After a short break we return to NSX. Today I will show you how to configure NAT and Firewall.
In the Administration tab, go to your virtual data center - Cloud Resources - Virtual Datacenters.
Select the Edge Gateways tab and right-click the desired NSX Edge. In the menu that appears, select the Edge Gateway Services option. The NSX Edge control panel will open in a separate tab.
Configuring Firewall rules
By default, the Deny option is selected in the Default rule for ingress traffic item, i.e. the Firewall will block all traffic.
To add a new rule, click +. A new entry named New rule will appear. Edit its fields according to your requirements.
In the Name field, give the rule a name, for example Internet.
In the Source field, enter the required source addresses. Using the IP button, you can set a single IP address, a range of IP addresses, or a CIDR.
Using the + button, you can specify other objects:
- Gateway interfaces. All internal networks (Internal), all external networks (External), or Any.
- Virtual machines. We bind the rules to a specific virtual machine.
- OrgVdcNetworks. Organization-level networks.
- IP Sets. A group of IP addresses created in advance by the user (created in the Grouping object).
In the Destination field, specify the recipient address. The options here are the same as in the Source field.
In the Service field, you can select or manually specify the destination port (Destination Port), the required protocol (Protocol), and the sender's port (Source Port). Click Keep.
In the Action field, select the required action: allow or deny traffic that matches this rule.
Apply the entered configuration by selecting Save changes.
Rule examples
Rule 1 for the Firewall (Internet) allows the server with IP 192.168.1.10 to access the Internet over any protocol.
Rule 2 for the Firewall (Web server) allows access from the Internet over (TCP protocol, port 80) through your external address. In this case, 185.148.83.16:80.
Configuring NAT
NAT (Network Address Translation) is the translation of private (gray) IP addresses into external (white) ones, and vice versa. Through this process, a virtual machine gains access to the Internet. To configure this mechanism, you need to set up SNAT and DNAT rules.
Important! NAT works only when the Firewall is enabled and the appropriate allow rules are configured.
Creating an SNAT rule. SNAT (Source Network Address Translation) is a mechanism whose essence is replacing the source address when a packet is sent.
First we need to find out the external IP address or range of IP addresses available to us. To do this, go to the Administration section and double-click the virtual data center. In the settings menu that appears, go to the Edge Gateways tab. Select the desired NSX Edge and right-click it. Select the Properties option.
In the window that appears, on the Sub-Allocate IP Pools tab you can view the external IP address or range of IP addresses. Write it down or remember it.
Next, right-click the NSX Edge. In the menu that appears, select the Edge Gateway Services option. We are back in the NSX Edge control panel.
In the window that appears, open the NAT tab and click Add SNAT.
In the new window we specify:
- in the Applied on field - the external network (not the organization-level network!);
- Original Source IP/range - the internal address range, for example, 192.168.1.0/24;
- Translated Source IP/range - the external address through which Internet access will take place and which you looked up on the Sub-Allocate IP Pools tab.
Click Keep.
Creating a DNAT rule. DNAT is a mechanism that changes the destination address of a packet as well as its destination port. It is used to redirect incoming packets from an external address/port to a private IP address/port inside the private network.
Select the NAT tab and click Add DNAT.
In the window that appears, specify:
- in the Applied on field - the external network (not the organization-level network!);
- Original IP/range - the external address (the address from the Sub-Allocate IP Pools tab);
- Protocol - the protocol;
- Original Port - the port for the external address;
- Translated IP/range - the internal IP address, for example, 192.168.1.10;
- Translated Port - the port for the internal address to which the port of the external address will be translated.
Click Keep.
Apply the entered configuration by selecting Save changes.
Done.
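The note above says NAT only works when matching allow rules exist, so a DNAT entry without one falls through to the default Deny. As an added example (not from the original article, and not NSX or vCloud Director code), this Python sketch models the article's two firewall rules and checks each DNAT rule against them. The rule dictionaries, the top-down first-match evaluation on the original (external) address, the probe address 203.0.113.5 and the second DNAT entry on port 443 are constructed assumptions.

```python
import ipaddress

# Constructed local model of the article's example rules (not an NSX export or API).
DEFAULT_ACTION = "deny"  # the article's default rule for ingress traffic
FIREWALL = [
    {"name": "Internet", "src": "192.168.1.10", "dst": "any",
     "proto": "any", "port": "any", "action": "accept"},
    {"name": "Web server", "src": "any", "dst": "185.148.83.16",
     "proto": "tcp", "port": 80, "action": "accept"},
]
DNAT = [
    {"orig_ip": "185.148.83.16", "proto": "tcp", "orig_port": 80,
     "to_ip": "192.168.1.10", "to_port": 80},
    # Constructed entry with no firewall rule, to show the failure case.
    {"orig_ip": "185.148.83.16", "proto": "tcp", "orig_port": 443,
     "to_ip": "192.168.1.10", "to_port": 443},
]


def ip_match(spec, ip):
    """True if ip falls inside spec (single address, CIDR, or 'any')."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def first_match(src, dst, proto, port):
    """Assumed top-down, first-match evaluation ending at the default rule."""
    for r in FIREWALL:
        if (ip_match(r["src"], src) and ip_match(r["dst"], dst)
                and r["proto"] in ("any", proto) and r["port"] in ("any", port)):
            return r["name"], r["action"]
    return "default", DEFAULT_ACTION


def audit_dnat(probe_src="203.0.113.5"):
    """List DNAT rules whose original IP/port no allow rule covers."""
    findings = []
    for d in DNAT:
        # Assumption: the firewall is matched against the original (external) address.
        rule, action = first_match(probe_src, d["orig_ip"], d["proto"], d["orig_port"])
        if action != "accept":
            findings.append(f'{d["orig_ip"]}:{d["orig_port"]}/{d["proto"]} -> '
                            f'{d["to_ip"]}:{d["to_port"]} blocked by {rule} rule')
    return findings


if __name__ == "__main__":
    for line in audit_dnat():
        print(line)
```

Running the same check after every NAT change also shows the reverse problem: an allow rule left behind on the external address after its DNAT entry has been removed.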
Next in line are instructions on DHCP, including configuring DHCP Bindings and Relay.
source: www.habr.com