■Trying out DNAT from Internal -> DMZ on a FortiGate.
Verified on a FortiGate-80C.
Version: FortiGate-80C v5.2.3,build0670,150318 (GA)
■Scenario: source NAT specified with an IP pool
172.31.31.254[Client] -> 172.31.31.252[internal]
-> 172.31.31.250[VIP] -> 192.168.102.252[DMZ]
-> 192.168.102.250[SNAT] -> 192.168.102.254[VIP/Cisco]
■Configuration
config firewall ippool
    edit "VDMZ_SNAT" <---
        set type one-to-one
        set startip 192.168.102.250
        set endip 192.168.102.250
    next
end
config firewall vip
    edit "VDMZ_DNAT" <---
        set extip 172.31.31.250
        set extintf "internal"
        set mappedip "192.168.102.254"
    next
end
config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VDMZ_DNAT" <---
        set action accept
        set schedule "always"
        set service "ALL_TCP"
        set nat enable
        set ippool enable
        set poolname "VDMZ_SNAT" <---
    next
end
■Check the open ports of the Cisco on the DMZ side (through the VIP)
$ sudo nmap -sT 172.31.31.250
Starting Nmap 6.00 ( http://nmap.org ) at 2015-06-24 00:05 JST
Nmap scan report for 172.31.31.250
Host is up (0.00083s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
2000/tcp open cisco-sccp
5060/tcp open sip
MAC Address: 00:09:0F:D4:94:AF (Fortinet)
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
■Log in to the Cisco over Telnet.
$ telnet 172.31.31.250
Trying 172.31.31.250...
Connected to 172.31.31.250.
Escape character is '^]'.
User Access Verification
Username: labunix
Password:
Router>show version | include IOS
Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.3(3)M1, RELEASE SOFTWARE (fc1)
■Set a session filter
diag sys session filter dport 23
diag sys session filter
session filter:
    vd: any
    sintf: any
    dintf: any
    proto: 6-6
    proto-state: any
    source ip: any
    NAT'd source ip: any
    dest ip: any
    source port: any
    NAT'd source port: any
    dest port: 23-23
    policy id: any
    expire: any
    duration: any
■Check the session list
hook=pre dir=org act=noop 172.31.31.254:54567->172.31.31.252:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.31.31.252:23->172.31.31.254:54567(0.0.0.0:0)
hook=pre dir=org act=dnat 172.31.31.254:37082->172.31.31.250:23(192.168.102.254:23)
hook=post dir=org act=snat 172.31.31.254:37082->192.168.102.254:23(192.168.102.250:37082)
hook=pre dir=reply act=dnat 192.168.102.254:23->192.168.102.250:37082(172.31.31.254:37082)
hook=post dir=reply act=snat 192.168.102.254:23->172.31.31.254:37082(172.31.31.250:23)
■Check the packet capture
interfaces=[dmz]
filters=[tcp port 23]
4.268188 192.168.102.250.37082 -> 192.168.102.254.23: psh 1019940800 ack 3541167463
4.268811 192.168.102.254.23 -> 192.168.102.250.37082: psh 3541167463 ack 1019940802
4.269037 192.168.102.250.37082 -> 192.168.102.254.23: ack 3541167465
4.269046 192.168.102.254.23 -> 192.168.102.250.37082: psh 3541167465 ack 1019940802
4.269181 192.168.102.250.37082 -> 192.168.102.254.23: ack 3541167472
interfaces=[internal]
filters=[tcp port 23]
1.733956 172.31.31.254.54567 -> 172.31.31.252.23: ack 1529724834
1.734058 172.31.31.252.23 -> 172.31.31.254.54567: psh 1529724834 ack 2091165519
1.734206 172.31.31.254.54567 -> 172.31.31.252.23: ack 1529724983
1.734349 172.31.31.252.23 -> 172.31.31.254.54567: psh 1529724983 ack 2091165519
1.734455 172.31.31.254.54567 -> 172.31.31.252.23: ack 1529725132
1.734642 172.31.31.252.23 -> 172.31.31.254.54567: psh 1529725132 ack 2091165519
■The FortiGate's own IP is enough for SNAT. To save addresses, switch to [Use Outgoing Interface Address]
172.31.31.254[Client] -> 172.31.31.252[internal]
-> 172.31.31.250[VIP] -> 192.168.102.252[DMZ]
-> 192.168.102.254[VIP/Cisco]
■Configuration
config firewall vip
    edit "VDMZ_DNAT" <---
        set extip 172.31.31.250
        set extintf "internal"
        set mappedip "192.168.102.254"
    next
end
config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VDMZ_DNAT" <---
        set action accept
        set schedule "always"
        set service "ALL_TCP"
        set nat enable
    next
end
■Check the session list
hook=pre dir=org act=dnat 172.31.31.254:39223->172.31.31.250:23(192.168.102.254:23)
hook=post dir=org act=snat 172.31.31.254:39223->192.168.102.254:23(192.168.102.252:39223)
hook=pre dir=reply act=dnat 192.168.102.254:23->192.168.102.252:39223(172.31.31.254:39223)
hook=post dir=reply act=snat 192.168.102.254:23->172.31.31.254:39223(172.31.31.250:23)
hook=pre dir=org act=noop 172.31.31.254:56706->172.31.31.252:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.31.31.252:23->172.31.31.254:56706(0.0.0.0:0)
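To confirm that a VIP plus policy pair translates a session exactly as intended, here is an added Python script (not from the post) that parses the hook lines of "diag sys session list" shown in both session-list sections above and audits both directions of one session. It assumes the expected VIP, real server and SNAT source are supplied by the caller; the embedded sample is the IP-pool session from this page.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

class Hook(NamedTuple):
    hook: str             # pre / post
    dir: str              # org / reply
    act: str              # dnat / snat / noop
    src: Tuple[str, int]
    dst: Tuple[str, int]
    nat: Tuple[str, int]  # address this hook writes; 0.0.0.0:0 for noop

# One line of FortiOS "diag sys session list" hook output looks like:
#   hook=post dir=org act=snat 172.31.31.254:37082->192.168.102.254:23(192.168.102.250:37082)
HOOK_RE = re.compile(
    r"hook=(\w+) dir=(\w+) act=(\w+) ([\d.]+):(\d+)->([\d.]+):(\d+)\(([\d.]+):(\d+)\)")

def parse_hooks(text: str) -> List[Hook]:
    return [Hook(g[0], g[1], g[2], (g[3], int(g[4])), (g[5], int(g[6])), (g[7], int(g[8])))
            for g in (m.groups() for m in HOOK_RE.finditer(text))]

def audit_session(hooks: List[Hook], vip: str, real_server: str, snat_source: str) -> List[str]:
    """Return findings; an empty list means the session is translated exactly as the
    VIP + policy should translate it. Both directions are checked, so a wrong IP pool
    binding shows up as a finding instead of a silently different source address."""
    by_key: Dict[Tuple[str, str, str], Hook] = {(h.hook, h.dir, h.act): h for h in hooks}
    org_dnat = by_key.get(("pre", "org", "dnat"))
    org_snat = by_key.get(("post", "org", "snat"))
    rep_dnat = by_key.get(("pre", "reply", "dnat"))
    rep_snat = by_key.get(("post", "reply", "snat"))
    if not (org_dnat and org_snat and rep_dnat and rep_snat):
        return ["session has no dnat/snat hook set (no VIP hit, or policy without NAT)"]
    client = org_dnat.src
    findings = []
    if (org_dnat.dst[0], org_dnat.nat[0]) != (vip, real_server):
        findings.append(f"DNAT {org_dnat.dst[0]}->{org_dnat.nat[0]}, expected {vip}->{real_server}")
    if org_snat.nat[0] != snat_source:
        findings.append(f"SNAT source {org_snat.nat[0]}, expected {snat_source}")
    if rep_dnat.nat != client:
        findings.append(f"reply not mapped back to client {client[0]}:{client[1]}")
    if rep_snat.nat[0] != vip:
        findings.append(f"reply source {rep_snat.nat[0]}, expected VIP {vip}")
    return findings

# Session list copied from the IP-pool scenario on this page (one-to-one pool 192.168.102.250).
IPPOOL_SESSION = """\
hook=pre dir=org act=dnat 172.31.31.254:37082->172.31.31.250:23(192.168.102.254:23)
hook=post dir=org act=snat 172.31.31.254:37082->192.168.102.254:23(192.168.102.250:37082)
hook=pre dir=reply act=dnat 192.168.102.254:23->192.168.102.250:37082(172.31.31.254:37082)
hook=post dir=reply act=snat 192.168.102.254:23->172.31.31.254:37082(172.31.31.250:23)
"""
```

Running audit_session on the outgoing-interface session with snat_source 192.168.102.252 returns no findings, while passing the IP-pool expectation against it flags the changed source address.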
■Check the packet capture
interfaces=[dmz]
filters=[tcp port 23]
5.096063 192.168.102.252.39223 -> 192.168.102.254.23: psh 2752062705 ack 3315246893
5.096647 192.168.102.254.23 -> 192.168.102.252.39223: psh 3315246893 ack 2752062707
5.096786 192.168.102.252.39223 -> 192.168.102.254.23: ack 3315246895
5.096900 192.168.102.254.23 -> 192.168.102.252.39223: psh 3315246895 ack 2752062707
5.097056 192.168.102.252.39223 -> 192.168.102.254.23: ack 3315246902
interfaces=[internal]
filters=[tcp port 23]
10.341891 172.31.31.254.56706 -> 172.31.31.252.23: ack 252525460
10.341928 172.31.31.252.23 -> 172.31.31.254.56706: psh 252525460 ack 802023145
10.342143 172.31.31.254.56706 -> 172.31.31.252.23: ack 252525608
10.342244 172.31.31.252.23 -> 172.31.31.254.56706: psh 252525608 ack 802023145
10.342396 172.31.31.254.56706 -> 172.31.31.252.23: ack 252525756
10.342536 172.31.31.252.23 -> 172.31.31.254.56706: psh 252525756 ack 802023145