成都网站建设设计

将想法与焦点和您一起共享

PIX防火墙NAT

创新互联网站建设公司一直秉承“诚信做人,踏实做事”的原则,不欺瞒客户,是我们最起码的底线! 以服务为基础,以质量求生存,以技术求发展,成交一个客户多一个朋友!专注中小微企业官网定制,网站制作、网站建设,塑造企业网络形象打造互联网企业效应。

                        PIX防火墙NAT

一 实验拓扑

PIX防火墙NAT

二 实验要求

 1)完成防火墙的基本配置

 2)熟悉防火墙的访问规则

 3)熟悉防火墙的路由配置

 4)理解防火墙的NAT的工作过程以及熟悉配置命令

     A) R1的lo0去往R2的lo0的报文使用动态NAT

     B)R1的lo1去往R2的lo1的报文使用PAT

     C)R3的lo0的报文去往outside方向使用静态路由

 5)理解特殊NAT和策略NAT

三 实验步骤

  1)路由器的基本配置和接口配置

  2)PIX防火墙的基本配置和接口配置

FW4(config)# int e0

FW4(config-if)# ip add 192.168.1.2 255.255.255.0

FW4 (config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

FW4 (config-if)# no shu

FW4 (config-if)# int e2

FW4 (config-if)# ip add 202.202.202.2 255.255.255.0

FW4 (config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

FW4 (config-if)# no shu

FW4 (config-if)# int e3

FW4 (config-if)# ip add 192.168.3.2 255.255.255.0

FW4(config-if)# nameif dmz

INFO: Security level for "dmz" set to 0 by default.

FW4 (config-if)# security-level 50

FW4 (config-if)# no shu

  3)测试直连链路的连通性

  4)配置静态路由,实现全网连通,R2模拟公网路由器不配置路由

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2

R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2

FW4(config)#    route inside 192.168.10.0 255.255.255.0 192.168.1.1

FW4(config)# route inside 192.168.20.0 255.255.255.0 192.168.1.1

FW4(config)# route dmz 192.168.30.0 255.255.255.0 192.168.3.1

FW4(config)# route outside 0.0.0.0 0.0.0.0 202.202.202.2    

5)按实验要求完成防火漆的NAT配置,以及理解其工作过程

A)测试动态NAT

在做动态NAT之前,inside的R1不能访问outside的R2.原因是没有回来的路由。做了动态NAT之后,回来的路由即是直连路由(因为转换成了202.202.202.0网段的地址),可以访问

FW4(config)# access-list outacl extended permit icmp host 200.200.200.200 202.202.202.0 255.255.255.0//允许主机202.202.202.202的基于icmp的数据访问202.202.202.0网段(命名的扩展ACL?)

FW4(config)# access-group outacl in int outside //应用到outside接口

FW4(config)# nat ?

configure mode commands/options:

 (  Open parenthesis for the name of the network interface where the

    hosts/network designated by the local IP address are accessed

FW4(config)# nat (inside) 1 192.168.10.0 255.255.255.0

FW4(config)# global (outside) 1 202.202.202.3-202.202.202.5 netmask 255.255.255.0  //用动态NAT实现私网访问公网,nat与global要一起用

测试结果:

R1#ping 200.200.200.200 so 192.168.10.1//注意要带源,因为是允许转换192.168.10.0网段的地址,不带源的话默认是使用出口地址

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 20/28/44 ms

B)测试PAT(PAT:将一段私网地址映射成一个全局地址)

FW4(config)# nat (inside) 2 192.168.20.0 255.255.255.0

FW4(config)# global (outside) 2 int

INFO: outside interface address added to PAT pool

测试结果:

R1#ping 200.200.200.200 so 192.168.20.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:

Packet sent with a source address of 192.168.20.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/68 ms

C)静态NAT测试

FW4(config)# static (dmz,outside) 202.202.202.8 192.168.30.1 netmask 255.255.255.255  //实现私网访问公网,192.168.30.1转换成202.202.202.8

FW4(config)# access-list dmzacl permit icmp 192.168.30.1 255.255.255.255 200.200.200.200 255.255.255.255//这里没有应用到具体的接口?

