Configuring NAT on a firewall with multiple egress links

Configuration example

The network topology of an enterprise is as follows:

Department A: VLAN 11: 192.168.11.1/24
Department B: VLAN 12: 192.168.12.1/24
Both departments connect to the firewall through VLAN 10 in order to reach the external network. The internal server runs a web service and an FTP service, and external clients are allowed to access only those two services. The firewall has two egress links: one to China Unicom (zone lt) and one to China Telecom (zone dx).

Network topology

Device configuration

Firewall configuration
interface GigabitEthernet0/0/2
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/0/3
 ip address 192.168.10.2 255.255.255.0
interface GigabitEthernet0/0/7
 ip address 1.1.1.2 255.255.255.0
interface GigabitEthernet0/0/8
 ip address 8.8.8.2 255.255.255.0

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/3
 
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
 
firewall zone name dx
 set priority 15
 add interface GigabitEthernet0/0/7
 
firewall zone name lt
 set priority 20
 add interface GigabitEthernet0/0/8
 
firewall interzone dmz dx
 detect ftp
 
firewall interzone dmz lt
 detect ftp
 
ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
ip route-static 9.9.9.0 255.255.255.0 8.8.8.1
ip route-static 192.168.0.0 255.255.0.0 192.168.10.1
### Map the internal server's services to the Internet through both ISP interfaces
nat server 0 zone dx protocol tcp global interface GigabitEthernet0/0/7 www inside 192.168.1.10 www
nat server 1 zone dx protocol tcp global interface GigabitEthernet0/0/7 ftp inside 192.168.1.10 ftp
nat server 2 zone lt protocol tcp global interface GigabitEthernet0/0/8 www inside 192.168.1.10 www
nat server 3 zone lt protocol tcp global interface GigabitEthernet0/0/8 ftp inside 192.168.1.10 ftp

policy interzone trust dx outbound
 policy 1 
  action permit 
  
policy interzone trust lt outbound
 policy 1 
  action permit 
  
policy interzone dmz dx inbound
 policy 1 
  action permit 
  policy service service-set http
  policy service service-set ftp
  policy destination 192.168.1.10 0
  
policy interzone dmz lt inbound
 policy 1 
  action permit 
  policy service service-set http
  policy service service-set ftp
  policy destination 192.168.1.10 0
  
nat-policy interzone trust dx outbound 
 policy 1 
  action source-nat 
  easy-ip GigabitEthernet0/0/7
  
nat-policy interzone trust lt outbound 
 policy 1 
  action source-nat 
  easy-ip GigabitEthernet0/0/8
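The reason each `nat server` mapping is paired with an inbound interzone policy is that the policy, not the mapping, decides what an outside host can actually reach. Added here as an example (Python, not code from the original post or from Huawei), this small audit parses a configuration excerpt in the format shown above and reports any exposed service that the inbound policy from that ISP zone does not permit, or any policy that does not pin the destination to the mapped host. The embedded excerpt is constructed, and its `lt` policy is deliberately trimmed so that the check has something to report.

```python
import re
SERVICE_SET = {"www": "http", "ftp": "ftp"}  # "nat server" keyword -> policy service-set name
NAT_RE = re.compile(r"^\s*nat server \d+ zone (\S+) protocol \S+ global \S+ \S+ (\S+) inside (\S+)")
POLICY_RE = re.compile(r"^policy interzone (\S+) (\S+) inbound")
# Constructed excerpt modelled on the firewall configuration above, not real device output; the
# "lt" policy is deliberately trimmed (no ftp, no destination line) so the audit has gaps to report.
FW_CONFIG = """\
 nat server 0 zone dx protocol tcp global interface GigabitEthernet0/0/7 www inside 192.168.1.10 www
 nat server 3 zone lt protocol tcp global interface GigabitEthernet0/0/8 ftp inside 192.168.1.10 ftp
policy interzone dmz dx inbound
 policy 1
  action permit
  policy service service-set http
  policy destination 192.168.1.10 0
policy interzone dmz lt inbound
 policy 1
  action permit
  policy service service-set http
"""
def parse_config(text):
    # Returns the (zone, service-set, inside-ip) mappings and the inbound policy per zone pair.
    nat_servers, policies, current = [], {}, None
    for line in text.splitlines():
        words = line.split()
        if m := NAT_RE.match(line):
            zone, svc, inside = m.groups()
            nat_servers.append((zone, SERVICE_SET.get(svc, svc), inside))
        elif m := POLICY_RE.match(line):
            current = policies.setdefault(frozenset(m.groups()), {"services": set(), "dests": set()})
        elif current is not None and line.startswith(" "):
            if words[:3] == ["policy", "service", "service-set"]:
                current["services"].add(words[3])
            elif words[:2] == ["policy", "destination"]:
                current["dests"].add(words[2])
        elif words:
            current = None  # any other top-level line ends the policy block
    return nat_servers, policies
def audit(text, dmz="dmz"):
    # One finding per gap between what "nat server" exposes and what the inbound policy allows.
    nat_servers, policies = parse_config(text)
    findings = []
    for zone, svc, inside in nat_servers:
        pol = policies.get(frozenset((dmz, zone)))
        if pol is None:
            findings.append(f"{zone}: {svc} to {inside} is mapped but no inbound policy exists")
        elif svc not in pol["services"]:
            findings.append(f"{zone}: {svc} to {inside} is mapped but policy only permits {sorted(pol['services'])}")
        if pol and inside not in pol["dests"]:  # no "policy destination" line means any dmz host is reachable
            findings.append(f"{zone}: policy does not pin the destination to {inside}")
    return findings
```

Running `audit(FW_CONFIG)` reports the missing ftp service-set and the missing destination restriction on the `lt` side and nothing for `dx`; feeding it the full configuration above (all four mappings and both complete policies) yields an empty list.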

Switch S1 configuration
sysname S1
vlan batch 10 to 12
interface Vlanif10    # interface connecting to the firewall
 ip address 192.168.10.1 255.255.255.0 
interface Vlanif11
 ip address 192.168.11.1 255.255.255.0 
interface Vlanif12
 ip address 192.168.12.1 255.255.255.0 
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 11
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 12
 
ip route-static 0.0.0.0 0.0.0.0 192.168.10.2

Switch S2 configuration
sysname S2
vlan batch 11 to 12
interface Vlanif11
 ip address 2.2.2.1 255.255.255.0 
interface Vlanif12
 ip address 9.9.9.1 255.255.255.0 
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 11
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 12
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 11
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 12
 
ip route-static 1.1.1.0 255.255.255.0 2.2.2.2
ip route-static 8.8.8.0 255.255.255.0 9.9.9.2

China Telecom (dx) router configuration
sysname dx
interface GigabitEthernet0/0/0
 ip address 2.2.2.2 255.255.255.0 
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1

China Unicom (LT) router configuration
sysname LT
interface GigabitEthernet0/0/0
 ip address 9.9.9.2 255.255.255.0 
interface GigabitEthernet0/0/1
 ip address 8.8.8.1 255.255.255.0 
ip route-static 0.0.0.0 0.0.0.0 9.9.9.1

Connectivity tests

Internal network accessing a public web service (screenshot)

Firewall session table for this connection (screenshot)

External network accessing internal services
External client accessing the internal web service (screenshot)

External client accessing the internal FTP service (screenshot)

Firewall session table for these connections (screenshot)