Network Environment constructed by firewall nat + switch routing + system soft Routing

Background: The network environment of the existing business system is 172 CIDR blocks, and the network is connected to the public network through the firewall and routing of the uplink Huawei 8508. The business system is located in the data center on the third floor. Now, the entire business and core system need to be connected to the monitoring system PATROL host on the sixth floor. The monitoring system has 192 network segments.
Host IP Address: 192.168.165.89
Monitoring access network segment: 192.168.1.1-192.168.1.30
Monitoring access segment Gateway: 192.168.1.30. The monitoring access segment is connected to the monitoring host.

Environment: network equipment are Huawei, switch Huawei LS-S5328C, firewall Huawei Eudemon 200E, SERVER systems are SUSE 10 enterprise server 64bit version.

Requirement: the business environment is in the 172 CIDR block. The dual Nic binding server on the server is composed of four NICs, and the other two are not cabled ). In the absence of network cabling in the existing business environment or network deployment that changes the existing business environment, the two firewalls in the business environment are directed from the switch where the monitoring platform is located to the two firewalls, monitors the entire service area and core area.

Network Topology:

650) this. width = 650; "border =" 0 "alt =" "width =" 646 "height =" 788 "src =" http://www.bkjia.com/uploads/allimg/131227/02561341S-0.jpg "/>

Implementation process:
1. Firewall settings: two firewalls have similar configurations)
# Interface Ethernet2/0/0
Description link_to_jiankong
Ip address 192.168.192.1 too many hosts
# Firewall zone name jiankong
Set priority 70
Add interface Ethernet2/0/0
# Firewall interzone jiankong untrust
Packet-filter 3001 outbound
# Firewall interzone jiankong trust
Packet-filter 3002 inbound
Note: The access policies from the monitoring area to the service area and core area are omitted here)
# Nat server global 192.168.192.3 inside 172.29.141.253
Nat server global 192.168.192.4 inside 172.29.141.254
Nat server global 192.168.192.5 inside 172.29.141.66
Nat server global 192.168.192.6 inside 172.29.141.67
Nat server global 192.168.192.7 inside 172.29.141.12
Nat server global 192.168.192.8 inside 172.29.141.13
Nat server global 192.168.192.9 inside 172.29.141.14
Nat server global 192.168.192.10 inside 172.29.141.15
Nat server global 192.168.192.11 inside 172.29.141.16
Nat server global 192.168.192.12 inside 172.29.141.17
Nat server global 192.168.192.12 inside 172.29.141.18
Nat server global 192.168.192.12 inside 172.29.141.19
In addition to the two firewalls, the network devices and servers in the service area and core area are mapped to the 192 segment addresses in one NAT ing)
# Ip route-static 192.168.165.89 255.255.255.255 192.168.1.30 #192.168.192.30)
# Snmp-agent community read Jun01
# Snmp-agent target-host trap address udp-domain 192.168.165.89 params securityname Jun01

2. Set a layer-3 switch connected to the public network in the service zone: two layer-3 switches have similar configurations)
# Ip route-static 192.168.165.89 255.255.255.255 172.29.141.14
172.29.141.14 is the virtual address of VRRP on the two firewalls in the core area of the service zone.
# Snmp-agent community read Jun01
# Snmp-agent target-host trap address udp-domain 192.168.165.89 params securityname Jun01

3. Configure vswitches in the core area connected to the service area: the vswitches in the two core areas are similar)
# Ip route-static 192.168.165.89 255.255.255.255 172.29.141.19
172.29.141.19 is the virtual address of VRRP on the two firewalls connected to the service zone in the core area.
# Snmp-agent community read Jun01
# Snmp-agent target-host trap address udp-domain 192.168.165.89 params securityname Jun01
 

4. Soft route settings on the server:
# Yast (select a route entry after entering yast)
650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0256133K2-1.jpg "/>

Press the Space key to select the expert configuration and add a new route

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/02561343O-2.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0256133010-3.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0256131455-4.jpg "/>

Finally, the selection is complete, and the soft route configuration is complete.

5. test:
# Netstat-nr: You can view the new route and test the connection to the monitoring host through PING. Log on to the network device and test the PING function.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/0256131X3-5.jpg "/>

6. Monitoring System Client installation, overall monitoring system testing and joint debugging.
 

Conclusion: In the face of problems, as long as you think carefully, you will find another way to solve the problem. We need to carefully consider the flexible application of knowledge.

This article is from the "dripping water and stone" blog and will not be reposted!