Kwaziwai! Kugamuchirwa kuchidzidzo chechishanu chekosi ... Vhura Takaona kuti mitemo yekuchengetedza inoshanda sei. Iye zvino yave nguva yekusunungura vashandisi venzvimbo paInternet. Kuti tiite izvi, muchidzidzo chino tichatarisa kushanda kweNAT mechanism.
Pamusoro pekusunungura vashandisi kuInternet, isu tichatarisawo nzira yekuburitsa masevhisi emukati. Pazasi pekucheka pane dzidziso pfupi kubva muvhidhiyo, pamwe neiyo vhidhiyo chidzidzo pachayo.
NAT (Network Kero Dudziro) tekinoroji inzira yekushandura IP kero yetiweki mapaketi. Mumashoko eFortinet, NAT yakakamurwa kuita mhando mbiri: Source NAT uye Destination NAT.
Mazita anozvitaurira - kana uchishandisa Source NAT, iyo sosi kero inoshanduka, kana uchishandisa Destination NAT, kero yekuenda inoshanduka.
Uye zvakare, kune zvakare akati wandei sarudzo yekumisikidza NAT - Firewall Policy NAT uye Central NAT.
Paunenge uchishandisa yekutanga sarudzo, Kwakabva uye Kuenda NAT inofanirwa kugadzirwa kune yega yega chengetedzo mutemo. Muchiitiko ichi, Source NAT inoshandisa chero IP kero yeinobuda interface kana pre-yakagadzirirwa IP Pool. Kunoenda NAT inoshandisa chinhu chakafanogadzirirwa (iyo inonzi VIP - Virtual IP) sekero yekuenda.
Paunenge uchishandisa Central NAT, iyo Source uye Destination NAT kumisikidzwa inoitirwa iyo yese mudziyo (kana chaiyo domain) kamwechete. Muchiitiko ichi, marongero eNAT anoshanda kune ese marongero, zvichienderana neKwakabva NAT uye Kwekuenda NAT mitemo.
Source NAT mitemo inogadziriswa mukati meiyo Source NAT mutemo. Nzvimbo yekuenda NAT inogadziriswa kubva kuDNAT menyu uchishandisa IP kero.
Muchidzidzo chino, isu tichatarisa chete Firewall Policy NAT - sezvinoratidza maitiro, iyi sarudzo yekumisikidza yakajairika kupfuura Central NAT.
Sezvandambotaura, kana uchigadzira Firewall Policy Source NAT, pane maviri ekugadzirisa sarudzo: kutsiva IP kero nekero yeinobuda interface, kana ne IP kero kubva kune yakafanorongwa dziva re IP kero. Inotaridzika sechinhu chakaratidzwa mumufananidzo uri pasi apa. Tevere, ini ndichataura muchidimbu nezvezvingabvira madziva, asi mukuita isu tichangofunga nezve sarudzo nekero yeinobuda interface - muhurongwa hwedu, hatidi IP kero madziva.
Dziva reIP rinotsanangura kero imwe kana anopfuura eIP ayo achashandiswa seyero kero panguva yechikamu. Aya IP kero achashandiswa pachinzvimbo cheFortiGate inobuda interface IP kero.
Kune mana emhando dzeIP madziva anogona kugadzirwa paFortiGate:
- zadzisa
- Mumwe-kune-mumwe
- Yakagadziriswa Port Range
- Port block allocation
Overload ndiyo huru IP dziva. Inoshandura IP kero uchishandisa akawanda-kune-imwe kana akawanda-kune-akawanda chirongwa. Kushandura kwePort kunoshandiswawo. Funga nezvedunhu rinoratidzwa mumufananidzo uri pasi apa. Isu tine pasuru ine yakatsanangurwa Source uye Destination minda. Kana ikauya pasi pemutemo wefirewall unobvumira pakiti iyi kuwana yekunze network, mutemo weNAT unoshandiswa kwairi. Nekuda kweizvozvo, mupaketi iyi iyo Source munda inotsiviwa neimwe yeIP kero inotsanangurwa muIP dziva.
