VMware NSX for beginners. Part 2. Configuring the Firewall and NAT


Part one
After a short break we return to NSX. Today I will show you how to configure NAT and the Firewall.
In the Administration tab, go to your data center: Cloud Resources - Virtual Datacenters.

Select the Edge Gateways tab and right-click the NSX Edge you want. In the menu that appears, choose Edge Gateway Services. The NSX Edge control panel opens in a separate browser tab.


Configuring Firewall rules

By default, the Default rule for ingress traffic item is set to Deny, i.e. the Firewall blocks all traffic that no explicit rule allows. Leave it that way: every rule you add below is an exception to this deny-all baseline.


To add a new rule, click +. A new entry named New rule appears. Edit its fields according to your requirements.


In the Name field, give the rule a name, for example Internet.


In the Source field, enter the required source addresses. Using the IP button you can specify a single IP address, a range of IP addresses, or a CIDR block.


Using the + button you can specify other kinds of objects:

  • Gateway Interfaces. All internal networks (Internal), all external networks (External), or Any.
  • Virtual Machines. Binds the rule to a specific virtual machine.
  • OrgVdcNetworks. Organization-level networks.
  • IP Sets. A previously created user-defined group of IP addresses (created under the Grouping Objects item).


In the Destination field, specify the recipient address. The options are the same as for the Source field.
In the Service field you can select, or enter by hand, the destination port (Destination Port), the required protocol (Protocol) and the source port (Source Port). Click Keep.


In the Action field, select the required action: Accept or Deny for traffic that matches this rule.


Apply the configuration you entered by clicking Save changes.


Example rules

Firewall rule 1 (Internet) allows the server with IP 192.168.1.10 to reach the Internet over any protocol.

Firewall rule 2 (Web server) allows access from the Internet over TCP port 80 to your external address, in this case 185.148.83.16:80. Because the default rule is Deny, everything else (for example SSH from the Internet to that same external address) is still dropped.
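To make the first-match, default-deny behaviour of these two rules concrete, here is an added example (my own illustrative model, not VMware code and not the Edge's real packet pipeline). It evaluates a flow against the two rules exactly as written in this article, accepting the address forms the IP button offers (Any, a single IP, a CIDR, a range) plus a Python list standing in for an IP Set. The flows in the `__main__` block are constructed test traffic; the 203.0.113.7 and 8.8.8.8 addresses are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Added example, not VMware code: a first-match model of the NSX Edge firewall
# rules from this article. An address spec is "any", a single IP, a CIDR or a
# range "a-b"; a list of specs stands in for an IP Set from Grouping Objects.
AddrSpec = Union[str, List[str]]


def addr_matches(spec: AddrSpec, ip: str) -> bool:
    """True if ip falls inside spec ('any', '192.168.1.10', '10.0.0.0/8', '10.0.0.1-10.0.0.9' or an IP Set)."""
    if isinstance(spec, list):                       # IP Set: match any member
        return any(addr_matches(member, ip) for member in spec)
    if spec.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:                                  # inclusive range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)   # single IP or CIDR


@dataclass
class FirewallRule:
    name: str
    source: AddrSpec
    destination: AddrSpec
    protocol: str = "any"            # "any", "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # None means any destination port
    action: str = "accept"           # "accept" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (addr_matches(self.source, src)
                and addr_matches(self.destination, dst)
                and self.protocol in ("any", proto)
                and (self.dst_port is None or self.dst_port == dport))


def evaluate(rules: List[FirewallRule], src: str, dst: str, proto: str,
             dport: Optional[int] = None, default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name) from the first matching rule, else from the default rule."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    return default, "Default rule for ingress traffic"


# The two rules configured in the article, with the addresses given there.
RULES = [
    FirewallRule("Internet", source="192.168.1.10", destination="any"),
    FirewallRule("Web server", source="any", destination="185.148.83.16",
                 protocol="tcp", dst_port=80),
]

if __name__ == "__main__":
    # Constructed flows (203.0.113.7 and 8.8.8.8 are assumed addresses).
    for flow in [("192.168.1.10", "8.8.8.8", "udp", 53),        # server's DNS query: rule 1
                 ("203.0.113.7", "185.148.83.16", "tcp", 80),   # visitor to web server: rule 2
                 ("203.0.113.7", "185.148.83.16", "tcp", 22),   # SSH from outside: no rule
                 ("192.168.1.20", "8.8.8.8", "tcp", 443)]:      # another VM outbound: no rule
        print(flow, "->", evaluate(RULES, *flow))
        # The same flow with the default rule flipped to Accept: unmatched traffic gets through.
        print(flow, "-> (default Accept)", evaluate(RULES, *flow, default="accept"))
```

The last line of the loop is the check worth keeping in mind when reviewing an Edge: with the default rule set to Accept, the SSH and stray-VM flows that the deny baseline drops would all be passed by the "Default rule" itself, so the two explicit rules would add nothing.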


Configuring NAT

NAT (Network Address Translation) is the translation of private ("grey") IP addresses into external ("white") ones, and vice versa. This is what gives a virtual machine access to the Internet. To set it up you need SNAT and DNAT rules.
Important! NAT only works when the Firewall is enabled and the corresponding Accept rules are in place; a NAT rule by itself does not let any traffic through.

Create an SNAT rule. SNAT (Source Network Address Translation) replaces the source address of a packet as it is sent out, so that outbound traffic from the private network appears to come from the external address.

First we need to find out which external IP address or range of IP addresses is available to us. To do this, go to the Administration section and double-click the virtual data center. In the settings menu that appears, go to the Edge Gateways tab. Select the NSX Edge you want, right-click it and choose Properties.


In the window that opens, the Sub-Allocate IP Pools tab shows the external IP address or range of addresses. Write it down or remember it.


Next, right-click the NSX Edge. In the menu that appears, choose Edge Gateway Services. This brings us back to the NSX Edge control panel.


In the window that opens, go to the NAT tab and click Add SNAT.


In the new window, specify:

  • in the Applied on field: the external network (not the organization-level network!);
  • Original Source IP/range: the internal address range, for example 192.168.1.0/24;
  • Translated Source IP/range: the external address through which Internet access will go, the one you looked up in the Sub-Allocate IP Pools tab.

Click Keep.


Create a DNAT rule. DNAT (Destination Network Address Translation) changes the destination address and destination port of a packet. It is used to forward incoming packets addressed to an external address/port to a private IP address/port inside the private network.

On the NAT tab, click Add DNAT.


In the window that opens, enter:

  • in the Applied on field: the external network (not the organization-level network!);
  • Original IP/range: the external address (an address from the Sub-Allocate IP Pools tab);
  • Protocol: the protocol (for example TCP);
  • Original Port: the port on the external address;
  • Translated IP/range: the internal IP address, for example 192.168.1.10;
  • Translated Port: the port on the internal address to which the external address's port is translated.

Click Keep.
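The SNAT and DNAT rules above, as an added example (my own model, not VMware code and not the Edge's actual packet pipeline). It translates the article's addresses both ways and adds one extra DNAT rule, external port 8443 to internal port 443, which is an assumption included only to show port translation. The `exposed_services` helper is also mine; it lists what the DNAT rules publish to the Internet, which is the list to check against the Firewall rules before saving.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not VMware code: a model of the SNAT and DNAT rules this
# article configures on the NSX Edge. Addresses are the article's; the second
# DNAT rule (8443 -> 443) is an assumed extra rule that shows port translation.


@dataclass
class SNATRule:
    original_source: str      # internal range, e.g. 192.168.1.0/24
    translated_source: str    # external address from Sub-Allocate IP Pools


@dataclass
class DNATRule:
    original_ip: str          # external address
    protocol: str             # "tcp" or "udp"
    original_port: int        # port on the external address
    translated_ip: str        # internal VM address
    translated_port: int      # port on the internal VM


def apply_snat(rules: List[SNATRule], src_ip: str) -> str:
    """Source address an outbound packet leaves the Edge with (first matching rule wins)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule.original_source, strict=False):
            return rule.translated_source
    # No SNAT rule: the packet keeps its private source, so nothing on the Internet can answer it.
    return src_ip


def apply_dnat(rules: List[DNATRule], dst_ip: str, proto: str, dst_port: int) -> Tuple[str, int]:
    """Destination an inbound packet is forwarded to; unmatched packets are left untranslated."""
    for rule in rules:
        if (rule.original_ip == dst_ip and rule.protocol == proto
                and rule.original_port == dst_port):
            return rule.translated_ip, rule.translated_port
    return dst_ip, dst_port


def exposed_services(rules: List[DNATRule]) -> List[Tuple[str, str, int]]:
    """Inventory of (external IP, protocol, port) the DNAT rules publish; compare with the Firewall."""
    return sorted({(r.original_ip, r.protocol, r.original_port) for r in rules})


SNAT_RULES = [SNATRule("192.168.1.0/24", "185.148.83.16")]
DNAT_RULES = [
    DNATRule("185.148.83.16", "tcp", 80, "192.168.1.10", 80),      # from the article
    DNATRule("185.148.83.16", "tcp", 8443, "192.168.1.10", 443),   # assumed: port translation
]

if __name__ == "__main__":
    print(apply_snat(SNAT_RULES, "192.168.1.10"))                # 185.148.83.16
    print(apply_snat(SNAT_RULES, "10.0.0.5"))                    # 10.0.0.5 (no rule, stays private)
    print(apply_dnat(DNAT_RULES, "185.148.83.16", "tcp", 80))    # ('192.168.1.10', 80)
    print(apply_dnat(DNAT_RULES, "185.148.83.16", "tcp", 8443))  # ('192.168.1.10', 443)
    print(apply_dnat(DNAT_RULES, "185.148.83.16", "tcp", 22))    # ('185.148.83.16', 22)
    print(exposed_services(DNAT_RULES))
```

Every entry that `exposed_services` returns needs a matching Accept rule in the Firewall, and nothing else should be reachable on the external address; the two lists drifting apart is the usual way a forgotten test forward stays open.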


Apply the configuration you entered by clicking Save changes.


Done.


Next in line is a guide to DHCP, including configuring DHCP Bindings and Relay.

source: www.habr.com
