Security: Firewall Bypass + PBR + Stateful Inspection

Contents

I. Lab requirements

II. Key configuration

III. Result verification and firewall session table

IV. ENSP file


I. Lab requirements

  • Traffic flows as shown in the figure.
  • Path of AR2 -> AR1 (150.1.1.1/32) traffic: AR2 -> S1 -> AR1. Path of AR1 (150.1.1.1/32) -> AR2 traffic: AR1 -> S1 -> FW1 -> S1 -> AR2. For the ping and SSH traffic that passes through the firewall, stateful (link-state) inspection is turned off; all other traffic keeps stateful inspection on.

II. Key configuration

  • Switch MQC configuration (ACL matches the return traffic sourced from 150.1.1.1 and redirects it to the firewall at next hop 10.1.3.12):

acl number 3000
 rule 5 permit ip source 150.1.1.1 0
#
traffic classifier PBR operator and
 if-match acl 3000
#
traffic behavior PBR
 redirect ip-nexthop 10.1.3.12
#
traffic policy PBR
 classifier PBR behavior PBR
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 4
 traffic-policy PBR inbound
#
  • Firewall key configuration (ACL 3000 describes the reply traffic for ping and SSH; the exclude command removes those flows from the stateful check):

acl number 3000
 rule 5 permit icmp source 150.1.1.1 0 destination 10.1.1.2 0
 rule 10 permit tcp source 150.1.1.1 0 source-port eq ssh destination 10.1.1.2 0
#
firewall session link-state exclude acl 3000
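The requirement in section I and the firewall configuration above together produce an asymmetric path: AR2's requests reach AR1 without crossing FW1, while AR1's replies are policy-routed through FW1. The firewall therefore sees only the second half of each flow. The model below is an added illustration, not Huawei code and not part of the original post; it assumes a simplified reading of what `firewall session link-state exclude acl` does: a reply packet that arrives with no matching session is dropped by the stateful check unless the exclude ACL matches it, in which case a session is created from mid-stream. The packet and ACL classes, the wildcard-mask matching helper, and the telnet client port 50000 are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: a 5-tuple plus TCP flags or ICMP type (constructed)."""
    proto: str                                 # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0                             # TCP source port (unused for ICMP)
    dport: int = 0                             # TCP destination port (unused for ICMP)
    tcp_flags: frozenset = frozenset()         # e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: int = 0                         # 8 = echo request, 0 = echo reply

    def is_flow_initiator(self) -> bool:
        """First packet of a flow: a bare TCP SYN or an ICMP echo request."""
        if self.proto == "tcp":
            return self.tcp_flags == frozenset({"SYN"})
        return self.icmp_type == 8

    def key(self) -> tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> tuple:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def _wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Huawei-style wildcard mask: 0 bits must match, 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)


@dataclass(frozen=True)
class AclRule:
    """One 'rule N permit <proto> source A W destination B W [source-port eq P]' line."""
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    sport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and _wildcard_match(pkt.src, self.src, self.src_wild)
                and _wildcard_match(pkt.dst, self.dst, self.dst_wild)
                and (self.sport is None or pkt.sport == self.sport))


class LinkStateFirewall:
    """Session table with a link-state (stateful) check and an exclude ACL (assumed model)."""

    def __init__(self, exclude_acl, tcp_check=True, icmp_check=True):
        self.exclude_acl = list(exclude_acl)
        self.tcp_check = tcp_check
        self.icmp_check = icmp_check
        self.sessions = set()

    def _check_enabled(self, proto: str) -> bool:
        return self.tcp_check if proto == "tcp" else self.icmp_check

    def process(self, pkt: Packet) -> str:
        """Return the verdict for one packet and update the session table."""
        if pkt.key() in self.sessions or pkt.reverse_key() in self.sessions:
            return "forward: existing session"
        if pkt.is_flow_initiator():
            self.sessions.add(pkt.key())
            return "forward: new session"
        # A reply with no session means the request bypassed this firewall
        # (asymmetric path). The link-state check drops it unless the
        # exclude ACL allows this flow to create a session from mid-stream.
        if self._check_enabled(pkt.proto) and not any(r.matches(pkt) for r in self.exclude_acl):
            return "drop: link-state check, no matching session"
        self.sessions.add(pkt.key())
        return "forward: excluded from link-state check, session created"


def run_lab() -> dict:
    """Replay the lab: only AR1 -> AR2 packets traverse FW1, so it sees replies first."""
    acl_3000 = [  # the two rules from the firewall configuration
        AclRule("icmp", "150.1.1.1", "0.0.0.0", "10.1.1.2", "0.0.0.0"),
        AclRule("tcp", "150.1.1.1", "0.0.0.0", "10.1.1.2", "0.0.0.0", sport=22),
    ]
    fw = LinkStateFirewall(acl_3000)
    # Constructed sample replies; 49754 is the SSH client port from the session
    # table, the telnet client port 50000 is made up for this example.
    replies = {
        "ping echo reply": Packet("icmp", "150.1.1.1", "10.1.1.2", icmp_type=0),
        "ssh SYN-ACK": Packet("tcp", "150.1.1.1", "10.1.1.2", 22, 49754, frozenset({"SYN", "ACK"})),
        "telnet SYN-ACK": Packet("tcp", "150.1.1.1", "10.1.1.2", 23, 50000, frozenset({"SYN", "ACK"})),
    }
    return {name: fw.process(p) for name, p in replies.items()}


if __name__ == "__main__":
    for name, verdict in run_lab().items():
        print(f"{name:16} -> {verdict}")
```

Running `run_lab()` forwards the ping reply and the SSH SYN-ACK (both matched by ACL 3000) and drops the telnet SYN-ACK, which is the behaviour observed in section III. The sessions the model creates are keyed in the reply direction (150.1.1.1:22 -> 10.1.1.2:49754), matching the way the real session table lists them. The exclude ACL is deliberately narrow (one source host, one destination host, and for TCP only source port 22): widening it would let any mid-stream packet create a session, which is exactly the protection the stateful check exists to provide.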

III. Result verification and firewall session table

  • Verification from AR2 (ping and SSH succeed, telnet fails):
[AR2]ping 150.1.1.1
  PING 150.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 150.1.1.1: bytes=56 Sequence=1 ttl=253 time=50 ms
    Reply from 150.1.1.1: bytes=56 Sequence=2 ttl=253 time=50 ms
    Reply from 150.1.1.1: bytes=56 Sequence=3 ttl=253 time=60 ms
    Reply from 150.1.1.1: bytes=56 Sequence=4 ttl=253 time=40 ms
    Reply from 150.1.1.1: bytes=56 Sequence=5 ttl=253 time=40 ms

  --- 150.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/48/60 ms

[AR2]stelnet 150.1.1.1
Please input the username:admin
Trying 150.1.1.1 ...
Press CTRL+K to abort
Connected to 150.1.1.1 ...
Enter password:
  ----------------------------------------------------------------------------- 
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: SSH      
  IP-Address : 10.1.1.2 ssh     
  Time       : 2024-06-22 23:12:59-08:00     
  -----------------------------------------------------------------------------
<AR1>qui

  Configuration console exit, please retry to log on

[AR2]qui	
<AR2>telnet 150.1.1.1  // telnet fails, and the firewall diagnostic center shows the result in the figure below:
  Press CTRL_] to quit telnet mode
  Trying 150.1.1.1 ...
  Error: Can't connect to the remote host

  • Firewall ACL hits, link-state check status and session table:

[FW]display  acl all 
2024-06-22 15:14:29.490 
Advanced ACL 3000, 2 rules ( Reference counter 0 ) 
Acl's step is 5
 rule 5 permit icmp source 150.1.1.1 0 destination 10.1.1.2 0 (2 times matched) 
 rule 10 permit tcp source 150.1.1.1 0 source-port eq ssh destination 10.1.1.2 0 (2 times matched) 

[FW]display  firewall session link-state 
2024-06-22 15:09:07.120 
 Current firewall session link-state:
 ------------------------------------
 TCP check:                        on
 ICMP check:                       on
 Exclude acl:                    3000
 ------------------------------------

[FW]display  firewall session table 
2024-06-22 15:12:40.070 
 Current Total Sessions : 1
 icmp  VPN: public --> public  150.1.1.1:2048 --> 10.1.1.2:52907

[FW]display  firewall session table 
2024-06-22 15:13:04.280 
 Current Total Sessions : 1
 tcp  VPN: public --> public  150.1.1.1:22 --> 10.1.1.2:49754

IV. ENSP file
