Huawei HCIA (HCNA) Certification Training Exam Assignment: NAT Applications and IPsec VPN
- Qianyitang (乾颐堂) Ande (Zhou Yajun), HCIE#2198
1. NAT
Static NAT
nat static global 202.100.1.251 inside 10.1.1.250 netmask 255.255.255.255 // the whole IP protocol stack is translated (every protocol and every port)
1.1 NAT server
Assignment 1
NAT server (translates one specific protocol and port) is used to publish a single application of an internal server to the public network.
202.100.1.254 --> 202.100.1.X:2323 is translated to 10.1.1.250:23
nat server protocol tcp global 202.100.1.251 2323 inside 10.1.1.250 23
Test:
<Server-R2>telnet 202.100.1.251 2323 // from the outside, connect to the port published on the public address
Press CTRL_] to quit telnet mode
Trying 202.100.1.251 ...
Connected to 202.100.1.251 ...
Login authentication
Password:
<R3>
Verification:
[R1-Gateway]display nat session protocol tcp
NAT Session Table Information:
Protocol : TCP(6)
SrcAddr Port Vpn : 202.100.1.1 6599
DestAddr Port Vpn : 202.100.1.251 4873
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 10.1.1.250
New DestPort : 5888
Protocol : TCP(6)
SrcAddr Port Vpn : 202.100.1.1 52929
DestAddr Port Vpn : 202.100.1.251 4873
NAT-Info
New SrcAddr : ----
New SrcPort : ----
New DestAddr : 10.1.1.250
New DestPort : 5888
Total : 2
<R3>dis tcp status
TCPCB Tid/Soid Local Add:port Foreign Add:port VPNID State
b4b7df58 6 /1 0.0.0.0:23 0.0.0.0:0 23553 Listening
b4b7e324 6 /4 10.1.1.250:23 202.100.1.1:49614 0 Established
R3 must first have a route towards 202.100.1.254; without that route the return packets are dropped.
1.2 Easy IP (PAT, port and address translation)
Assignment 2
Define an ACL that specifies which hosts may be translated: only translated hosts can reach the Internet, and hosts not covered by the ACL cannot. Then apply easy IP on the outbound interface.
Purpose: reuse of one public address and its ports.
acl number 2000
description NAT
rule 10 permit source 10.1.1.250 0
[R1-Gateway-Dialer1]nat outbound 2000 // apply easy IP under the interface
[R1-Gateway]dis nat outbound
NAT Outbound Information:
--------------------------------------------------------------------------
Interface Acl Address-group/IP/Interface Type
--------------------------------------------------------------------------
Dialer1 2000 202.100.1.254 easyip
--------------------------------------------------------------------------
Total : 1
[R1-Gateway]dis acl 2000
Basic ACL 2000, 1 rule
NAT
Acl's step is 5
rule 10 permit source 10.1.1.250 0
During normal forwarding a packet's source and destination IP do not change; only the source and destination MAC are re-encapsulated when it crosses a network segment. With easy IP the source IP is rewritten:
10.1.1.250 -> 202.100.1.1
after translation
202.100.1.254 -> 202.100.1.1
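An added example that is not part of the handout: a small Python model of the three NAT behaviours configured in sections 1 to 1.2 (static NAT, NAT server, easy IP with ACL 2000), using the handout's own addresses. The session table is keyed on protocol and outside port only, a simplification of the router's full 5-tuple lookup.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
# nat static global 202.100.1.251 inside 10.1.1.250: every protocol and port
STATIC = {"202.100.1.251": "10.1.1.250"}
# nat server protocol tcp global 202.100.1.251 2323 inside 10.1.1.250 23
SERVER = {("tcp", "202.100.1.251", 2323): ("10.1.1.250", 23)}
# acl 2000, rule 10 permit source 10.1.1.250 0 (nobody else is translated)
ACL_2000 = [("permit", ip_network("10.1.1.250/32"))]
DIALER1_IP = "202.100.1.254"   # easy IP borrows the outbound interface address

def static_nat_inbound(pkt):
    """Static NAT: rewrite the global destination for any protocol or port."""
    inside = STATIC.get(pkt.dst)
    return replace(pkt, dst=inside) if inside else None

def nat_server_inbound(pkt):
    """NAT server: only the published protocol+port pair reaches the inside."""
    hit = SERVER.get((pkt.proto, pkt.dst, pkt.dport))
    return replace(pkt, dst=hit[0], dport=hit[1]) if hit else None

class EasyIP:
    """PAT on the interface address; the ACL decides who gets translated."""
    def __init__(self, acl, outside_ip, first_port=10000):
        self.acl, self.outside_ip, self.next_port = acl, outside_ip, first_port
        self.sessions = {}  # (proto, outside port) -> (inside ip, inside port)

    def _permitted(self, src):
        for action, net in self.acl:  # first matching rule wins
            if ip_address(src) in net:
                return action == "permit"
        return False                  # not in the ACL: not translated

    def outbound(self, pkt):
        if not self._permitted(pkt.src):
            return None               # untranslated host cannot reach the Internet
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt):
        """Reply traffic maps back only when a session exists."""
        hit = self.sessions.get((pkt.proto, pkt.dport))
        return replace(pkt, dst=hit[0], dport=hit[1]) if hit else None
```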
2. ACL
Many uses: a. applied to traffic, b. applied to the routing table.
When a Huawei ACL is used to match traffic, there is an implicit permit-all at the end (a Cisco ACL ends with an implicit deny any).
interface GigabitEthernet0/0/2
ip address 10.1.1.254 255.255.255.0
traffic-filter inbound acl 2001
3. IPsec VPN
LAN-to-LAN IPsec VPN
Basic modes: tunnel mode and transport mode
3.1 Routing is the most important part!
The encryption/decryption point (the VPN gateway) needs routes:
a. to the peer encryption/decryption point (directly connected)
b. to the local communication point (directly connected)
c. to the peer communication point (static default route)
3.2 IPsec SPD, proposal and IPsec policy
[R1-Gateway-acl-adv-3000]rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
!
ipsec proposal QYT
esp authentication-algorithm sha1
!
ipsec policy QYT-VPN 10 manual
security acl 3000
proposal QYT
tunnel local 202.100.1.1
tunnel remote 202.100.1.254
sa spi inbound esp 54321
sa string-key inbound esp simple huawei
sa spi outbound esp 12345
sa string-key outbound esp simple huawei
[Server-R2]dis ipsec sa
===============================
Interface: GigabitEthernet0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "QYT-VPN"
Sequence number : 10
Acl Group : 3000
Acl rule : 0
Mode : Manual
-----------------------------
Encapsulation mode: Tunnel
Tunnel local : 202.100.1.1
Tunnel remote : 202.100.1.254
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
[Inbound ESP SAs]
SPI: 54321 (0xd431)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
[R1-Gateway]display ipsec statistics esp
Inpacket count : 0
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 12
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
InSAAclCheckFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
How are NAT and IPsec applied at the same time?
3.3 Application
int dial 1
ipsec policy QYT-VPN // apply the policy on the interface