1]nat-policy

[FW1-policy-nat]rule name 1

[FW1-policy-nat-rule-1]source-zone trust

[FW1-policy-nat-rule-1]destination-zone untrust

[FW1-policy-nat-rule-1]source-address 192.168.2.0 24

[FW1-policy-nat-rule-1]action nat address-group a

6. Configure NAT Server:

FW1:

[FW1]nat server ftpsever 0 protocol tcp global 192.168.3.5 ftp inside 192.168.4.1 ftp
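As an added illustration (not part of the original lab report), the following Python model replays FW1's handling of steps 3 to 6 on a few constructed packets: the NAT Server mapping is applied before the security policy lookup, the policy is matched on zones derived from the ingress interface and from the route of the translated destination, and source NAT from address group a is applied only to traffic the policy has already permitted. Interface names are shortened to the G1/0/0 form; the default route is assumed to leave through GigabitEthernet1/0/2 (the untrust interface), since the next hop 192.168.3.1 given in step 2 is not on that interface's configured 202.169.3.0/24 subnet; the pool address and PAT port chosen for translated traffic are constructed, not what the USG would actually allocate.

```python
"""Model of FW1's packet handling in the NAT lab (steps 3 to 6):
NAT Server (destination NAT) -> security policy -> source NAT (PAT)."""
import ipaddress
from dataclasses import dataclass

IP, NET = ipaddress.ip_address, ipaddress.ip_network

# Step 3: interface -> security zone.
ZONES = {"G1/0/0": "dmz", "G1/0/1": "trust", "G1/0/2": "untrust"}

# Connected networks from step 1 plus the default route.
# ASSUMPTION: the default route egresses via G1/0/2 (untrust).
ROUTES = [
    (NET("192.168.4.0/24"), "G1/0/0"),
    (NET("192.168.2.0/24"), "G1/0/1"),
    (NET("202.169.3.0/24"), "G1/0/2"),
    (NET("0.0.0.0/0"), "G1/0/2"),
]

# Step 4: security policy, matched top-down; None means "any".
# Traffic that matches no rule hits the firewall's implicit deny.
SECURITY_POLICY = [
    {"name": "1", "src_zone": "untrust", "dst_zone": "dmz",
     "dst": NET("192.168.4.1/32"), "service": ("tcp", 21), "action": "permit"},
    {"name": "2", "src_zone": "trust", "dst_zone": "untrust",
     "dst": None, "service": None, "action": "permit"},
]

# Step 5: source NAT policy using address group "a" in PAT mode.
NAT_POLICY = [
    {"src_zone": "trust", "dst_zone": "untrust", "src": NET("192.168.2.0/24"),
     "pool": [IP("192.168.3.100") + i for i in range(11)]},  # .100 to .110
]

# Step 6: NAT Server, (proto, global address, port) -> (inside address, port).
NAT_SERVER = {("tcp", IP("192.168.3.5"), 21): (IP("192.168.4.1"), 21)}


@dataclass
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    matching = [r for r in ROUTES if dst in r[0]]
    return max(matching, key=lambda r: r[0].prefixlen)[1]


class Firewall:
    def __init__(self):
        self.next_pat_port = 10000  # constructed PAT port allocator

    def process(self, pkt):
        src, dst = IP(pkt.src), IP(pkt.dst)
        sport, dport = pkt.sport, pkt.dport
        src_zone = ZONES[pkt.in_iface]

        # 1. NAT Server: destination NAT happens before the policy lookup,
        #    so the security policy is written against the inside address.
        mapped = NAT_SERVER.get((pkt.proto, dst, dport))
        if mapped:
            dst, dport = mapped

        # 2. Route the (possibly translated) destination to get its zone.
        dst_zone = ZONES[route_lookup(dst)]

        # 3. Security policy: the first matching rule decides; default deny.
        action = "deny"
        for rule in SECURITY_POLICY:
            if (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
                    and (rule["dst"] is None or dst in rule["dst"])
                    and (rule["service"] is None
                         or rule["service"] == (pkt.proto, dport))):
                action = rule["action"]
                break
        if action != "permit":
            return {"action": "deny", "src_zone": src_zone, "dst_zone": dst_zone}

        # 4. Source NAT runs last, only for traffic the policy permitted.
        for rule in NAT_POLICY:
            if (rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone
                    and src in rule["src"]):
                src = rule["pool"][0]          # constructed: first pool address
                sport = self.next_pat_port     # constructed: sequential PAT port
                self.next_pat_port += 1
                break
        return {"action": "permit", "src_zone": src_zone, "dst_zone": dst_zone,
                "src": str(src), "sport": sport, "dst": str(dst), "dport": dport}


if __name__ == "__main__":
    fw = Firewall()
    for p in [  # constructed sample packets
        Packet("G1/0/2", "202.169.3.10", 40000, "192.168.3.5", 21),  # FTP to NAT Server
        Packet("G1/0/2", "202.169.3.10", 40001, "192.168.4.1", 80),  # HTTP to the server
        Packet("G1/0/1", "192.168.2.1", 50000, "202.169.3.10", 80),  # trust -> untrust
        Packet("G1/0/0", "192.168.4.1", 50001, "202.169.3.10", 80),  # dmz -> untrust
    ]:
        print(p.in_iface, p.src, "->", p.dst, p.dport, fw.process(p))
```

Running it shows what step 7 should confirm: FTP to the global address 192.168.3.5 reaches 192.168.4.1 in the dmz, any other service to the server is dropped by the implicit deny, hosts in 192.168.2.0/24 leave with a pool address, and the dmz server itself cannot open connections towards untrust because no rule permits dmz to untrust.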

 

7. Test:

 

 

 

 

      

                                     Dual-Interface NAT Lab Report

 

Lab topology diagram:

 

I. Lab requirements:

1. The PCs and the server are on different subnets

2. The gateways are on the switches

3. Use static routes to provide connectivity

4. No private addresses may appear on the WAN

5. The headquarters server uses NAT with dual egress links

 

II. Lab procedure:

  Step 1: Configuration plan

     1. Configure VLANs and IP addresses and enable the ping service

     2. Configure static routes

     3. Configure firewall zones

     4. Enable the security policy on the firewall

     5. Configure Easy IP on the router

     6. Configure NAT Server on the firewall

     7. Test

Step 2: Lab operation

  1. Configure VLANs and IP addresses and enable the ping service

PC:

SW1:

    vlan batch 10 20 30 40

    interface GigabitEthernet0/0/1

    port link-type access

    port default vlan 10

    interface GigabitEthernet0/0/2

    port link-type access

    port default vlan 20

    interface GigabitEthernet0/0/3

    port link-type access

    port default vlan 30

    interface GigabitEthernet0/0/4

    port link-type access

    port default vlan 40

SW2:

   vlan batch 10 20 30

    interface GigabitEthernet0/0/1

     port link-type access

     port default vlan 30

     interface GigabitEthernet0/0/2

     port link-type access

     port default vlan 10

     interface GigabitEthernet0/0/3

     port link-type access

     port default vlan 20

 

SW1

interface Vlanif10

 ip address 192.168.1.254 255.255.255.0

interface Vlanif20

 ip address 192.168.2.254 255.255.255.0

interface Vlanif30

 ip address 192.168.3.254 255.255.255.0

interface Vlanif40

 ip address 192.168.4.1 255.255.255.0

FW1

interface GigabitEthernet1/0/0

 ip address 192.168.4.2 255.255.255.0

 service-manage ping permit

 

interface GigabitEthernet1/0/1

 ip address 192.168.100.1 255.255.255.0

 service-manage ping permit

 

interface GigabitEthernet1/0/2

ip address 192.168.101.1 255.255.255.0

 service-manage ping permit

R1

interface GigabitEthernet0/0/0

 ip address 192.168.100.2 255.255.255.0

 

interface GigabitEthernet0/0/1

 ip address 192.168.102.1 255.255.255.0

R2

interface GigabitEthernet0/0/0

 ip address 192.168.101.2 255.255.255.0

 

interface GigabitEthernet0/0/1

 ip address 192.168.103.1 255.255.255.0

R3

interface GigabitEthernet0/0/0

 ip address 192.168.7.1 255.255.255.0

 

interface GigabitEthernet0/0/1

 ip address 192.168.103.2 255.255.255.0

 

interface GigabitEthernet0/0/2

 ip address 192.168.102.2 255.255.255.0

SW2

interface Vlanif10

 ip address 192.168.5.254 255.255.255.0

 

interface Vlanif20

 ip address 192.168.6.254 255.255.255.0

 

interface Vlanif30

 ip address 192.168.7.2 255.255.255.0

 

 

  2. Configure static routes

  SW1

ip route-static 0.0.0.0 0.0.0.0 192.168.4.2

FW1

ip route-static 0.0.0.0 0.0.0.0 192.168.4.1

ip route-static 192.168.102.0 255.255.255.0 192.168.100.2

ip route-static 192.168.102.0 255.255.255.0 192.168.101.2 preference 100

ip route-static 192.168.103.0 255.255.255.0 192.168.101.2

ip route-static 192.168.103.0 255.255.255.0 192.168.100.2 preference 100

R1

ip route-static 192.168.101.0 255.255.255.0 192.168.100.1

ip route-static 192.168.103.0 255.255.255.0 192.168.102.2

R2

ip route-static 192.168.100.0 255.255.255.0 192.168.101.1

ip route-static 192.168.102.0 255.255.255.0 192.168.103.2

R3

ip route-static 192.168.100.0 255.255.255.0 192.168.102.1

ip route-static 192.168.100.0 255.255.255.0 192.168.103.1 preference 100

ip route-static 192.168.101.0 255.255.255.0 192.168.103.1

ip route-static 192.168.101.0 255.255.255.0 192.168.102.1 preference 100

ip route-static 192.168.5.0 255.255.255.0 192.168.7.2

ip route-static 192.168.6.0 255.255.255.0 192.168.7.2

SW2

ip route-static 0.0.0.0 0.0.0.0 192.168.7.1
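As an added illustration (not part of the original lab report), the Python model below applies FW1's static routes from this step and shows which next hop is chosen for the two remote prefixes when both uplinks are up and when one of them fails. It assumes the VRP default static route preference of 60 for the routes entered without a preference, and that a static route is withdrawn when the interface towards its next hop goes down; the next-hop-to-interface mapping follows the addresses from step 1.

```python
"""Floating static routes on FW1 in the dual-link lab (step 2): for each
remote prefix the firewall holds two static routes; the one with the default
preference (60) is active and the preference-100 route takes over when the
primary next hop's link is down."""
import ipaddress

NET = ipaddress.ip_network

# FW1 interfaces from step 1, keyed by the next hops used in step 2.
NEXT_HOP_IFACE = {
    "192.168.4.1": "GigabitEthernet1/0/0",
    "192.168.100.2": "GigabitEthernet1/0/1",
    "192.168.101.2": "GigabitEthernet1/0/2",
}

# FW1's static routes from step 2; 60 is VRP's default static route preference.
STATIC_ROUTES = [
    ("0.0.0.0/0", "192.168.4.1", 60),
    ("192.168.102.0/24", "192.168.100.2", 60),
    ("192.168.102.0/24", "192.168.101.2", 100),
    ("192.168.103.0/24", "192.168.101.2", 60),
    ("192.168.103.0/24", "192.168.100.2", 100),
]


def active_routes(down_ifaces=()):
    """Static routes whose next-hop interface is up (a static route is
    withdrawn when its outgoing interface goes down)."""
    return [(NET(prefix), nh, pref) for prefix, nh, pref in STATIC_ROUTES
            if NEXT_HOP_IFACE[nh] not in down_ifaces]


def best_route(dst, down_ifaces=()):
    """Forwarding decision for dst: longest prefix first, then lowest
    preference. Returns None when no route matches."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in active_routes(down_ifaces) if dst in r[0]]
    if not candidates:
        return None
    prefix, nh, pref = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
    return {"prefix": str(prefix), "next_hop": nh,
            "iface": NEXT_HOP_IFACE[nh], "preference": pref}


def failover_report(dst):
    """Show how the chosen path changes as each uplink fails."""
    return {
        "both up": best_route(dst),
        "G1/0/1 down": best_route(dst, ("GigabitEthernet1/0/1",)),
        "G1/0/2 down": best_route(dst, ("GigabitEthernet1/0/2",)),
        "both down": best_route(dst, ("GigabitEthernet1/0/1",
                                      "GigabitEthernet1/0/2")),
    }


if __name__ == "__main__":
    for dst in ("192.168.102.2", "192.168.103.2"):  # R3's two WAN addresses
        for state, route in failover_report(dst).items():
            print(f"{dst:15} {state:12} -> {route}")
```

Running it shows 192.168.102.0/24 preferring R1 (192.168.100.2) and 192.168.103.0/24 preferring R2 (192.168.101.2), each switching to its preference-100 route when the primary uplink goes down. It also shows that with both uplinks down the default route towards SW1 (192.168.4.1) still matches, so that traffic is not dropped but sent back into the LAN; that is worth confirming with a ping and a packet capture in step 7.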

 

  3. Configure firewall zones

 FW1

firewall zone trust

 set priority 85

 add interface GigabitEthernet0/0/0

 add interface GigabitEthernet1/0/0

 

firewall zone untrust

 set priority 5

 add interface GigabitEthernet1/0/1

 add interface GigabitEthernet1/0/2

 

  4. Enable the security policy on the firewall

  FW1

security-policy

 rule name 1

  source-zone trust

  destination-zone untrust

  action permit

 

 rule name 2

  source-zone untrust

  destination-zone trust

  action permit

 

nat address-group a 0

 mode pat

 section 1 192.168.100.100 192.168.100.110

 section 2 192.168.101.100 192.168.101.110

 

nat-policy

 rule name 1

  source-zone trust

  destination-zone untrust

  action nat address-group a

 

   rule name 2

  source-zone untrust

  destination-zone trust

  action nat address-group a

 

   

5. Configure Easy IP on the router

R3

acl number 2000 

 rule 5 permit source 192.168.5.0 0.0.0.255

 rule 10 permit source 192.168.6.0 0.0.0.255

 

interface GigabitEthernet0/0/1

 nat outbound 2000

 

interface GigabitEthernet0/0/2

nat outbound 2000

6. Configure NAT Server on the firewall

nat server up 0 protocol tcp global 192.168.100.100 ftp inside 192.168.2.1 ftp no-reverse

nat server down 1 protocol tcp global 192.168.101.101 ftp inside 192.168.2.1 ftp no-reverse

7. Test:

Packet capture: