1. Lab 1: Firewall IPSec NAT traversal
Lab topology and requirements
1.1 Build an IPSec VPN with the firewalls (FW1 is configured from the CLI, FW2 from the web UI)
FW1 configuration:
Assign the firewall interfaces to security zones and permit the related traffic
[FW1]security-zone name trust ---enter the trust zone of FW1
[FW1-security-zone-Trust]import interface g2/0 ---add FW1's g2/0 interface to the trust zone
[FW1-security-zone-Trust]security-zone name untrust ---enter the untrust zone of FW1
[FW1-security-zone-Untrust]import interface g3/0 ---add FW1's g3/0 interface to the untrust zone
[FW1-security-zone-Untrust]qu
[FW1]int g2/0
[FW1-GigabitEthernet2/0]manage ping outbound
[FW1-GigabitEthernet2/0]manage ping inbound
[FW1]int g3/0
[FW1-GigabitEthernet3/0]manage ping outbound ---permit ping traffic sent out of g3/0
[FW1-GigabitEthernet3/0]manage ping inbound ---permit ping traffic received on g3/0
[FW2]security-zone name trust
[FW2-security-zone-Trust]import interface g2/0
[FW2-security-zone-Trust]security-zone name untrust
[FW2-security-zone-Untrust]import interface g3/0
[FW2-security-zone-Untrust]qu
[FW2]int g2/0
[FW2-GigabitEthernet2/0]manage ping outbound
[FW2-GigabitEthernet2/0]manage ping inbound
[FW2]int g3/0
[FW2-GigabitEthernet3/0]manage ping inbound
[FW2-GigabitEthernet3/0]manage ping outbound
1. Reach the public network
[FW1]ip route-static 0.0.0.0 0.0.0.0 202.101.10.2
[FW2]ip route-static 0.0.0.0 0.0.0.0 202.101.20.2
2. IPSec phase 1
Step 1: create the IKE proposal
[FW1]ike proposal 1 ---create IKE proposal 1
[FW1-ike-proposal-1]authentication-method pre-share ---authentication method: pre-shared key
[FW1-ike-proposal-1]authentication-algorithm md5 ---authentication algorithm: MD5
[FW1-ike-proposal-1]encryption-algorithm 3des-cbc ---encryption algorithm: 3DES
[FW1-ike-proposal-1]dh group5 ---DH group changed to group 5
[FW1-ike-proposal-1]sa duration 86400 ---SA lifetime set to 86400 seconds
Note: when an IKE proposal is created the device fills in default values for these parameters, so the settings above only need to be changed where the requirements differ from the defaults.
The command to display the default values and the proposal just created is:
[FW1]dis ike proposal
Priority Authentication  Authentication Encryption Diffie-Hellman Duration
         method          algorithm      algorithm  group          (seconds)
----------------------------------------------------------------------------
1        PRE-SHARED-KEY  MD5            3DES-CBC   Group 5        86400
default  PRE-SHARED-KEY  SHA1           DES-CBC    Group 1        86400
Step 2: create the IKE keychain
[FW1-ike-proposal-1]qu
[FW1]ike keychain FW1 ---create IKE keychain FW1
[FW1-ike-keychain-FW1]pre-shared-key address 202.101.20.1 key simple h3c
---the peer for this pre-shared key is 202.101.20.1; the key value is h3c, entered in plain text
Step 3: create the IKE profile
[FW1-ike-keychain-FW1]qu
[FW1]ike profile FW1 ---create IKE profile FW1
[FW1-ike-profile-FW1]keychain FW1 ---bind keychain FW1
[FW1-ike-profile-FW1]match remote identity address 202.101.20.1 255.255.255.0 ---bind the peer device
[FW1-ike-profile-FW1]proposal 1 ---bind IKE proposal 1
3. IPSec phase 2
[FW1]ipsec transform-set myset ---create IPSec transform set myset
[FW1-ipsec-transform-set-myset]encapsulation-mode tunnel ---encapsulation mode: tunnel
[FW1-ipsec-transform-set-myset]esp encryption-algorithm 3des-cbc ---ESP encryption algorithm: 3DES
[FW1-ipsec-transform-set-myset]esp authentication-algorithm md5 ---ESP authentication algorithm: MD5
4. Match the interesting traffic
[FW1]acl advanced 3000 ---the command is "acl advanced", as the running configuration below confirms
[FW1-acl-ipv4-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
5. Create the IPSec policy that ties the above together, then apply it
[FW1]ipsec policy FW1 1 isakmp ---create IPSec policy FW1 with sequence number 1, negotiating keys through ISAKMP (IKE)
[FW1-ipsec-policy-isakmp-FW1-1]transform-set myset ---bind transform set myset
[FW1-ipsec-policy-isakmp-FW1-1]security acl 3000 ---match the interesting traffic
[FW1-ipsec-policy-isakmp-FW1-1]remote-address 202.101.20.1 ---bind the peer IP address
[FW1-ipsec-policy-isakmp-FW1-1]ike-profile FW1 ---bind IKE profile FW1
[FW1-ipsec-policy-isakmp-FW1-1]int g3/0
[FW1-GigabitEthernet3/0]ipsec apply policy FW1 ---apply IPSec policy FW1 on the interface
6. Create security policies that permit the IPSec-related traffic
[FW1]security-policy ip
[FW1-security-policy-ip]rule 0 name IPSec_FW1_IN ---create security policy rule IPSec_FW1_IN
[FW1-security-policy-ip-0-IPSec_FW1_IN]action pass ---action: pass
[FW1-security-policy-ip-0-IPSec_FW1_IN]source-zone Local ---source security zone
[FW1-security-policy-ip-0-IPSec_FW1_IN]destination-zone untrust ---destination security zone
[FW1-security-policy-ip-0-IPSec_FW1_IN]service ike ---permit the IPSec-related services
[FW1-security-policy-ip-0-IPSec_FW1_IN]service ipsec-ah
[FW1-security-policy-ip-0-IPSec_FW1_IN]service ipsec-esp
[FW1-security-policy-ip-0-IPSec_FW1_IN]service nat-t-ipsec
[FW1-security-policy-ip]rule 1 name IPSec_FW1_Out
[FW1-security-policy-ip-1-IPSec_FW1_Out]action pass
[FW1-security-policy-ip-1-IPSec_FW1_Out]source-zone untrust
[FW1-security-policy-ip-1-IPSec_FW1_Out]destination-zone Local
[FW1-security-policy-ip-1-IPSec_FW1_Out]service ike
[FW1-security-policy-ip-1-IPSec_FW1_Out]service ipsec-ah
[FW1-security-policy-ip-1-IPSec_FW1_Out]service ipsec-esp
[FW1-security-policy-ip-1-IPSec_FW1_Out]service nat-t-ipsec
[FW1-security-policy-ip]rule 2 name t2u ---create policy t2u permitting PC1-to-PC2 traffic (all services are permitted when no service is specified)
[FW1-security-policy-ip-2-t2u]action pass
[FW1-security-policy-ip-2-t2u]source-zone trust
[FW1-security-policy-ip-2-t2u]destination-zone untrust
[FW1-security-policy-ip]rule 3 name u2t ---create policy u2t permitting PC2-to-PC1 traffic (all services are permitted when no service is specified)
[FW1-security-policy-ip-3-u2t]action pass
[FW1-security-policy-ip-3-u2t]source-zone untrust
[FW1-security-policy-ip-3-u2t]destination-zone trust
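As an added illustration (not part of the original lab and not H3C code), the Python script below parses a security-policy block written in the same style as the running configuration shown later in this report and reports which services are still blocked for the zone pairs an IPSec tunnel terminated on the firewall needs: IKE (UDP 500), ESP and NAT-T (UDP 4500) between Local and Untrust in both directions, plus IP traffic between Trust and Untrust. The configuration text is constructed for the example and deliberately leaves nat-t-ipsec out of the outbound rule and omits the u2t rule, so the checker has something to find.

```python
import re

# Added example, not the lab's device output: a constructed security-policy block in the
# style of "display current-configuration" on the firewall. It deliberately lacks
# nat-t-ipsec on the outbound rule and the u2t rule so the checker reports something.
SAMPLE_CONFIG = """\
security-policy ip
 rule 0 name IPSec_FW1_IN
  action pass
  source-zone Untrust
  destination-zone Local
  service ike
  service ipsec-ah
  service ipsec-esp
  service nat-t-ipsec
 rule 1 name IPSec_FW1_Out
  action pass
  source-zone Local
  destination-zone Untrust
  service ike
  service ipsec-esp
 rule 2 name t2u
  action pass
  source-zone Trust
  destination-zone Untrust
#
"""

# Zone pairs and services an IPsec tunnel terminated on the firewall needs.
# "ip" stands for "all services" (a rule with no service line).
REQUIRED = {
    ("local", "untrust"): {"ike", "ipsec-esp", "nat-t-ipsec"},  # our IKE/ESP/UDP 4500 out
    ("untrust", "local"): {"ike", "ipsec-esp", "nat-t-ipsec"},  # the peer's IKE/ESP/UDP 4500 in
    ("trust", "untrust"): {"ip"},                                # PC1 -> PC2 through the tunnel
    ("untrust", "trust"): {"ip"},                                # PC2 -> PC1 through the tunnel
}
# ipsec-ah is only needed when the transform set uses AH; the lab's sets use ESP only.


def parse_security_policy(text):
    """Return one dict per rule: name, action, source zones, destination zones, services."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":               # end of the security-policy block
            cur = None
            continue
        m = re.match(r"rule \d+ name (\S+)$", line)
        if m:
            cur = {"name": m.group(1), "action": None, "src": set(), "dst": set(), "services": set()}
            rules.append(cur)
            continue
        if cur is None:
            continue
        key, _, val = line.partition(" ")
        if key == "action":
            cur["action"] = val
        elif key == "source-zone":
            cur["src"].add(val.lower())   # the CLI capitalises zone names however they were typed
        elif key == "destination-zone":
            cur["dst"].add(val.lower())
        elif key == "service":
            cur["services"].add(val)
    return rules


def missing_services(rules):
    """Map each zone pair to the required services no pass rule permits; {} means complete."""
    allowed = {}
    for r in rules:
        if r["action"] != "pass":
            continue
        granted = r["services"] or {"ip"}   # no service line means every service
        for s in r["src"]:
            for d in r["dst"]:
                allowed.setdefault((s, d), set()).update(granted)
    report = {}
    for pair, need in REQUIRED.items():
        got = allowed.get(pair, set())
        gap = set() if "ip" in got else need - got
        if gap:
            report[pair] = sorted(gap)
    return report


if __name__ == "__main__":
    for pair, gap in missing_services(parse_security_policy(SAMPLE_CONFIG)).items():
        print(f"{pair[0]} -> {pair[1]}: still blocked {gap}")
```

Run against the sample it reports nat-t-ipsec missing for Local -> Untrust and all IP traffic missing for Untrust -> Trust; paste a real `display current-configuration` security-policy block into SAMPLE_CONFIG to audit a device the same way.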
FW2 configuration
1. Assign interfaces to security zones and permit the related traffic
2. Reach the public network
3. IPSec phase 1
4. IPSec phase 2
5. Match the interesting traffic
6. Configure security policies that permit the IPSec-related traffic
Because the firewall isolates traffic between different security zones by default, security policies are needed to permit the related traffic:
① first permit the IPSec-related service traffic;
② then permit the IP traffic the hosts need through security policies.
Security policies on FW2
Security policies on FW1
1.2 A packet capture shows that IPSec encryption is working
1.3 Implementing NAT traversal
With PC1 already able to reach PC2 through the IPSec tunnel, make sure that PC1 and PC2 can also reach the Internet; FW1 is configured from the CLI and FW2 from the web UI.
Method 1: exclude addresses with an ACL
Because the NAT policy takes precedence over the IPSec policy, the source IP of a packet from PC1 to PC2 would be translated by NAT before the IPSec policy sees it. To avoid this, the ACL referenced by the NAT policy denies (excludes) the IPSec traffic, so PC1's packets to PC2 keep their original source IP and are matched by the IPSec policy, while all other packets are still translated as before.
[FW1]acl advanced 3001
[FW1-acl-ipv4-adv-3001]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[FW1-acl-ipv4-adv-3001]rule permit ip source any destination any
[FW1-acl-ipv4-adv-3001]int g3/0
[FW1-GigabitEthernet3/0]nat outbound 3001
Method 2: a NAT rule that does not translate
The core idea is the same as in method 1: exclude the addresses from translation. Below is the configuration done on FW2 through the web UI.
After configuring through the web UI, view the resulting configuration from FW2's CLI:
nat policy
rule name IPSec
source-ip PC2
destination-ip PC1
outbound-interface GigabitEthernet3/0
action no-nat
rule name PC2_nat
source-ip PC2
outbound-interface GigabitEthernet3/0
action easy-ip
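The following Python model is an added example, not part of the lab and not device code. It reproduces the processing order described in method 1 (NAT on the outbound interface runs before the IPSec policy lookup, so the IPSec ACL sees the translated source address) and shows why the deny rule in ACL 3001, or the no-nat rule in method 2's NAT policy, is needed. Both NAT forms are modelled as an ordered rule list whose first matching rule wins: an ACL permit means translate and a deny means exempt, just as easy-ip and no-nat do in the FW2 NAT policy above. The network addresses are the lab's; the hosts 192.168.10.1 and 192.168.20.1 and the Internet addresses 8.8.8.8 and 1.1.1.1 are assumed for the test packets.

```python
import ipaddress
from dataclasses import dataclass

# Added example: models "NAT before IPsec" on an outbound interface. Not H3C code.
# Host addresses used below (192.168.10.1, 192.168.20.1, 8.8.8.8) are assumed.


def wildcard_match(ip, network, wildcard):
    """Comware-style wildcard mask: a 0 bit in the mask must match, a 1 bit is don't-care."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


ANY = ("0.0.0.0", "255.255.255.255")      # (network, wildcard) meaning "any"
PC1_NET = ("192.168.10.0", "0.0.0.255")   # lab subnet behind FW1
PC2_NET = ("192.168.20.0", "0.0.0.255")   # lab subnet behind FW2


@dataclass
class Rule:
    action: str        # ACL: "permit"/"deny"; NAT decision: "translate"/"exempt"
    src: tuple = ANY   # (network, wildcard)
    dst: tuple = ANY


def first_match(rules, src_ip, dst_ip):
    """Ordered lookup: the first rule whose source and destination both match wins."""
    for r in rules:
        if wildcard_match(src_ip, *r.src) and wildcard_match(dst_ip, *r.dst):
            return r.action
    return None        # no rule matched: the ACL / NAT policy simply does not apply


def nat_outbound(acl_rules):
    """Method 1: 'nat outbound <acl>' translates what the ACL permits; a deny exempts."""
    return [Rule("translate" if r.action == "permit" else "exempt", r.src, r.dst)
            for r in acl_rules]


def forward(src_ip, dst_ip, nat_rules, ipsec_acl, public_ip):
    """Return (source address on the wire, 'esp' or 'plain') for one outbound packet."""
    decision = first_match(nat_rules, src_ip, dst_ip)               # NAT policy runs first ...
    wire_src = public_ip if decision == "translate" else src_ip
    protected = first_match(ipsec_acl, wire_src, dst_ip) == "permit"  # ... then the IPsec ACL
    return wire_src, "esp" if protected else "plain"


# FW1 side (method 1)
ACL_3000 = [Rule("permit", PC1_NET, PC2_NET)]              # IPsec interesting traffic
ACL_3001_BROKEN = nat_outbound([Rule("permit")])           # NAT everything: tunnel traffic is lost
ACL_3001 = nat_outbound([Rule("deny", PC1_NET, PC2_NET),   # exempt the tunnel traffic first
                         Rule("permit")])                  # then NAT the rest

# FW2 side (method 2): the web UI's NAT policy, in the rule order shown above
FW2_NAT_POLICY = [Rule("exempt", PC2_NET, PC1_NET),        # rule IPSec: action no-nat
                  Rule("translate", PC2_NET)]              # rule PC2_nat: action easy-ip
FW2_IPSEC_ACL = [Rule("permit", ("192.168.20.1", "0.0.0.0"), ("192.168.10.1", "0.0.0.0"))]

if __name__ == "__main__":
    for label, nat in (("without deny rule", ACL_3001_BROKEN), ("with deny rule", ACL_3001)):
        print(label, forward("192.168.10.1", "192.168.20.1", nat, ACL_3000, "202.101.10.1"))
    print("PC1 to Internet", forward("192.168.10.1", "8.8.8.8", ACL_3001, ACL_3000, "202.101.10.1"))
    print("PC2 to PC1", forward("192.168.20.1", "192.168.10.1", FW2_NAT_POLICY, FW2_IPSEC_ACL, "202.101.20.1"))
```

Without the deny rule the PC1-to-PC2 packet leaves with source 202.101.10.1 and never matches ACL 3000, so it is sent unencrypted; with the deny rule in front it keeps 192.168.10.1, matches the IPSec ACL and is protected, while Internet-bound traffic is still translated. The same model gives the same result for FW2's no-nat rule, which is why the order of the two NAT policy rules matters.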
1.4 Configuration files
[FW1]dis cur
sysname FW1
interface GigabitEthernet2/0
port link-mode route
ip address 192.168.10.254 255.255.255.0
manage ping inbound
manage ping outbound
#
interface GigabitEthernet3/0
port link-mode route
ip address 202.101.10.1 255.255.255.0
nat outbound 3001
manage ping inbound
manage ping outbound
ipsec apply policy FW1
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet2/0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet3/0
#
security-zone name Management
import interface GigabitEthernet1/0
#
zone-pair security source Trust destination Untrust
ip route-static 0.0.0.0 0 202.101.10.2
#
acl advanced 3000
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
acl advanced 3001
rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 5 permit ip
#
ipsec transform-set FW1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec transform-set myset
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy FW1 1 isakmp
transform-set FW1
security acl 3000
local-address 202.101.10.1
remote-address 202.101.20.1
ike-profile FW1
#
ike profile FW1
keychain FW1
local-identity address 202.101.10.1
match remote identity address 202.101.20.0 255.255.255.0
match local address GigabitEthernet3/0
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group5
authentication-algorithm md5
#
ike keychain FW1
match local address GigabitEthernet3/0
pre-shared-key address 202.101.20.0 255.255.255.0 key simple h3c
#
ip https enable
#
security-policy ip
rule 0 name IPSec_FW1_IN
action pass
source-zone Untrust
destination-zone Local
service ike
service ipsec-ah
service ipsec-esp
service nat-t-ipsec
rule 1 name IPSec_FW1_Out
action pass
source-zone Local
destination-zone Untrust
service ipsec-ah
service ipsec-esp
service ike
service nat-t-ipsec
rule 2 name t2u
action pass
source-zone Trust
destination-zone Untrust
rule 3 name u2t
action pass
source-zone Untrust
destination-zone Trust
#
return
[FW2]dis cur
sysname FW2
object-group ip address PC1
0 network subnet 192.168.10.0 255.255.255.0
#
object-group ip address PC2
security-zone Trust
0 network subnet 192.168.20.0 255.255.255.0
#
interface GigabitEthernet2/0
port link-mode route
ip address 192.168.20.254 255.255.255.0
manage ping inbound
manage ping outbound
#
interface GigabitEthernet3/0
port link-mode route
ip address 202.101.20.1 255.255.255.0
manage ping inbound
manage ping outbound
ipsec apply policy FW2
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet2/0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet3/0
#
security-zone name Management
import interface GigabitEthernet1/0
#
ip route-static 0.0.0.0 0 202.101.20.2
#
acl advanced name IPsec_FW2_IPv4_1
rule 0 permit ip source 192.168.20.1 0 destination 192.168.10.1 0
#
ipsec transform-set FW2_IPv4_1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy FW2 1 isakmp
transform-set FW2_IPv4_1
security acl name IPsec_FW2_IPv4_1
local-address 202.101.20.1
remote-address 202.101.10.1
ike-profile FW2_IPv4_1
#
nat policy
rule name IPSec
source-ip PC2
destination-ip PC1
outbound-interface GigabitEthernet3/0
action no-nat
rule name PC2_nat
source-ip PC2
outbound-interface GigabitEthernet3/0
action easy-ip
#
ike profile FW2_IPv4_1
keychain FW2_IPv4_1
match remote identity address 202.101.10.0 255.255.255.0
match local address GigabitEthernet3/0
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group5
authentication-algorithm md5
#
ike keychain FW2_IPv4_1
match local address GigabitEthernet3/0
pre-shared-key address 202.101.10.0 255.255.255.0 key simple h3c
#
ip https enable
#
security-policy ip
rule 1 name IPsec_FW2_1_20250401230517_IN
action pass
source-zone Untrust
destination-zone Local
service ike
service nat-t-ipsec
service ipsec-ah
service ipsec-esp
rule 0 name IPsec_FW2_1_20250401230517_OUT
action pass
source-zone Local
destination-zone Untrust
service ike
service nat-t-ipsec
service ipsec-ah
service ipsec-esp
rule 2 name t2u
action pass
source-zone Trust
destination-zone Untrust
rule 3 name u2t
action pass
source-zone Untrust
destination-zone Trust
#
return