多出口下的源NAT配置实验

image-20230526212204108

目标:PC1和PC2实现通信,FW1提供两个出口,ISP1和ISP2.

思路:FW1配置静态默认路由,出接口为G1/0/1和G1/0/2. 两个出口做基于地址池的NAT即可。

橙色区域做动态路由即可,这里是OSPF,忽略其合理性。

基础配置:

FW1:防火墙初始化后配置思路,基础配置包括:IP地址、路由和安全策略。

# IP地址

interface GigabitEthernet1/0/0
 ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 198.51.100.1 255.255.255.252
#
interface GigabitEthernet1/0/2
 ip address 203.0.113.1 255.255.255.252

# 路由
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 198.51.100.2
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 203.0.113.2

# 安全区域
[FW1]display current-configuration configuration zone 
2023-05-26 13:29:56.620 

firewall zone trust
 add interface GigabitEthernet1/0/0

firewall zone name isp1 
 set priority 10
 add interface GigabitEthernet1/0/1
#
firewall zone name isp2 
 set priority 20
 add interface GigabitEthernet1/0/2

地址池配置:

#
nat address-group addgroup1 
 mode pat
 route enable
 section 0 198.51.100.10 198.51.100.12
#
nat address-group addgroup2 
 route enable
 mode pat
 section 0 203.0.113.10 203.0.113.12

NAT策略:

nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone isp1
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group addgroup1
 rule name policy_nat2
  source-zone trust
  destination-zone isp2
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group addgroup2

安全策略:

security-policy
 rule name policy1
  source-zone trust
  destination-zone isp1
  destination-zone isp2
  source-address 192.168.1.0 mask 255.255.255.0
  action permit

外部三台路由器配置:

# ISP1
# ## IP地址
#
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 200.1.1.1 255.255.255.0 

# ## 路由
#
ospf 1 
 import-route static
 area 0.0.0.0 
  network 198.51.100.0 0.0.0.255 
  network 200.1.1.0 0.0.0.255 
#
ip route-static 198.51.100.10 255.255.255.255 GigabitEthernet0/0/0 198.51.100.1
ip route-static 198.51.100.11 255.255.255.255 GigabitEthernet0/0/0 198.51.100.1
ip route-static 198.51.100.12 255.255.255.255 GigabitEthernet0/0/0 198.51.100.1


# ISP2
# ## IP地址
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252 
#
interface GigabitEthernet0/0/1
 ip address 201.1.1.1 255.255.255.0 
 
# ## 路由
#
ospf 1 
 import-route static
 area 0.0.0.0 
  network 201.1.1.0 0.0.0.255 
  network 203.0.113.0 0.0.0.255 
#
ip route-static 203.0.113.10 255.255.255.255 GigabitEthernet0/0/0 203.0.113.1
ip route-static 203.0.113.11 255.255.255.255 GigabitEthernet0/0/0 203.0.113.1
ip route-static 203.0.113.12 255.255.255.255 GigabitEthernet0/0/0 203.0.113.1



# AR3
# ## IP地址
#
interface GigabitEthernet0/0/0
 ip address 200.1.1.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 202.1.1.2 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 201.1.1.2 255.255.255.0 

# ## 路由
#
ospf 1 
 area 0.0.0.0 
  network 200.1.1.0 0.0.0.255 
  network 201.1.1.0 0.0.0.255 
  network 202.1.1.0 0.0.0.255 

此时PC1和PC2通信测试:

image-20230526213937407

防火墙前后接口抓包:

地址转换前:

image-20230526214100124

地址转换后:

image-20230526214123749

此实验遗留问题:

能否将两个出接口配置到一个相同的安全区域,如untrust,会不会又问题?

  • 0
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 1
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值