Kayan Haber Alanı
Başlangıç / Huawei / Network Address Translation (NAT) Huawei

Network Address Translation (NAT) Huawei

  1. Cihaz isim ve ip address yapılandırması.
    [Huawei]sysname Router1
    [Router1]interface GigabitEthernet 0/0/1
    [Router1-GigabitEthernet0/0/1]ip address 10.0.4.1 24
[Huawei]sysname Router3
[Router3]interface GigabitEthernet 0/0/2
[Router3-GigabitEthernet0/0/2]ip address 10.0.6.3 24

[Huawei]sysname Switch1
[Switch1]vlan 4
[Switch1-vlan4]quit
[Switch1]interface vlanif 4
[Switch1-Vlanif4]ip address 10.0.4.254 24
[Switch1-Vlanif4]quit

[Huawei]sysname Switch2
[Switch2]vlan 6
[Switch2-vlan6]quit
[Switch2]interface vlanif 6
[Switch2-Vlanif6]ip address 10.0.6.254 24
[Switch2-Vlanif6]quit

  1. Switch1 ve Switch2 için Vlan oluşturalım.
    [Switch1]interface GigabitEthernet 0/0/1
    [Switch1-GigabitEthernet0/0/1]port link-type trunk
    [Switch1-GigabitEthernet0/0/1]port trunk pvid vlan 4
    [Switch1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
    [Switch1-GigabitEthernet0/0/1]quit
[Switch2]interface GigabitEthernet 0/0/2
[Switch2-GigabitEthernet0/0/2]port link-type trunk
[Switch2-GigabitEthernet0/0/2]port trunk pvid vlan 6
[Switch2-GigabitEthernet0/0/2]port trunk allow-pass vlan all

[Router1]interface GigabitEthernet 0/0/0
[Router1-GigabitEthernet0/0/0]ip address 119.84.111.1 24

[Router3]interface GigabitEthernet 0/0/0
[Router3-GigabitEthernet0/0/0]ip address 119.84.111.3 24

Router1’in Switch1 ve Router3 ile bağlantısını kontrol edelim.
ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=255 time=150 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=255 time=30 ms
— 10.0.4.254 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/62/150 ms

ping 119.84.111.3
PING 119.84.111.3: 56 data bytes, press CTRL_C to break
Reply from 119.84.111.3: bytes=56 Sequence=1 ttl=255 time=170 ms
Reply from 119.84.111.3: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 119.84.111.3: bytes=56 Sequence=3 ttl=255 time=90 ms
Reply from 119.84.111.3: bytes=56 Sequence=4 ttl=255 time=90 ms
Reply from 119.84.111.3: bytes=56 Sequence=5 ttl=255 time=90 ms
— 119.84.111.3 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/102/170 ms

  1. Router1 ve Router3 cihazları için Access Control List konfigürasyonu oluşturalım.
    Router1 cihazı için advance bir ACL konfigürasyonu oluşturalım ve Switch1 source’unu data flow seçelim , Router3 destination ve telnet servis noktasına kadar izin verelim.
    [Router1]acl 3000
    [Router1-acl-adv-3000]rule 5 permit tcp source 10.0.4.254 0.0.0.0 destination 119.84.111.3 0.0.0.0 destination-port eq 23
    [Router1-acl-adv-3000]rule 10 permit ip source 10.0.4.0 0.0.0.255 destination any
    [Router1-acl-adv-3000]rule 15 deny ip

Router3 cihazı için basic bir ACL konfigürasyonu oluşturalım ve data flaw source IP address 10.0.6.0/24 yazalım.
[Router3]acl 2000
[Router3-acl-basic-2000]rule permit source 10.0.6.0 0.0.0.255

  1. Dynamic NAT konfigürasyonu.

Switch1 ve Switch2 cihazları için static route yapılandıralım.
[Switch1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.1

[Switch2]ip route-static 0.0.0.0 0.0.0.0 10.0.6.3

Router1 cihazı interface G0/0/0 için dynamic NAT’ı yapılandıralım.
[Router1]nat address-group 1 119.84.111.240 119.84.111.243
[Router1]interface GigabitEthernet 0/0/0
[Router1-GigabitEthernet0/0/0]nat outbound 3000 address-group 1

Router3 cihazınıda telnet server olarak yapılandıralım.
[Router3]user-interface vty 0 4
[Router3-ui-vty0-4]authentication-mode password
[Router3-ui-vty0-4]set authentication password cipher huawei
[Router3-ui-vty0-4]quit

Adres grubunun doğru yapılandırıldıgını kontrol edelim.

display nat address-groupNAT Address-Group Information:————————————–
Index Start-address End-address
————————————–
1 119.84.111.240 119.84.111.243
————————————–Total : 1

Konfigürasyonmuzun çalıştıgını kontrol edelim.
ping 119.84.111.3PING 119.84.111.3: 56 data bytes, press CTRL_C to breakReply from 119.84.111.3: bytes=56 Sequence=1 ttl=255 time=170 ms
Reply from 119.84.111.3: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 119.84.111.3: bytes=56 Sequence=3 ttl=255 time=90 ms
Reply from 119.84.111.3: bytes=56 Sequence=4 ttl=255 time=90 ms
Reply from 119.84.111.3: bytes=56 Sequence=5 ttl=255 time=90 ms
— 119.84.111.3 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/102/170 ms

Sonuç..
display current-configuration#sysname Router1#
firewall-nat session icmp aging-time 300
#
nat address-group 1 119.84.111.240 119.84.111.243
#
acl number 3000
rule 5 permit tcp source 10.0.4.254 0 destination 119.84.111.3 0 destination-port eq telnet
rule 10 permit ip source 10.0.4.0 0.0.0.255
rule 15 deny ip
#
interface GigabitEthernet0/0/0
ip address 119.84.111.1 255.255.255.0
nat outbound 3000 address-group 1
#
interface GigabitEthernet0/0/1
ip address 10.0.4.1 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return

display current-configuration#sysname Switch1#
vlan batch 4
#
interface Vlanif4
ip address 10.0.4.254 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 4
port trunk allow-pass vlan 2 to 4094
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.1
#
user-interface con 0
user-interface vty 0 4
#
return

display current-configuration
#
sysname Switch2
#
vlan batch 6
#
interface Vlanif6
ip address 10.0.6.254 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 6
port trunk allow-pass vlan 2 to 4094
#
ip route-static 0.0.0.0 0.0.0.0 10.0.6.3
#
user-interface con 0
user-interface vty 0 4
#
return

disply current-configuration
#
sysname Router3
#
acl number 2000
rule 5 permit source 10.0.6.0 0.0.0.255
#
interface GigabitEthernet0/0/0
ip address 119.84.111.3 255.255.255.0
nat outbound 2000
#
interface GigabitEthernet0/0/2
ip address 10.0.6.3 255.255.255.0
#
user-interface con 0
user-interface vty 0 4
set authentication password cipher BF8HNYzg(UajUn1vMEIBsZw#
user-interface vty 16 20
#
return

Hakkında: Cem Kemal Erbaş

Kontrol Ediliyor

Next Generation Firewall (NGFW) Huawei

Next Generation Firewall (NGFW) üzerinden geçen trafiği, Application identification, User identification ve Content identification temellerine …

Bir cevap yazın