
Huawei Routing and Switching from Beginner to Advanced Series (12): Simulating NAT + Firewall + DNS + DHCP in ENSP2.0

运维开发网 https://www.qedev.com 2021-03-24 11:43 Source: 51CTO Author: 网络之路blo

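Overview

This lab simulates NAT, firewall, DNS and DHCP functions in ENSP2.0. It covers how to implement firewall features, NAT, DNS and DHCP on Huawei routers.

Learning objectives

1. Router DHCP client configuration (simulating a PC)

2. Firewall feature configuration

3. NAT configuration

4. DNS and DHCP configuration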

1. Lab topology:

[Figure: lab topology diagram]

2. PC configuration

#
sysname PC
dhcp enable
dns resolve
dns server 8.8.8.8
#
interface GigabitEthernet0/0/0
 ip address dhcp-alloc

3. Gateway router configuration

#
sysname GW
#
dhcp enable
dns resolve
dns server 8.8.8.8
#
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255
acl number 3001
 rule 5 deny icmp icmp-type echo
 rule 10 permit ip
#
firewall zone trust
 priority 10
#
firewall zone untrust
 priority 5
#
firewall zone Local
 priority 15
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3001 inbound
 detect aspf ftp
 detect aspf sip
 detect aspf rtsp
 detect aspf http
 detect aspf http java-blocking
 detect aspf http activex-blocking
#
interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0
 zone trust
 dhcp select interface
 dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/1
 ip address 211.1.1.2 255.255.255.0
 nat outbound 3000
 zone untrust
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 211.1.1.1
#
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher huawei
 user privilege level 3
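
The VTY and interzone filter settings in the GW configuration above can be reviewed mechanically. The following is an added example, not part of the original article: a small Python audit run over a constructed excerpt of the GW configuration. The rule set and the WEAK_PASSWORDS list are this example's own assumptions, and it expects sub-commands to be indented under their parent line as in a saved VRP configuration.

```python
import re

# Constructed sample: ACL 3001, interzone and VTY lines copied from the GW config above.
GW_CONFIG = """\
acl number 3001
 rule 5 deny icmp icmp-type echo
 rule 10 permit ip
firewall interzone trust untrust
 packet-filter 3001 inbound
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher huawei
 user privilege level 3
"""
WEAK_PASSWORDS = {"huawei", "admin", "password", "123456"}  # illustrative list (assumption)

def sections(config):
    """Group indented sub-commands under their unindented parent line."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "#"):
            continue
        if not line[0].isspace():
            current = line.strip()
            out[current] = []
        elif current:
            out[current].append(line.strip())
    return out

def audit(config):
    """Return (section, finding) tuples; the rules are this example's own."""
    sec, findings = sections(config), []
    for name, body in sec.items():
        if name.startswith("user-interface vty"):
            if "authentication-mode password" in body:
                findings.append((name, "shared password login, no per-user AAA"))
            for cmd in body:
                m = re.match(r"set authentication password cipher (\S+)", cmd)
                if m and m.group(1).lower() in WEAK_PASSWORDS:
                    findings.append((name, "well-known password"))
            if "user privilege level 3" in body:
                findings.append((name, "every VTY login gets privilege level 3"))
        if name.startswith("firewall interzone"):
            for cmd in body:
                m = re.match(r"packet-filter (\d+) inbound", cmd)
                rules = sec.get(f"acl number {m.group(1)}", []) if m else []
                if any(re.fullmatch(r"rule \d+ permit ip", r) for r in rules):
                    findings.append((name, f"ACL {m.group(1)} inbound has unrestricted 'permit ip'"))
    return findings
```

Calling audit(GW_CONFIG) returns four findings: one for the interzone filter and three for the VTY lines.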

4. Public-network (Internet) router configuration

#
sysname INTERNET
#
ip host www.baidu.com 100.100.100.100
ip host www.google.com 200.200.200.200
#
dns resolve
dns server 8.8.8.8
dns proxy enable
#
interface GigabitEthernet0/0/0
 ip address 211.1.1.1 255.255.255.0
#
interface NULL0
#
interface LoopBack0
 ip address 100.100.100.100 255.255.255.0
#
interface LoopBack1
 ip address 200.200.200.200 255.255.255.0
#
interface LoopBack100
 ip address 8.8.8.8 255.255.255.0
#
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher huawei
 user privilege level 3
#

5. Testing Internet access from the PC

ping www.google.com
PING www.google.com: 56 data bytes, press CTRL_C to break
Reply from 200.200.200.200: bytes=56 Sequence=1 ttl=254 time=20 ms
Reply from 200.200.200.200: bytes=56 Sequence=2 ttl=254 time=20 ms
Reply from 200.200.200.200: bytes=56 Sequence=3 ttl=254 time=10 ms
Reply from 200.200.200.200: bytes=56 Sequence=4 ttl=254 time=10 ms
Reply from 200.200.200.200: bytes=56 Sequence=5 ttl=254 time=30 ms
--- www.google.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/18/30 ms

telnet www.baidu.com
Press CTRL_] to quit telnet mode
Trying 100.100.100.100 ...
Connected to 100.100.100.100 ...
Login authentication
Password:huawei

dis access-user
Info: No online user.

dis ip inter bri
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 1
Interface                 IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0      211.1.1.1/24         up         up
GigabitEthernet0/0/1      unassigned           down       down
LoopBack0                 100.100.100.100/24   up         up(s)
LoopBack1                 200.200.200.200/24   up         up(s)
LoopBack100               8.8.8.8/24           up         up(s)
NULL0                     unassigned           up         up(s)

6. Checking the gateway state

[GW]dis nat session all
NAT Session Table Information:

Protocol : ICMP(1)
SrcAddr *** : 192.168.10.254
DestAddr *** : 200.200.200.200
Type Code IcmpId : 0 8 43997
NAT-Info
New SrcAddr : 211.1.1.2
New DestAddr : ----
New IcmpId : 10255

Protocol : TCP(6)
SrcAddr Port *** : 192.168.10.254 46273
DestAddr Port *** : 100.100.100.100 5888
NAT-Info
New SrcAddr : 211.1.1.2
New SrcPort : 10253
New DestAddr : ----
New DestPort : ----

Protocol : UDP(17)
SrcAddr Port *** : 192.168.10.254 7109
DestAddr Port *** : 8.8.8.8 13568
NAT-Info

[GW]dis firewall session all
Firewall Session Table Information:

Protocol : TCP(6)
SrcAddr Port *** : 192.168.10.254 46273
DestAddr Port *** : 100.100.100.100 5888
Firewall-Info
InZone : trust
OutZone : untrust

Protocol : UDP(17)
SrcAddr Port *** : 192.168.10.254 7109
DestAddr Port *** : 8.8.8.8 13568
Firewall-Info
InZone : trust
OutZone : untrust

Protocol : UDP(17)
SrcAddr Port *** : 192.168.10.254 2245
DestAddr Port *** : 8.8.8.8 13568
Firewall-Info
InZone : trust
OutZone : untrust

Protocol : UDP(17)
SrcAddr Port *** : 192.168.10.254 33990
DestAddr Port *** : 8.8.8.8 13568
Firewall-Info
InZone : trust
OutZone : untrust

Protocol : UDP(17)
SrcAddr Port *** : 192.168.10.254 4806
DestAddr Port *** : 8.8.8.8 13568
Firewall-Info
InZone : trust
OutZone : untrust

Protocol : UDP(17)
SrcAddr Port *** : 192.168.10.254 4038
DestAddr Port *** : 8.8.8.8 13568
Firewall-Info
InZone : trust
OutZone : untrust

Protocol : TCP(6)
SrcAddr Port *** : 192.168.10.254 21700
DestAddr Port *** : 100.100.100.100 5888
Firewall-Info
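
The destination ports in the session tables above, 5888 for the Telnet session to 100.100.100.100 and 13568 for the DNS queries to 8.8.8.8, are 23 and 53 with their two bytes swapped (0x1700 vs 0x0017, 0x3500 vs 0x0035). The following added example (not part of the original article) parses the session output and reports each port both as shown and byte-swapped; that the display is byte-swapped is an inference from these numbers, not something the article states.

```python
import re

# Constructed sample: three entries copied from the "dis firewall session all" output above.
SESSION_OUTPUT = """\
Protocol : TCP(6)
SrcAddr Port *** : 192.168.10.254 46273
DestAddr Port *** : 100.100.100.100 5888
Protocol : UDP(17)
SrcAddr Port *** : 192.168.10.254 7109
DestAddr Port *** : 8.8.8.8 13568
Protocol : UDP(17)
SrcAddr Port *** : 192.168.10.254 2245
DestAddr Port *** : 8.8.8.8 13568
"""

ADDR_LINE = re.compile(r"^(Src|Dest)Addr\s+Port\b[^:]*:\s*(\S+)\s+(\d+)\s*$")


def swap16(port):
    """Swap the two bytes of a 16-bit port number."""
    return ((port & 0xFF) << 8) | (port >> 8)


def parse_sessions(text):
    """Return one dict per session with the displayed and byte-swapped ports."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^Protocol\s*:\s*(\w+)\((\d+)\)", line)
        if m:
            cur = {"proto": m.group(1)}
            sessions.append(cur)
            continue
        m = ADDR_LINE.match(line)
        if m and cur is not None:
            side = m.group(1).lower()  # "src" or "dest"
            cur[side] = m.group(2)
            cur[side + "_port_shown"] = int(m.group(3))
            cur[side + "_port_swapped"] = swap16(int(m.group(3)))
    return sessions
```

With the swap applied, the source ports in the sample also fall in the 49152-65535 range, which is consistent with the same byte order on both columns.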

This article was first published on the official account 网络之路博客.
