Firewall NAT Address Group, NAT Policy and Security Policy

This article is for learning and exchange only; the intellectual property of the knowledge and techniques involved belongs to Huawei Technologies Co., Ltd.!!!

127.0.0.0~127.255.255.255: loopback range, used to test whether the local machine's network card is working

0.0.0.0: the lowest address, meaning "any address"

ipconfig: shows the local IPv4 address

Outbound, private addresses are translated to public ones; on the return path, public addresses are translated back to private ones

 

AR1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]INT GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24

AR2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.1.2 24

AR3

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R3-GigabitEthernet0/0/0]q
[R3]display ip interface brief 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 2

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.1.254/24     up         up        
GigabitEthernet0/0/1              unassigned           down       down      
GigabitEthernet0/0/2              unassigned           down       down      
NULL0                             unassigned           up         up(s)      

<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sysname FW1
[FW1]interface GigabitEthernet 1/0/0   
[FW1-GigabitEthernet1/0/0]ip address 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]q
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 1.1.1.1 24

AR4

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R4
[R4]int GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]ip address 1.1.1.2 24
[R4-GigabitEthernet0/0/0]q
[R4]interface LoopBack 0
[R4-LoopBack0]ip address 4.4.4.4 32
[R4-LoopBack0]q
[R4]display ip interface brief 
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 2

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              1.1.1.2/24           up         up        
GigabitEthernet0/0/1              unassigned           down       down      
GigabitEthernet0/0/2              unassigned           down       down      
LoopBack0                         4.4.4.4/32           up         up(s)     
NULL0                             unassigned           up         up(s)     

Configure IP addresses

[FW1]user-interface console 0  
[FW1-ui-console0]idle-timeout 0 0
Warning: Idle time-out is configured as 0, so session will never be disconnected because of timeout.
[FW1-ui-console0]q
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]service-manage ping permit 
[FW1-GigabitEthernet1/0/0]q
[FW1]int g1/0/1 
[FW1-GigabitEthernet1/0/1]service-manage ping permit 

Add interfaces to security zones
[FW1-GigabitEthernet1/0/1]q
[FW1]firewall zone trust   
[FW1-zone-trust]add interface GigabitEthernet 1/0/0
[FW1-zone-trust]q
[FW1]firewall zone untrust 
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]q

<R1>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=255 time=160 ms
    Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=50 ms
    Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=40 ms
    Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=40 ms

  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/70/160 ms

<R4>ping 1.1.1.1
  PING 1.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time=30 ms
    Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time=10 ms
    Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms

  --- 1.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/14/30 ms

[FW1]display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 4        Routes : 4        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.0/24  Direct  0    0           D   1.1.1.1         GigabitEthernet1/0/1
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
[FW1]ip route-static 4.4.4.4 32 1.1.1.2

Configure a static route
[FW1]display ip routing-table 4.4.4.4
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        4.4.4.4/32  Static  60   0          RD   1.1.1.2         GigabitEthernet1/0/1

<R4>sys
Enter system view, return user view with Ctrl+Z.
[R4]ip route-static 201.1.1.0 29 1.1.1.1

Return route

[FW1]nat address-group test
[FW1-address-group-test]mode no-pat global 
[FW1-address-group-test]section 201.1.1.1 201.1.1.6
[FW1-address-group-test]dis th
#
nat address-group test 0
 mode no-pat global
 section 0 201.1.1.1 201.1.1.6
#
return
[FW1-address-group-test]q
[FW1-policy-nat]rule name test
[FW1-policy-nat-rule-test]source-zone trust 
[FW1-policy-nat-rule-test]destination-zone untrust 
[FW1-policy-nat-rule-test]source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-nat-rule-test]dis th
#
 rule name test
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  (not configure the action)
#
return
[FW1-policy-nat-rule-test]destination-address 4.4.4.4 mask 255.255.255.255
[FW1-policy-nat-rule-test]dis th
#
 rule name test
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  destination-address 4.4.4.4 32
  (not configure the action)
#
return 
[FW1-policy-nat-rule-test]action nat address-group test

Security policy

[FW1-policy-nat-rule-test]q
[FW1-policy-nat]q
[FW1]security-policy 
[FW1-policy-security]rule name test
[FW1-policy-security-rule-test]source-zone trust 
[FW1-policy-security-rule-test]destination-zone untrust 
[FW1-policy-security-rule-test]source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-security-rule-test]destination-address 4.4.4.4 mask 255.255.255.255 
[FW1-policy-security-rule-test]service icmp 
[FW1-policy-security-rule-test]action permit 
[FW1-policy-security-rule-test]dis th
#
 rule name test
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  destination-address 4.4.4.4 32
  service icmp
  action permit
#
return
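As an added example (not part of the original post, and not Huawei code), the following Python models the decision FW1 makes for one packet under the rules configured above: security-policy rule `test` (trust to untrust, 192.168.1.0/24 to 4.4.4.4/32, ICMP, permit, implicit default deny) followed by nat-policy rule `test` using address group `test` (201.1.1.1 to 201.1.1.6, `mode no-pat global`). The zone table and the no-pat behaviour (one private address to one pool address, ports untouched, drop when the pool is exhausted) are modelling assumptions of mine.

```python
import ipaddress as ipa

# Constructed model of FW1 as configured on this page; how USG combines the rules is my assumption.
ZONES = {                                        # egress network -> zone
    ipa.ip_network("192.168.1.0/24"): "trust",  # GigabitEthernet1/0/0
    ipa.ip_network("1.1.1.0/24"): "untrust",    # GigabitEthernet1/0/1
    ipa.ip_network("4.4.4.4/32"): "untrust",    # ip route-static 4.4.4.4 32 1.1.1.2
}
SRC_NET = ipa.ip_network("192.168.1.0/24")       # source-address 192.168.1.0 24
DST_NET = ipa.ip_network("4.4.4.4/32")           # destination-address 4.4.4.4 32
POOL = [ipa.ip_address("201.1.1.1") + i for i in range(6)]  # section 201.1.1.1 201.1.1.6

def zone_of(ip):
    """Longest-prefix match against the zone table; None means no route."""
    hits = [net for net in ZONES if ip in net]
    return ZONES[max(hits, key=lambda n: n.prefixlen)] if hits else None

def security_policy(src, dst, service):
    """security-policy rule 'test'; everything else hits the default deny."""
    if (zone_of(src), zone_of(dst)) != ("trust", "untrust"):
        return "deny"
    return "permit" if src in SRC_NET and dst in DST_NET and service == "icmp" else "deny"

class NoPatGroup:
    """nat address-group 'test', mode no-pat: one private address maps to one pool
    address for every destination ('global'); ports are left untouched."""
    def __init__(self, pool):
        self.free, self.fwd, self.rev = list(pool), {}, {}

    def translate(self, src):
        if src not in self.fwd:
            if not self.free:
                return None              # pool exhausted: the packet is dropped
            pub = self.free.pop(0)
            self.fwd[src], self.rev[pub] = pub, src
        return self.fwd[src]

    def untranslate(self, pub):
        """Return traffic: pool address back to the private host, else unchanged."""
        pub = ipa.ip_address(pub)
        return self.rev.get(pub, pub)

def forward(group, src, dst, service="icmp"):
    """Security policy is matched on pre-NAT addresses; then nat-policy 'test' applies."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    verdict = security_policy(src, dst, service)
    if verdict != "permit":
        return verdict, None
    pub = group.translate(src)
    return ("drop", None) if pub is None else ("permit", str(pub))
```

Because the pool has six addresses and no-pat never shares one, the seventh trust host that tries to reach 4.4.4.4 is dropped even though the security policy permits it.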

<R1>ping 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[R1]ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
[R1]ping 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

...... Speechless, I don't know which step went wrong; [R1]ping 4.4.4.4 does not get through.
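As an added diagnostic example (not from the original post): the transcripts above assign 192.168.1.254/24 to both R3 GigabitEthernet0/0/0 and FW1 GigabitEthernet1/0/0. If those two interfaces sit on the same 192.168.1.0/24 segment, the earlier successful ping to 192.168.1.254 may have been answered by either device, so a duplicate-address check is one of the first things to run when a NAT test fails. This Python parses the `ip address` lines from VRP-style prompts (the regex is mine) and reports addresses claimed by more than one interface within one subnet.

```python
import ipaddress as ipa
import re
from collections import defaultdict

# Constructed input: the "ip address" lines copied from the transcripts on this page.
TRANSCRIPT = """
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[R2-GigabitEthernet0/0/0]ip address 192.168.1.2 24
[R3-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]ip address 192.168.1.254 24
[FW1-GigabitEthernet1/0/1]ip address 1.1.1.1 24
[R4-GigabitEthernet0/0/0]ip address 1.1.1.2 24
[R4-LoopBack0]ip address 4.4.4.4 32
"""

# VRP prompt "[device-interface]" followed by "ip address A.B.C.D <prefix-length>"
# (regex is mine; it only covers the prefix-length form used on this page).
LINE = re.compile(r"^\[(?P<dev>[^\]-]+)-(?P<ifc>[^\]]+)\]ip address (?P<ip>\S+) (?P<len>\d+)$")

def parse(text):
    """Yield (device, interface, IPv4Interface) for every address assignment."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m["dev"], m["ifc"], ipa.ip_interface(f"{m['ip']}/{m['len']}")

def duplicate_addresses(text):
    """Host addresses claimed by more than one interface inside the same subnet."""
    owners = defaultdict(list)
    for dev, ifc, addr in parse(text):
        owners[(addr.network, addr.ip)].append(f"{dev} {ifc}")
    return {str(ip): names for (_, ip), names in owners.items() if len(names) > 1}
```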
