防火墙双机热备与NAT Server结合使用

一、NAT Server知识回顾

NAT配置之目的NAT详解https://blog.csdn.net/Mario_Ti/article/details/135175030?spm=1001.2014.3001.5502

二、NAT Server公网地址与虚拟IP地址不在同一网段

1、分析过程

按照双机热备的配置方式开启双机热备之主备模式,在FW1即主用设备配置NAT Server,将内网服务器10.0.0.4转换成公网地址10.10.10.10,且与VRRP备份组2的虚拟IP地址不在同一网段(10.0.1.1),该配置会备份到FW2即备用设备,外网路由器一般情况下会配置一条默认路由下一跳为虚拟IP10.0.1.1。

当外网客户端访问内网服务器的报文到达外网路由器AR4,查看路由表发现下一跳为10.0.1.1,路由器发送广播ARP报文请求10.0.1.1的MAC地址,此时只有VRRP备份组为Master的防火墙会回应虚拟MAC地址,路由器使用虚拟MAC地址作为目的MAC地址封装报文,发送到交换机,交换机根据MAC地址表找到对应的接口发送给FW1即主用设备。

2、配置过程

java 复制代码
[FW1]interface g1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.0.0.1 active 
 
//配置VRRP备份组2
[FW1-GigabitEthernet1/0/0]interface g1/0/1
[FW1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.0.1.1 active
 
//配置心跳接口
[FW1-GigabitEthernet1/0/1]interface g1/0/2
[FW1-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.2
[FW1-GigabitEthernet1/0/3]hrp interface g1/0/3 remote 10.10.1.2
 
//划分区域
[FW1]firewall zone name dmz
[FW1-zone-dmz]add interface g1/0/2
[FW1-zone-dmz]add interface g1/0/3
 
//开启双机热备
[FW1]hrp enable
 
 
 
[FW2]interface g1/0/0	
[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.0.0.1 standby 
 
[FW2-GigabitEthernet1/0/0]interface g1/0/1
[FW2-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.0.1.1 standby 
 
[FW2-GigabitEthernet1/0/1]interface g1/0/2
[FW2-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.1
[FW2-GigabitEthernet1/0/3]hrp interface g1/0/3 remote 10.10.1.1
 
[FW2]firewall zone name dmz
[FW2-zone-dmz]add interface g1/0/2
[FW2-zone-dmz]add interface g1/0/3
 
[FW2]hrp enable
java 复制代码
[AR4]ip route-static 0.0.0.0 0 10.0.1.1

HRP_M[FW1-policy-security-rule-policy1]display this
2024-02-01 09:31:22.160 
#
 rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.0.0.4 mask 255.255.255.255
  service http
  action permit
#
return

HRP_S[FW2]display security-policy rule name policy1
2024-02-01 09:32:23.910 
 (0 times matched)
 rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.0.0.4 mask 255.255.255.255
  service http
  action permit

HRP_M[FW1]display ip routing-table 
2024-02-01 09:33:30.340 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   10.0.1.4        GigabitEthernet
1/0/1


HRP_S[FW2]display ip routing-table 
2024-02-01 09:34:58.930 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   10.0.1.4        GigabitEthernet
1/0/1
java 复制代码
HRP_M[FW1]nat server protocol tcp global 10.10.10.10 9980 inside 10.0.0.4 80

HRP_S[FW2]display nat server 
2024-02-01 09:37:31.140 
Server in private network information:
  Total   1 NAT server(s)
 server name   : 0                      
 id            : 0                      zone          : ---                    
 global-start-addr : 10.10.10.10        global-end-addr   : 10.10.10.10        
 inside-start-addr : 10.0.0.4           inside-end-addr   : 10.0.0.4           
 global-start-port : 9980               global-end-port   : 9980               
 inside-start-port : 80(www)            inside-end-port   : 80                 
 globalvpn     : public                 insidevpn     : public                 
 vsys          : public                 protocol      : tcp                    
 no-revers     : 0                      interface     : ---                    
 unr-route     : 0                      description   : ---                    
 nat-disable   : 0                      

HRP_M[FW1]display firewall server-map 
2024-02-01 09:40:19.930 
 Current Total Server-map : 2
 Type: Nat Server,  ANY -> 10.10.10.10:9980[10.0.0.4:80],  Zone:---,  protocol:t
cp
 Vpn: public -> public

 Type: Nat Server Reverse,  10.0.0.4[10.10.10.10] -> ANY,  Zone:---,  protocol:t
cp
 Vpn: public -> public,  counter: 1

HRP_M[FW1]

在主用设备上配置NAT Server,会备份到备用设备。

java 复制代码
HRP_M[FW1]display firewall session table 
2024-02-01 09:55:37.760 
 Current Total Sessions : 6
 udp  VPN: public --> public  10.10.0.2:16384 --> 10.10.0.1:18514
 http  VPN: public --> public  1.1.1.2:2056 --> 10.10.10.10:9980[10.0.0.4:80]
java 复制代码
HRP_M[FW1]ip route-static 10.10.10.10 32 NULL 0
HRP_S[FW2]ip route-static 10.10.10.10 32 NULL 0

