Sanibonani! Siyakwamukela esifundweni sesihlanu sesifundo . Kuvuliwe Sithole ukuthi izinqubomgomo zokuphepha zisebenza kanjani. Manje sekuyisikhathi sokukhulula abasebenzisi bendawo ku-inthanethi. Ukwenza lokhu, kulesi sifundo sizobheka ukusebenza komshini we-NAT.
Ngokungeziwe ekukhipheni abasebenzisi ku-inthanethi, sizophinde sibheke indlela yokushicilela amasevisi angaphakathi. Ngezansi kokusikwa kukhona ithiyori emfushane evela kuvidiyo, kanye nesifundo sevidiyo uqobo.
Ubuchwepheshe be-NAT (Network Address Translation) buyindlela yokuguqula amakheli e-IP wamaphakethe enethiwekhi. Ngokwemigomo ye-Fortinet, i-NAT ihlukaniswe yaba izinhlobo ezimbili: Umthombo we-NAT kanye ne-Destination NAT.
Amagama ayazikhulumela - uma usebenzisa Umthombo we-NAT, ikheli lomthombo liyashintsha, uma usebenzisa Indawo okuyiwa kuyo NAT, ikheli lendawo liyashintsha.
Ngaphezu kwalokho, kukhona nezinketho ezimbalwa zokusetha i-NAT - Inqubomgomo Yokuvikela i-NAT kanye ne-Central NAT.
Uma usebenzisa inketho yokuqala, Umthombo kanye Nendawo okuyiwa kuyo i-NAT kufanele ilungiselelwe inqubomgomo yokuphepha ngayinye. Kulokhu, Umthombo we-NAT usebenzisa ikheli le-IP lesixhumi esibonakalayo esiphumayo noma i-IP Pool elungiselelwe ngaphambilini. Indawo ye-NAT isebenzisa into emiswe ngaphambilini (okuthiwa i-VIP - Virtual IP) njengekheli okuyiwa kulo.
Uma usebenzisa i-Central NAT, ukulungiselelwa komthombo kanye nendawo okuyiwa kuyo ye-NAT kwenziwa kuyo yonke idivayisi (noma isizinda esibonakalayo) ngesikhathi esisodwa. Kulokhu, izilungiselelo ze-NAT zisebenza kuzo zonke izinqubomgomo, kuye ngomthombo we-NAT kanye nemithetho Yendawo Ye-NAT.
Umthombo Imithetho ye-NAT imisiwe kunqubomgomo yomthombo omaphakathi we-NAT. Indawo okuyiwa kuyo i-NAT ilungiselelwe kusukela kumenyu ye-DNAT kusetshenziswa amakheli e-IP.
Kulesi sifundo, sizocubungula kuphela iNqubomgomo ye-Firewall NAT - njengoba umkhuba ubonisa, le nketho yokumisa ivame kakhulu kune-Central NAT.
Njengoba bese ngishilo, lapho ulungiselela Umthombo Wenqubomgomo Ye-Firewall, kunezindlela ezimbili zokumisa: ukufaka ikheli le-IP ngekheli lesixhumi esibonakalayo esiphumayo, noma ikheli le-IP elisuka endaweni elungiselelwe ngaphambilini yamakheli e-IP. Ibukeka into efana nale eboniswe emfanekisweni ongezansi. Okulandelayo, ngizokhuluma kafushane ngamachibi angenzeka, kodwa ekusebenzeni sizocabangela kuphela inketho ngekheli le-interface ephumayo - ekuhlelweni kwethu, asidingi amachibi amakheli e-IP.
I-IP pool ichaza ikheli le-IP elilodwa noma amaningi azosetshenziswa njengekheli lomthombo phakathi neseshini. Lawa makheli e-IP azosetshenziswa esikhundleni sekheli le-IP eliphumayo le-FortiGate.
Kunezinhlobo ezi-4 zamachibi e-IP angalungiswa ku-FortiGate:
- Ukulayisha ngaphezulu
- One-to-one
- I-Port Range Egxilile
- Isabelo se-port block
Ukulayisha ngokweqile kuyichibi le-IP eliyinhloko. Iguqula amakheli e-IP isebenzisa isikimu sokuningi kokukodwa noma kokuningi kuya kokuningi. Ukuhumusha ngembobo nakho kuyasetshenziswa. Cabangela umjikelezo oboniswe esithombeni esingezansi. Sinephakheji elinezinkambu ezichaziwe zoMthombo kanye nendawo oya kuyo. Uma ingena ngaphansi kwenqubomgomo ye-firewall evumela leli phakethe ukuthi lifinyelele inethiwekhi yangaphandle, umthetho we-NAT usetshenziswa kuyo. Ngenxa yalokho, kuleli phakethe inkambu Yomthombo ithathelwa indawo elinye lamakheli e-IP ashiwo ku-IP pool.
