Huawei firewall with dual enterprise leased lines: policy-based routing for intelligent path selection across multiple ISP uplinks, plus bidirectional NAT
I. Networking requirements

1: The enterprise has two leased lines. When one of them fails, traffic must switch automatically to the other so that network access continues.
(a) PC1 must reach the external PC over the dx line (1.1.1.2/24), and PC2 over the yd line (2.2.2.2/24).
(b) When either the dx or the yd uplink fails, all traffic must switch automatically to the remaining healthy line so that outbound access continues.
2: The HTTP server is placed in the TRUST zone and published to the Internet through NAT. External PCs must be able to reach it, and internal hosts must also be able to reach the internal HTTP server through its public IP. The FTP server is located in the DMZ zone.
The NAT SERVER plan is as follows:

II. The asymmetric return-path problem

The egress firewall has several ISP uplinks. With load balancing deployed, several routes of equal priority exist at the same time, so when an external user accesses the enterprise's internal HTTP service the forward and return paths may differ: the external PC may come in over the dx line while the reply leaves over the yd line. Solution: enable the firewall's source-in-source-out function (redirect-reverse).

III. Network topology

I. Firewall configuration

1. Interface configuration

#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.100.100 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 172.21.100.2 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 description LINK_DX
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 description LINK_YD
 undo shutdown
 ip address 2.2.2.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 172.21.101.2 255.255.255.0
 service-manage ping permit
#

2. Zone configuration: assign the interfaces to security zones.

#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
# Create zone dx with priority 10 and add G1/0/1 to it.
firewall zone name dx
 set priority 10
 add interface GigabitEthernet1/0/1
# Create zone yd with priority 11 and add G1/0/2 to it.
firewall zone name yd
 set priority 11
 add interface GigabitEthernet1/0/2
#

3. Routing configuration

Configure two default routes, pointing to 1.1.1.2 and 2.2.2.2 respectively, and a static route back to the internal network. If automatic failover is required when either uplink goes down, bind the default routes to IP-Link.

#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
ip route-static 172.16.0.0 255.255.0.0 172.21.100.254
#

4. Security policy: allow the required traffic between zones

#
security-policy
 rule name dmz_to_untrust
  source-zone dmz
  destination-zone dx
  destination-zone yd
  source-address 172.21.101.80 mask 255.255.255.255
  action permit
 rule name untrust_to_dmz
  source-zone dx
  source-zone yd
  destination-zone dmz
  destination-address 172.21.101.80 mask 255.255.255.255
  action permit
 rule name trust2dmz
  source-zone dmz
  source-zone trust
  destination-zone dmz
  destination-zone trust
  action permit
 rule name trust_dx2yd
  source-zone trust
  destination-zone dx
  destination-zone yd
  action permit
 rule name untrust_to_trust
  source-zone dx
  source-zone yd
  destination-zone trust
  destination-address address-set HTTP_SERVER01
  action permit
#

5. Create the NAT address pools

#
nat address-group DX_SERVER 0
 mode pat
 section 0 1.1.1.5 1.1.1.6
#
nat address-group YD_SERVER 1
 mode pat
 section 0 2.2.2.5 2.2.2.6
#

6. Address pool for intra-zone NAT

#
nat address-group server01
 mode pat
 section 0 2.2.2.10 2.2.2.11
#

7. NAT policy

#
nat-policy
 rule name DX_NAT
  source-zone trust
  destination-zone dx
  source-address 172.16.10.0 mask 255.255.255.0
  action source-nat address-group DX_SERVER
 rule name YD_NAT
  source-zone trust
  destination-zone yd
  source-address 172.16.20.0 mask 255.255.255.0
  action source-nat address-group YD_SERVER
 rule name nat_policy1
  description FOR_TRUST_HTTPSERVER
  source-zone trust
  destination-zone trust
  source-address 172.16.10.0 mask 255.255.255.0
  source-address 172.16.20.0 mask 255.255.255.0
  destination-address 172.16.20.80 mask 255.255.255.255
  service http
  action source-nat address-group server01
#

8. Policy-based routing

Users in the VLAN10 segment reach the Internet via DX (1.1.1.2) and users in the VLAN20 segment via YD (2.2.2.2). Internal traffic between VLAN10, VLAN20 and VLAN101 is exempted from PBR so that these segments can still reach each other.

#
policy-based-route
 rule name pbr_5
  ingress-interface GigabitEthernet1/0/0
  source-address 172.16.10.0 mask 255.255.255.0
  source-address 172.16.20.0 mask 255.255.255.0
  destination-address 172.16.10.0 mask 255.255.255.0
  destination-address 172.16.20.0 mask 255.255.255.0
  destination-address 172.21.101.0 mask 255.255.255.0
  action no-pbr
 rule name pbr_10
  ingress-interface GigabitEthernet1/0/0
  source-address 172.16.10.0 mask 255.255.255.0
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.2
 rule name pbr_15
  ingress-interface GigabitEthernet1/0/0
  source-address 172.16.20.0 mask 255.255.255.0
  action pbr egress-interface GigabitEthernet1/0/2 next-hop 2.2.2.2

9. Zone-based NAT SERVER

Note: when a zone is specified, only users in that zone are allowed to reach the mapping.

#
nat server 0 zone dx protocol tcp global 1.1.1.3 8080 inside 172.21.101.80 www
nat server 1 zone yd protocol tcp global 2.2.2.3 8080 inside 172.21.101.80 www
nat server 2 zone trust protocol tcp global 1.1.1.3 8080 inside 172.21.101.80 www no-reverse
nat server 3 zone trust protocol tcp global 2.2.2.3 8080 inside 172.21.101.80 www no-reverse
#

10. Global NAT SERVER

Before configuring this, delete all existing nat server mappings with undo nat server all. This step is mainly used to verify that an internal user in the same zone can reach the HTTP service through its public IP.
Notes: (1) Adding the no-reverse parameter to nat server generates only the forward Server-Map entry; without no-reverse, Server-Map entries are generated in both directions. (2) When the enterprise has several ISP uplinks and the same internal server must be published on several public IPs, omitting no-reverse makes it impossible to map multiple Global addresses to the same Inside address.

#
nat server http protocol tcp global 2.2.2.3 8080 inside 172.16.20.80 www no-reverse
nat server http1 protocol tcp global 1.1.1.3 8080 inside 172.16.20.80 www no-reverse
nat server ftp01 protocol tcp global 1.1.1.4 2121 inside 172.21.101.80 ftp no-reverse
nat server ftp02 protocol tcp global 2.2.2.4 2121 inside 172.21.101.80 ftp no-reverse
#

11. Address set

#
ip address-set HTTP_SERVER01 type object
 address 0 172.21.101.80 0
 address 1 172.16.20.80 0
#

12. Custom service sets (configured but not used)

#
ip service-set server1_port type object
 service 0 protocol tcp destination-port 8888
#
ip service-set server2_port type object
 service 0 protocol udp destination-port 6666
#

13. Source-in-source-out

To keep the forward and return paths consistent: external traffic that arrives via dx is answered via dx, and external traffic that arrives via yd is answered via yd.

#
interface GigabitEthernet1/0/1
 description LINK_DX
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 gateway 1.1.1.2 ------------ configure the default gateway
 service-manage ping permit
 redirect-reverse next-hop 1.1.1.2 ------------ configure source-in-source-out on the interface: when an external user reaches the enterprise HTTP or FTP server via DX, the firewall returns the reply through the interface the packet arrived on (next hop 1.1.1.2)
#
interface GigabitEthernet1/0/2
 description LINK_YD
 undo shutdown
 ip address 2.2.2.1 255.255.255.0
 gateway 2.2.2.2 ------------ configure the default gateway
 service-manage ping permit
 redirect-reverse next-hop 2.2.2.2 ------------ configure source-in-source-out on the interface: when an external user reaches the enterprise HTTP or FTP server via YD, the firewall returns the reply through the interface the packet arrived on (next hop 2.2.2.2)
#

II. Verification

View the firewall server-map table.

Only forward server-map entries are displayed (nat server configured with the no-reverse parameter):

display firewall server-map
2021-11-04 03:00:17.830
Current Total Server-map : 4
Type: Nat Server, ANY -> 2.2.2.3:8080[172.16.20.80:80], Zone:---, protocol:tcp
 Vpn: public -> public
Type: Nat Server, ANY -> 2.2.2.4:2121[172.21.101.80:21], Zone:---, protocol:tcp
 Vpn: public -> public
Type: Nat Server, ANY -> 1.1.1.3:8080[172.16.20.80:80], Zone:---, protocol:tcp
 Vpn: public -> public
Type: Nat Server, ANY -> 1.1.1.4:2121[172.21.101.80:21], Zone:---, protocol:tcp
 Vpn: public -> public

Forward and reverse server-map entries are displayed (nat server configured without no-reverse):

[FW1]display firewall server-map
2021-10-28 08:33:48.950
Current Total Server-map : 4
Type: Nat Server, ANY -> 2.2.2.3:8080[172.21.101.80:80], Zone:---, protocol:tcp
 Vpn: public -> public
Type: Nat Server Reverse, 172.21.101.80[2.2.2.3] -> ANY, Zone:---, protocol:tcp
 Vpn: public -> public, counter: 1

2.1 Internal and external users accessing the FTP service

a. An external web user accesses FTP://2.2.2.4:2121 and FTP://1.1.1.4:2121. Check the firewall session table:

display firewall session table
2021-11-04 03:10:53.590
Current Total Sessions : 2
ftp VPN: public --> public 50.1.1.253:2074 +-> 2.2.2.4:2121[172.21.101.80:21]
ftp VPN: public --> public 50.1.1.253:2076 +-> 1.1.1.4:2121[172.21.101.80:21]

b. Internal user web1 accesses FTP://2.2.2.4:2121 and FTP://1.1.1.4:2121. Log in to the firewall web management page and view the session records, then check the session table from the CLI:

display firewall session table
2021-11-04 03:13:57.770
Current Total Sessions : 3
ftp VPN: public --> public 172.16.10.22:2053 +-> 1.1.1.4:2121[172.21.101.80:21]
ftp VPN: public --> public 172.16.10.22:2055 +-> 2.2.2.4:2121[172.21.101.80:21]

Query the session entries of the specified internal user web1 (172.16.10.22):

display firewall session table source inside 172.16.10.22
2021-11-04 03:25:56.990
Current Total Sessions : 2
ftp VPN: public --> public 172.16.10.22:2053 +-> 1.1.1.4:2121[172.21.101.80:21]
ftp VPN: public --> public 172.16.10.22:2055 +-> 2.2.2.4:2121[172.21.101.80:21]

2.2 Intra-zone NAT test
a. Internal user web1 accesses http://1.1.1.3:8080 and http://2.2.2.3:8080. The firewall session table shows that in both cases the internal IP (172.16.10.22) is translated to the public IP (2.2.2.10) from the address pool in the NAT policy.

[FW1]dis firewall session table
2021-11-01 08:55:35.580
Current Total Sessions : 1
http VPN: public --> public 172.16.10.22:2058[2.2.2.10:2058] --> 1.1.1.3:8080[172.16.20.80:80]
[FW1]dis firewall session table
2021-11-01 08:56:00.570
Current Total Sessions : 1
http VPN: public --> public 172.16.10.22:2059[2.2.2.10:2059] --> 2.2.2.3:8080[172.16.20.80:80]

b. Internal user web2 accesses http://1.1.1.3:8080 and http://2.2.2.3:8080. The session table shows that in both cases the internal IP (172.16.20.22) is translated to the public IP (2.2.2.10) from the address pool in the NAT policy.

[FW1]dis firewall session table
2021-11-01 08:58:48.600
Current Total Sessions : 1
http VPN: public --> public 172.16.20.22:2059[2.2.2.10:2060] --> 1.1.1.3:8080[172.16.20.80:80]
[FW1]dis firewall session table
2021-11-01 08:58:57.320
Current Total Sessions : 1
http VPN: public --> public 172.16.20.22:2060[2.2.2.10:2061] --> 2.2.2.3:8080[172.16.20.80:80]

c. An external web user accesses http://1.1.1.3:8080 and http://2.2.2.3:8080. The session table shows that the public IPs 1.1.1.3 and 2.2.2.3 that the external host (50.1.1.253) connects to are translated to the internal IP of the HTTP server (172.16.20.80).

[FW1]display firewall session table
2021-11-01 09:10:06.500
Current Total Sessions : 1
http VPN: public --> public 50.1.1.253:2063 --> 1.1.1.3:8080[172.16.20.80:80]
[FW1]display firewall session table
2021-11-01 09:10:35.410
Current Total Sessions : 1
http VPN: public --> public 50.1.1.253:2064 --> 2.2.2.3:8080[172.16.20.80:80]

III. Verifying policy-based routing

PC1 follows the configured policy route out over the 1.1.1.2 line and reaches 50.1.1.253. PC2 follows the configured policy route out over the 2.2.2.2 line and reaches 50.1.1.253.
Check the firewall session table with display firewall session table. It shows that PC1's Internet access is translated with 2.2.2.6 from the address pool, and PC2's Internet access is translated with 1.1.1.6 from the address pool.

[FW1]display firewall session table
2021-11-04 14:26:52.330
Current Total Sessions : 0
[FW1]dis firewall session table
2021-11-04 14:27:56.750
Current Total Sessions : 11
icmp VPN: public --> public 172.16.10.253:16319[1.1.1.6:2048] --> 8.8.8.8:2048
[FW1]display firewall session table
2021-11-04 14:28:45.650
Current Total Sessions : 12
icmp VPN: public --> public 172.16.20.253:27583[2.2.2.6:2049] --> 114.114.114.114:2048

IV. Simulating an uplink failure

Requirement: when the dx line fails, all traffic goes out via yd.
Routing table before the failure (only the configured static routes are shown): there are two default routes with next hops 1.1.1.2 and 2.2.2.2, and one return route to the internal network.

display ip routing-table
2021-10-29 07:21:25.320
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 11
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   Static  60   0          RD   1.1.1.2         GigabitEthernet1/0/1
                    Static  60   0          RD   2.2.2.2         GigabitEthernet1/0/2
    172.16.0.0/16   Static  60   0          RD   172.21.100.254  GigabitEthernet1/0/0

On PC1, first test connectivity to the external PC with ping, then trace the packet path with tracert. After the DX line fails, PC1 switches to going out via YD (2.2.2.2).

V. Verifying source-in-source-out

The routing configuration on the ISP router is as follows, with two default routes pointing to DX and YD:

dis current-configuration | include static
ip route-static 0.0.0.0 0.0.0.0 30.1.1.2 track nqa test dxicmp
ip route-static 0.0.0.0 0.0.0.0 40.1.1.2 track nqa test ydicmp

NQA configuration:

#
nqa test-instance dx 1
nqa test-instance test dxicmp
 test-type icmp
 destination-address ipv4 30.1.1.2
 frequency 10
 probe-count 2
 start now
nqa test-instance test ydicmp
 test-type icmp
 destination-address ipv4 40.1.1.2
 frequency 10
 probe-count 2
 start now
#

Interface configuration:

#
interface GigabitEthernet0/0/0
 ip address 50.1.1.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 ip address 40.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 30.1.1.1 255.255.255.0
#

a. An external web user accesses the internal service HTTP01. A packet capture shows that the user enters via the YD uplink and the reply also returns via YD. Without source-in-source-out, the request could enter via DX while the reply leaves via YD. That would disrupt normal service access; note that in this lab the access still works, but if the ISP applies filtering on its side, the traffic will fail.
b. An external web user accesses the internal service FTP01. A packet capture shows that the user enters via the YD uplink and the reply also returns via YD.
c. An external web user accesses FTP://2.2.2.4:2121. A packet capture shows that the user enters via the DX uplink and the reply also returns via DX.
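As an added example that is not part of the original post, the following Python script checks lines of display firewall session table output, in the format shown in the verification sections above, against the NAT design on this page: outbound sessions from 172.16.10.0/24 and 172.16.20.0/24 must be translated with the DX_SERVER or YD_SERVER pool, sessions that hit a nat server mapping must translate to the configured inside address and port, and a trust client reaching the trust HTTP server by its public IP must also be source-translated with the server01 pool. The expected values are copied from the configuration above; the session-line format is assumed from the page's output, and the sample lines fed to it are taken from that output.

```python
import ipaddress
import re

# One line of "display firewall session table" as printed on this page, for example
#   http VPN: public --> public 172.16.10.22:2058[2.2.2.10:2058] --> 1.1.1.3:8080[172.16.20.80:80]
SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN: \S+ --> \S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?:\[(?P<nsrc>[\d.]+):(?P<nsport>\d+)\])?"
    r"\s+(?:-->|\+->)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\[(?P<ndst>[\d.]+):(?P<ndport>\d+)\])?$"
)
# Expected translations, copied from the nat address-group / nat server configuration above
TRUST_NET = ipaddress.ip_network("172.16.0.0/16")
SNAT_POOLS = {  # source subnet -> pool it must leave through (DX_SERVER / YD_SERVER)
    ipaddress.ip_network("172.16.10.0/24"): {"1.1.1.5", "1.1.1.6"},
    ipaddress.ip_network("172.16.20.0/24"): {"2.2.2.5", "2.2.2.6"},
}
INTRAZONE_POOL = {"2.2.2.10", "2.2.2.11"}  # server01, used for trust -> trust hairpin access
NAT_SERVERS = {  # (global ip, global port) -> (inside ip, inside port)
    ("1.1.1.3", 8080): ("172.16.20.80", 80), ("2.2.2.3", 8080): ("172.16.20.80", 80),
    ("1.1.1.4", 2121): ("172.21.101.80", 21), ("2.2.2.4", 2121): ("172.21.101.80", 21),
}

def parse_session(line):
    m = SESSION_RE.match(line.strip())
    if not m:  # headers, timestamps and counters are not session lines
        return None
    s = m.groupdict()
    for k in ("sport", "nsport", "dport", "ndport"):
        s[k] = int(s[k]) if s[k] else None
    return s

def check_session(line):
    """Return findings for one session line; an empty list means it matches the design."""
    s = parse_session(line)
    if s is None:
        return ["unparsed: " + line.strip()]
    findings = []
    src = ipaddress.ip_address(s["src"])
    if s["ndst"] is None:  # outbound: source NAT must use the ISP pool assigned to the subnet
        for net, pool in SNAT_POOLS.items():
            if src in net and s["nsrc"] not in pool:
                findings.append(f"{s['src']} left via {s['nsrc']}, expected one of {sorted(pool)}")
    else:  # hit a nat server mapping: global -> inside must match the configuration
        expected = NAT_SERVERS.get((s["dst"], s["dport"]))
        if expected != (s["ndst"], s["ndport"]):
            findings.append(f"{s['dst']}:{s['dport']} -> {s['ndst']}:{s['ndport']}, expected {expected}")
        # trust -> trust hairpin needs source NAT too, or the server answers the client directly
        if src in TRUST_NET and ipaddress.ip_address(s["ndst"]) in TRUST_NET and s["nsrc"] not in INTRAZONE_POOL:
            findings.append(f"hairpin {s['src']} -> {s['ndst']} without source NAT")
    return findings
```

Feed it the session lines copied from the CLI; any non-empty result points at a PBR, NAT policy or nat server entry that does not behave as designed.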