Lab: Huawei USG6000V firewall in eNSP, NAT policies

FW1 configuration
<FW1>dis cu
!Software Version V500R001C10
#
sysname FW1
#
#
vlan batch 10 20 50 99
#
#
ip service-set serverweb type object
service 0 protocol tcp destination-port 80
#
ip service-set serverftp type object
service 0 protocol tcp destination-port 21
#
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.252
#
interface Vlanif50
ip address 10.10.50.1 255.255.255.248
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface Eth-Trunk1
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20 50 99
#
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 201.186.167.158 255.255.255.248
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Vlanif10
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface Vlanif50
#
firewall interzone dmz untrust
detect ftp
#
#
ip route-static 0.0.0.0 0.0.0.0 201.186.167.157
ip route-static 10.10.100.0 255.255.255.0 10.10.10.1
ip route-static 10.10.110.0 255.255.255.0 10.10.10.1
ip route-static 201.186.167.158 255.255.255.255 NULL0
ip route-static 201.186.167.159 255.255.255.255 NULL0
#
#
nat server mapeo-web1 0 protocol tcp global 201.186.167.155 www inside 10.10.50.2 www no-reverse
nat server mapeo-ftp1 1 protocol tcp global 201.186.167.155 3422 inside 10.10.50.2 ftp no-reverse
nat server mapeo-web2 2 protocol tcp global 201.186.167.156 www inside 10.10.50.3 www no-reverse
nat server mapeo-ftp2 3 protocol tcp global 201.186.167.156 3422 inside 10.10.50.3 ftp no-reverse
#
#
nat address-group poolnat 0
mode pat
section 0 201.186.167.153 201.186.167.154
#
nat address-group natdmz 1
mode pat
section 0 10.10.50.6 10.10.50.6
#
#
security-policy
rule name vlan100serverweb1
source-zone trust
destination-zone dmz
source-address 10.10.100.0 24
destination-address 10.10.50.2 32
service serverweb
action permit
rule name vlan100serverftp1
source-zone trust
destination-zone dmz
source-address 10.10.100.0 24
destination-address 10.10.50.2 32
service serverftp
action permit
rule name SalidaInternet
source-zone trust
destination-zone untrust
source-address 10.10.100.0 24
source-address 10.10.110.0 24
action permit
rule name InternetDMZ
source-zone untrust
destination-zone dmz
destination-address 10.10.50.0 29
action permit
rule name vlan110serverweb2
source-zone trust
destination-zone dmz
source-address 10.10.110.0 24
destination-address 10.10.50.3 32
service serverweb
action permit
rule name vlan110serverftp2
source-zone trust
destination-zone dmz
source-address 10.10.110.0 24
destination-address 10.10.50.3 32
service serverftp
action permit
#
#
nat-policy
rule name NatLANInternet
source-zone trust
destination-zone untrust
source-address 10.10.100.0 24
source-address 10.10.110.0 24
action nat address-group poolnat
rule name NatLanDMZ
source-zone trust
egress-interface Vlanif50
source-address 10.10.100.0 24
source-address 10.10.110.0 24
action nat address-group natdmz
#
#
return
<FW1>
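Two points in the FW1 configuration above deserve tightening before this design leaves the lab. First, the rule InternetDMZ permits any service from untrust to the whole 10.10.50.0/29, although only the two servers published by the nat server entries need to be reachable; because the USG evaluates the security policy after destination NAT, the rule can name the private addresses 10.10.50.2 and 10.10.50.3 and the inside ports (tcp/80 and tcp/21, even though the FTP control port is published as 3422). Second, GigabitEthernet1/0/2 faces the ISP yet permits HTTP, SSH, SNMP, Telnet and NETCONF management, and Vlanif50 lets DMZ hosts manage the firewall over plaintext Telnet and HTTP. The fragment below is added for this write-up and is not part of the original lab: it recreates InternetDMZ under the same name with the narrowed scope, denies the unneeded management services on those two interfaces (ping stays permitted for testing), enables the FTP ASPF between trust and dmz (without it the vlan1x0serverftp rules only pass the FTP control channel, since serverftp is tcp/21 only), and adds the black-hole routes Huawei recommends for NAT pool and nat server global addresses so that packets for .153 to .156 that match no session are not bounced back to the ISP by the default route (the existing NULL0 routes cover .158 and .159, which are the interface and broadcast addresses, not the NAT addresses). Command syntax follows the USG6000V V500 form already used on this page; check each line with `?` on your release before pasting.

```vrp
#
interface GigabitEthernet1/0/2
 service-manage http deny
 service-manage https deny
 service-manage ssh deny
 service-manage snmp deny
 service-manage telnet deny
 service-manage netconf deny
#
interface Vlanif50
 service-manage http deny
 service-manage telnet deny
#
firewall interzone trust dmz
 detect ftp
#
ip route-static 201.186.167.153 255.255.255.255 NULL0
ip route-static 201.186.167.154 255.255.255.255 NULL0
ip route-static 201.186.167.155 255.255.255.255 NULL0
ip route-static 201.186.167.156 255.255.255.255 NULL0
#
security-policy
 undo rule name InternetDMZ
 rule name InternetDMZ
  source-zone untrust
  destination-zone dmz
  destination-address 10.10.50.2 32
  destination-address 10.10.50.3 32
  service serverweb
  service serverftp
  action permit
#
```

Note that the nat server entries use no-reverse and there is no nat-policy or security-policy rule from dmz to untrust, so the servers cannot open connections to the Internet themselves; that is the intended posture for a DMZ and should stay that way. The NatLanDMZ rule hides every LAN client behind 10.10.50.6, which is why the DMZ-side captures on this page show that address instead of the client: the servers' own logs will therefore not identify which workstation connected, so keep the firewall session logs if you need that attribution.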

CORE configuration

<CORE>dis cu
#
sysname CORE
#
vlan batch 10 20 50 99 to 100 110
#
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.252
#
interface Vlanif100
ip address 10.10.100.1 255.255.255.0
#
interface Vlanif110
ip address 10.10.110.1 255.255.255.0
#
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20 50 99
#
interface GigabitEthernet0/0/1
stp disable
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 50
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 50
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100 110
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 100 110
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.2
ip route-static 10.10.50.0 255.255.255.248 10.10.10.2
#
#
return
<CORE>

ACC1 configuration

<ACC1>dis cu
#
sysname ACC1
#
vlan batch 99 to 100 110
#
#
interface Ethernet0/0/1
port link-type access
port default vlan 100
#
interface Ethernet0/0/2
port link-type access
port default vlan 100
#
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 99 to 100 110
#
#
return
<ACC1>

ACC2 configuration

<ACC2>dis cu
#
sysname ACC2
#
vlan batch 99 to 100 110
#
#
interface Ethernet0/0/1
port link-type access
port default vlan 110
#
interface Ethernet0/0/2
port link-type access
port default vlan 110
#
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 99 to 100 110
#
#
return
<ACC2>

ISP configuration

<ISP>dis cu
#
sysname ISP
#
vlan batch 20 30
#
#
interface Vlanif20
ip address 201.186.167.157 255.255.255.248
#
interface Vlanif30
ip address 199.250.113.45 255.255.255.252
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 201.186.167.158
#
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
stp disable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 30
stp disable
#
#
return
<ISP>

Server1 configuration
Server2 configuration
PC-1 configuration

PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe97:7526
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 10.10.100.2
Subnet mask.......................: 255.255.255.0
Gateway...........................: 10.10.100.1
Physical address..................: 54-89-98-97-75-26
DNS server........................:

PC>
Client1 configuration
Client2 configuration
PC2 configuration
Client3 configuration
Ping from PC1 to Client1

PC>ping 10.10.100.3

Ping 10.10.100.3: 32 data bytes, Press Ctrl_C to break

From 10.10.100.3: bytes=32 seq=1 ttl=255 time=31 ms
From 10.10.100.3: bytes=32 seq=2 ttl=255 time=16 ms
From 10.10.100.3: bytes=32 seq=3 ttl=255 time=16 ms
From 10.10.100.3: bytes=32 seq=4 ttl=255 time=32 ms
From 10.10.100.3: bytes=32 seq=5 ttl=255 time=31 ms

--- 10.10.100.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/25/32 ms

PC>

Ping from PC2 to Client2

PC>ping 10.10.110.2

Ping 10.10.110.2: 32 data bytes, Press Ctrl_C to break

From 10.10.110.2: bytes=32 seq=1 ttl=255 time=47 ms
From 10.10.110.2: bytes=32 seq=2 ttl=255 time=31 ms
From 10.10.110.2: bytes=32 seq=3 ttl=255 time=47 ms
From 10.10.110.2: bytes=32 seq=4 ttl=255 time=47 ms
From 10.10.110.2: bytes=32 seq=5 ttl=255 time=31 ms

--- 10.10.110.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/40/47 ms

PC>

Ping from server1 to server2

Ping from Client3 to 1.1.1.1


Connection from Client3 to server1
Capture on FW1 GigabitEthernet1/0/2

Capture on CORE GigabitEthernet0/0/4

Capture on CORE GigabitEthernet0/0/2: only traffic from CORE to FW1 on the Eth-Trunk
Capture on CORE GigabitEthernet0/0/3: only traffic from FW1 to CORE on the Eth-Trunk

Capture on ISP GigabitEthernet0/0/2

CONNECTION FROM CLIENT1 TO SERVER1


Capture on CORE GigabitEthernet0/0/4: shows the source IP assigned by FW1 and server1's IP

Capture on ACC1 GigabitEthernet0/0/1: shows Client1's and server1's IPs

CONNECTION FROM CLIENT1 TO SERVER2 (must be denied)

Capture on CORE GigabitEthernet0/0/6

Capture on CORE GigabitEthernet0/0/2 (server2 does not answer); the other trunk member carries no traffic
Test from PC1 to the Internet address 1.1.1.1
Capture on FW1 GigabitEthernet1/0/0: only traffic from PC1 to the Internet is seen

Capture on FW1 GigabitEthernet1/0/1: only traffic from the Internet to PC1 is seen

Capture on FW1 GigabitEthernet1/0/2: the public IP is in use

Connection from Client2 to server2 OK.


Capture on CORE GigabitEthernet0/0/7

Capture on CORE GigabitEthernet0/0/3: the address 10.10.50.6 is used towards FW1; the other trunk member carries no traffic
FTP from Client2 to server2
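Each of the captures above can be cross-checked on the firewall itself, which is quicker than placing a sniffer on every link. The session table lists, per flow, the addresses before and after translation, so it separates the three cases this lab tests: destination NAT for Client3 to server1 (global 201.186.167.155 tcp/80 mapped to 10.10.50.2 tcp/80), source NAT from poolnat for PC1 to 1.1.1.1 (source rewritten to 201.186.167.153 or .154), and source NAT to 10.10.50.6 for Client2 to server2. A denied flow such as Client1 to server2 creates no session at all and shows up instead in the discard counters. The command list below is an added checklist, not part of the original lab; it uses the USG6000V V500 display commands as I know them (the exact keyword set varies slightly by release, so confirm with `?`). Clearing the session table before each test makes the new sessions easy to pick out.

```vrp
display nat server
display nat address-group
display security-policy rule all
display nat-policy rule all
reset firewall session table
display firewall session table verbose
display firewall statistics system discard
```

Run `reset firewall session table` from the user view just before starting a test, then `display firewall session table verbose` while the connection is open; for the FTP tests look for a second session for the data channel next to the tcp/21 control session, which only appears when `detect ftp` is active on that interzone.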