开启黑洞路由,在不同网段可以起到防环的效果。

三、NAT Server公网地址与虚拟IP地址在同一网段

1、分析过程

1.1、主备备份

按照双机热备的配置方式开启双机热备之主备模式,在FW1即主用设备配置NAT Server,将内网服务器10.0.0.4转换成公网地址10.0.1.10,且与VRRP备份组2的虚拟IP地址在同一网段(10.0.1.1),该配置会备份到FW2即备用设备。

当外网客户端访问内网服务器的报文到达外网路由器AR4,路由器直接发送广播ARP报文请求10.0.1.1的MAC地址,此时两台防火墙均配置有NAT Server,两台防火墙均会回应自身接口的MAC地址,路由器将会JO里JO气,反复横跳,时而以FW1的接口MAC地址封装报文,时而以FW2的接口MAC地址封装报文,从而影响业务的正常运行。

此时需要启动NAT Server与VRRP备份组绑定,只有VRRP备份组状态为Master的防火墙FW1才会应答路由器的ARP请求。华为USG6000E防火墙会自动将NAT Server与VRRP备份组绑定,若同一网段有多个VRRP备份组,则自动绑定VRID最小的VRRP备份组。

1.2、负载分担

以1.1为前提,需要手动配置NAT Server与VRRP备份组绑定,服务器10.0.0.5对应的NAT Server:10.0.1.20绑定VRRP备份组2,服务器10.0.0.6对应的NAT Server:10.0.1.30绑定VRRP备份组4。

2、配置过程(以负载分担为例)

java 复制代码
HRP_M[FW1]display current-configuration interface 
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.1 active
 vrrp vrid 3 virtual-ip 10.0.0.4 standby
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.1.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.0.1.1 active
 vrrp vrid 4 virtual-ip 10.0.1.10 standby
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.10.0.1 255.255.255.0
#

HRP_M[FW1-zone-dmz]display this
2024-02-01 11:38:00.770 
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
return

HRP_S[FW2]display current-configuration interface 
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.1 standby
 vrrp vrid 3 virtual-ip 10.0.0.4 active
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.1.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.0.1.1 standby
 vrrp vrid 4 virtual-ip 10.0.1.10 active
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.10.0.2 255.255.255.0
#
java 复制代码
[FW1-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.2
 
[FW2-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.1
 
[FW1]hrp enable
 
[FW2]hrp enable
java 复制代码
HRP_M[FW1]display hrp state verbose 
2024-02-01 11:36:20.280 
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2024-02-01 11:35:47 HRP core state changed, old_
state = abnormal(standby), new_state = normal, local_priority = 45000, peer_prio
rity = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/0 vrrp vrid 1: active
           GigabitEthernet1/0/1 vrrp vrid 2: active
           GigabitEthernet1/0/0 vrrp vrid 3: standby
           GigabitEthernet1/0/1 vrrp vrid 4: standby
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0


HRP_S[FW2]display hrp state verbose 
2024-02-01 11:37:01.310 
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 1 minutes
 Last state change information: 2024-02-01 11:35:46 HRP core state changed, old_
state = abnormal(active), new_state = normal, local_priority = 45000, peer_prior
ity = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/0 vrrp vrid 1: standby
           GigabitEthernet1/0/1 vrrp vrid 2: standby
           GigabitEthernet1/0/0 vrrp vrid 3: active
           GigabitEthernet1/0/1 vrrp vrid 4: active
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0
java 复制代码
HRP_M[FW1-zone-dmz]firewall zone trust
HRP_M[FW1-zone-trust]display this
2024-02-01 11:39:10.900 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
return
HRP_M[FW1-zone-trust]firewall zone untrust
HRP_M[FW1-zone-untrust]display this
2024-02-01 11:39:25.290 
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
return

HRP_M[FW1-policy-security-rule-policy1]display this
2024-02-01 11:42:05.470 
#
 rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.0.0.5 mask 255.255.255.255
  destination-address 10.0.0.6 mask 255.255.255.255
  service http
  action permit
#
return

可能是ENSP本身BUG问题,查看了一下以下配置方法,但是无法配置,但理论上配置是没有为你的。

此时配置即可完成,访问服务器10.0.0.5通过FW1,访问服务器10.0.0.6通过FW2,即负载分担。


参考资料:防火墙和VPN技术与实践------李学昭

相关推荐
ac.char2 分钟前
在 Ubuntu 上安装 Yarn 环境
linux·运维·服务器·ubuntu
敲上瘾3 分钟前
操作系统的理解
linux·运维·服务器·c++·大模型·操作系统·aigc
Koi慢热1 小时前
路由基础(全)
linux·网络·网络协议·安全
传而习乎1 小时前
Linux:CentOS 7 解压 7zip 压缩的文件
linux·运维·centos
soulteary1 小时前
突破内存限制:Mac Mini M2 服务器化实践指南
运维·服务器·redis·macos·arm·pika
运维&陈同学2 小时前
【zookeeper01】消息队列与微服务之zookeeper工作原理
运维·分布式·微服务·zookeeper·云原生·架构·消息队列
是阿建吖!2 小时前
【Linux】进程状态
linux·运维
hzyyyyyyyu3 小时前
内网安全隧道搭建-ngrok-frp-nps-sapp
服务器·网络·安全
明明跟你说过3 小时前
Linux中的【tcpdump】:深入介绍与实战使用
linux·运维·测试工具·tcpdump