测试结果:

R3#ping 200.200.200.200 so 192.168.30.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:

Packet sent with a source address of 192.168.30.1

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 16/33/48 ms

6)测试特殊NAT和策略NAT;

A)特殊NAT

当启用nat-control命令时,内个内部地址必须具有一个对应的内部NAT规则。同样,在允许通过安全设备进行通信之前,如果一个接口上启用了一个外部动态NAT则每个外部地址必须具有一个对应的外部NAT规则

测试:

注意要让R1 ping通R3需要

FW4(config)#fixup protocol icmp

FW4(config)#no fixup protocol icmp

FW4(config)#access-list dmz-inside extended permit icmp 192.168.3.1255.255.255.0192.168.1.0 255.255.255.0 echo-reply

FW4(config)# access-group dmz-inside in int dmz

此时:

R1#ping 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/72 ms

启用nat-control

FW4(config)# nat-control

测试:

R1#ping 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

B)身份NAT

转换后的IP就是原来真实的IP相当于没有转换,只能用在出站流量。与动态NAT类似,只是动态NAT要映射在全局地址。身份NAT是单向的。即下面例子中R3不能ping 通R1(192.168.3.1 ping 192.168.1.1)

FW4(config)# nat-control

R1#ping 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

FW4(config)# nat (inside) 0 192.168.1.1 255.255.255.255

nat 0 192.168.1.1 will be identity translated for outbound

//只有nat而没有global,联系身份NAT的特点

R1#ping 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/31/68 ms

注意:上面的这两个实验都要建立在

让R1 ping通R3

FW4(config)#fixup protocol icmp

FW4(config)#no fixup protocol icmp

FW4(config)#access-list dmz-inside extended permit icmp 192.168.3.1255.255.255.0192.168.1.0 255.255.255.0 echo-reply

FW4(config)# access-group dmz-inside in int dmz

疑问:防火墙删除ACL会同时把应用在接口上的命令也删了?

 C)NAT豁免(带ACL的nat 0)

 与身份NAT相似,主要区别是NAT豁免允许双向通信,同时允许转换和远程主机发起连接

FW4(config)# no nat (inside) 0 192.168.1.1 255.255.255.255

FW4(config)# nat-control

FW4(config)# access-list nonat permit ip 192.168.1.1 255.255.255.255 192.168.3$

FW4(config)# nat (inside) 0 access-list nonat

R1#ping 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/52 ms

注意:上面的这三个实验都要建立在

让R1 ping通R3

FW4(config)#fixup protocol icmp

FW4(config)#no fixup protocol icmp

FW4(config)#access-list dmz-inside extended permit icmp 192.168.3.1255.255.255.0192.168.1.0 255.255.255.0 echo-reply

FW4(config)# access-group dmz-inside in int dmz

D)策略NAT

与静态NAT相似,然而,策略NAT允许定义一个有条件的标准来检测源地址和目的地址,以此来确定地址转换。有了这个特性,源地址转换就可以改变为不同的目的地址

FW4(config)# access-list NAT1 permit ip 192.168.10.0 255.255.255.0 192.168.30.1 255.255.255.255

FW4(config)# access-list NAT2 permit ip 192.168.10.0 255.255.255.0 192.168.30.2 255.255.255.255

FW4(config)# nat (inside) 1 access-list NAT1

FW4(config)# global (outside) 1 192.168.3.2

INFO: Global 192.168.3.2 will be Port Address Translated

FW4(config)# nat (inside) 2 access-list NAT2

FW4(config)# global (outside) 2 192.168.3.3

INFO: Global 192.168.3.3 will be Port Address Translated

7)总结防火墙的访问规则以及对流量的处理

A)NAT选择顺序

根据对防火墙性能资源消耗占有程度来选择:

NAT exemptions (nat 0 access-list commands)带ACL的nat 0

Policy NAT (static access-list commands)

Static NAT (static commands without port numbers)

Static PAT (static commands with port numbers)

NAT 0 or Policy NAT(nat nat_id access-list commands)

Dynamic NAT and PAT(nat nat_id commands)

如果处于同一级别就需要比较访问控制列表的明细程度和网段地址的明细程度,如果前面都一样则写在前面的优先

FW4#  sh conn

0 in use, 2 most used

FW4# sh local-host

Interface dmz: 0 active, 1 maximum active, 0 denied

Interface outside: 0 active, 1 maximum active, 0 denied

Interface inside: 2 active, 2 maximum active, 0 denied

local host: <192.168.10.1>,

   TCP flow count/limit = 0/unlimited

   TCP embryonic count to host = 0

   TCP intercept watermark = unlimited

   UDP flow count/limit = 0/unlimited

 Xlate:

   Global 202.202.202.3 Local 192.168.10.1

local host: <192.168.1.1>,

   TCP flow count/limit = 0/unlimited

   TCP embryonic count to host = 0

   TCP intercept watermark = unlimited

   UDP flow count/limit = 0/unlimited

Xlate:

   Global 192.168.1.1 Local 192.168.1.1

FW4# sh xlate

3 in use, 3 most used

Global 202.202.202.8 Local 192.168.30.1

Global 202.202.202.3 Local 192.168.10.1

Global 192.168.1.1 Local 192.168.1.1


当前题目:PIX防火墙NAT
文章分享:http://chengdu.cdxwcx.cn/article/jjddhg.html