I. NAT Server review
NAT configuration: destination NAT in detail: https://blog.csdn.net/Mario_Ti/article/details/135175030?spm=1001.2014.3001.5502
II. NAT Server public address not in the same subnet as the virtual IP
1. Analysis
Bring up hot standby in active/standby mode following the usual HRP procedure. On FW1, the active device, configure a NAT Server that maps the internal server 10.0.0.4 to the public address 10.10.10.10. That address is not in the same subnet as the virtual IP of VRRP group 2 (10.0.1.1). The NAT Server configuration is synchronised to FW2, the standby device. The external router normally carries a default route whose next hop is the virtual IP 10.0.1.1.
When a packet from an external client to the internal server reaches the external router AR4, the router's routing table gives next hop 10.0.1.1, so it broadcasts an ARP request for 10.0.1.1. Only the firewall that is Master of the VRRP group answers, and it answers with the group's virtual MAC address. The router encapsulates the packet with that virtual MAC as the destination MAC and sends it to the switch, which looks the MAC up in its MAC address table and forwards the frame to FW1, the active device. Because the public address 10.10.10.10 is off-link, nobody on this segment is ever asked for its MAC, so the fact that both firewalls hold the same NAT Server entry causes no conflict here.
2. Configuration
```
// Configure VRRP group 1 (trust side)
[FW1]interface g1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.0.0.1 active
// Configure VRRP group 2 (untrust side)
[FW1-GigabitEthernet1/0/0]interface g1/0/1
[FW1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.0.1.1 active
// Configure the heartbeat interfaces
[FW1-GigabitEthernet1/0/1]interface g1/0/2
[FW1-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.2
[FW1-GigabitEthernet1/0/2]interface g1/0/3
[FW1-GigabitEthernet1/0/3]hrp interface g1/0/3 remote 10.10.1.2
// Put the heartbeat interfaces in the predefined dmz zone
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/2
[FW1-zone-dmz]add interface g1/0/3
// Enable hot standby
[FW1]hrp enable
// FW2: same configuration, with both VRRP groups as standby and the peer heartbeat addresses swapped
[FW2]interface g1/0/0
[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.0.0.1 standby
[FW2-GigabitEthernet1/0/0]interface g1/0/1
[FW2-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.0.1.1 standby
[FW2-GigabitEthernet1/0/1]interface g1/0/2
[FW2-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.1
[FW2-GigabitEthernet1/0/2]interface g1/0/3
[FW2-GigabitEthernet1/0/3]hrp interface g1/0/3 remote 10.10.1.1
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface g1/0/2
[FW2-zone-dmz]add interface g1/0/3
[FW2]hrp enable
```
```
// AR4's default route points at the VRRP virtual IP, not at either firewall's own interface address
[AR4]ip route-static 0.0.0.0 0 10.0.1.1
// Security policy on FW1. The destination is the inside (post-NAT) address 10.0.0.4,
// because NAT Server translation happens before the security-policy lookup.
HRP_M[FW1-policy-security-rule-policy1]display this
2024-02-01 09:31:22.160
#
rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.0.0.4 mask 255.255.255.255
  service http
  action permit
#
return
// The policy has been synchronised to the standby device
HRP_S[FW2]display security-policy rule name policy1
2024-02-01 09:32:23.910
(0 times matched)
rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.0.0.4 mask 255.255.255.255
  service http
  action permit
// Both firewalls use AR4 (10.0.1.4) as the next hop of their default route
HRP_M[FW1]display ip routing-table
2024-02-01 09:33:30.340
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   Static  60   0          RD   10.0.1.4        GigabitEthernet1/0/1
HRP_S[FW2]display ip routing-table
2024-02-01 09:34:58.930
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   Static  60   0          RD   10.0.1.4        GigabitEthernet1/0/1
```
```
// NAT Server on the active device: public 10.10.10.10:9980 -> inside 10.0.0.4:80
HRP_M[FW1]nat server protocol tcp global 10.10.10.10 9980 inside 10.0.0.4 80
// The entry is visible on the standby device without any configuration there
HRP_S[FW2]display nat server
2024-02-01 09:37:31.140
  Server in private network information:
  Total 1 NAT server(s)
  server name       : 0
  id                : 0                    zone              : ---
  global-start-addr : 10.10.10.10          global-end-addr   : 10.10.10.10
  inside-start-addr : 10.0.0.4             inside-end-addr   : 10.0.0.4
  global-start-port : 9980                 global-end-port   : 9980
  inside-start-port : 80(www)              inside-end-port   : 80
  globalvpn         : public               insidevpn         : public
  vsys              : public               protocol          : tcp
  no-revers         : 0                    interface         : ---
  unr-route         : 0                    description       : ---
  nat-disable       : 0
// Forward entry (Internet -> server) and reverse entry (server -> Internet) in the server-map
HRP_M[FW1]display firewall server-map
2024-02-01 09:40:19.930
Current Total Server-map : 2
  Type: Nat Server, ANY -> 10.10.10.10:9980[10.0.0.4:80], Zone:---, protocol:tcp
  Vpn: public -> public
  Type: Nat Server Reverse, 10.0.0.4[10.10.10.10] -> ANY, Zone:---, protocol:tcp
  Vpn: public -> public, counter: 1
HRP_M[FW1]
```
A NAT Server configured on the active device is synchronised to the standby device.
```
HRP_M[FW1]display firewall session table
2024-02-01 09:55:37.760
Current Total Sessions : 6
// HRP heartbeat between the two firewalls (UDP 18514)
  udp  VPN: public --> public  10.10.0.2:16384 --> 10.10.0.1:18514
// Client 1.1.1.2 reaching the server through the NAT Server mapping; the inside address is shown in brackets
  http VPN: public --> public  1.1.1.2:2056 --> 10.10.10.10:9980[10.0.0.4:80]
```
```
HRP_M[FW1]ip route-static 10.10.10.10 32 NULL 0
HRP_S[FW2]ip route-static 10.10.10.10 32 NULL 0
```
Add a black-hole route for the public address on both devices. When the public address is not in the interface's subnet this prevents a routing loop: a packet to 10.10.10.10 that matches no server-map entry (a port other than 9980, say) is discarded at the firewall instead of being forwarded back to AR4 by the default route, from where AR4's own default route would return it to the firewall until its TTL ran out.
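To show why the Null0 route matters, here is an added Python model (not code from the original post) that walks a packet through AR4 and the active firewall using the post's addresses, server-map entry and routes. The node names, the unmapped port used in the demo and the 8-hop TTL are assumptions made for the illustration.

```python
"""Forwarding model for the black-hole route on the NAT Server global address.

Added example, not code from the original post. Addresses, the server-map
entry (tcp 10.10.10.10:9980 -> 10.0.0.4:80) and the routes are the post's;
the node names, the unmapped port used in the demo and the 8-hop TTL are
assumptions made for the illustration.
"""
import ipaddress

# NAT Server server-map from the post: (protocol, global ip, global port) -> (inside ip, inside port)
SERVER_MAP = {("tcp", "10.10.10.10", 9980): ("10.0.0.4", 80)}

# Routing tables as (prefix, next hop); "Null0" discards the packet.
FW_ROUTES = [("0.0.0.0/0", "10.0.1.4")]                                  # default route towards AR4
FW_ROUTES_WITH_BLACKHOLE = FW_ROUTES + [("10.10.10.10/32", "Null0")]     # ip route-static 10.10.10.10 32 NULL 0
AR4_ROUTES = [("0.0.0.0/0", "10.0.1.1")]                                 # default route towards the VRRP VIP

# Which device owns each next-hop address (assumed: 10.0.1.4 is AR4's interface).
NEXT_HOP_OWNER = {"10.0.1.4": "AR4", "10.0.1.1": "FW"}


def lookup(routes, dst_ip):
    """Longest-prefix match over a small static table. Returns the next hop or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(proto, dst_ip, dst_port, blackhole, ttl=8):
    """Walk a packet that AR4 has just received from the Internet.

    Returns (outcome, path). Outcomes:
      'delivered'   - matched the server-map and was translated to the inside host
      'dropped'     - hit the Null0 route on the firewall
      'ttl_expired' - bounced between AR4 and the firewall until the TTL ran out
    """
    fw_routes = FW_ROUTES_WITH_BLACKHOLE if blackhole else FW_ROUTES
    node, path = "AR4", []
    while ttl > 0:
        path.append(node)
        ttl -= 1
        if node == "FW":
            # The firewall consults the server-map before routing; a hit is translated and
            # routed by the inside address, so it never touches the Null0 route.
            inside = SERVER_MAP.get((proto, dst_ip, dst_port))
            if inside:
                path.append("%s:%d" % inside)
                return "delivered", path
            next_hop = lookup(fw_routes, dst_ip)
            if next_hop == "Null0":
                return "dropped", path
            node = NEXT_HOP_OWNER[next_hop]
        else:
            node = NEXT_HOP_OWNER[lookup(AR4_ROUTES, dst_ip)]
    return "ttl_expired", path


if __name__ == "__main__":
    print(forward("tcp", "10.10.10.10", 9980, blackhole=False))
    print(forward("tcp", "10.10.10.10", 22, blackhole=False))   # loops until the TTL expires
    print(forward("tcp", "10.10.10.10", 22, blackhole=True))    # discarded at the firewall
```

The mapped port is delivered with or without the black-hole route; only the unmapped port shows the difference, which is why the loop is easy to miss in a lab that only tests the published service.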
III. NAT Server public address in the same subnet as the virtual IP
1. Analysis
1.1. Active/standby
Bring up hot standby in active/standby mode as before. On FW1, the active device, configure a NAT Server that maps the internal server 10.0.0.4 to the public address 10.0.1.10, which is in the same subnet as the virtual IP of VRRP group 2 (10.0.1.1). The configuration is synchronised to FW2, the standby device.
When a packet from an external client to the internal server reaches the external router AR4, the destination 10.0.1.10 is on-link, so the router broadcasts an ARP request for 10.0.1.10 directly, with no next-hop lookup. Both firewalls now hold the NAT Server entry and both reply, each with the MAC address of its own interface. The router's ARP entry for 10.0.1.10 flaps between the two, so frames are sometimes sent to FW1 and sometimes to FW2, which disrupts the service.
The fix is to bind the NAT Server to a VRRP group so that only the firewall whose group is in Master state, FW1, answers the router's ARP request. A Huawei USG6000E binds a NAT Server to a VRRP group automatically; if several VRRP groups exist in the same subnet it binds to the one with the smallest VRID.
1.2. Load sharing
On top of 1.1, the binding now has to be configured by hand: the NAT Server 10.0.1.20 for server 10.0.0.5 is bound to VRRP group 2, and the NAT Server 10.0.1.30 for server 10.0.0.6 is bound to VRRP group 4.
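The ARP behaviour described in 1.1 and 1.2 as an added Python model, not code from the original post. It uses the post's VRIDs, virtual IPs and roles (FW1 active for groups 1 and 2, FW2 active for groups 3 and 4) and the two load-sharing mappings 10.0.1.20 and 10.0.1.30. The interface MACs are made up, and the assumption that a bound NAT Server is answered with the group's virtual MAC is mine, not stated by the post. The `load_sharing_plan` helper goes slightly beyond the text by deriving which firewall serves each public address from the bindings.

```python
"""Who answers an ARP request for a NAT Server global address in an HRP pair.

Added example, not code from the original post. VRIDs, virtual IPs and
active/standby roles are the post's load-sharing setup; the interface MACs
are made up, and replying with the VRRP virtual MAC once bound is an
assumption about the platform.
"""
import ipaddress

# Per-firewall state: (made-up) interface MAC on g1/0/1 and VRRP role per VRID.
FIREWALLS = {
    "FW1": {"mac": "00:e0:fc:00:00:01",
            "vrrp": {1: "active", 2: "active", 3: "standby", 4: "standby"}},
    "FW2": {"mac": "00:e0:fc:00:00:02",
            "vrrp": {1: "standby", 2: "standby", 3: "active", 4: "active"}},
}
# VRRP groups facing AR4 (g1/0/1): vrid -> virtual IP with the interface prefix (from the post).
UNTRUST_VRRP = {2: "10.0.1.1/24", 4: "10.0.1.10/24"}


def virtual_mac(vrid):
    """Standard VRRP virtual MAC 00-00-5e-00-01-{VRID}."""
    return f"00:00:5e:00:01:{vrid:02x}"


def on_link_groups(ip):
    """VRIDs whose virtual IP shares a subnet with ip, smallest first."""
    addr = ipaddress.ip_address(ip)
    return sorted(vrid for vrid, vip in UNTRUST_VRRP.items()
                  if addr in ipaddress.ip_network(vip, strict=False))


def auto_bind(global_ip):
    """The post's rule: auto-bind to the VRRP group with the smallest VRID in the
    global address's subnet; None when the address is in no VRRP subnet (section II case)."""
    groups = on_link_groups(global_ip)
    return groups[0] if groups else None


def arp_responders(global_ip, bound_vrid=None, auto_bind_enabled=True):
    """Return {firewall: MAC in its ARP reply} for 'who-has <global_ip>' from AR4.

    Off-link address: AR4 never ARPs for it, it routes to the VIP instead.
    No binding: every firewall holding the synced entry replies with its own
    interface MAC, so the router's ARP cache flaps between them.
    Bound: only the firewall whose group is active replies.
    """
    if not on_link_groups(global_ip):
        return {}
    vrid = bound_vrid
    if vrid is None and auto_bind_enabled:
        vrid = auto_bind(global_ip)
    if vrid is None:
        return {name: fw["mac"] for name, fw in FIREWALLS.items()}
    return {name: virtual_mac(vrid) for name, fw in FIREWALLS.items()
            if fw["vrrp"].get(vrid) == "active"}


def load_sharing_plan(bindings):
    """bindings: {global_ip: vrid}. Returns {global_ip: the single firewall that
    answers for it}, or None where the binding does not yield exactly one responder."""
    plan = {}
    for ip, vrid in bindings.items():
        who = arp_responders(ip, bound_vrid=vrid)
        plan[ip] = next(iter(who)) if len(who) == 1 else None
    return plan


if __name__ == "__main__":
    print(arp_responders("10.0.1.20", auto_bind_enabled=False))   # both reply: ARP flap
    print(arp_responders("10.0.1.20"))                             # auto-bound to vrid 2 -> FW1
    print(load_sharing_plan({"10.0.1.20": 2, "10.0.1.30": 4}))     # FW1 / FW2
```

Running the unbound case shows two replies with two different MACs, which is the flap the text describes; the bound cases collapse to one responder per address, and the two explicit bindings split the two servers across the two firewalls.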
2. Configuration (load-sharing example)
```
HRP_M[FW1]display current-configuration interface
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.1 active
 vrrp vrid 3 virtual-ip 10.0.0.4 standby
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.1.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.0.1.1 active
 vrrp vrid 4 virtual-ip 10.0.1.10 standby
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.10.0.1 255.255.255.0
#
HRP_M[FW1-zone-dmz]display this
2024-02-01 11:38:00.770
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
return
HRP_S[FW2]display current-configuration interface
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.1 standby
 vrrp vrid 3 virtual-ip 10.0.0.4 active
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.1.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.0.1.1 standby
 vrrp vrid 4 virtual-ip 10.0.1.10 active
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.10.0.2 255.255.255.0
#
```
```
[FW1-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.2
[FW2-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.1
[FW1]hrp enable
[FW2]hrp enable
```
```
// Both devices report active/active: load-sharing mode, each active for two of the four VRRP groups
HRP_M[FW1]display hrp state verbose
2024-02-01 11:36:20.280
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2024-02-01 11:35:47 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:               1000ms
 preempt:                      60s
 mirror configuration:         off
 mirror session:               off
 track trunk member:           on
 auto-sync configuration:      on
 auto-sync connection-status:  on
 adjust ospf-cost:             on
 adjust ospfv3-cost:           on
 adjust bgp-cost:              on
 nat resource:                 off

 Detail information:
 GigabitEthernet1/0/0 vrrp vrid 1: active
 GigabitEthernet1/0/1 vrrp vrid 2: active
 GigabitEthernet1/0/0 vrrp vrid 3: standby
 GigabitEthernet1/0/1 vrrp vrid 4: standby
 ospf-cost: +0
 ospfv3-cost: +0
 bgp-cost: +0
HRP_S[FW2]display hrp state verbose
2024-02-01 11:37:01.310
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 1 minutes
 Last state change information: 2024-02-01 11:35:46 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:               1000ms
 preempt:                      60s
 mirror configuration:         off
 mirror session:               off
 track trunk member:           on
 auto-sync configuration:      on
 auto-sync connection-status:  on
 adjust ospf-cost:             on
 adjust ospfv3-cost:           on
 adjust bgp-cost:              on
 nat resource:                 off

 Detail information:
 GigabitEthernet1/0/0 vrrp vrid 1: standby
 GigabitEthernet1/0/1 vrrp vrid 2: standby
 GigabitEthernet1/0/0 vrrp vrid 3: active
 GigabitEthernet1/0/1 vrrp vrid 4: active
 ospf-cost: +0
 ospfv3-cost: +0
 bgp-cost: +0
```
```
HRP_M[FW1-zone-dmz]firewall zone trust
HRP_M[FW1-zone-trust]display this
2024-02-01 11:39:10.900
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
return
HRP_M[FW1-zone-trust]firewall zone untrust
HRP_M[FW1-zone-untrust]display this
2024-02-01 11:39:25.290
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
return
// One policy covers both inside servers; as before, it matches the post-NAT inside addresses
HRP_M[FW1-policy-security-rule-policy1]display this
2024-02-01 11:42:05.470
#
rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.0.0.5 mask 255.255.255.255
  destination-address 10.0.0.6 mask 255.255.255.255
  service http
  action permit
#
return
```
Possibly because of an eNSP bug, I looked up the following configuration method but was unable to apply it; in theory the configuration is fine.
With that the configuration is complete: traffic to server 10.0.0.5 goes through FW1 and traffic to server 10.0.0.6 goes through FW2, which is load sharing.
Reference: 防火墙和VPN技术与实践 (Firewall and VPN Technologies and Practice), 李学昭 (Li Xuezhao)