Firewall Dual-Device Hot Standby Combined with NAT Server

I. NAT Server knowledge review

NAT configuration: destination NAT explained: https://blog.csdn.net/Mario_Ti/article/details/135175030?spm=1001.2014.3001.5502

II. NAT Server public address and virtual IP address not in the same subnet

1. Analysis

Enable hot standby in active/standby mode following the standard dual-device configuration. On FW1 (the active device), configure a NAT Server that translates the internal server 10.0.0.4 to the public address 10.10.10.10, which is not in the same subnet as the virtual IP address of VRRP group 2 (10.0.1.1). This configuration is backed up to FW2 (the standby device). The external router normally carries a default route whose next hop is the virtual IP 10.0.1.1.

When a packet from an external client to the internal server reaches the external router AR4, the router looks up its routing table and finds the next hop 10.0.1.1. It broadcasts an ARP request for the MAC address of 10.0.1.1; only the firewall whose VRRP group is in the Master state answers, with the virtual MAC address. The router encapsulates the packet with the virtual MAC as destination MAC and sends it to the switch, which looks up its MAC address table and forwards the packet out the matching port to FW1, the active device.

2. Configuration

//configure VRRP group 1
[FW1]interface g1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.0.0.1 active 
 
//configure VRRP group 2
[FW1-GigabitEthernet1/0/0]interface g1/0/1
[FW1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.0.1.1 active
 
//configure the heartbeat interfaces
[FW1-GigabitEthernet1/0/1]interface g1/0/2
[FW1-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.2
[FW1-GigabitEthernet1/0/3]hrp interface g1/0/3 remote 10.10.1.2
 
//assign the heartbeat interfaces to a zone
[FW1]firewall zone name dmz
[FW1-zone-dmz]add interface g1/0/2
[FW1-zone-dmz]add interface g1/0/3
 
//enable hot standby
[FW1]hrp enable
 
 
 
[FW2]interface g1/0/0	
[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.0.0.1 standby 
 
[FW2-GigabitEthernet1/0/0]interface g1/0/1
[FW2-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.0.1.1 standby 
 
[FW2-GigabitEthernet1/0/1]interface g1/0/2
[FW2-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.1
[FW2-GigabitEthernet1/0/3]hrp interface g1/0/3 remote 10.10.1.1
 
[FW2]firewall zone name dmz
[FW2-zone-dmz]add interface g1/0/2
[FW2-zone-dmz]add interface g1/0/3
 
[FW2]hrp enable

[AR4]ip route-static 0.0.0.0 0 10.0.1.1

HRP_M[FW1-policy-security-rule-policy1]display this
2024-02-01 09:31:22.160 
#
 rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.0.0.4 mask 255.255.255.255
  service http
  action permit
#
return

HRP_S[FW2]display security-policy rule name policy1
2024-02-01 09:32:23.910 
 (0 times matched)
 rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.0.0.4 mask 255.255.255.255
  service http
  action permit

HRP_M[FW1]display ip routing-table 
2024-02-01 09:33:30.340 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   10.0.1.4        GigabitEthernet1/0/1


HRP_S[FW2]display ip routing-table 
2024-02-01 09:34:58.930 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   10.0.1.4        GigabitEthernet1/0/1

HRP_M[FW1]nat server protocol tcp global 10.10.10.10 9980 inside 10.0.0.4 80

HRP_S[FW2]display nat server 
2024-02-01 09:37:31.140 
Server in private network information:
  Total   1 NAT server(s)
 server name   : 0                      
 id            : 0                      zone          : ---                    
 global-start-addr : 10.10.10.10        global-end-addr   : 10.10.10.10        
 inside-start-addr : 10.0.0.4           inside-end-addr   : 10.0.0.4           
 global-start-port : 9980               global-end-port   : 9980               
 inside-start-port : 80(www)            inside-end-port   : 80                 
 globalvpn     : public                 insidevpn     : public                 
 vsys          : public                 protocol      : tcp                    
 no-revers     : 0                      interface     : ---                    
 unr-route     : 0                      description   : ---                    
 nat-disable   : 0                      

HRP_M[FW1]display firewall server-map 
2024-02-01 09:40:19.930 
 Current Total Server-map : 2
 Type: Nat Server,  ANY -> 10.10.10.10:9980[10.0.0.4:80],  Zone:---,  protocol:tcp
 Vpn: public -> public

 Type: Nat Server Reverse,  10.0.0.4[10.10.10.10] -> ANY,  Zone:---,  protocol:tcp
 Vpn: public -> public,  counter: 1

HRP_M[FW1]

A NAT Server configured on the active device is backed up to the standby device.

HRP_M[FW1]display firewall session table 
2024-02-01 09:55:37.760 
 Current Total Sessions : 6
 udp  VPN: public --> public  10.10.0.2:16384 --> 10.10.0.1:18514
 http  VPN: public --> public  1.1.1.2:2056 --> 10.10.10.10:9980[10.0.0.4:80]

HRP_M[FW1]ip route-static 10.10.10.10 32 NULL 0
HRP_S[FW2]ip route-static 10.10.10.10 32 NULL 0

Adding the blackhole route prevents routing loops when the NAT Server public address is in a different subnet: traffic to 10.10.10.10 that does not match the NAT Server mapping is discarded on the firewall instead of being sent back out the default route to AR4.
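The loop the blackhole route prevents can be shown with a small longest-prefix-match model of the two routing tables. This is an added illustration, not code from the article or from Huawei: the firewall table is taken from the `display ip routing-table` output above, the NAT Server mapping is the article's tcp 10.10.10.10:9980 entry, and AR4's table is a constructed one containing only its connected subnet and the default route to the VIP 10.0.1.1.

```python
"""Longest-prefix-match model of the article's routing tables, showing why
the /32 NULL0 blackhole route matters when the NAT Server public address
(10.10.10.10) is not on any connected subnet.  Added illustration, not
Huawei code; AR4's table is constructed from the article's default route."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, next hop); "connected" and "NULL0" are special

# Firewall routes: the default route from 'display ip routing-table' plus
# the two connected subnets.
FW_ROUTES: List[Route] = [
    ("10.0.0.0/24", "connected"),   # trust side, server 10.0.0.4
    ("10.0.1.0/24", "connected"),   # untrust side, VRRP VIP 10.0.1.1
    ("0.0.0.0/0", "10.0.1.4"),      # default route to AR4
]
BLACKHOLE: Route = ("10.10.10.10/32", "NULL0")

# Constructed: AR4 knows only its connected subnet and the default to the VIP.
AR4_ROUTES: List[Route] = [
    ("10.0.1.0/24", "connected"),
    ("0.0.0.0/0", "10.0.1.1"),
]


def nat_server_matches(proto: str, dst_port: int) -> bool:
    """The article's NAT Server entry: tcp 10.10.10.10:9980 -> 10.0.0.4:80."""
    return proto == "tcp" and dst_port == 9980


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: return the next hop of the most specific route."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for prefix, nh in routes:
        net = ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = nh, net.prefixlen
    return best


def firewall_action(routes: List[Route], proto: str, dst_port: int) -> str:
    """A packet for 10.10.10.10 either hits the NAT Server mapping and is
    translated, or falls through to ordinary routing."""
    if nat_server_matches(proto, dst_port):
        return "translate to 10.0.0.4:80"
    nh = lookup(routes, "10.10.10.10")
    return "drop (NULL0)" if nh == "NULL0" else f"forward to {nh}"


def trace(fw_routes: List[Route], proto: str, dst_port: int, max_hops: int = 8) -> List[str]:
    """Follow a packet for 10.10.10.10 between AR4 and the firewall.
    A trace that reaches max_hops is a routing loop (on real devices it
    ends only when the TTL expires)."""
    hops: List[str] = []
    node = "AR4"
    while len(hops) < max_hops:
        if node == "AR4":
            nh = lookup(AR4_ROUTES, "10.10.10.10")
            hops.append(f"AR4 -> {nh}")
            node = "FW"                       # 10.0.1.1 is answered by the HRP master
        else:
            action = firewall_action(fw_routes, proto, dst_port)
            hops.append(f"FW: {action}")
            if not action.startswith("forward to 10.0.1.4"):
                break
            node = "AR4"                      # default route hands it back to AR4
    return hops


def is_loop(hops: List[str], max_hops: int = 8) -> bool:
    return len(hops) >= max_hops


if __name__ == "__main__":
    print("tcp/9980, no blackhole :", trace(FW_ROUTES, "tcp", 9980))
    print("udp/53,   no blackhole :", trace(FW_ROUTES, "udp", 53))
    print("udp/53,   with blackhole:", trace(FW_ROUTES + [BLACKHOLE], "udp", 53))
```

A TCP packet to port 9980 is translated on the first pass either way; a packet to 10.10.10.10 on any other port or protocol bounces between AR4 and the firewall until the /32 NULL0 route, being more specific than the default, discards it on the firewall.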

III. NAT Server public address and virtual IP address in the same subnet

1. Analysis

1.1 Active/standby backup

Enable hot standby in active/standby mode following the standard dual-device configuration. On FW1 (the active device), configure a NAT Server that translates the internal server 10.0.0.4 to the public address 10.0.1.10, which is in the same subnet as the virtual IP address of VRRP group 2 (10.0.1.1). This configuration is backed up to FW2 (the standby device).

When a packet from an external client to the internal server reaches the external router AR4, the router directly broadcasts an ARP request for the MAC address of 10.0.1.1. Both firewalls now hold the NAT Server configuration, so both answer with the MAC address of their own interface. The router then flip-flops between the two, encapsulating packets sometimes with FW1's interface MAC and sometimes with FW2's, which disrupts normal service.

The NAT Server therefore has to be bound to a VRRP group, so that only the firewall whose VRRP group is in the Master state (FW1) answers the router's ARP request. Huawei USG6000E firewalls bind a NAT Server to a VRRP group automatically; if several VRRP groups exist on the same subnet, the NAT Server is bound to the group with the smallest VRID.

1.2 Load sharing

Building on 1.1, the NAT Server to VRRP group binding has to be configured manually: the NAT Server 10.0.1.20 for server 10.0.0.5 is bound to VRRP group 2, and the NAT Server 10.0.1.30 for server 10.0.0.6 is bound to VRRP group 4.
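The ARP behaviour behind sections 1.1 and 1.2 (and the VIP lookup of section II) can be modelled in a few lines: each firewall decides whether to answer an ARP request based on its own interface address, the Master/Backup state of its VRRP groups, and the NAT Server-to-VRRP binding. This is an added illustration, not code from the article or from Huawei. Addresses follow the article except that VRRP group 4 is given the constructed VIP 10.0.1.11 so it does not collide with the NAT Server address 10.0.1.10 used in the analysis; the automatic binding rule is the one the article states (smallest VRID on the same subnet).

```python
"""Model of which firewall answers an ARP request on the untrust subnet,
given the VRRP state of each group and the NAT Server-to-VRRP binding.
Added illustration, not Huawei code.  Addresses follow the article except
that VRRP group 4 is given the constructed VIP 10.0.1.11 so it does not
collide with the NAT Server address 10.0.1.10 used in the analysis."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Firewall:
    name: str
    interface_ip: str             # physical address of the untrust interface
    subnet: str                   # untrust interface subnet
    vrrp_state: Dict[int, str]    # vrid -> "active" / "standby"
    vrrp_vips: Dict[int, str] = field(default_factory=dict)              # vrid -> VIP
    nat_servers: Dict[str, Optional[int]] = field(default_factory=dict)  # global addr -> bound vrid

    def answers_arp(self, target: str) -> bool:
        """True if this firewall would reply to an ARP request for target."""
        if target == self.interface_ip:
            return True
        for vrid, vip in self.vrrp_vips.items():
            if target == vip:                     # VIP: only the Master replies
                return self.vrrp_state.get(vrid) == "active"
        if target in self.nat_servers:
            if ip_address(target) not in ip_network(self.subnet, strict=False):
                return False                      # off-subnet global address is routed, not ARPed
            bound = self.nat_servers[target]
            if bound is None:
                return True                       # unbound: every firewall holding the entry replies
            return self.vrrp_state.get(bound) == "active"
        return False


def arp_responders(firewalls: List[Firewall], target: str) -> List[str]:
    return [fw.name for fw in firewalls if fw.answers_arp(target)]


def auto_bind(fw: Firewall) -> None:
    """The USG6000E behaviour the article describes: an unbound NAT Server is
    bound to the VRRP group with the smallest VRID on the same subnet."""
    net = ip_network(fw.subnet, strict=False)
    same_subnet_vrids = sorted(v for v, vip in fw.vrrp_vips.items() if ip_address(vip) in net)
    for addr, bound in fw.nat_servers.items():
        if bound is None and same_subnet_vrids:
            fw.nat_servers[addr] = same_subnet_vrids[0]


def build_topology():
    """FW1 is Master of group 2, FW2 is Master of group 4 (article section III)."""
    vips = {2: "10.0.1.1", 4: "10.0.1.11"}   # 10.0.1.11 is a constructed value
    fw1 = Firewall("FW1", "10.0.1.2", "10.0.1.0/24", {2: "active", 4: "standby"}, dict(vips))
    fw2 = Firewall("FW2", "10.0.1.3", "10.0.1.0/24", {2: "standby", 4: "active"}, dict(vips))
    return fw1, fw2


def unbound_same_subnet() -> List[str]:
    """Section 1.1 before binding: HRP has backed up the NAT Server to both."""
    fw1, fw2 = build_topology()
    for fw in (fw1, fw2):
        fw.nat_servers["10.0.1.10"] = None
    return arp_responders([fw1, fw2], "10.0.1.10")      # both reply -> flapping


def auto_bound_same_subnet() -> List[str]:
    """Section 1.1 after automatic binding to the smallest VRID (group 2)."""
    fw1, fw2 = build_topology()
    for fw in (fw1, fw2):
        fw.nat_servers["10.0.1.10"] = None
        auto_bind(fw)
    return arp_responders([fw1, fw2], "10.0.1.10")      # only the group-2 Master


def load_sharing() -> Dict[str, List[str]]:
    """Section 1.2: 10.0.1.20 bound to group 2, 10.0.1.30 bound to group 4."""
    fw1, fw2 = build_topology()
    for fw in (fw1, fw2):
        fw.nat_servers.update({"10.0.1.20": 2, "10.0.1.30": 4})
    return {a: arp_responders([fw1, fw2], a) for a in ("10.0.1.20", "10.0.1.30")}


if __name__ == "__main__":
    print("VIP 10.0.1.1            :", arp_responders(list(build_topology()), "10.0.1.1"))
    print("10.0.1.10 unbound       :", unbound_same_subnet())
    print("10.0.1.10 auto-bound    :", auto_bound_same_subnet())
    print("load sharing            :", load_sharing())
```

The unbound case is the flapping situation from 1.1 (two responders); once bound, only the Master of the bound group answers, which is what makes the per-address split in 1.2 work.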

2. Configuration (load sharing as the example)

HRP_M[FW1]display current-configuration interface 
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.1 active
 vrrp vrid 3 virtual-ip 10.0.0.4 standby
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.1.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.0.1.1 active
 vrrp vrid 4 virtual-ip 10.0.1.10 standby
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.10.0.1 255.255.255.0
#

HRP_M[FW1-zone-dmz]display this
2024-02-01 11:38:00.770 
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
return

HRP_S[FW2]display current-configuration interface 
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.1 standby
 vrrp vrid 3 virtual-ip 10.0.0.4 active
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.1.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.0.1.1 standby
 vrrp vrid 4 virtual-ip 10.0.1.10 active
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.10.0.2 255.255.255.0
#

[FW1-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.2
 
[FW2-GigabitEthernet1/0/2]hrp interface g1/0/2 remote 10.10.0.1
 
[FW1]hrp enable
 
[FW2]hrp enable

HRP_M[FW1]display hrp state verbose 
2024-02-01 11:36:20.280 
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 0 minutes
 Last state change information: 2024-02-01 11:35:47 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/0 vrrp vrid 1: active
           GigabitEthernet1/0/1 vrrp vrid 2: active
           GigabitEthernet1/0/0 vrrp vrid 3: standby
           GigabitEthernet1/0/1 vrrp vrid 4: standby
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0


HRP_S[FW2]display hrp state verbose 
2024-02-01 11:37:01.310 
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 1 minutes
 Last state change information: 2024-02-01 11:35:46 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.

 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        off
 mirror session:              off
 track trunk member:          on
 auto-sync configuration:     on
 auto-sync connection-status: on
 adjust ospf-cost:            on
 adjust ospfv3-cost:          on
 adjust bgp-cost:             on
 nat resource:                off

 Detail information:
           GigabitEthernet1/0/0 vrrp vrid 1: standby
           GigabitEthernet1/0/1 vrrp vrid 2: standby
           GigabitEthernet1/0/0 vrrp vrid 3: active
           GigabitEthernet1/0/1 vrrp vrid 4: active
                                  ospf-cost: +0
                                ospfv3-cost: +0
                                   bgp-cost: +0

HRP_M[FW1-zone-dmz]firewall zone trust
HRP_M[FW1-zone-trust]display this
2024-02-01 11:39:10.900 
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
return
HRP_M[FW1-zone-trust]firewall zone untrust
HRP_M[FW1-zone-untrust]display this
2024-02-01 11:39:25.290 
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
return

HRP_M[FW1-policy-security-rule-policy1]display this
2024-02-01 11:42:05.470 
#
 rule name policy1
  source-zone untrust
  destination-zone trust
  destination-address 10.0.0.5 mask 255.255.255.255
  destination-address 10.0.0.6 mask 255.255.255.255
  service http
  action permit
#
return

This may be a bug in eNSP itself: I looked up the configuration method below, but it could not be configured; in theory, though, the configuration is fine.

With this the configuration is complete: access to server 10.0.0.5 goes through FW1 and access to server 10.0.0.6 goes through FW2, which is load sharing.


Reference: 《防火墙和VPN技术与实践》 (Firewall and VPN Technology and Practice), Li Xuezhao
