溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
USG防火墻區域配置
學習目的
掌握防火墻安全區域的配置方法
掌握對安全區域的參數配置
掌握在區域之間進行包過濾的方法
拓撲圖
場景
你是公司網絡管理員。公司總部的網絡分成了三個區域,包括內部區域(Trust)外部區域(Untrust)和服務器區域(DMZ)。現在設計通過防火墻來實現對數據的控制。在交換機上將G0/0/1與G0/0/21接口定義到vlan11,將G0/0/2與G0/0/22接口定義到vlan12,將G0/0/3與G0/0/23接口定義到vlan13.分別規劃了三個網段。
現在滿足一下要求:
“Trust”區域的用戶可以訪問“Untrust”的用戶;
“Trust”和“Untrust”區域的用戶可以訪問“DMZ”區域的用戶;
“Untrust”區域用戶不能直接訪問“Trust”區域用戶;
“DMZ”區域用戶不能直接訪問“Trust”和“Untrust”區域的用戶。
學習任務
步驟一.基本配置與IP編址
首先給三個路由器配置地址信息
[Huawei]sysname R1
[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]ip add 10.0.10.124
[R1-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/1
[R1-GigabitEthernet0/0/1]interfaceloopback0
[R1-LoopBack0]ip add 10.0.1.1 24
[R1-LoopBack0]q
[Huawei]sysname R2
[R2]interface g0/0/1
[R2-GigabitEthernet0/0/1]ip add 10.0.20.224
[R2-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/2
[R2-GigabitEthernet0/0/1]interfaceloopback0
[R2-LoopBack0]ip add 10.0.2.2 24
[R2-LoopBack0]q
[Huawei]sysname R3
[R3]interface g0/0/1
[R3-GigabitEthernet0/0/1]ip add 10.0.30.324
[R3-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/3
[R3-GigabitEthernet0/0/1]interfaceloopback0
[R3-LoopBack0]ip add 10.0.3.3 24
[R3-LoopBack0]q
給防火墻配置地址,G0/0/1IP地址:10.0.20.254/24.作為Inside區域的網關。
[SRG]sysname FW
08:34:20 2014/07/05
[FW]interface g0/0/1
08:35:50 2014/07/05
[FW-GigabitEthernet0/0/1]ip add 10.0.20.25424
08:36:01 2014/07/05
[FW-GigabitEthernet0/0/1]description thisport connect to S1-G0/0/22
08:38:06 2014/07/05
[FW-GigabitEthernet0/0/1]interface g0/0/0
08:39:08 2014/07/05
[FW-GigabitEthernet0/0/0]ip add 10.0.10.25424
08:39:27 2014/07/05
Info: The DHCP server configuration on thisinterface will be deleted.
[FW-GigabitEthernet0/0/0]desc tihis portconnect to S1-G0/0/21
08:40:02 2014/07/05
[FW-GigabitEthernet0/0/0]interface G0/0/2
08:40:15 2014/07/05
[FW-GigabitEthernet0/0/2]ip add 10.0.30.25424
08:40:30 2014/07/05
[FW-GigabitEthernet0/0/2]desc this portconnect to S1-G0/0/23
08:41:05 2014/07/05
[FW-GigabitEthernet0/0/2]q
08:41:07 2014/07/05
在交換機上需要按照需求定義vlan。
[Huawei]sysname S1
[S1]vlan batch 11 to 13
Info: This operation may take a fewseconds. Please wait for a moment...done.
