地址comodo防火墙设置

知NAT卢鹏2019-12-06发表防火墙两次NAT典型配置组网及说明某公司两个部门由于需要业务隔离而分属不同的VPN实例,且两个部门内部使用了相同的子网地址空间.
现在要求这两个部门的主机PCA和PCB之间能够通过NAT地址互相访问.
实验组网如图所示,PCA、PCB分别接在防火墙FW的GE1/0/1和GE1/0/2接口.
配置步骤步骤一:搭建实验环境依照上图搭建实验环境,配置主机PCA、PCB上的IP地址分别为192.
168.
1.
2和192.
168.
1.
2.

步骤二:基本配置创建VPN实例:[H3C]ipvpn-instancevpn1[H3C-vpn-instance-vpn1]quit[H3C]ipvpn-instancevpn2[H3C-vpn-instance-vpn2]quit完成FW的接口地址和VPN实例配置.
[H3C]interfaceGigabitEthernet1/0/1[H3C-GigabitEthernet1/0/1]ipaddress192.
168.
1.
124[H3C-GigabitEthernet1/0/1]ipbindingvpn-instancevpn1[H3C-GigabitEthernet1/0/1]quit[H3C]interfaceGigabitEthernet1/0/2[H3C-GigabitEthernet1/0/2]ipaddress192.
168.
1.
124[H3C-GigabitEthernet1/0/2]ipbindingvpn-instancevpn2[H3C-GigabitEthernet1/0/2]quit配置FW接口所属的安全域:[H3C]security-zonenametrust[H3C-security-zone-Trust]importinterfaceGigabitEthernet1/0/1[H3C-security-zone-Trust]quit[H3C]security-zonenameuntrust[H3C-security-zone-Untrust]importinterfaceGigabitEthernet1/0/2[H3C-security-zone-Untrust]quit配置VPN1内的IP地址192.
168.
1.
2到VPN2内的IP地址172.
16.
1.
2之间的静态地址转换映射:[H3C]natstaticoutbound192.
168.
1.
2vpn-instancevpn1172.
16.
1.
2vpn-instancevpn2配置VPN2内的IP地址192.
168.
1.
2到VPN1内的IP地址172.
16.
2.
2之间的静态地址转换映射:[H3C]natstaticoutbound192.
168.
1.
2vpn-instancevpn2172.
16.
2.
2vpn-instancevpn1配置安全策略:[H3C]security-policyip[H3C-security-policy-ip]rule0nametrust-untrust[H3C-security-policy-ip-0-trust-untrust]source-zonetrust[H3C-security-policy-ip-0-trust-untrust]destination-zoneuntrust[H3C-security-policy-ip-0-trust-untrust]vrfvpn2[H3C-security-policy-ip-0-trust-untrust]actionpass[H3C-security-policy-ip-0-trust-untrust]quit[H3C-security-policy-ip]rule1nameuntrust-trust[H3C-security-policy-ip-1-untrust-trust]source-zoneuntrust[H3C-security-policy-ip-1-untrust-trust]destination-zonetrust[H3C-security-policy-ip-1-untrust-trust]vrfvpn2[H3C-security-policy-ip-1-untrust-trust]actionpass[H3C-security-policy-ip-1-untrust-trust]quit[H3C-security-policy-ip]quit在接口上配置静态地址转换:[H3C]interfaceGigabitEthernet1/0/1[H3C-GigabitEthernet1/0/1]natstaticenable[H3C-GigabitEthernet1/0/1]quit[H3C]interfaceGigabitEthernet1/0/2[H3C-GigabitEthernet1/0/2]natstaticenable[H3C-GigabitEthernet1/0/2]quit步骤三:验证配置在PCA上执行ping命令,观察是否可以与PCB正常联通.
正常情况下,PCA和PCB可以互通,且PCA的对外地址为172.
16.
1.
2,PCB的对外地址为172.
16.
2.
2.
PCA上ping测试应显示如下:C:\Users\PCA>ping172.
16.
2.
2正在Ping172.
16.
2.
2具有32字节的数据:来自172.
16.
2.
2的回复:字节=32时间Responder:4packets240bytesResponder->Initiator:4packets240bytesTotalsessionsfound:1或者通过命令displaynatsessionsource-ip192.
168.
1.
2destination-ip172.
16.
2.
2verbose查看:[H3C]displaynatsessionsource-ip192.
168.
1.
2destination-ip172.
16.
2.
2verboseSlot1:Initiator:SourceIP/port:192.
168.
1.
2/1DestinationIP/port:172.
16.
2.
2/2048DS-Litetunnelpeer:-VPNinstance/VLANID/InlineID:vpn1/-/-Protocol:ICMP(1)Inboundinterface:GigabitEthernet1/0/1Sourcesecurityzone:TrustResponder:SourceIP/port:192.
168.
1.
2/1DestinationIP/port:172.
16.
1.
2/0DS-Litetunnelpeer:-VPNinstance/VLANID/InlineID:vpn2/-/-Protocol:ICMP(1)Inboundinterface:GigabitEthernet1/0/2Sourcesecurityzone:UntrustState:ICMP_REPLYApplication:ICMPRuleID:0Rulename:trust-untrustStarttime:2018-09-0311:18:43TTL:28sInitiator->Responder:4packets240bytesResponder->Initiator:4packets240bytesTotalsessionsfound:1从以上会话信息可以看出,VPN实例vpn1里的主机PCA192.
168.
1.
2访问172.
16.
1.
2,从VPN实例vpn2里的主机PCB192.
168.
1.
2回应报文的目的地址是172.
16.
1.
2,说明双向的地址转换已经成功.