Iphuli ye-One to One iphinda ichaze amakheli amaningi e-IP angaphandle. Uma iphakethe liwela ngaphansi kwenqubomgomo yohlelo lokuvikela ngomthetho we-NAT onikwe amandla, ikheli le-IP kunkambu yomthombo lishintshelwa kwelinye lamakheli aleli chibi. Ukumiselela kulandela umthetho othi βowokuqala ungene, kuphume kuqalaβ. Ukuze sikwenze kucace kakhudlwana, ake sibheke isibonelo.
Ikhompyutha kunethiwekhi yendawo enekheli le-IP 192.168.1.25 ithumela iphakethe kunethiwekhi yangaphandle. Iwela ngaphansi komthetho we-NAT, futhi inkambu yoMthombo ishintshelwa ekhelini lokuqala le-IP ukusuka echibini, esimweni sethu ngu-83.235.123.5. Kuyaqapheleka ukuthi uma usebenzisa leli chibi le-IP, ukuhumusha kwechweba akusetshenzisiwe. Uma ngemva kwalokhu ikhompuyutha evela kunethiwekhi efanayo yendawo, enekheli elithi, 192.168.1.35, ithumela iphakethe kunethiwekhi yangaphandle futhi futhi iwela ngaphansi kwalo mthetho we-NAT, ikheli le-IP kunkambu yoMthombo yaleli phakethe lizoshintshela ku- 83.235.123.6. Uma engasekho amakheli asele endaweni yokubhukuda, ukuxhumeka okulandelayo kuzonqatshwa. Okusho ukuthi, kulesi simo, amakhompyutha angu-4 angawela ngaphansi komthetho wethu we-NAT ngesikhathi esifanayo.
I-Fixed Port Range ixhuma ububanzi bangaphakathi nabangaphandle bamakheli e-IP. Ukuhumusha ngembobo nakho kukhutshaziwe. Lokhu kukuvumela ukuthi uhlobanise unomphela isiqalo noma isiphetho seqoqo lamakheli e-IP angaphakathi nesiqalo noma isiphetho seqoqo lamakheli e-IP angaphandle. Esibonelweni esingezansi, iphuli yamakheli angaphakathi 192.168.1.25 - 192.168.1.28 ifakwe kumephu yekheli langaphandle 83.235.123.5 - 83.235.125.8.
I-Port Block Allocation - le pool ye-IP isetshenziselwa ukwaba ibhulokhi yamachweba kubasebenzisi be-IP pool. Ngaphezu kwe-IP pool ngokwayo, imingcele emibili kufanele futhi icaciswe lapha - usayizi webhulokhi kanye nenani lamabhulokhi abelwe umsebenzisi ngamunye.
Manje ake sibheke ubuchwepheshe be-Destination NAT. Isekelwe kumakheli we-IP (VIP). Kumaphakethe awela ngaphansi kwemithetho yendawo okuyiwa kuyo ye-NAT, ikheli lasesizindeni se-inthanethi enkambini Yendawo liyashintsha: ngokuvamile ikheli le-inthanethi lomphakathi lishintshela ekhelini eliyimfihlo leseva. Amakheli we-Virtual IP asetshenziswa kuzinqubomgomo zokuvikela njengenkundla Yendawo.
Uhlobo olujwayelekile lwamakheli e-IP abonakalayo yi-Static NAT. Lokhu ukuxhumana phakathi kwamakheli angaphandle nawangaphakathi.
Esikhundleni se-Static NAT, amakheli abonakalayo anganqunyelwa ngokudlulisela izimbobo ezithile. Isibonelo, hlobanisa ukuxhumeka ekhelini langaphandle ku-port 8080 ngoxhumano lwekheli le-IP langaphakathi ku-port 80.
Esibonelweni esingezansi, ikhompuyutha enekheli elithi 172.17.10.25 izama ukufinyelela ikheli 83.235.123.20 ku-port 80. Lokhu kuxhumana kuwela ngaphansi komthetho we-DNAT, ngakho ikheli le-IP okuyiwa kulo lishintshelwa ku-10.10.10.10.
Ividiyo idingida ithiyori futhi ihlinzeka ngezibonelo ezisebenzayo zokumisa Umthombo kanye nendawo oya kuyo i-NAT.
Ezifundweni ezilandelayo sizodlulela ekuqinisekiseni ukuphepha kwabasebenzisi ku-inthanethi. Ngokukhethekile, isifundo esilandelayo sizoxoxa ngokusebenza kokuhlunga iwebhu nokulawula uhlelo lokusebenza. Ukuze ungaphuthelwa, landela izibuyekezo eziteshini ezilandelayo:
Source: www.habr.com