[S1]interface g0/0/1
[S1-GigabitEthernet0/0/1]port link-typeaccess
[S1-GigabitEthernet0/0/1]port default vlan11
[S1-GigabitEthernet0/0/1]interface g0/0/2
[S1-GigabitEthernet0/0/2]port link-typeaccess
[S1-GigabitEthernet0/0/2]port default vlan12
[S1]interface g0/0/3
[S1-GigabitEthernet0/0/3]port link-typeaccess
[S1-GigabitEthernet0/0/3]port default vlan13
[S1-GigabitEthernet0/0/3]interface g0/0/21
[S1-GigabitEthernet0/0/21]port link-typeaccess
[S1-GigabitEthernet0/0/21]port default vlan11
[S1-GigabitEthernet0/0/21]interface g0/0/22
[S1-GigabitEthernet0/0/22]port link-typeaccess
[S1-GigabitEthernet0/0/22]port default vlan12
[S1-GigabitEthernet0/0/22]interface g0/0/23
[S1-GigabitEthernet0/0/23]port link-typeaccess
[S1-GigabitEthernet0/0/23]port default vlan13
步驟二.將接口配置到安全區域
防火墻上默認有四個區域,分別是“local”、“trust”“untrust”、“dmz”。
試驗中我們用到“trust”“untrust”、“dmz”三個區域。G0/0/0加入untrust區域,G0/0/2加入DMZ區域,G0/0/1加入trust區域。
[FW]firewall zone trust
09:09:15 2014/07/05
[FW-zone-trust]dis this
09:09:19 2014/07/05
#
firewall zone trust
setpriority 85
addinterface GigabitEthernet0/0/0
#
return
[FW-zone-trust]undo add inter
[FW-zone-trust]undo add interface g0/0/0
09:09:35 2014/07/05
[FW-zone-trust]add interface g0/0/1
09:10:01 2014/07/05
[FW]firewall zone untrust
09:11:24 2014/07/05
[FW-zone-untrust]add interface g0/0/0
09:11:36 2014/07/05
[FW-zone-untrust]q
[FW]firewall zone dmz
09:12:07 2014/07/05
[FW-zone-dmz]add interface g0/0/2
09:12:16 2014/07/05
[FW-zone-dmz]q
默認情況下,防火請并不允許除local區域外的其他區域之間的通信。為了方便于驗證配置的正確性,我們首先將防火墻區域之間的默認規則配置為允許所有區域之間通訊。配置完成后在FW設備上測試相同區域的連通性。
[FW]firewall packet-filter default permitall
09:17:33 2014/07/05
Warning:Setting the default packetfiltering to permit poses security risks. You
are advised to configure the securitypolicy based on the actual data flows. Are
you sure you want to continue?[Y/N]y
[FW]ping -c 1 10.0.10.1
09:18:04 2014/07/05
PING 10.0.10.1: 56 data bytes,press CTRL_C to break
Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=180 ms
---10.0.10.1 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 180/180/180 ms
[FW]ping -c 1 10.0.20.2
09:18:11 2014/07/05
PING 10.0.20.2: 56 data bytes,press CTRL_C to break
Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=120 ms
---10.0.20.2 ping statistics ---
1packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 120/120/120 ms
[FW]ping -c 1 10.0.30.3
09:18:16 2014/07/05
PING 10.0.30.3: 56 data bytes,press CTRL_C to break
Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=110 ms
---10.0.30.3 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-tripmin/avg/max = 110/110/110 ms
在R1、R2、R3上配置缺省路由,在FW上配置明確的靜態路由。實現三個loopback0接口連接的網段之間的互通。
[R1]ip route-static 0.0.0.0 0.0.0.010.0.10.254
[R2]ip route-static 0.0.0.0 0.0.0.010.0.20.254
[R3]ip route-static 0.0.0.0 0.0.0.010.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1
09:24:57 2014/07/05
[FW]ip route-static 10.0.2.0 24 10.0.20.2
09:25:14 2014/07/05
[FW]ip route-static 10.0.3.0 24 10.0.30.3
09:25:29 2014/07/05
[FW]
配置完成后,測試個路由器loopback0接口的網段之間的通訊情況。
[R1]ping -a 10.0.1.1 10.0.2.2
PING 10.0.2.2: 56 data bytes,press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=110 ms
Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=60 ms
Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=100 ms
Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=90 ms
Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=50 ms
---10.0.2.2 ping statistics ---
5packet(s) transmitted
5packet(s) received
0.00% packet loss
round-tripmin/avg/max = 50/82/110 ms
[R1]ping -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes,press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=90 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=70 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=50 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=60 ms
---10.0.3.3 ping statistics ---
5packet(s) transmitted
5packet(s) received
0.00% packet loss
round-tripmin/avg/max = 40/62/90 ms
步驟四.配置區域安全策略
配置區域之間的策略,首先將防火墻的區域間默認過濾策略配置為拒絕所有通信,然后配置僅允許Trust區域訪問其他區域,不允許其他區域之間訪問。
[FW]firewall packet-filter default deny all
[FW]firewall packet-filter default permitinterzone trust untrust direction outbound
09:41:35 2014/07/05
Warning:Setting the default packetfiltering to permit poses security risks. You
are advised to configure the securitypolicy based on the actual data flows. Are
you sure you want to continue?[Y/N]y
[FW]firewall packet-filter default permitinterzone trust dmz direction outbound
Warning:Setting the default packet filteringto permit poses security risks. You
are advised to configure the securitypolicy based on the actual data flows. Are
