PIX Firewall NAT


1. Lab topology

[Figure: PIX firewall NAT lab topology]

2. Lab requirements

 1) Complete the basic firewall configuration

 2) Become familiar with the firewall's access rules

 3) Become familiar with the firewall's routing configuration

 4) Understand how the firewall performs NAT and become familiar with the configuration commands

   A) Traffic from R1's lo0 to R2's lo0 uses dynamic NAT

   B) Traffic from R1's lo1 to R2's lo1 uses PAT

   C) Traffic from R3's lo0 toward outside uses static NAT

 5) Understand special NAT and policy NAT

3. Lab steps

 1) Basic router configuration and interface configuration

 2) Basic PIX firewall configuration and interface configuration

FW4(config)# int e0
FW4(config-if)# ip add 192.168.1.2 255.255.255.0
FW4(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
FW4(config-if)# no shu
FW4(config-if)# int e2
FW4(config-if)# ip add 202.202.202.2 255.255.255.0
FW4(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
FW4(config-if)# no shu
FW4(config-if)# int e3
FW4(config-if)# ip add 192.168.3.2 255.255.255.0
FW4(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
FW4(config-if)# security-level 50
FW4(config-if)# no shu

 3) Test connectivity of the directly connected links

 4) Configure static routes so the whole network is reachable; R2 simulates a public Internet router and is given no routes

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
FW4(config)# route inside 192.168.10.0 255.255.255.0 192.168.1.1
FW4(config)# route inside 192.168.20.0 255.255.255.0 192.168.1.1
FW4(config)# route dmz 192.168.30.0 255.255.255.0 192.168.3.1
FW4(config)# route outside 0.0.0.0 0.0.0.0 202.202.202.2

 5) Complete the firewall's NAT configuration as required by the lab, and understand how it works

A) Test dynamic NAT

Before dynamic NAT is configured, R1 on inside cannot reach R2 on outside, because there is no return route. Once dynamic NAT is in place, the return route is a directly connected route (the source has been translated to an address in the 202.202.202.0 network), so the access works.

FW4(config)# access-list outacl extended permit icmp host 200.200.200.200 202.202.202.0 255.255.255.0   // permit ICMP from host 200.200.200.200 to the 202.202.202.0 network (a named extended ACL?)
FW4(config)# access-group outacl in int outside   // apply it to the outside interface

FW4(config)# nat ?
configure mode commands/options:
 (  Open parenthesis for the name of the network interface where the
  hosts/network designated by the local IP address are accessed

FW4(config)# nat (inside) 1 192.168.10.0 255.255.255.0
FW4(config)# global (outside) 1 202.202.202.3-202.202.202.5 netmask 255.255.255.0   // dynamic NAT lets the private network reach the public network; nat and global must be used together

Test result:

R1#ping 200.200.200.200 so 192.168.10.1   // a source must be specified: only the 192.168.10.0 network is translated, and without a source the exit interface address is used by default
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/28/44 ms

B) Test PAT (PAT maps a range of private addresses to a single global address)

FW4(config)# nat (inside) 2 192.168.20.0 255.255.255.0
FW4(config)# global (outside) 2 int
INFO: outside interface address added to PAT pool

Test result:

R1#ping 200.200.200.200 so 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/68 ms

C) Static NAT test

FW4(config)# static (dmz,outside) 202.202.202.8 192.168.30.1 netmask 255.255.255.255   // lets the private host reach the public network: 192.168.30.1 is translated to 202.202.202.8
FW4(config)# access-list dmzacl permit icmp 192.168.30.1 255.255.255.255 200.200.200.200 255.255.255.255   // this ACL is not applied to any interface?

Test result:

R3#ping 200.200.200.200 so 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/33/48 ms

6) Test special NAT and policy NAT

A) Special NAT

When the nat-control command is enabled, every inside address must have a matching inside NAT rule. Likewise, if outside dynamic NAT is enabled on an interface, every outside address must have a matching outside NAT rule before communication through the security appliance is allowed.

Test:

Note that for R1 to ping R3 the following is needed:

FW4(config)# fixup protocol icmp
FW4(config)# no fixup protocol icmp
FW4(config)# access-list dmz-inside extended permit icmp 192.168.3.1 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
FW4(config)# access-group dmz-inside in int dmz

At this point:

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/72 ms

Enable nat-control:

FW4(config)# nat-control

Test:

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

B) Identity NAT

The translated IP is the same as the original real IP, so in effect nothing is translated; it can only be used for outbound traffic. It resembles dynamic NAT, except that dynamic NAT maps to global addresses. Identity NAT is unidirectional: in the example below R3 cannot ping R1 (192.168.3.1 pinging 192.168.1.1).

FW4(config)# nat-control

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

FW4(config)# nat (inside) 0 192.168.1.1 255.255.255.255
nat 0 192.168.1.1 will be identity translated for outbound
// only nat, no global: relate this to the characteristics of identity NAT

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/31/68 ms

Note: both of the experiments above depend on the following being in place, which lets R1 ping R3:

FW4(config)# fixup protocol icmp
FW4(config)# no fixup protocol icmp
FW4(config)# access-list dmz-inside extended permit icmp 192.168.3.1 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
FW4(config)# access-group dmz-inside in int dmz

Question: when an ACL is deleted on the firewall, is the access-group command that applies it to the interface removed as well?

 C) NAT exemption (nat 0 with an ACL)

 Similar to identity NAT; the main difference is that NAT exemption allows bidirectional communication, so both the translated hosts and remote hosts may initiate connections.

FW4(config)# no nat (inside) 0 192.168.1.1 255.255.255.255
FW4(config)# nat-control
FW4(config)# access-list nonat permit ip 192.168.1.1 255.255.255.255 192.168.3$
FW4(config)# nat (inside) 0 access-list nonat

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/52 ms

Note: all three of the experiments above depend on the following being in place, which lets R1 ping R3:

FW4(config)# fixup protocol icmp
FW4(config)# no fixup protocol icmp
FW4(config)# access-list dmz-inside extended permit icmp 192.168.3.1 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
FW4(config)# access-group dmz-inside in int dmz

D) Policy NAT

Similar to static NAT, but policy NAT lets you define a conditional criterion that checks both the source and the destination address to decide which translation applies. With this feature the source address can be translated differently for different destination addresses.

FW4(config)# access-list NAT1 permit ip 192.168.10.0 255.255.255.0 192.168.30.1 255.255.255.255
FW4(config)# access-list NAT2 permit ip 192.168.10.0 255.255.255.0 192.168.30.2 255.255.255.255
FW4(config)# nat (inside) 1 access-list NAT1
FW4(config)# global (outside) 1 192.168.3.2
INFO: Global 192.168.3.2 will be Port Address Translated
FW4(config)# nat (inside) 2 access-list NAT2
FW4(config)# global (outside) 2 192.168.3.3
INFO: Global 192.168.3.3 will be Port Address Translated

7) Summary of the firewall's access rules and how traffic is handled

A) NAT selection order

Selection is based on how much of the firewall's performance resources each type consumes:

1. NAT exemptions (nat 0 access-list commands), i.e. nat 0 with an ACL
2. Policy NAT (static access-list commands)
3. Static NAT (static commands without port numbers)
4. Static PAT (static commands with port numbers)
5. NAT 0 or policy NAT (nat nat_id access-list commands)
6. Dynamic NAT and PAT (nat nat_id commands)

If two rules are at the same level, the specificity of the access list and of the network address is compared; if those are the same as well, the rule configured first takes precedence.
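As an added example (my own illustration, not part of the original lab write-up), the following Python model encodes the precedence order just listed and the lab's own nat/global/static/nat 0 commands from steps 5 and 6 (dynamic NAT, PAT, static NAT, NAT exemption and policy NAT), then reports which rule a given outbound packet hits and what its source address becomes. It is a deliberately simplified model of the selection logic, not the PIX implementation: the rule labels, the NatRule class and the precedence numbers are mine, the /24 destination of the `nonat` ACL (cut off on the page) is assumed, and only the outbound direction is modelled.

```python
import ipaddress
from dataclasses import dataclass

# Precedence classes, following the order listed in section 7A; a lower value wins.
EXEMPT, STATIC, POLICY, DYNAMIC = 1, 2, 3, 4
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    name: str                      # label used only in this illustration (not a PIX identifier)
    kind: int                      # precedence class from above
    ifc: str                       # interface the real (local) host sits behind
    src: ipaddress.IPv4Network     # real addresses the rule covers
    dst: ipaddress.IPv4Network     # destination condition; ANY unless policy NAT / exemption
    mapped: list                   # [] = identity; one address = static or PAT; several = pool
    pat: bool = False              # True: many locals share one global (port translation)


def select_rule(rules, ifc, src, dst):
    """Pick the winning rule for a packet: lowest precedence class first, then the
    more specific source network, then the more specific destination, then the
    rule configured first (the tie-break described in section 7A)."""
    cands = [(r.kind, -r.src.prefixlen, -r.dst.prefixlen, i, r)
             for i, r in enumerate(rules)
             if r.ifc == ifc and src in r.src and dst in r.dst]
    return min(cands)[4] if cands else None


class Translator:
    def __init__(self, rules, nat_control):
        self.rules = rules
        self.nat_control = nat_control   # models the nat-control command
        self.xlate = {}                  # (rule name, local) -> global, for dynamic pools

    def translate(self, ifc, src, dst):
        """Return (rule name, translated source); (None, None) means the packet is dropped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        rule = select_rule(self.rules, ifc, src, dst)
        if rule is None:
            # With nat-control, a host without a NAT rule is dropped (section 6A);
            # without it the packet passes untranslated.
            return (None, None) if self.nat_control else (None, str(src))
        if not rule.mapped:                    # identity NAT / NAT exemption: unchanged
            return rule.name, str(src)
        if rule.pat or len(rule.mapped) == 1:  # PAT or static: a single global address
            return rule.name, rule.mapped[0]
        key = (rule.name, str(src))            # dynamic pool: hand out the first free global
        if key not in self.xlate:
            free = [g for g in rule.mapped if g not in self.xlate.values()]
            if not free:
                return rule.name, None         # pool exhausted
            self.xlate[key] = free[0]
        return rule.name, self.xlate[key]


def lab_rules():
    """The lab's NAT configuration (steps 5 and 6) expressed as NatRule objects."""
    n = ipaddress.ip_network
    return [
        # nat (inside) 0 access-list nonat  (ACL destination is cut off on the page; /24 assumed)
        NatRule("nonat-exempt", EXEMPT, "inside", n("192.168.1.1/32"), n("192.168.3.0/24"), []),
        # static (dmz,outside) 202.202.202.8 192.168.30.1
        NatRule("static-r3", STATIC, "dmz", n("192.168.30.1/32"), ANY, ["202.202.202.8"]),
        # nat (inside) 1 access-list NAT1 / global (outside) 1 192.168.3.2
        NatRule("policy-NAT1", POLICY, "inside", n("192.168.10.0/24"), n("192.168.30.1/32"),
                ["192.168.3.2"], pat=True),
        # nat (inside) 2 access-list NAT2 / global (outside) 2 192.168.3.3
        NatRule("policy-NAT2", POLICY, "inside", n("192.168.10.0/24"), n("192.168.30.2/32"),
                ["192.168.3.3"], pat=True),
        # nat (inside) 1 192.168.10.0 / global (outside) 1 202.202.202.3-202.202.202.5
        NatRule("dynamic-1", DYNAMIC, "inside", n("192.168.10.0/24"), ANY,
                ["202.202.202.3", "202.202.202.4", "202.202.202.5"]),
        # nat (inside) 2 192.168.20.0 / global (outside) 2 interface  (PAT on 202.202.202.2)
        NatRule("pat-2", DYNAMIC, "inside", n("192.168.20.0/24"), ANY, ["202.202.202.2"], pat=True),
    ]


if __name__ == "__main__":
    fw = Translator(lab_rules(), nat_control=True)
    for pkt in [("inside", "192.168.10.1", "192.168.30.1"),     # policy NAT beats dynamic NAT
                ("inside", "192.168.10.1", "200.200.200.200"),  # dynamic pool
                ("inside", "192.168.20.1", "200.200.200.200"),  # PAT on the interface address
                ("dmz", "192.168.30.1", "200.200.200.200"),     # static
                ("inside", "192.168.1.1", "192.168.3.1"),       # NAT exemption
                ("inside", "192.168.1.1", "200.200.200.200")]:  # no rule: dropped by nat-control
        print(pkt, "->", fw.translate(*pkt))
```

The interesting case is 192.168.10.1 to 192.168.30.1: both the policy rule (`nat (inside) 1 access-list NAT1`) and the plain dynamic rule (`nat (inside) 1 192.168.10.0`) cover that source, and the policy rule wins purely on class, not on configuration order. Switching `nat_control` to False reproduces the pre-nat-control behaviour from section 6A, where an unmatched host passes through untranslated.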

FW4# sh conn
0 in use, 2 most used

FW4# sh local-host
Interface dmz: 0 active, 1 maximum active, 0 denied
Interface outside: 0 active, 1 maximum active, 0 denied
Interface inside: 2 active, 2 maximum active, 0 denied
local host: <192.168.10.1>,
  TCP flow count/limit = 0/unlimited
  TCP embryonic count to host = 0
  TCP intercept watermark = unlimited
  UDP flow count/limit = 0/unlimited
 Xlate:
  Global 202.202.202.3 Local 192.168.10.1
local host: <192.168.1.1>,
  TCP flow count/limit = 0/unlimited
  TCP embryonic count to host = 0
  TCP intercept watermark = unlimited
  UDP flow count/limit = 0/unlimited
 Xlate:
  Global 192.168.1.1 Local 192.168.1.1

FW4# sh xlate
3 in use, 3 most used
Global 202.202.202.8 Local 192.168.30.1
Global 202.202.202.3 Local 192.168.10.1
Global 192.168.1.1 Local 192.168.1.1
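A second added example, again mine and not from the lab page: a small audit that parses a `show xlate` listing like the one above and checks every active translation against the mappings the lab configured (the static for 192.168.30.1, the 202.202.202.3-5 pool, the interface PAT, and the nat 0 entry for 192.168.1.1). Any translation that no configured rule explains is flagged, which is the check an operator wants when verifying that the translations on a firewall match the intended baseline. The sample listing is the page's output with one constructed extra entry (202.202.202.9 / 192.168.30.5) added to show the flag firing; the expected-mapping tables are hand-written from steps 5 and 6.

```python
import ipaddress
import re

# Constructed sample input: the `show xlate` listing from step 7, plus one extra
# entry (202.202.202.9 / 192.168.30.5) that no configured rule explains.
SHOW_XLATE = """4 in use, 4 most used
Global 202.202.202.8 Local 192.168.30.1
Global 202.202.202.3 Local 192.168.10.1
Global 192.168.1.1 Local 192.168.1.1
Global 202.202.202.9 Local 192.168.30.5
"""

XLATE_RE = re.compile(
    r"^\s*Global\s+(\d+\.\d+\.\d+\.\d+)\s+Local\s+(\d+\.\d+\.\d+\.\d+)", re.M)

# Expected translations, written out from the lab configuration in steps 5 and 6.
STATICS = {"192.168.30.1": "202.202.202.8"}                       # static (dmz,outside) ...
POOLS = {"192.168.10.0/24": ("202.202.202.3", "202.202.202.5")}   # nat/global 1
PAT_GLOBALS = {"192.168.20.0/24": "202.202.202.2"}                # nat/global 2 (interface)
EXEMPT = {"192.168.1.1"}                                          # nat (inside) 0 ...


def parse_show_xlate(text):
    """Return the (global, local) address pairs found in a `show xlate` listing."""
    return XLATE_RE.findall(text)


def classify(global_ip, local_ip):
    """Name the configured rule class that explains one xlate, or 'UNEXPECTED'."""
    g, l = ipaddress.ip_address(global_ip), ipaddress.ip_address(local_ip)
    if g == l:
        # An unchanged address is only legitimate for a host covered by nat 0
        return "identity/exempt" if local_ip in EXEMPT else "UNEXPECTED"
    if STATICS.get(local_ip) == global_ip:
        return "static"
    for net, (lo, hi) in POOLS.items():
        if l in ipaddress.ip_network(net) and \
                ipaddress.ip_address(lo) <= g <= ipaddress.ip_address(hi):
            return "dynamic-pool"
    for net, pat in PAT_GLOBALS.items():
        if l in ipaddress.ip_network(net) and global_ip == pat:
            return "pat"
    return "UNEXPECTED"


def audit_xlates(text):
    """Map each local address in the listing to the rule class that explains it."""
    return {local: classify(glob, local) for glob, local in parse_show_xlate(text)}


if __name__ == "__main__":
    for local, verdict in audit_xlates(SHOW_XLATE).items():
        print(f"{local:16} {verdict}")
```

The same pass can be pointed at `show local-host` output, since its `Xlate:` sections use the identical `Global ... Local ...` line format.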


Source: http://muchs.cn/article12/phigc.html