FortiGate firewall: configuring DNAT and SNAT (Fortinet firewall setup, Chinese)

User submission 2129 2022-10-07



I. Lab topology

Purpose of the lab: after SNAT is configured, the internal server can reach the external server, and the external server sees the post-SNAT source IP 56.56.56.1. After DNAT is configured, the external server reaches the internal server's service through the virtual IP 56.56.56.52.

II. SNAT configuration

a. Configure the NAT address pool (IP pool)

config firewall ippool
    edit "56.56.56.1_overload"
        set startip 56.56.56.1
        set endip 56.56.56.1
    next
end

b. Configure the policy for internal servers reaching the outside, and reference the NAT address pool in it

config firewall policy                     // enclosing table and closing "end" added; the original listing showed only the edit block
    edit 2
        set name "to-all-permit"
        set uuid 8d96be5c-6b90-51eb-aa29-9b7fc34ca6ca
        set srcintf "port2"                // internal interface
        set dstintf "port3"                // external interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable                  // enable use of a NAT address pool
        set poolname "56.56.56.1_overload" // reference the NAT address pool
        set nat enable                     // enable NAT on this policy
    next
end

c. On the external server, add a static route to the NAT address range

[root@c6 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
56.56.56.0      6.6.6.1         255.255.255.0   UG    0      0        0 eth5

d. Verify that SNAT works

1. Internal server network configuration

[root@localhost ~]# ifconfig ens39
ens39: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 5.5.5.1  netmask 255.255.255.0  broadcast 5.5.5.255
        inet6 fe80::20c:29ff:fe00:8058  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:00:80:58  txqueuelen 1000  (Ethernet)
        RX packets 5870  bytes 474480 (463.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 426  bytes 36317 (35.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         5.5.5.2         0.0.0.0         UG    0      0        0 ens39

2. Ping the external server from the internal server

[root@localhost ~]# ping 6.6.6.2
PING 6.6.6.2 (6.6.6.2) 56(84) bytes of data.
64 bytes from 6.6.6.2: icmp_seq=1 ttl=63 time=1.50 ms
64 bytes from 6.6.6.2: icmp_seq=2 ttl=63 time=1.53 ms

3. Capture packets on the external server

[root@c6 ~]# ifconfig eth5
eth5      Link encap:Ethernet  HWaddr 00:0C:29:5B:93:45
          inet addr:6.6.6.2  Bcast:6.6.6.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe5b:9345/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:443 errors:0 dropped:0 overruns:0 frame:0
          TX packets:583 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44908 (43.8 KiB)  TX bytes:52443 (51.2 KiB)
[root@c6 ~]# tcpdump -i eth5 -nnn -vvv
tcpdump: listening on eth5, link-type EN10MB (Ethernet), capture size 65535 bytes
11:58:34.460576 IP (tos 0x0, ttl 63, id 65514, offset 0, flags [DF], proto ICMP (1), length 84)
    56.56.56.1 > 6.6.6.2: ICMP echo request, id 9543, seq 1, length 64
11:58:34.460638 IP (tos 0x0, ttl 64, id 15653, offset 0, flags [none], proto ICMP (1), length 84)
    6.6.6.2 > 56.56.56.1: ICMP echo reply, id 9543, seq 1, length 64
11:58:35.461347 IP (tos 0x0, ttl 63, id 814, offset 0, flags [DF], proto ICMP (1), length 84)
    56.56.56.1 > 6.6.6.2: ICMP echo request, id 9543, seq 2, length 64

e. SNAT conclusion: the result matches expectation. The internal server reaches the external server, and the external server sees the post-SNAT source IP 56.56.56.1.

III. DNAT configuration

a. Create the virtual IP (VIP) for DNAT, i.e. the destination IP the external network uses to reach the internal service

config firewall vip
    edit "56.56.56.52-5.5.5.1"
        set uuid 34a97bc8-6b8a-51eb-8808-b94f5cd25dba
        set extip 56.56.56.52
        set extintf "port3"
        set portforward enable
        set mappedip "5.5.5.1"
        set extport 515
        set mappedport 515
    next
end

b. Create a policy and reference the VIP as its destination address

config firewall policy
    edit 1
        set name "test"
        set uuid 4f007e72-6b8a-51eb-3e87-d1cfe35c0b71
        set srcintf "port3"                // external interface
        set dstintf "port2"                // internal interface
        set srcaddr "all"
        set dstaddr "56.56.56.52-5.5.5.1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end                                        // closing "end" added; the original listing stopped at "next"
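The two policies above, together with the ippool and VIP they reference, are easy to get subtly wrong: the pool is ignored unless `set nat enable` is also present, a misspelled `poolname` silently does nothing, and an inbound VIP policy with `srcaddr "all"` exposes the mapped service to every source. The following Python script is an added example, not FortiGate tooling and not the author's code: it parses the flat config/edit/set/next/end shape of these three tables from a constructed copy of the lab configuration (UUIDs dropped) and reports those checks. The helper names `parse_fortigate`, `first` and `audit_nat` and the severity labels are my own.

```python
"""Parse FortiGate CLI tables and audit the SNAT/DNAT policies in them.
Added example: a hypothetical helper, not FortiGate tooling. It handles the flat
'config <table> / edit <id> / set <key> <values> / next / end' shape of ippool, vip and policy.
"""
import shlex

# Constructed sample: the lab's ippool, VIP and both policies, UUIDs dropped.
SAMPLE_CONFIG = """
config firewall ippool
    edit "56.56.56.1_overload"
        set startip 56.56.56.1
        set endip 56.56.56.1
    next
end
config firewall vip
    edit "56.56.56.52-5.5.5.1"
        set extip 56.56.56.52
        set extintf "port3"
        set portforward enable
        set mappedip "5.5.5.1"
        set extport 515
        set mappedport 515
    next
end
config firewall policy
    edit 1
        set name "test"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "56.56.56.52-5.5.5.1"
        set action accept
        set service "ALL"
    next
    edit 2
        set name "to-all-permit"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set ippool enable
        set poolname "56.56.56.1_overload"
        set nat enable
    next
end
"""

def parse_fortigate(text):
    """Return {table: {entry_id: {key: [values]}}}; shlex strips the quotes around names."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        if words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit":
            entry = table.setdefault(words[1], {})
        elif words[0] == "set":
            entry[words[1]] = words[2:]
        elif words[0] == "next":
            entry = None
        elif words[0] == "end":
            table = None
    return tables

def first(entry, key):
    """First value of 'set <key> ...', or None when the key is absent."""
    return (entry.get(key) or [None])[0]

def audit_nat(tables):
    """Return (severity, policy_id, message) tuples for NAT-related problems."""
    findings = []
    pools = tables.get("firewall ippool", {})
    vips = tables.get("firewall vip", {})
    for pid, pol in tables.get("firewall policy", {}).items():
        # SNAT side: the pool is only consulted when both ippool and nat are enabled.
        if first(pol, "ippool") == "enable":
            if first(pol, "nat") != "enable":
                findings.append(("error", pid, "ippool enabled without 'set nat enable'; the pool is never used"))
            if first(pol, "poolname") not in pools:
                findings.append(("error", pid, f"poolname {first(pol, 'poolname')!r} is not a defined ippool"))
        # DNAT side: a policy whose dstaddr is a VIP is the inbound exposure.
        for dst in pol.get("dstaddr", []):
            if dst not in vips:
                continue
            vip = vips[dst]
            if first(vip, "portforward") == "enable":
                findings.append(("info", pid, f"VIP {dst} forwards only external port {first(vip, 'extport')} to "
                                 f"{first(vip, 'mappedip')}:{first(vip, 'mappedport')}, which bounds service ALL"))
            elif first(pol, "service") == "ALL":
                findings.append(("warn", pid, f"VIP {dst} maps every port of {first(vip, 'mappedip')} and service is ALL"))
            if first(pol, "srcaddr") == "all":
                findings.append(("warn", pid, "inbound DNAT policy accepts any source; narrow srcaddr unless the service is public"))
    return findings
```

Run `audit_nat(parse_fortigate(SAMPLE_CONFIG))` to see the findings for the lab config: policy 2 passes the SNAT checks, while policy 1 gets an informational note that the port-forwarding VIP limits the effective service to port 515 and a warning that any source may reach it. Removing the `set nat enable` line from the sample turns the pool reference into an error.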

c. The external server's static route to the NAT address range was already configured in section II (SNAT configuration), so it is not repeated here.

d. Verify that DNAT works

1. Start a service on port 515 on the internal server

[root@localhost ~]# python -m SimpleHTTPServer 515
Serving HTTP on 0.0.0.0 port 515 ...

2. From the external server, telnet to port 515 of the VIP

[root@c6 ~]# telnet 56.56.56.52 515
Trying 56.56.56.52...
Connected to 56.56.56.52.
Escape character is '^]'.
^]
Error response
Error response

Error code 400.

Message: Bad request syntax ('^]').

Error code explanation: 400 = Bad request syntax or unsupported method.
Connection closed by foreign host.

The HTTP 400 is the internal server rejecting the non-HTTP input it received; what matters is that the TCP connection to the VIP was answered by the service on 5.5.5.1:515.

3. Capture packets on the internal server

[root@localhost ~]# tcpdump -i ens39 -nnn -vvv host 6.6.6.2
tcpdump: listening on ens39, link-type EN10MB (Ethernet), capture size 65535 bytes
16:37:24.291051 IP (tos 0x10, ttl 63, id 42541, offset 0, flags [DF], proto TCP (6), length 57)
    6.6.6.2.34980 > 5.5.5.1.515: Flags [P.], cksum 0x98df (correct), seq 2296234720:2296234725, ack 743420663, win 115, options [nop,nop,TS val 25389246 ecr 21012527], length 5
16:37:24.295944 IP (tos 0x0, ttl 64, id 4806, offset 0, flags [DF], proto TCP (6), length 52)
    5.5.5.1.515 > 6.6.6.2.34980: Flags [.], cksum 0x1634 (incorrect -> 0x9a9c), seq 1, ack 5, win 227, options [nop,nop,TS val 21079036 ecr 25389246], length 0

e. DNAT conclusion: the result matches expectation. The external server reaches the service on internal IP 5.5.5.1 through the VIP 56.56.56.52.
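Both verifications above rest on reading tcpdump output by eye: on the outside capture the source must be the pool IP 56.56.56.1 and no 5.5.5.x address may appear, and on the inside capture the destination must be 5.5.5.1:515 with the VIP address already rewritten. The following Python script is an added example, not part of the original post: it parses the two-lines-per-packet `tcpdump -nnn -vvv` format into records and applies those two checks to constructed copies of the lab's captures. The helper names `split_endpoint`, `parse_tcpdump`, `check_snat` and `check_dnat` are hypothetical.

```python
"""Check tcpdump -nnn -vvv captures for the NAT translation we expect.
Added example; a hypothetical checker, not a tcpdump or FortiGate feature.
In -vvv output each IPv4 packet spans two lines: the header line (ttl, proto,
length) and an indented 'src > dst: ...' line; with -nnn, a port is appended
to the address as a fifth dotted field (6.6.6.2.34980).
"""
import re

# Constructed samples shaped like the lab captures (outside on eth5, inside on ens39).
EXTERNAL_CAPTURE = """\
11:58:34.460576 IP (tos 0x0, ttl 63, id 65514, offset 0, flags [DF], proto ICMP (1), length 84)
    56.56.56.1 > 6.6.6.2: ICMP echo request, id 9543, seq 1, length 64
11:58:34.460638 IP (tos 0x0, ttl 64, id 15653, offset 0, flags [none], proto ICMP (1), length 84)
    6.6.6.2 > 56.56.56.1: ICMP echo reply, id 9543, seq 1, length 64
11:58:35.461347 IP (tos 0x0, ttl 63, id 814, offset 0, flags [DF], proto ICMP (1), length 84)
    56.56.56.1 > 6.6.6.2: ICMP echo request, id 9543, seq 2, length 64
"""
INTERNAL_CAPTURE = """\
16:37:24.291051 IP (tos 0x10, ttl 63, id 42541, offset 0, flags [DF], proto TCP (6), length 57)
    6.6.6.2.34980 > 5.5.5.1.515: Flags [P.], cksum 0x98df (correct), seq 2296234720:2296234725, ack 743420663, win 115, length 5
16:37:24.295944 IP (tos 0x0, ttl 64, id 4806, offset 0, flags [DF], proto TCP (6), length 52)
    5.5.5.1.515 > 6.6.6.2.34980: Flags [.], cksum 0x1634 (incorrect -> 0x9a9c), seq 1, ack 5, win 227, length 0
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?proto (?P<proto>\w+) \(\d+\)")

def split_endpoint(token):
    """'6.6.6.2.34980' -> ('6.6.6.2', 34980); '6.6.6.2' -> ('6.6.6.2', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse_tcpdump(text):
    """Return one dict per packet: ts, ttl, proto, src, sport, dst, dport, info."""
    packets, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()          # keep until the flow line arrives
            continue
        if header is None or not line.startswith(" "):
            continue                         # 'listening on ...' and other noise
        flow, _, info = line.strip().partition(": ")
        src, _, dst = flow.partition(" > ")
        sip, sport = split_endpoint(src)
        dip, dport = split_endpoint(dst)
        packets.append({"ts": header["ts"], "ttl": int(header["ttl"]), "proto": header["proto"],
                        "src": sip, "sport": sport, "dst": dip, "dport": dport, "info": info})
        header = None
    return packets

def check_snat(packets, pool_ip, internal_prefix):
    """Outside capture: traffic must carry the pool IP and never leak an internal address."""
    leaked = [p for p in packets
              if p["src"].startswith(internal_prefix) or p["dst"].startswith(internal_prefix)]
    translated = [p for p in packets if p["src"] == pool_ip]
    return {"ok": bool(translated) and not leaked, "translated": len(translated), "leaked": leaked}

def check_dnat(packets, mapped_ip, mapped_port, vip_ip):
    """Inside capture: inbound traffic must target mapped_ip:mapped_port with the VIP already rewritten."""
    inbound = [p for p in packets if p["dst"] == mapped_ip and p["dport"] == mapped_port]
    untranslated = [p for p in packets if vip_ip in (p["src"], p["dst"])]
    return {"ok": bool(inbound) and not untranslated, "inbound": len(inbound), "untranslated": untranslated}

if __name__ == "__main__":
    print("SNAT ok:", check_snat(parse_tcpdump(EXTERNAL_CAPTURE), "56.56.56.1", "5.5.5.")["ok"])
    print("DNAT ok:", check_dnat(parse_tcpdump(INTERNAL_CAPTURE), "5.5.5.1", 515, "56.56.56.52")["ok"])
```

Running the SNAT check against the inside capture (or the DNAT check against the outside one) fails, which is the point: each capture must be taken on the side of the firewall where the translated addresses are visible. The ttl of 63 on the forwarded packets, one less than the sender's 64, is the firewall hop.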