A One to One pool inotsanangurawo akawanda ekunze IP kero. Kana pakiti ikawira pasi pemutemo wefirewall ine mutemo weNAT wakagoneswa, iyo IP kero muSource ndima inochinjirwa kune imwe yemakero edziva iri. Kutsiva kunotevera mutemo we "kutanga mukati, wekutanga kubuda". Kuti zvijeke, ngatitarisei muenzaniso.
Kombiyuta pane network yemunharaunda ine IP kero 192.168.1.25 inotumira pakiti kune yekunze network. Inowira pasi pemutemo weNAT, uye Nzvimbo yeChitubu inoshandurwa kuva yekutanga IP kero kubva padziva, munyaya yedu ndeye 83.235.123.5. Zvakakosha kuziva kuti kana uchishandisa iyi IP dziva, shanduro yechiteshi haishandiswi. Kana mushure meizvi komputa kubva kune imwecheteyo network network, ine kero ye, taura, 192.168.1.35, inotumira pakiti kune yekunze network uye zvakare inowira pasi pemutemo uyu weNAT, iyo IP kero muSime munda wepaketi ino ichachinja kuita. 83.235.123.6. Kana kusisina kero dzasara mudziva, zvinozobatanidza zvinozorambwa. Ndiko, mune iyi kesi, makomputa mana anogona kuwira pasi pemutemo wedu weNAT panguva imwe chete.
Fixed Port Range inobatanidza mukati uye kunze kwezvikamu zve IP kero. Kushandura chiteshi kwakavharwawo. Izvi zvinokutendera kuti ubatanidze zvachose kutanga kana kupera kwedziva remukati IP kero nekutanga kana kupera kwedziva rekunze IP kero. Mumuenzaniso uri pazasi, iyo yemukati kero dziva 192.168.1.25 - 192.168.1.28 inoiswa kune yekunze kero dziva 83.235.123.5 - 83.235.125.8.
Port Block Allocation - iyi IP dziva rinoshandiswa kugovera chivharo chezviteshi kune IP pool vashandisi. Pamusoro peiyo IP dziva pachayo, maviri paramita anofanirwawo kutsanangurwa pano - saizi yebhuroka uye nhamba yezvivharo zvakagoverwa kune mumwe nemumwe mushandisi.
Zvino ngatitarisei tekinoroji yekuenda NAT. Iyo yakavakirwa pane virtual IP kero (VIP). Kune mapaketi anowira pasi peMitemo Yekuenda NAT, iyo IP kero mundima Yekuenda inoshanduka: kazhinji kero yeruzhinji yeInternet inochinja kuita kero yakavanzika yeseva. Virtual IP kero dzinoshandiswa mu firewall marongero senzvimbo Yekuenda.
Mhando yakajairwa yeadhiresi yeIP ndeye Static NAT. Uku ndiko kunyorerana kweumwe-kune-mumwe pakati pekero dzekunze nedzemukati.
Panzvimbo peStatic NAT, kero chaiyo inogona kudzikiswa nekutumira chaiwo madoko. Semuenzaniso, batanidza zvinongedzo kune kero yekunze pachiteshi 8080 ine chinongedzo kune yemukati IP kero pachiteshi 80.
Mumuenzaniso uri pazasi, komputa ine kero inoti 172.17.10.25 iri kuedza kuwana kero 83.235.123.20 pachiteshi 80. Kubatana uku kunowira pasi pemutemo weDNAT, saka kero ye IP inoshandurwa kuita 10.10.10.10.
Vhidhiyo inokurukura dzidziso uye inopawo mienzaniso inoshanda yekumisikidza Source uye Destination NAT.
Muzvidzidzo zvinotevera tichaenderera mberi nekuona kuchengetedzwa kwevashandisi paInternet. Kunyanya, chidzidzo chinotevera chichakurukura mashandiro ewebhu kusefa uye kutonga kwekushandisa. Kuti usarasikirwe, tevera zvigadziriso pazviteshi zvinotevera:
Source: www.habr.com