Firewall basics: web-page configuration of source NAT address translation and server mapping
2022-06-27 15:57:00 【51CTO】
Firewall NAT configuration
Principle overview:
Source NAT address translation:
Source NAT (NAT based on the source IP address) rewrites the source address in the IP header of the packets that initiate a connection. It lets internal users reach the external network: the private addresses of internal hosts are translated to public addresses, so that many hosts on a LAN share a few legitimate public addresses when accessing external resources. This also hides the real IP addresses of the LAN hosts, which gives a degree of protection. Because the internal zone normally has a higher security level than the external zone, this use of NAT is also called NAT Outbound.
Configuring NAT No-PAT
NAT No-PAT is NAT that does not translate ports. With the No-PAT parameter configured, the device maps every port of the pre-translation address one-to-one to the same port of the post-translation address. The advantage is that none of the intranet address's ports are changed; the disadvantage is that, while the mapping exists, the public address cannot be shared with other intranet addresses, so the address pool must hold at least as many addresses as there are simultaneously active hosts.
Configuring NAPT
NAPT translates the port number together with the IP address, which lets many intranet users share one public IP address. In NAPT mode the device can also borrow the IP address of its interface toward the external network as the translated address; this borrowed-interface-address form of NAT is called easy-ip.
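The three source NAT variants described above, written out as USG6000-style CLI for this page's topology (the trust segment 192.168.10.0/24 leaves through GigabitEthernet1/0/2, 11.1.1.1/24). This is an added example, not configuration from the original post or from Huawei's documentation; the address-group names, the pool ranges 11.1.1.10-11.1.1.13 and 11.1.1.20-11.1.1.21, the host 192.168.10.100 and the rule names are assumptions.

```text
# Added example: the three source NAT variants as Huawei USG (V500-style) CLI.
# Pool ranges, group names, rule names and the host 192.168.10.100 are assumptions.
#
# 1) No-PAT: one private address maps to one pool address, ports untouched.
#    Each active host holds a whole pool address, so size the pool for the
#    number of simultaneously active hosts. The global/local keyword controls
#    how widely the generated server-map entry is reused; global is the usual choice.
nat address-group pool-nopat 0
 mode no-pat global
 route enable
 section 0 11.1.1.10 11.1.1.13
#
# 2) NAPT: address and source port are both rewritten, so many hosts share two
#    addresses. "route enable" makes the device generate a UNR route for the pool
#    so the pool addresses are routable locally and do not loop to the upstream.
nat address-group pool-pat 1
 mode pat
 route enable
 section 0 11.1.1.20 11.1.1.21
#
# Rules are matched top-down and the first match wins, exactly like
# security-policy, so the narrower No-PAT rule must come before the general rule.
# A NAT rule never permits traffic by itself: a matching security-policy rule
# (trust -> untrust, action permit) is still required.
nat-policy
 rule name host100-nopat
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.100 mask 255.255.255.255
  action source-nat address-group pool-nopat
 rule name users-napt
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat address-group pool-pat
#
# 3) Easy-IP: borrow the outbound interface address 11.1.1.1 instead of a pool.
#    Functionally NAPT; use it in place of users-napt when no spare public
#    addresses exist (keep only one of the two rules).
# nat-policy
#  rule name users-easyip
#   source-zone trust
#   destination-zone untrust
#   source-address 192.168.10.0 mask 255.255.255.0
#   action source-nat easy-ip
```

Restricting the rules to destination-zone untrust is what keeps trust-to-DMZ traffic untranslated; a rule without a destination zone would also rewrite packets to internal servers and break their logs and access control.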
A firewall (English: Firewall) is a technique that combines software and hardware devices to perform security management and screening, building a relatively isolated protective barrier between a computer network and the external network so as to protect user data and information.
Server mapping:
Destination NAT (NAT based on the destination IP address) rewrites the destination address in the IP header. It is usually used to hide the real IP address of a network device that provides services to the outside, so that clients reach those servers through one public address.
Configuring NAT Server:
NAT Server is the most common form of destination-based NAT. When a server is deployed on the intranet its real IP address is private, but public users can reach it only through a public address; with NAT Server configured, the device automatically forwards packets that public users send to the public address on to the internal server. Note that on the USG series destination translation takes place before the security policy is matched, so the policy rule that permits the inbound traffic must reference the server's private address, not the public one.
Configuring destination NAT
When a mobile terminal accesses a wireless network and its default WAP gateway address differs from the local operator's WAP gateway address, a device can be deployed between the terminal and the WAP gateway and configured with destination NAT, so that packets the terminal sends to the wrong WAP gateway address are automatically forwarded to the correct WAP gateway.
The role of firewall technology is to discover and deal with security risks that may arise while a computer network is running or transmitting data. The measures include isolation and protection; at the same time the firewall records and checks the operations that concern network security, so as to keep the network running securely, preserve the integrity of user data and information, and give users a better and safer network experience.
A so-called "firewall" is a way of separating an intranet from a publicly accessible network (such as the Internet). It is an applied security and isolation technique built on modern communication network technology and information security technology. It is used more and more in environments where private networks interconnect with public networks, above all networks that connect to the Internet.
A firewall is a protective barrier built between the internal and external network environments with hardware and software, to block unsafe network factors. Only traffic the firewall allows may enter; what it does not allow is blocked. The firewall can also alarm: when an external user attempts to connect, it raises an alarm, tells the user what happened and lets the user decide whether to allow the access. While the user is online the firewall keeps checking and shows what it finds, and the user then configures the firewall to block unwanted behaviour. Through the firewall one can also view the flow of data traffic and the upload and download rates, see the internal state of the machine, start and stop programs, and read the system logs, which together summarize the real-time state of the firewall and of the system's internal security.
A firewall is an access-control measure enforced when two networks communicate; it prevents, as far as possible, hackers from accessing the network. It is a combination of components placed between different networks (such as a trusted intranet and an untrusted public network) or between network security domains. It is the only path for information between those networks or domains, it controls (permits, denies, monitors) the information flows entering and leaving the network according to the enterprise's security policy, and it is itself resistant to attack. It is infrastructure that provides information-security services for the network. Logically the firewall is a separator, a limiter and an analyzer that monitors all activity between the intranet and the Internet and keeps the internal network secure.
The firewall scans the traffic that passes through it and filters out some attacks before they are executed on the target computer. It can also close unused ports, disable outbound traffic on specific ports to block Trojans, and block access from particular sites to cut off all communication from unknown intruders.
A barrier for network security
A firewall (as a choke point and control point) greatly improves the security of an internal network and lowers risk by filtering out unsafe services. Because only carefully chosen application protocols may pass through the firewall, the network environment becomes more secure: for example, the firewall can forbid a well-known unsafe protocol such as NFS from reaching the protected network, so external attackers cannot use such fragile protocols against the internal network. A firewall can also protect the network against routing-based attacks such as IP source routing and the redirected paths of ICMP redirects; it should reject all packets of these kinds and notify the firewall administrator.
Enforcing the network security policy
With a firewall-centred security scheme, all security software (passwords, encryption, identity authentication, auditing and so on) is configured on the firewall. Compared with scattering network security across many hosts, centralized security management on the firewall is more economical; for example, a one-time-password system or other authentication system does not have to be installed on every host but can be concentrated on the firewall.
Monitoring and audit
If all access passes through the firewall, the firewall can record and log it and provide statistics on network usage. When something suspicious happens it can raise an alarm and give detailed information about whether the network is being probed or attacked. Collecting data on the use and misuse of a network also matters: it shows whether the firewall withstands attackers' probes and attacks and whether its controls are sufficient, and usage statistics feed network demand analysis and threat analysis.
Preventing leakage of internal information
Using a firewall to segment the internal network isolates key network segments, so that a local security problem on a sensitive segment has limited impact on the whole network. Privacy is also a major concern for an intranet: an unnoticed detail of an internal network may contain clues that attract external attackers, and some security weaknesses of the internal network may even be exposed. A firewall can hide such internal details, for example Finger and DNS. Finger shows the login names and real names of a host's users, their last login time and the shell they use, all of which are easy for an attacker to collect: how often the system is used, whether its users are connected to the Internet, and whether an attack on the system would be noticed. The firewall can likewise block internal DNS information, so that the hostnames and IP addresses of internal hosts are not revealed to the outside. Besides security, the firewall also supports VPN (virtual private network), the technology with which enterprises extend their internal network over the Internet.
Logging and event notification
All data entering and leaving the network must pass through the firewall, which records it in logs and can provide detailed statistics on network use. When a suspicious event occurs the firewall alarms and notifies according to its configured mechanism, reporting whether the network is under threat.
Topology:
Experiment purpose:
The intranet can access the Internet, but the Internet cannot access the intranet; the Internet can access the intranet server through server mapping, using the public address 11.1.1.100.
The firewall is configured with the corresponding security policies, source NAT address translation, server mapping, and a default route.
Basic configuration:
ISP:
Configure the firewall interfaces (GE0/0/0 is the management port and keeps its default service-manage permits for http, telnet and snmp, which should be disabled or restricted outside a lab; on GE1/0/0 toward the DMZ the mask 240.0.0.0 in the original listing is a typo, the DMZ segment used in the security policy is 192.168.20.0/24, so 255.255.255.0 is intended):
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 10.1.1.1 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.10.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 11.1.1.1 255.255.255.0
service-manage ping permit
Divide the security zones:
Configure the NAT policy:
Configure the NAT address pool:
Configure the security policy:
#
security-policy
rule name trust-to-untrust
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action permit
rule name untrust-to-dmz
source-zone untrust
destination-zone dmz
destination-address 192.168.20.0 mask 255.255.255.0
service ftp
service http
action permit
rule name trust-to-dmz
source-zone trust
destination-zone dmz
source-address 192.168.10.0 mask 255.255.255.0
destination-address 192.168.20.0 mask 255.255.255.0
service ftp
service http
service https
action permit
Configure the static route:

View the routing table:

View the sessions:
display firewall session table verbose # detailed session entries, with the translated address shown in brackets; omit verbose for the brief table
display firewall server-map # server-map entries generated by NAT Server and by No-PAT address pools
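The steps whose screenshots are not on the page (security zones, NAT address pool, NAT policy, the NAT Server mapping for 11.1.1.100 described under "Configuring NAT Server" above, the static route and the verification commands), written out as one added example. It is not the author's configuration and not taken from Huawei documentation. Interface-to-zone assignment follows the interface listing above; the pool range 11.1.1.10-11.1.1.20, the internal server address 192.168.20.2, the ISP next hop 11.1.1.2 and all object and rule names are assumptions, since the topology figure is missing. The security policy is the one already shown in the post and is not repeated.

```text
# Added example for this page's experiment; assumed values are marked.
# The security-policy block shown above is used unchanged.
#
# 1) Security zones (interfaces from the listing above)
firewall zone trust
 add interface GigabitEthernet1/0/1
firewall zone dmz
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/2
#
# 2) NAT address pool (NAPT) for trust -> Internet; the range is an assumption
nat address-group natpool 0
 mode pat
 route enable
 section 0 11.1.1.10 11.1.1.20
#
# 3) Source NAT only toward untrust. trust -> dmz stays untranslated because the
#    rule matches destination-zone untrust only. A NAT rule never permits
#    traffic: the security-policy rule trust-to-untrust still has to allow it.
nat-policy
 rule name snat-trust-to-untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action source-nat address-group natpool
#
# 4) Server mapping: public 11.1.1.100 -> internal server (192.168.20.2 assumed).
#    Only the two services the security policy permits are mapped; everything
#    else sent to 11.1.1.100 is dropped. Destination translation happens before
#    the security policy is matched, which is why rule untrust-to-dmz above
#    matches the private address 192.168.20.0/24 rather than 11.1.1.100.
nat server web protocol tcp global 11.1.1.100 80 inside 192.168.20.2 80
nat server ftp protocol tcp global 11.1.1.100 21 inside 192.168.20.2 21
#
# 5) FTP opens a separate data connection. ASPF tracks the control channel,
#    opens the data-channel pinhole and rewrites the addresses carried inside
#    the FTP commands; without it FTP through NAT fails. (Some versions enable
#    FTP ASPF by default; configuring it explicitly is harmless.)
firewall interzone dmz untrust
 detect ftp
#
# 6) Default route toward the ISP (next hop 11.1.1.2 assumed)
ip route-static 0.0.0.0 0.0.0.0 11.1.1.2
#
# 7) Verification
display firewall server-map
#   expect Nat Server entries 11.1.1.100:80 -> 192.168.20.2:80 and :21 -> :21,
#   each with a reverse entry. The reverse entry means connections the server
#   itself initiates are sourced from 11.1.1.100; append "no-reverse" to the
#   nat server lines if the server should use the pool instead.
display firewall session table verbose
#   an intranet host's session reads src[translated] --> dst, for example
#   192.168.10.2:1025[11.1.1.10:2048] --> 11.1.1.200:80, and a session to the
#   mapped server reads 11.1.1.200:3000 --> 11.1.1.100:80[192.168.20.2:80]
#   (both lines constructed for illustration)
```

Two checks worth running after the commit: a session from a trust host to a DMZ address must show no bracketed translation (otherwise the NAT rule is too broad), and a connection from the untrust side to 11.1.1.100 on any port other than 80 or 21 must produce no session at all, because there is neither a server-map entry nor a permitting policy for it.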
Verification:
PC2 accesses PC4 (intranet to Internet; succeeds, and the session table shows the translated source address)
PC4 accesses PC2 (Internet to intranet; must be denied, since no security policy permits untrust to trust)
PC3 accesses the server (intranet to intranet server, permitted by the trust-to-dmz rule)
The Internet accesses the intranet server through the public address 11.1.1.100 (server mapping)
End of experiment.
Remarks: if there are mistakes, please forgive me!
This article is my study notes, for reference only! If there is any duplication, please contact me.