you sure you want to continue?[Y/N]y
[FW]firewall session link-state check
09:43:20 2014/07/05
配置完成后,測試區域之間的連通性。
Untrust區域到Trust區域
<R1>ping -a 10.0.1.1 10.0.2.2
PING 10.0.2.2: 56 data bytes,press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
---10.0.2.2 ping statistics ---
5packet(s) transmitted
0packet(s) received
100.00% packetloss
Untrust區域到DMZ區域
<R1>ping -a 10.0.1.1 10.0.3.3
PING 10.0.3.3: 56 data bytes,press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
---10.0.3.3 ping statistics ---
5packet(s) transmitted
0packet(s) received
100.00% packetloss
Trust區域到Untrust區域
<R2>ping -a 10.0.2.2 10.0.1.1
PING 10.0.1.1: 56 data bytes,press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=100 ms
Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=70 ms
Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms
Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=80 ms
Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=90 ms
---10.0.1.1 ping statistics ---
5packet(s) transmitted
5packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/88/100 ms
Trust區域到DMZ區域
<R2>ping -a 10.0.2.2 10.0.3.3
PING 10.0.3.3: 56 data bytes,press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=70 ms
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=110 ms
Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=40 ms
Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=60 ms
---10.0.3.3 ping statistics ---
5packet(s) transmitted
5packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/66/110 ms
DMZ區域到Untrust區域
<R3>ping -a 10.0.3.3 10.0.1.1
PING 10.0.1.1: 56 data bytes,press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
---10.0.1.1 ping statistics ---
5packet(s) transmitted
0packet(s) received
100.00% packet loss
DMZ區域到Trust區域
<R3>ping -a 10.0.3.3 10.0.2.2
PING 10.0.2.2: 56 data bytes,press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
---10.0.2.2 ping statistics ---
5packet(s) transmitted
0packet(s) received
100.00% packet loss
步驟五.配置允許Untrust區域訪問DMZ區域的特定服務器
DMZ區域有一臺服務器,IP地址為10.0.3.3。需要對Untrust區域開放Telnet服務,同時為了測試網絡,需要開放ICMP ping測試功能。
[FW]policy interzone dmz untrust inbound
09:54:29 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound]policy1
09:54:39 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-1]policyservice service-set icmp
09:54:58 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-1]policydestination 10.0.3.3 0
09:55:19 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-1]actionpermit
09:55:29 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-1]q
09:55:30 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound]policy2
09:55:38 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-2]policyservice service-set telnet
09:55:55 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-2]policydestination 10.0.3.3 0
09:56:05 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-2]actionpermit
09:56:25 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-2]q
09:56:27 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound]policy3
09:56:30 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-3]actiondeny
09:56:37 2014/07/05
[FW-policy-interzone-dmz-untrust-inbound-3]
為了能進行telnet測試,在R3上開啟telnet功能。
[R3]user-interface vty 0 4
[R3-ui-vty0-4]auth
[R3-ui-vty0-4]authentication-mode pass
[R3-ui-vty0-4]authentication-mode password
Please configure the login password(maximum length 16):16
[R3-ui-vty0-4]set auth
[R3-ui-vty0-4]set authentication pass
[R3-ui-vty0-4]set authentication password ?
cipher Set the password withcipher text
[R3-ui-vty0-4]set authentication passwordcp
[R3-ui-vty0-4]set authentication passwordci
[R3-ui-vty0-4]set authentication passwordcipher huawei
[R3-ui-vty0-4]user pri
[R3-ui-vty0-4]user privilege lev
[R3-ui-vty0-4]user privilege level 3
[R3-ui-vty0-4]
測試網絡連通性
<R1>ping -c 1 10.0.3.3
PING 10.0.3.3: 56 data bytes,press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=60 ms
---10.0.3.3 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/60/60 ms
<R1>ping -c 1 -a 10.0.1.1 10.0.3.3
PING10.0.3.3: 56 data bytes, press CTRL_C tobreak
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=70 ms
---10.0.3.3 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/70/70 ms
<R1>ping 10.0.30.3
PING 10.0.30.3: 56 data bytes,press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
---10.0.30.3 ping statistics ---
5packet(s) transmitted
0packet(s) received
100.00% packetloss
<R1>telnet10.0.3.3
Press CTRL_] to quit telnet mode
Trying 10.0.3.3 ...
Connected to 10.0.3.3 ...
Loginauthentication
Password:
<R3>
如測試結果,顯示區域之間的過濾情況。除了特定放行的數據流外,其它數據流被過濾掉了。
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
