Comprehensive Firewall Lab

I. Lab Objectives and Topology

Lab objectives:

1. Deploy two firewalls in the intranet in hot-standby (dual-system backup) mode.

2. Configure two virtual systems on the firewalls: VRF_A for PC1 and the server, VRF_B for PC2; access to the server is provided inside the virtual firewalls.

3. PC1 reaches the Internet through firewall 1, PC2 through firewall 2.

4. Map the server to the Internet with NAT Server so that external hosts can reach the internal server.

5. Create a super user on the VRF_A virtual firewall, then configure the corresponding security functions.

II. Basic Configuration

(i) Switching Network Configuration

1. Create the trunk link Eth-Trunk12 between switch 1 and switch 2, containing g0/0/21 and g0/0/22; set it to trunk and allow all VLANs.

[S1-Eth-Trunk12]dis th
#
interface Eth-Trunk12
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 stp edged-port disable
 mode lacp-static

 trunkport g0/0/21

 trunkport g0/0/22
#

2. Set g0/0/23 on switch 1 and g0/0/24 on switch 2 as trunk ports and allow all VLANs.

3. Set g0/0/23 and g0/0/24 on switch 3 as trunk ports and allow all VLANs.

port-group group-member g0/0/23 g0/0/24
port link-type trunk
port trunk allow-pass vlan all

4. Set g0/0/1, g0/0/2 and g0/0/3 on switch 3 as access ports in VLANs 10, 20 and 100 respectively.

5. Use port g0/0/12 on switch 1 and switch 2 as the heartbeat link between the two firewalls: access port, VLAN 254.

6. Tune the STP configuration on switch 1, switch 2 and switch 3.

[S2-mst-region]dis th
#
stp region-configuration
 region-name MST
 revision-level 1
 instance 1 vlan 10 100
 instance 2 vlan 20
 active region-configuration
#

[S1]stp instance 1 root primary 

[S1]stp instance 2 root secondary 

[S2]stp instance 1 root secondary 

[S2]stp instance 2 root primary 

[S1]port-group group-member g0/0/23 Eth-Trunk 12

[S1-port-group]stp edged-port disable

[S1]stp edged-port default 

[S3]port-group group-member g0/0/23 g0/0/24

[S3-port-group]stp edged-port disable 

[S3]stp edged-port default

7. Put g0/0/1 of switch 1 and switch 2 into VLANs 121 and 131, which carry the Vlanif121 and Vlanif131 interfaces facing the external router R1.

[S1-GigabitEthernet0/0/1]dis th
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 121
#

[S2-GigabitEthernet0/0/1]dis th
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 131
#

III. Detailed Configuration

(i) Firewall Hot-Standby (HRP) Configuration

1. Use g1/0/2 and the corresponding switch port as the heartbeat link.

[FW1-GigabitEthernet1/0/2]ip add 10.0.0.12 24

[FW1]firewall zone dmz
[FW1-zone-dmz]add int g1/0/2

[FW1]hrp interface G1/0/2 remote 10.0.0.13

[FW1]hrp enable

HRP_S[FW1]hrp mirror session enable

HRP_M[FW1]dis hrp state
2024-08-02 02:00:20.100 
 Role: active, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 2 minutes
 Last state change information: 2024-08-02 1:57:49 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.

2. On firewall 1 (master), create Eth-Trunk1 and add ports 0 and 1 to it, with LACP mode and trunk link type. Create VLANs 10/20/100 on the firewall, enable them, and assign them to the corresponding virtual systems.

HRP_M[FW1-Eth-Trunk1]dis th
#
interface Eth-Trunk1
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 mode lacp-static
#

HRP_M[FW1]vlan batch 10 20 100

HRP_M[FW1]vlan 10

HRP_M[FW1]vsys name VRF_A

HRP_M[FW1-vsys-VRF_A]dis th
#
vsys name VRF_A 1
 assign vlan 10
 assign vlan 100
#

HRP_M[FW1]vsys name VRF_B

HRP_M[FW1-vsys-VRF_B]DIS TH
#
vsys name VRF_B 2
 assign vlan 20
#

Configuration on firewall 2:

HRP_S[FW2]hrp standby config enable

HRP_S[FW2]dis ip vpn-instance interface 
2024-08-02 07:36:59.830 
 Total VPN-Instances configured      : 3

 VPN-Instance Name and ID : VRF_A, 1
  Interface Number : 3 
  Interface list : Virtual-if1, 
                   Vlanif10, 
                   Vlanif100

 VPN-Instance Name and ID : VRF_B, 2
  Interface Number : 2 
  Interface list : Virtual-if2, 
                   Vlanif20

 VPN-Instance Name and ID : default, 21
  Interface Number : 1 
  Interface list : GigabitEthernet0/0/0

(ii) Create the virtual systems VRF_A and VRF_B, add the corresponding sub-interfaces to them, and set addresses and zones

HRP_M[FW1]dis ip vpn-instance interface 
2024-08-02 08:30:08.160 
 Total VPN-Instances configured      : 3

 VPN-Instance Name and ID : VRF_A, 1
  Interface Number : 3 
  Interface list : Virtual-if1, 
                   Vlanif10, 
                   Vlanif100

 VPN-Instance Name and ID : VRF_B, 2
  Interface Number : 2 
  Interface list : Virtual-if2, 
                   Vlanif20

 VPN-Instance Name and ID : default, 21
  Interface Number : 1 
  Interface list : GigabitEthernet0/0/0

HRP_M[FW1]switch vsys VRF_A
HRP_M<FW1-VRF_A>DIS zone 
2024-08-02 08:33:39.910 
vpn-instance VRF_A local
 priority is 100
 interface of the zone is (0):
#
vpn-instance VRF_A trust
 priority is 85
 interface of the zone is (1):
    Vlanif10
#
vpn-instance VRF_A untrust
 priority is 5
 interface of the zone is (1):
    Virtual-if1
#
vpn-instance VRF_A dmz
 priority is 50
 interface of the zone is (1):
    Vlanif100
#

HRP_M[FW1]switch vsys VRF_B
HRP_M<FW1-VRF_B>DIS zone 
2024-08-02 08:34:41.640 
vpn-instance VRF_B local
 priority is 100
 interface of the zone is (0):
#
vpn-instance VRF_B trust
 priority is 85
 interface of the zone is (1):
    Vlanif20
#
vpn-instance VRF_B untrust
 priority is 5
 interface of the zone is (1):
    Virtual-if2
#
vpn-instance VRF_B dmz
 priority is 50
 interface of the zone is (0):
#

(iii) Configure VRRP on the Vlanif interfaces so that the two firewalls back each other up

HRP_M[FW1-Vlanif10]dis th
#
interface Vlanif10
 ip binding vpn-instance VRF_A
 ip address 10.1.10.12 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.10.254 active
#

HRP_S[FW2-Vlanif10]dis th
#
interface Vlanif10
 ip binding vpn-instance VRF_A
 ip address 10.1.10.13 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.10.254 standby
#

HRP_M[FW1-Vlanif20]dis th
#
interface Vlanif20
 ip binding vpn-instance VRF_B
 ip address 10.1.20.12 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.20.254 standby
#

HRP_S[FW2-Vlanif20]dis th
#
interface Vlanif20
 ip binding vpn-instance VRF_B
 ip address 10.1.20.13 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.20.254 active
#

HRP_M[FW1-Vlanif100]dis th
#
interface Vlanif100
 ip binding vpn-instance VRF_A
 ip address 10.1.100.12 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.100.254 active
#

HRP_S[FW2-Vlanif100]dis th
#
interface Vlanif100
 ip binding vpn-instance VRF_A
 ip address 10.1.100.13 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.100.254 standby
#
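Added example, not part of the lab write-up: a small Python check that parses the Vlanif blocks of both firewalls as shown above and verifies that each VRRP group has the same vrid and virtual IP on both sides, one active and one standby role, and distinct real addresses inside the virtual IP's subnet; it also reports which firewall forwards each VLAN, matching objective 3 (PC1 via firewall 1, PC2 via firewall 2). The function names and the sample strings (vpn-instance lines omitted) are the example's own.

```python
import ipaddress
import re

FW1 = """interface Vlanif10
 ip address 10.1.10.12 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.10.254 active
interface Vlanif20
 ip address 10.1.20.12 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.20.254 standby
interface Vlanif100
 ip address 10.1.100.12 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.100.254 active
"""  # sample input: FW1 Vlanif blocks copied from the lab (vpn-instance lines omitted)
FW2 = """interface Vlanif10
 ip address 10.1.10.13 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.10.254 standby
interface Vlanif20
 ip address 10.1.20.13 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.20.254 active
interface Vlanif100
 ip address 10.1.100.13 255.255.255.0
 vrrp vrid 3 virtual-ip 10.1.100.254 standby
"""  # sample input: FW2 Vlanif blocks copied from the lab (vpn-instance lines omitted)

def parse_vrrp(conf):
    # Map Vlanif name -> {ip, vrid, vip, role} from a VRP "display this" style dump.
    result, cur = {}, {}
    for line in conf.splitlines():
        if m := re.match(r"interface (Vlanif\d+)", line):
            cur = result.setdefault(m.group(1), {})
        elif m := re.match(r"\s*ip address (\S+) (\S+)", line):
            cur["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"\s*vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", line):
            cur.update(vrid=int(m.group(1)), vip=ipaddress.ip_address(m.group(2)), role=m.group(3))
    return result

def check_pair(fw1, fw2):
    # Problems found; an empty list means every VRRP group is mirrored by the peer firewall.
    problems = []
    for name in sorted(set(fw1) | set(fw2)):
        a, b = fw1.get(name, {}), fw2.get(name, {})
        if "vrid" not in a or "vrid" not in b or (a["vrid"], a["vip"]) != (b["vrid"], b["vip"]):
            problems.append(f"{name}: VRRP group missing on one side or vrid/virtual-ip differ")
        elif {a["role"], b["role"]} != {"active", "standby"}:
            problems.append(f"{name}: roles are {a['role']}/{b['role']}, need one active and one standby")
        elif a["ip"].ip == b["ip"].ip or any(x["vip"] not in x["ip"].network for x in (a, b)):
            problems.append(f"{name}: real and virtual addresses must be distinct and in one subnet")
    return problems

def active_firewall(fw1, fw2):
    # Which firewall forwards each VLAN's traffic: the side whose VRRP role is active.
    return {n: ("FW1" if fw1[n]["role"] == "active" else "FW2") for n in fw1}
```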

(iv) Configure access between the virtual firewalls so that the PCs and the server can reach each other

1. Configure the following static routes in the firewall root system

#
ip route-static 10.1.10.0 255.255.255.0 vpn-instance VRF_A
ip route-static 10.1.20.0 255.255.255.0 vpn-instance VRF_B
ip route-static vpn-instance VRF_A 10.1.20.0 255.255.255.0 vpn-instance VRF_B
ip route-static vpn-instance VRF_B 10.1.10.0 255.255.255.0 vpn-instance VRF_A
ip route-static vpn-instance VRF_B 10.1.100.0 255.255.255.0 vpn-instance VRF_A
#

2. Configure a static route in each virtual system

HRP_M[FW1-VRF_A]IP route-static 0.0.0.0 0 public 

HRP_M[FW1-VRF_B]ip route-static 0.0.0.0 0 public 

3. Configure the security policy in each virtual system

HRP_M[FW1-VRF_A-policy-security]dis th
#
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name IN_TO_DMZ
  source-zone trust
  destination-zone dmz
  source-address 10.1.10.0 mask 255.255.255.0
  destination-address 10.1.100.0 mask 255.255.255.0
  service protocol icmp
  service protocol tcp destination-port 21
  service protocol tcp destination-port 80
  action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  source-address 10.1.10.0 mask 255.255.255.0
  action permit
 rule name OUT_TO_DMZ
  source-zone untrust
  destination-zone dmz
  destination-address 10.1.100.0 mask 255.255.255.0
  action permit
#

HRP_M[FW1-VRF_B-policy-security]dis th
#
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  source-address 10.1.20.0 mask 255.255.255.0
  action permit
#

(v) Internet access and NAT

1. Add Vlanif121 and Vlanif131 on the two firewalls to the untrust zone and assign IP addresses for the interconnection with R1

2. Configure the interface zones on firewall 1

HRP_M[FW1-zone-trust]dis th
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface Virtual-if0
#

3. Configure NAT so that PC1 and PC2 use the external interface address of firewall 1 and firewall 2 respectively when accessing the Internet

HRP_M[FW1-policy-nat]dis th
2024-08-05 06:17:33.300 
#
nat-policy
 rule name EASY_IP
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.0.0
  action source-nat easy-ip
#

(vi) Configure routes so that the Internet can reach the server in the DMZ of virtual firewall A, configure NAT Server, and configure the security policy

1. Routes

HRP_M[FW1]ip route-static 10.1.0.0 16 vpn-instance VRF_A

HRP_S[FW2]ip route-static 10.1.0.0 16 vpn-instance VRF_A

2. NAT Server

#
 nat server 0 protocol tcp global 155.1.131.10 www inside 10.1.100.100 www no-reverse unr-route
 nat server 1 protocol tcp global 155.1.121.10 www inside 10.1.100.100 www no-reverse unr-route
#

3. Security policy

HRP_M[FW1-policy-security]dis th
2024-08-05 06:31:31.900 
#
security-policy
 default action permit
 rule name IN_TO_OUT
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.0.0
  action permit
 rule name OUT_TO_IN
  source-zone untrust
  destination-zone trust
  destination-address 10.1.0.10 mask 255.255.255.255
  service protocol tcp destination-port 80
  action permit
#
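Added example, not part of the lab write-up: the root-system policy above sets `default action permit`, and its OUT_TO_IN rule permits only 10.1.0.10/32 while the NAT server maps to inside address 10.1.100.100. The script parses that policy (sample copied from the block above, IN_TO_OUT rule omitted), evaluates rules top-down as the firewall does, and reports both points; `parse_policy`, `first_match` and `audit` are the example's own names.

```python
import ipaddress

POLICY = """security-policy
 default action permit
 rule name OUT_TO_IN
  source-zone untrust
  destination-zone trust
  destination-address 10.1.0.10 mask 255.255.255.255
  service protocol tcp destination-port 80
  action permit
"""  # sample input: the root-system policy from the lab write-up (IN_TO_OUT rule omitted)

def parse_policy(text):
    # Returns (default_action, rules); default_action is None when the policy does not set it.
    default, rules, cur = None, [], None
    for w in (line.split() for line in text.splitlines()):
        if w[:2] == ["default", "action"]:
            default = w[2]
        elif w[:2] == ["rule", "name"]:
            cur = {"name": w[2], "src": [], "dst": [], "svc": [], "action": None}
            rules.append(cur)
        elif not w or cur is None:
            continue
        elif w[0].endswith("-zone"):
            cur[w[0]] = w[1]
        elif w[0].endswith("-address"):  # "<addr> mask <netmask>" -> ip_network
            cur["dst" if w[0][0] == "d" else "src"].append(ipaddress.ip_network(f"{w[1]}/{w[3]}", strict=False))
        elif w[:2] == ["service", "protocol"]:  # port is absent for icmp
            cur["svc"].append((w[2], int(w[4]) if len(w) > 4 else None))
        elif w[0] == "action":
            cur["action"] = w[1]
    return default, rules

def first_match(rules, src_zone, dst_zone, dst_ip, proto, port):
    # First rule whose zones, destination addresses and services all cover the flow (rules are ordered).
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        zones_ok = (r.get("source-zone", src_zone), r.get("destination-zone", dst_zone)) == (src_zone, dst_zone)
        addr_ok = not r["dst"] or any(ip in n for n in r["dst"])
        svc_ok = not r["svc"] or bool({(proto, port), (proto, None)} & set(r["svc"]))
        if zones_ok and addr_ok and svc_ok:
            return r
    return None

def audit(text, nat_inside="10.1.100.100", port=80):
    # Two checks for this lab: the default action, and whether the NAT server inside address is explicitly permitted.
    default, rules = parse_policy(text)
    findings = ["default action permit: unmatched flows are allowed, so the rules restrict nothing"] if default == "permit" else []
    m = first_match(rules, "untrust", "trust", nat_inside, "tcp", port)
    if m is None or m["action"] != "permit":
        findings.append(f"no explicit permit rule covers NAT server inside address {nat_inside}:{port} from untrust")
    return findings
```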

(vii) Create a user in virtual system VRF_A and configure the corresponding functions

HRP_M[FW1-VRF_A]aaa

HRP_M[FW1-VRF_A-aaa]manager-user QUW@@VRF_A (+B)

HRP_M[FW1-VRF_A-aaa-manager-user-QUW@@VRF_A]password cipher Huawei@123 (+B)

HRP_M[FW1-VRF_A-aaa-manager-user-QUW@@VRF_A]service-type web (+B)

HRP_M[FW1-VRF_A-aaa]bind manager-user QUW@@VRF_A role system-admin  (+B)

1. Antivirus

Download the template, modify it, then import it

Modify the security policy

2. URL filtering

Modify the security policy

3. Intrusion prevention configuration

IV. Verification

1. Access between virtual systems

PC1 and the server, both in virtual system VRF_A, can reach each other

PC>ping 10.1.100.100

Ping 10.1.100.100: 32 data bytes, Press Ctrl_C to break
From 10.1.100.100: bytes=32 seq=1 ttl=254 time=140 ms

PC2 in virtual system VRF_B and the server in virtual system VRF_A can reach each other

PC>ping 10.1.100.100

Ping 10.1.100.100: 32 data bytes, Press Ctrl_C to break
From 10.1.100.100: bytes=32 seq=1 ttl=253 time=94 ms
From 10.1.100.100: bytes=32 seq=2 ttl=253 time=125 ms

2. Intranet to Internet access

PC1 in virtual system VRF_A reaches the Internet through VRF_A and the root-system interface 155.1.121.12 of firewall 1

PC>tracert 150.1.1.1

traceroute to 150.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.1.10.12   47 ms  93 ms  78 ms
 2    *  *  *
 3  150.1.1.1   94 ms  110 ms  125 ms

PC2 in virtual system VRF_B reaches the Internet through VRF_B and the root-system interface 155.1.131.13 of firewall 2

PC>tracert 150.1.1.1

traceroute to 150.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.1.20.13   63 ms  78 ms  62 ms
 2    *  *  *
 3  150.1.1.1   110 ms  94 ms  125 ms

3. Access to the internal server from the Internet via the different mapped addresses

HRP_M<FW1-VRF_A>dis firewall session table 
2024-08-05 06:53:05.550 
 Current Total Sessions : 1
 http  VPN: VRF_A --> VRF_A  155.1.1.10:2056 --> 10.1.100.100:80

4. Function settings on the virtual firewall