可通过命令debuggingippacket可以查看具体报文上送过程:debuggingippacketterminalmonitorThecurrentterminalisenabledtodisplaylogs.
terminaldebuggingdebuggingippacketThecurrentterminalisenabledtodisplaydebugginglogs*Sep715:16:26:1792018H3CIPFW/7/IPFW_PACKET:-COntext=1;Receiving,interface=GigabitEthernet1/0/1version=4,headlen=20,tos=0pktlen=84,pktid=14,offset=0,ttl=255,protocol=1checksum=19422,s=192.
168.
1.
2,d=172.
16.
2.
2channelID=0,vpn-InstanceIn=1,vpn-InstanceOut=1.
prompt:ReceivingIPpacketfrominterfaceGigabitEthernet1/0/1.
Payload:ICMPtype=8,code=0,checksum=0xad48.
*Sep715:16:26:1802018H3CIPFW/7/IPFW_PACKET:-COntext=1;Sending,interface=GigabitEthernet1/0/2version=4,headlen=20,tos=0pktlen=84,pktid=14,offset=0,ttl=254,protocol=1checksum=19934,s=172.
16.
1.
2,d=192.
168.
1.
2channelID=0,vpn-InstanceIn=2,vpn-InstanceOut=2.
prompt:SendingIPpacketreceivedfrominterfaceGigabitEthernet1/0/1atinterfaceGigabitEthernet1/0/2.
Payload:ICMPtype=8,code=0,checksum=0xad48.
*Sep715:16:26:1812018H3CIPFW/7/IPFW_PACKET:-COntext=1;Receiving,interface=GigabitEthernet1/0/2version=4,headlen=20,tos=0pktlen=84,pktid=14,offset=0,ttl=255,protocol=1checksum=19678,s=192.
168.
1.
2,d=172.
16.
1.
2channelID=0,vpn-InstanceIn=2,vpn-InstanceOut=2.
prompt:ReceivingIPpacketfrominterfaceGigabitEthernet1/0/2.
Payload:ICMPtype=0,code=0,checksum=0xb548.
*Sep715:16:26:1812018H3CIPFW/7/IPFW_PACKET:-COntext=1;Sending,interface=GigabitEthernet1/0/1version=4,headlen=20,tos=0pktlen=84,pktid=14,offset=0,ttl=254,protocol=1checksum=19678,s=172.
16.
2.
2,d=192.
168.
1.
2channelID=0,vpn-InstanceIn=1,vpn-InstanceOut=1.
prompt:SendingIPpacketreceivedfrominterfaceGigabitEthernet1/0/2atinterfaceGigabitEthernet1/0/1.
Payload:ICMPtype=0,code=0,checksum=0xb548.
从以上debugging信息可以看出,防火墙收到的PCA发来的报文源地址为s=192.
168.
1.
2,目的地址d=172.
16.
2.
2,经过防火墙地址转换处理后,转发给PCB的报文源地址s=172.
16.
1.
2,目的地址d=192.
168.
1.
2,完成了源地址和目的地址的双向转换,之后收到PCB发来的回应报文,源地址s=192.
168.
1.
2,目的地址d=172.
16.
1.
2,经过防火墙之后,防火墙转发的报文,s=172.
16.
2.
2,d=192.
168.
1.
2,完成了源地址和目的地址的双向转换,这和最开始PCA发来的报文源目地址刚好匹配.

也可通过debuggingnatpacket命令查看具体地址转换过程:防火墙入接口收到报文后,目的地址变为192.
168.
1.
2,从出接口转发给PCB的报文源地址变为172.
16.
1.
2,报文在防火墙上完成了源地址和目的地址的双向转换;防火墙收到PCB发来的回应报文,源地址192.
168.
1.
2,目的地址172.
16.
1.
2;经过防火墙入接口转换,报文目的地址变为192.
168.
1.
2,从防火墙出接口转发的报文源地址变为172.