Encryption and Decryption Principle Lab

Lab topology

[Figure: lab topology (FW1 - ISP router - FW2)]

Lab preparation

Firewalls

By default a firewall interface does not answer ping. Enabling it with `service-manage ping permit` is not enough on its own: the interface must also be added to a security zone, otherwise the firewall drops traffic on it and the ping still fails.

FW1

<USG6000V1>undo ter mo
Info: Current terminal monitor is off.
<USG6000V1>sy
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sy fw1
[fw1]int g1/0/1
[fw1-GigabitEthernet1/0/1]ip addr 192.168.1.100 24
[fw1-GigabitEthernet1/0/1]int g1/0/0
[fw1-GigabitEthernet1/0/0]ip addr 200.1.1.1 24
[fw1-GigabitEthernet1/0/0]firewall zone trust
[fw1-zone-trust]add int g1/0/1
[fw1-zone-trust]firewall zone untrust
[fw1-zone-untrust]add int g1/0/0
[fw1-zone-untrust]dis th
2020-07-31 01:21:28.930
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
return
[fw1-zone-untrust]q
[fw1]int g1/0/0
[fw1-GigabitEthernet1/0/0]service-manage ping permit
[fw1-GigabitEthernet1/0/0]q
[fw1]ip route-static 0.0.0.0 0 200.1.1.100

FW2

<USG6000V1>undo ter mo
Info: Current terminal monitor is off.
<USG6000V1>sy
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sy fw2
[fw2]int g1/0/0
[fw2-GigabitEthernet1/0/0]ip addr 200.1.2.1 24
[fw2-GigabitEthernet1/0/0]service-manage ping permit
[fw2-GigabitEthernet1/0/0]q
[fw2]firewall zone untrust
[fw2-zone-untrust]add int g1/0/0
[fw2-zone-untrust]q
[fw2]int g1/0/1
[fw2-GigabitEthernet1/0/1]ip addr 192.168.2.100 24
[fw2-GigabitEthernet1/0/1]q
[fw2]firewall zone trust
[fw2-zone-trust]add int g1/0/1
[fw2-zone-trust]q
[fw2]ip route-static 0.0.0.0 0 200.1.2.100

ISP router

<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy isp
[isp]int g0/0/0
[isp-GigabitEthernet0/0/0]ip addr 200.1.1.100 24
[isp-GigabitEthernet0/0/0]q
[isp]int g0/0/1
[isp-GigabitEthernet0/0/1]ip addr 200.1.2.100 24
[isp-GigabitEthernet0/0/1]q
[isp]in loo0
[isp-LoopBack0]ip addr 100.1.1.1 32

Connectivity test

fw1:

[fw1]security-policy
[fw1-policy-security]rule name ping
[fw1-policy-security-rule-ping]source-zone local
[fw1-policy-security-rule-ping]destination-zone untrust
[fw1-policy-security-rule-ping]service icmp
[fw1-policy-security-rule-ping]action permit
[fw1-policy-security-rule-ping]ping 200.1.2.1    // this is FW2's outside interface; ping was permitted on it with service-manage, so it answers
  PING 200.1.2.1: 56  data bytes, press CTRL_C to break
    Reply from 200.1.2.1: bytes=56 Sequence=1 ttl=254 time=11 ms
    Reply from 200.1.2.1: bytes=56 Sequence=2 ttl=254 time=11 ms
    Reply from 200.1.2.1: bytes=56 Sequence=3 ttl=254 time=10 ms
    Reply from 200.1.2.1: bytes=56 Sequence=4 ttl=254 time=10 ms
    Reply from 200.1.2.1: bytes=56 Sequence=5 ttl=254 time=10 ms

  --- 200.1.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
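Two prerequisites are easy to forget when this is configured by hand: an interface answers ping only if `service-manage ping permit` is set and the interface is in a zone, and the firewall's own ping only leaves through a zone pair that a security-policy rule permits (here local to untrust, ICMP). The following Python script is an added example, not part of the original lab or any Huawei tooling: it parses a constructed `display current-configuration`-style dump of FW1 (written to mirror the commands above) with a minimal hand-written parser, flags interfaces with an address or ping permit that belong to no zone and a missing default route, and reports whether a permit rule exists for the device's own ICMP towards a given zone. The sample config text and the function names are assumptions for illustration.

```python
"""Audit a USG-style firewall config for the lab's ping prerequisites.
Added example with a hand-written parser; FW1_CONFIG is constructed
to match the lab commands, rendered as `display current-configuration`."""

# Constructed sample: FW1 as configured in the lab (blocks are separated by '#').
FW1_CONFIG = """\
#
sysname fw1
#
interface GigabitEthernet1/0/0
 ip address 200.1.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 ip address 192.168.1.100 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.100
#
security-policy
 rule name ping
  source-zone local
  destination-zone untrust
  service icmp
  action permit
#
return
"""


def parse_config(text):
    """Split the dump into '#'-delimited blocks and pull out interfaces,
    zones, security-policy rules and static routes."""
    cfg = {"interfaces": {}, "zones": {}, "rules": [], "routes": []}
    blocks, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line and line != "return":
            cur.append(line)
    if cur:
        blocks.append(cur)

    for block in blocks:
        head = block[0]
        if head.startswith("interface "):
            iface = {"ip": None, "ping": False}
            for line in block[1:]:
                if line.startswith("ip address "):
                    iface["ip"] = line.split()[2]
                elif line == "service-manage ping permit":
                    iface["ping"] = True
            cfg["interfaces"][head.split(None, 1)[1]] = iface
        elif head.startswith("firewall zone "):
            members = [l.split(None, 2)[2] for l in block[1:]
                       if l.startswith("add interface ")]
            cfg["zones"][head.split(None, 2)[2]] = members
        elif head == "security-policy":
            rule = None
            for line in block[1:]:
                if line.startswith("rule name "):
                    rule = {"name": line.split(None, 2)[2], "source-zone": [],
                            "destination-zone": [], "service": [], "action": None}
                    cfg["rules"].append(rule)
                elif rule is not None:
                    key, _, val = line.partition(" ")
                    if key in ("source-zone", "destination-zone", "service"):
                        rule[key].append(val)      # repeated keys accumulate
                    elif key == "action":
                        rule["action"] = val
        for line in block:
            if line.startswith("ip route-static "):
                cfg["routes"].append(line.split()[2:])  # [dest, mask, nexthop]
    return cfg


def zone_of(cfg, iface):
    """Name of the zone containing iface, or None if it is unassigned."""
    for zone, members in cfg["zones"].items():
        if iface in members:
            return zone
    return None


def audit(cfg):
    """Return human-readable findings; an empty list means the lab
    prerequisites for reachability are all satisfied."""
    findings = []
    for name, iface in cfg["interfaces"].items():
        zone = zone_of(cfg, name)
        if iface["ip"] and zone is None:
            findings.append(f"{name} ({iface['ip']}) is in no security zone: "
                            "the firewall drops traffic on it")
        if iface["ping"] and zone is None:
            findings.append(f"{name} has 'service-manage ping permit' but no "
                            "zone, so it still will not answer ping")
    if not any(r[0] == "0.0.0.0" and r[1] in ("0", "0.0.0.0") for r in cfg["routes"]):
        findings.append("no default route: replies to remote networks have no path")
    return findings


def can_ping_from_local(cfg, dest_zone):
    """True if some permit rule lets the device's own ICMP (zone 'local')
    reach dest_zone. An empty match list on a USG rule means 'any'."""
    for r in cfg["rules"]:
        if r["action"] != "permit":
            continue
        if r["source-zone"] and not {"local", "any"} & set(r["source-zone"]):
            continue
        if r["destination-zone"] and not {dest_zone, "any"} & set(r["destination-zone"]):
            continue
        if r["service"] and not {"icmp", "any"} & set(r["service"]):
            continue
        return True
    return False


if __name__ == "__main__":
    cfg = parse_config(FW1_CONFIG)
    print(audit(cfg) or "no findings")
    print("local -> untrust ICMP permitted:", can_ping_from_local(cfg, "untrust"))
```

Running it on the constructed FW1 dump yields no findings and reports that ICMP from the local zone to untrust is permitted; deleting the `add interface GigabitEthernet1/0/0` line from the untrust zone reproduces the caveat at the top of the page, with the interface flagged twice (no zone, and ping permit that cannot take effect).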