PIX Firewall NAT


I. Lab topology

(The diagram is not included on this page. As implied by the configuration below: R1 sits on the inside network 192.168.1.0/24 with loopbacks 192.168.10.1 and 192.168.20.1; R3 sits on the dmz network 192.168.3.0/24 with loopback 192.168.30.1; R2, which simulates the public network router, sits on the outside network 202.202.202.0/24 and answers at 200.200.200.200; FW4 is the PIX, with e0 = inside 192.168.1.2, e2 = outside 202.202.202.2 and e3 = dmz 192.168.3.2.)

II. Lab requirements

 1) Complete the basic configuration of the firewall

 2) Become familiar with the firewall's access rules

 3) Become familiar with the firewall's routing configuration

 4) Understand how NAT works on the firewall and become familiar with the configuration commands

     A) Traffic from R1's lo0 to R2's lo0 uses dynamic NAT

     B) Traffic from R1's lo1 to R2's lo1 uses PAT

     C) Traffic from R3's lo0 toward the outside uses static NAT

 5) Understand special NAT and policy NAT

III. Lab steps

  1) Basic configuration and interface configuration of the routers

  2) Basic configuration and interface configuration of the PIX firewall

FW4(config)# int e0
FW4(config-if)# ip add 192.168.1.2 255.255.255.0
FW4(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
FW4(config-if)# no shu
FW4(config-if)# int e2
FW4(config-if)# ip add 202.202.202.2 255.255.255.0
FW4(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
FW4(config-if)# no shu
FW4(config-if)# int e3
FW4(config-if)# ip add 192.168.3.2 255.255.255.0
FW4(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
FW4(config-if)# security-level 50
FW4(config-if)# no shu

  3) Test connectivity on the directly connected links

  4) Configure static routes so that the whole network is reachable; R2 simulates the public network router and is given no routes

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.2
FW4(config)# route inside 192.168.10.0 255.255.255.0 192.168.1.1
FW4(config)# route inside 192.168.20.0 255.255.255.0 192.168.1.1
FW4(config)# route dmz 192.168.30.0 255.255.255.0 192.168.3.1
FW4(config)# route outside 0.0.0.0 0.0.0.0 202.202.202.2

5) Complete the firewall's NAT configuration according to the lab requirements, and understand how it works

A) Test dynamic NAT

Before dynamic NAT is configured, R1 on the inside cannot reach R2 on the outside, because R2 has no return route. Once dynamic NAT is in place, the return route is a directly connected one (the source has been translated to an address in the 202.202.202.0 network), so the traffic gets through.

FW4(config)# access-list outacl extended permit icmp host 200.200.200.200 202.202.202.0 255.255.255.0 // permit ICMP from host 200.200.200.200 to the 202.202.202.0 network (a named extended ACL?)
FW4(config)# access-group outacl in int outside // apply it to the outside interface

FW4(config)# nat ?

configure mode commands/options:
 (  Open parenthesis for the name of the network interface where the
    hosts/network designated by the local IP address are accessed

FW4(config)# nat (inside) 1 192.168.10.0 255.255.255.0
FW4(config)# global (outside) 1 202.202.202.3-202.202.202.5 netmask 255.255.255.0 // dynamic NAT lets the private network reach the public network; nat and global are used together

Test result:

R1#ping 200.200.200.200 so 192.168.10.1 // the source must be specified, because only addresses in the 192.168.10.0 network are translated; without a source the egress interface address is used by default
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/28/44 ms

B) Test PAT (PAT maps a range of private addresses to a single global address)

FW4(config)# nat (inside) 2 192.168.20.0 255.255.255.0
FW4(config)# global (outside) 2 int
INFO: outside interface address added to PAT pool

Test result:

R1#ping 200.200.200.200 so 192.168.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/68 ms

C) Test static NAT

FW4(config)# static (dmz,outside) 202.202.202.8 192.168.30.1 netmask 255.255.255.255 // lets the private network reach the public network; 192.168.30.1 is translated to 202.202.202.8
FW4(config)# access-list dmzacl permit icmp 192.168.30.1 255.255.255.255 200.200.200.200 255.255.255.255 // this one is not applied to any interface?

Test result:

R3#ping 200.200.200.200 so 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/33/48 ms

6) Test special NAT and policy NAT

A) Special NAT

When nat-control is enabled, every inside address must have a matching inside NAT rule. Likewise, if outside dynamic NAT is enabled on an interface, every outside address must have a matching outside NAT rule before communication through the security appliance is allowed.

Test:

Note: for R1 to be able to ping R3, the following is required:

FW4(config)#fixup protocol icmp
FW4(config)#no fixup protocol icmp
FW4(config)#access-list dmz-inside extended permit icmp 192.168.3.1 255.255.255.0 192.168.1.0 255.255.255.0 echo-reply
FW4(config)# access-group dmz-inside in int dmz

Now:

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/72 ms

Enable nat-control:

FW4(config)# nat-control

Test:

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

B) Identity NAT

The translated IP is the original real IP, so effectively no translation takes place; it can only be used for outbound traffic. It is similar to dynamic NAT, except that dynamic NAT maps to a global address. Identity NAT is unidirectional: in the example below, R3 cannot ping R1 (192.168.3.1 pinging 192.168.1.1 fails).

FW4(config)# nat-control

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

FW4(config)# nat (inside) 0 192.168.1.1 255.255.255.255
nat 0 192.168.1.1 will be identity translated for outbound
// only nat, no global: relate this to the characteristics of identity NAT

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/31/68 ms

Note: both of the experiments above depend on the configuration given under A) that lets R1 ping R3 (the fixup protocol icmp / no fixup protocol icmp commands and the dmz-inside access list applied inbound on the dmz interface).

Question: when an ACL is deleted on the firewall, is the access-group command that applies it to the interface deleted as well?

 C) NAT exemption (nat 0 with an ACL)

 Similar to identity NAT; the main difference is that NAT exemption allows bidirectional communication, so both the translated host and the remote host may initiate connections.

FW4(config)# no nat (inside) 0 192.168.1.1 255.255.255.255
FW4(config)# nat-control
FW4(config)# access-list nonat permit ip 192.168.1.1 255.255.255.255 192.168.3$
FW4(config)# nat (inside) 0 access-list nonat

R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/52 ms

Note: all three experiments above depend on the configuration given under A) that lets R1 ping R3 (the fixup protocol icmp / no fixup protocol icmp commands and the dmz-inside access list applied inbound on the dmz interface).

D) Policy NAT

Similar to static NAT, but policy NAT lets you define a conditional criterion on the source and destination addresses to decide which translation applies. With this feature, the translation of a source address can differ depending on the destination address.

FW4(config)# access-list NAT1 permit ip 192.168.10.0 255.255.255.0 192.168.30.1 255.255.255.255
FW4(config)# access-list NAT2 permit ip 192.168.10.0 255.255.255.0 192.168.30.2 255.255.255.255
FW4(config)# nat (inside) 1 access-list NAT1
FW4(config)# global (outside) 1 192.168.3.2
INFO: Global 192.168.3.2 will be Port Address Translated
FW4(config)# nat (inside) 2 access-list NAT2
FW4(config)# global (outside) 2 192.168.3.3
INFO: Global 192.168.3.3 will be Port Address Translated
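The translation behaviour exercised in sections 5 and 6 (dynamic NAT from a pool, PAT on the interface address, static NAT, nat-control, identity NAT and NAT exemption), plus a policy NAT rule that also matches on the destination, as an added Python model written for these notes. It is not PIX code and is not part of the original lab: the Pix class, its method names and the lab_firewall() helper are this example's own; the addresses and rule values are taken from the lab configuration above. Interface ACLs are not modelled, rules are tried in configuration order, and the PAT port allocator and the treatment of a nat rule with no global on the egress interface are simplifications.

```python
import ipaddress
from dataclasses import dataclass, field

SECURITY = {"inside": 100, "dmz": 50, "outside": 0}   # security levels configured on FW4

def net(s):
    return ipaddress.ip_network(s, strict=False)

@dataclass
class Pix:
    """Toy model of PIX translation rules and the xlate table (example code, not PIX)."""
    nat_control: bool = False
    if_addr: dict = field(default_factory=dict)    # interface -> its own IP, for 'global ... interface'
    statics: list = field(default_factory=list)    # (local_if, global_if, global_ip, local_ip)
    nat_rules: list = field(default_factory=list)  # (local_if, nat_id, src_net, dst_net|None), config order
    pools: dict = field(default_factory=dict)      # (global_if, nat_id) -> free pool IPs, or "interface"
    exempt: list = field(default_factory=list)     # (local_if, src_net, dst_net) from 'nat 0 access-list'
    xlate: dict = field(default_factory=dict)      # (local_if, local_ip) -> global_ip
    next_port: int = 1024                          # simplified PAT port allocator

    def static(self, local_if, global_if, global_ip, local_ip):
        # 'static (local_if,global_if) global_ip local_ip': bidirectional, xlate exists at once
        self.statics.append((local_if, global_if, global_ip, local_ip))
        self.xlate[(local_if, ipaddress.ip_address(local_ip))] = ipaddress.ip_address(global_ip)

    def nat(self, local_if, nat_id, src, dst=None):
        # 'nat (local_if) nat_id src'; dst given = policy NAT; nat_id 0 without dst = identity NAT
        self.nat_rules.append((local_if, nat_id, net(src), net(dst) if dst else None))

    def global_(self, global_if, nat_id, pool):
        # 'global (global_if) nat_id ...': a list of IPs is dynamic NAT, "interface" is PAT
        self.pools[(global_if, nat_id)] = pool if pool == "interface" else [ipaddress.ip_address(p) for p in pool]

    def nat0_exempt(self, local_if, src, dst):
        # 'nat (local_if) 0 access-list <acl>' where the ACL permits src -> dst
        self.exempt.append((local_if, net(src), net(dst)))

    def forward(self, in_if, out_if, src, dst):
        """Fate of a flow entering in_if and leaving on out_if:
        ("pass", source address as seen on out_if) or ("drop", reason)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for lif, sn, dn in self.exempt:           # exemption: both directions, never translated
            if (in_if == lif and s in sn and d in dn) or (out_if == lif and d in sn and s in dn):
                return "pass", src
        if SECURITY[in_if] > SECURITY[out_if]:    # outbound: higher -> lower security level
            key = (in_if, s)
            if key in self.xlate:                 # reuse an existing static/dynamic/identity entry
                return "pass", str(self.xlate[key])
            for lif, nat_id, sn, dn in self.nat_rules:
                if lif != in_if or s not in sn or (dn is not None and d not in dn):
                    continue
                if nat_id == 0:                   # identity NAT: translated to itself, outbound only
                    self.xlate[key] = s
                    return "pass", src
                pool = self.pools.get((out_if, nat_id))
                if pool is None:                  # no global on this egress interface: rule not usable
                    continue
                if pool == "interface":           # PAT: one global address, flows told apart by port
                    port, self.next_port = self.next_port, self.next_port + 1
                    return "pass", f"{self.if_addr[out_if]}:{port}"
                if pool:                          # dynamic NAT: one free pool address per local host
                    self.xlate[key] = pool.pop(0)
                    return "pass", str(self.xlate[key])
                return "drop", f"dynamic pool for nat_id {nat_id} on {out_if} exhausted"
            if self.nat_control:
                return "drop", "nat-control: no NAT rule matches the source"
            return "pass", src                    # nat-control off: untranslated traffic is allowed
        # inbound: lower -> higher security. Only a static mapping opens this direction
        # (the lab shows that identity NAT does not).
        for lif, gif, gip, lip in self.statics:
            if gif == in_if and lif == out_if and d == ipaddress.ip_address(gip):
                return "pass", src                # destination is un-translated to lip on out_if
        return "drop", "no static translation for the destination"

    def show_xlate(self):
        return [f"Global {g} Local {l}" for (_, l), g in self.xlate.items()]

def lab_firewall():
    """FW4 as configured in section 5 of the notes."""
    fw = Pix(if_addr={"inside": "192.168.1.2", "outside": "202.202.202.2", "dmz": "192.168.3.2"})
    fw.nat("inside", 1, "192.168.10.0/24")
    fw.global_("outside", 1, ["202.202.202.3", "202.202.202.4", "202.202.202.5"])
    fw.nat("inside", 2, "192.168.20.0/24")
    fw.global_("outside", 2, "interface")
    fw.static("dmz", "outside", "202.202.202.8", "192.168.30.1")
    return fw

if __name__ == "__main__":
    fw = lab_firewall()
    print(fw.forward("inside", "outside", "192.168.10.1", "200.200.200.200"))  # dynamic NAT
    print(fw.forward("inside", "outside", "192.168.20.1", "200.200.200.200"))  # PAT
    print(fw.forward("outside", "dmz", "200.200.200.200", "202.202.202.8"))    # static, inbound
    print("\n".join(fw.show_xlate()))
```

The section 6 sequence is reproduced by building a Pix(nat_control=True) with no rules (R1 to R3 is dropped), adding nat("inside", 0, "192.168.1.1/32") (outbound passes, the dmz-to-inside direction is still dropped, and show_xlate() lists Global 192.168.1.1 Local 192.168.1.1), and finally replacing it with nat0_exempt("inside", "192.168.1.1/32", "192.168.3.0/24"), after which both directions pass untranslated. A fourth host in 192.168.10.0/24 is dropped once the three pool addresses are taken, which is why the lab's PAT rule uses the interface address instead.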

7) Summary of the firewall's access rules and how it handles traffic

A) NAT selection order

Rules are chosen in the following order, based on how much of the firewall's performance and resources each consumes:

NAT exemptions (nat 0 access-list commands), i.e. nat 0 with an ACL
Policy NAT (static access-list commands)
Static NAT (static commands without port numbers)
Static PAT (static commands with port numbers)
NAT 0 or Policy NAT (nat nat_id access-list commands)
Dynamic NAT and PAT (nat nat_id commands)

If two rules are at the same level, compare how specific their access lists and network addresses are; if everything is equal, the rule configured first wins.
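The selection order described above, as an added Python example that is not part of the original notes. The category ranks follow the list as given; the specificity measure (the sum of the matched source and destination prefix lengths), the category labels and the rule names are this example's own simplifications. The rule list mixes the lab's nat, static and nat 0 rules with a few constructed ones, marked as such, so that the tie-breakers are exercised.

```python
import ipaddress

# Rule categories in the order the notes list them (0 is considered first)
CATEGORY_RANK = {
    "nat0-acl": 0,     # NAT exemption: nat 0 access-list
    "static-acl": 1,   # policy NAT: static ... access-list
    "static": 2,       # static NAT, no port numbers
    "static-pat": 3,   # static PAT, with port numbers
    "nat-acl": 4,      # policy NAT: nat nat_id access-list
    "dynamic": 5,      # dynamic NAT / PAT: nat nat_id + global
}

def rule(name, cat, src, dst="0.0.0.0/0"):
    """One configured translation rule; dst is 'any' unless an ACL names a destination."""
    return {"name": name, "cat": cat,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}

def matches(r, src, dst):
    return ipaddress.ip_address(src) in r["src"] and ipaddress.ip_address(dst) in r["dst"]

def select_rule(rules, src, dst):
    """rules is the configured list in configuration order.
    Return the name of the rule that wins for a flow src -> dst, or None."""
    candidates = [(pos, r) for pos, r in enumerate(rules) if matches(r, src, dst)]
    if not candidates:
        return None
    # 1) lower category rank first; 2) more specific match (longer prefixes) first;
    # 3) the earlier configuration position breaks any remaining tie
    candidates.sort(key=lambda pr: (CATEGORY_RANK[pr[1]["cat"]],
                                    -(pr[1]["src"].prefixlen + pr[1]["dst"].prefixlen),
                                    pr[0]))
    return candidates[0][1]["name"]

# The lab's rules, plus constructed ones (marked) that show the tie-breakers
LAB_RULES = [
    rule("nat 1 dynamic", "dynamic", "192.168.10.0/24"),
    rule("NAT1 policy", "nat-acl", "192.168.10.0/24", "192.168.30.1/32"),
    rule("NAT2 policy", "nat-acl", "192.168.10.0/24", "192.168.30.2/32"),
    rule("nonat exemption", "nat0-acl", "192.168.1.1/32", "192.168.3.0/24"),
    rule("static dmz", "static", "192.168.30.1/32"),
    rule("wide policy (constructed)", "nat-acl", "192.168.10.0/24", "192.168.30.0/24"),
    rule("wide policy dup (constructed)", "nat-acl", "192.168.10.0/24", "192.168.30.0/24"),
    rule("inside dynamic (constructed)", "dynamic", "192.168.1.0/24"),
]

if __name__ == "__main__":
    for flow in [("192.168.10.7", "192.168.30.1"), ("192.168.10.7", "192.168.30.9"),
                 ("192.168.1.1", "192.168.3.1"), ("192.168.1.5", "192.168.3.1")]:
        print(flow, "->", select_rule(LAB_RULES, *flow))
```

For 192.168.10.7 to 192.168.30.1 the policy rule NAT1 beats the broader dynamic rule even though the dynamic rule was configured first, because category comes before configuration order; for 192.168.10.7 to 192.168.30.9 neither /32 policy rule matches, the two constructed /24 policy rules tie on category and specificity, and the earlier one wins.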

FW4# sh conn
0 in use, 2 most used

FW4# sh local-host
Interface dmz: 0 active, 1 maximum active, 0 denied
Interface outside: 0 active, 1 maximum active, 0 denied
Interface inside: 2 active, 2 maximum active, 0 denied
local host: <192.168.10.1>,
   TCP flow count/limit = 0/unlimited
   TCP embryonic count to host = 0
   TCP intercept watermark = unlimited
   UDP flow count/limit = 0/unlimited
 Xlate:
   Global 202.202.202.3 Local 192.168.10.1
local host: <192.168.1.1>,
   TCP flow count/limit = 0/unlimited
   TCP embryonic count to host = 0
   TCP intercept watermark = unlimited
   UDP flow count/limit = 0/unlimited
 Xlate:
   Global 192.168.1.1 Local 192.168.1.1

FW4# sh xlate
3 in use, 3 most used
Global 202.202.202.8 Local 192.168.30.1
Global 202.202.202.3 Local 192.168.10.1
Global 192.168.1.1 Local 192.168.1.1

