I. Lab objectives and topology
Objectives:
1. Deploy two firewalls on the internal network as a hot-standby pair (HRP).
2. Create two virtual systems on the firewalls: VRF_A holds PC1 and the server, VRF_B holds PC2; access to the server is provided from inside the virtual firewalls.
3. PC1 reaches the external network through firewall 1, PC2 through firewall 2.
4. Publish the server to the external network with NAT SERVER so that external hosts can reach the internal server.
5. Create an administrator user on the virtual firewall VRF_A and configure the corresponding features.
II. Basic configuration
(1) Switched network
1. Between switch 1 and switch 2 create the link aggregation Eth-Trunk12 with members g0/0/21 and g0/0/22, set it to trunk and allow all VLANs through.
[S1-Eth-Trunk12]dis th
#
interface Eth-Trunk12
port link-type trunk
port trunk allow-pass vlan 2 to 4094
stp edged-port disable
mode lacp-static
trunkport g0/0/21
trunkport g0/0/22
#
2. Set g0/0/23 on switch 1 and g0/0/24 on switch 2 as trunk ports that allow all VLANs through.
3. Set g0/0/23 and g0/0/24 on switch 3 as trunk ports that allow all VLANs through.
port-group group-member g0/0/23 g0/0/24
port link-type trunk
port trunk allow-pass vlan all
4. Set g0/0/1, g0/0/2 and g0/0/3 on switch 3 as access ports in VLAN 10, 20 and 100 respectively.
5. Use g0/0/12 on switch 1 and switch 2 as the heartbeat link between the two firewalls: access port, VLAN 254.
6. Tune the STP configuration on switch 1, switch 2 and switch 3.
[S2-mst-region]dis th
#
stp region-configuration
region-name MST
revision-level 1
instance 1 vlan 10 100
instance 2 vlan 20
active region-configuration
#
[S1]stp instance 1 root primary
[S1]stp instance 2 root secondary
[S2]stp instance 1 root secondary
[S2]stp instance 2 root primary
[S1]port-group group-member g0/0/23 Eth-Trunk 12
[S1-port-group]stp edged-port disable
[S1]stp edged-port default
[S3]port-group group-member g0/0/23 g0/0/24
[S3-port-group]stp edged-port disable
[S3]stp edged-port default
7. On g0/0/1 of switch 1 and switch 2 configure the access VLANs 121 and 131 (Vlanif121 / Vlanif131) facing the external router R1.
[S1-GigabitEthernet0/0/1]dis th
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 121
#
[S2-GigabitEthernet0/0/1]dis th
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 131
#
III. Detailed configuration
(1) Firewall hot standby (HRP)
1. Use g1/0/2 and the corresponding switch port as the heartbeat link
[FW1-GigabitEthernet1/0/2]ip add 10.0.0.12 24
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g1/0/2
[FW1]hrp interface G1/0/2 remote 10.0.0.13
[FW1]hrp enable
HRP_S[FW1]hrp mirror session enable
HRP_M[FW1]dis hrp state
2024-08-02 02:00:20.100
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 2 minutes
Last state change information: 2024-08-02 1:57:49 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.
2. On firewall 1 (master) create Eth-Trunk1 with ports 0 and 1 as members, mode LACP, link type trunk. Create VLANs 10/20/100 on the firewall, enable them and assign them to the corresponding virtual systems.
HRP_M[FW1-Eth-Trunk1]dis th
#
interface Eth-Trunk1
portswitch
port link-type trunk
port trunk allow-pass vlan 2 to 4094
mode lacp-static
#
HRP_M[FW1]vlan batch 10 20 100
HRP_M[FW1]vlan 10
HRP_M[FW1]vsys name VRF_A
HRP_M[FW1-vsys-VRF_A]dis th
#
vsys name VRF_A 1
assign vlan 10
assign vlan 100
#
HRP_M[FW1]vsys name VRF_B
HRP_M[FW1-vsys-VRF_B]DIS TH
#
vsys name VRF_B 2
assign vlan 20
#
Configuration on firewall 2
HRP_S[FW2]hrp standby config enable
HRP_S[FW2]dis ip vpn-instance interface
2024-08-02 07:36:59.830
Total VPN-Instances configured : 3
VPN-Instance Name and ID : VRF_A, 1
Interface Number : 3
Interface list : Virtual-if1,
Vlanif10,
Vlanif100
VPN-Instance Name and ID : VRF_B, 2
Interface Number : 2
Interface list : Virtual-if2,
Vlanif20
VPN-Instance Name and ID : default, 21
Interface Number : 1
Interface list : GigabitEthernet0/0/0
(2) Create the virtual systems VRF_A and VRF_B, assign the corresponding interfaces to them, and configure addresses and zones
HRP_M[FW1]vsys name VRF_A
HRP_M[FW1-vsys-VRF_A]dis th
#
vsys name VRF_A 1
assign vlan 10
assign vlan 100
#
HRP_M[FW1]vsys name VRF_B
HRP_M[FW1-vsys-VRF_B]DIS TH
#
vsys name VRF_B 2
assign vlan 20
#
HRP_M[FW1]dis ip vpn-instance interface
2024-08-02 08:30:08.160
Total VPN-Instances configured : 3
VPN-Instance Name and ID : VRF_A, 1
Interface Number : 3
Interface list : Virtual-if1,
Vlanif10,
Vlanif100
VPN-Instance Name and ID : VRF_B, 2
Interface Number : 2
Interface list : Virtual-if2,
Vlanif20
VPN-Instance Name and ID : default, 21
Interface Number : 1
Interface list : GigabitEthernet0/0/0
HRP_M[FW1]switch vsys VRF_A
HRP_M<FW1-VRF_A>DIS zone
2024-08-02 08:33:39.910
vpn-instance VRF_A local
priority is 100
interface of the zone is (0):
#
vpn-instance VRF_A trust
priority is 85
interface of the zone is (1):
Vlanif10
#
vpn-instance VRF_A untrust
priority is 5
interface of the zone is (1):
Virtual-if1
#
vpn-instance VRF_A dmz
priority is 50
interface of the zone is (1):
Vlanif100
#
HRP_M[FW1]switch vsys VRF_B
HRP_M<FW1-VRF_B>DIS zone
2024-08-02 08:34:41.640
vpn-instance VRF_B local
priority is 100
interface of the zone is (0):
#
vpn-instance VRF_B trust
priority is 85
interface of the zone is (1):
Vlanif20
#
vpn-instance VRF_B untrust
priority is 5
interface of the zone is (1):
Virtual-if2
#
vpn-instance VRF_B dmz
priority is 50
interface of the zone is (0):
#
(3) Configure VRRP on the Vlanif interfaces so that the two firewalls back each other up
HRP_M[FW1-Vlanif10]dis th
#
interface Vlanif10
ip binding vpn-instance VRF_A
ip address 10.1.10.12 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.254 active
#
HRP_S[FW2-Vlanif10]dis th
#
interface Vlanif10
ip binding vpn-instance VRF_A
ip address 10.1.10.13 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.254 standby
#
HRP_M[FW1-Vlanif20]dis th
#
interface Vlanif20
ip binding vpn-instance VRF_B
ip address 10.1.20.12 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.20.254 standby
#
HRP_S[FW2-Vlanif20]dis th
#
interface Vlanif20
ip binding vpn-instance VRF_B
ip address 10.1.20.13 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.20.254 active
#
HRP_M[FW1-Vlanif100]dis th
#
interface Vlanif100
ip binding vpn-instance VRF_A
ip address 10.1.100.12 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.100.254 active
#
HRP_S[FW2-Vlanif100]dis th
#
interface Vlanif100
ip binding vpn-instance VRF_A
ip address 10.1.100.13 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.100.254 standby
#
(4) Configure traffic between the virtual firewalls so that the PCs and the server can reach each other
1. Configure the following static routes in the firewall root system
#
ip route-static 10.1.10.0 255.255.255.0 vpn-instance VRF_A
ip route-static 10.1.20.0 255.255.255.0 vpn-instance VRF_B
ip route-static vpn-instance VRF_A 10.1.20.0 255.255.255.0 vpn-instance VRF_B
ip route-static vpn-instance VRF_B 10.1.10.0 255.255.255.0 vpn-instance VRF_A
ip route-static vpn-instance VRF_B 10.1.100.0 255.255.255.0 vpn-instance VRF_A
#
2. Configure static routes in each virtual system
HRP_M[FW1-VRF_A]IP route-static 0.0.0.0 0 public
HRP_M[FW1-VRF_B]ip route-static 0.0.0.0 0 public
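The static routes above hand packets from one system's routing table to another (a next hop of `vpn-instance X` or `public` means "look the destination up again in that system"). The following longest-prefix-match simulation is an added example and not part of the lab report; it transcribes the route tables from steps 1 and 2 (plus the `10.1.0.0 16` route added later in part (6)), treats the Vlanif prefixes as connected routes, and assumes a default route toward R1 in the public system, which the report does not show. PC addresses such as 10.1.20.2 are constructed.

```python
# Added example (not from the lab report): per-virtual-system route lookup.
# Assumptions: a next hop of "vpn-instance X" / "public" re-runs the lookup in
# that system's table; Vlanif prefixes are connected routes; the public system
# has a default route toward R1 (not shown in the report).
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Each table is a list of (prefix, next hop). A next hop naming another
# system means "look up again there"; anything else is an exit.
TABLES: Dict[str, List[Tuple[str, str]]] = {
    "public": [
        ("10.1.10.0/24", "vpn-instance VRF_A"),
        ("10.1.20.0/24", "vpn-instance VRF_B"),
        ("10.1.0.0/16", "vpn-instance VRF_A"),        # added in part (6)
        ("0.0.0.0/0", "R1 (assumed default route)"),  # assumption
    ],
    "VRF_A": [
        ("10.1.10.0/24", "connected Vlanif10"),
        ("10.1.100.0/24", "connected Vlanif100"),
        ("10.1.20.0/24", "vpn-instance VRF_B"),
        ("0.0.0.0/0", "public"),
    ],
    "VRF_B": [
        ("10.1.20.0/24", "connected Vlanif20"),
        ("10.1.10.0/24", "vpn-instance VRF_A"),
        ("10.1.100.0/24", "vpn-instance VRF_A"),
        ("0.0.0.0/0", "public"),
    ],
}


def lookup(table: str, dst: str) -> Tuple[str, str]:
    """Longest-prefix match of dst in one system's table -> (prefix, next hop)."""
    addr = ip_address(dst)
    best = None
    for prefix, nh in TABLES[table]:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise LookupError(f"no route for {dst} in {table}")
    return str(best[0]), best[1]


def forward_path(start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Systems visited from `start` until an exit next hop; the exit is appended last."""
    path = [start]
    table = start
    for _ in range(max_hops):
        _prefix, nh = lookup(table, dst)
        if nh == "public":
            table = "public"
        elif nh.startswith("vpn-instance "):
            table = nh.split(" ", 1)[1]
        else:
            path.append(nh)
            return path
        if table in path:
            raise RuntimeError(f"routing loop: {path + [table]}")
        path.append(table)
    raise RuntimeError("too many hops")


if __name__ == "__main__":
    print(forward_path("VRF_B", "10.1.100.100"))   # PC2 -> server via VRF_A
    print(forward_path("VRF_A", "10.1.20.2"))      # server/PC1 -> PC2 via VRF_B
    print(forward_path("VRF_A", "150.1.1.1"))      # PC1 -> Internet via public
```

The reverse path (VRF_A back to 10.1.20.0/24) is what the `ip route-static vpn-instance VRF_A 10.1.20.0 ... vpn-instance VRF_B` route provides; without it the PC2-to-server ping in part IV would have no return route. One thing the simulator also shows with these tables: a destination inside 10.1.0.0/16 that belongs to none of the three subnets is sent by the public table into VRF_A and by VRF_A's default route back to public, which the simulator reports as a loop; how the real device treats such packets is not shown in the report.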
3. Configure security policies in each virtual system
HRP_M[FW1-VRF_A-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name IN_TO_DMZ
source-zone trust
destination-zone dmz
source-address 10.1.10.0 mask 255.255.255.0
destination-address 10.1.100.0 mask 255.255.255.0
service protocol icmp
service protocol tcp destination-port 21
service protocol tcp destination-port 80
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone untrust
source-address 10.1.10.0 mask 255.255.255.0
action permit
rule name OUT_TO_DMZ
source-zone untrust
destination-zone dmz
destination-address 10.1.100.0 mask 255.255.255.0
action permit
#
HRP_M[FW1-VRF_B-policy-security]dis th
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone untrust
source-address 10.1.20.0 mask 255.255.255.0
action permit
#
(5) Internet access and NAT
1. Add Vlanif121 and Vlanif131 of the two firewalls to the untrust zone and assign the IP addresses that connect to R1
2. Configure the interface zones on firewall 1
HRP_M[FW1-zone-trust]dis th
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Virtual-if0
#
3. Configure NAT so that PC1 and PC2 use the external interface addresses of firewall 1 and firewall 2 respectively when accessing the Internet
HRP_M[FW1-policy-nat]dis th
2024-08-05 06:17:33.300
#
nat-policy
rule name EASY_IP
source-zone trust
destination-zone untrust
source-address 10.1.0.0 mask 255.255.0.0
action source-nat easy-ip
#
(6) Configure the routes that let the external network reach the server in the DMZ of virtual firewall A, configure NAT SERVER, and set the security policy
1. Routes
HRP_M[FW1]ip route-static 10.1.0.0 16 vpn-instance VRF_A
HRP_S[FW2]ip route-static 10.1.0.0 16 vpn-instance VRF_A
2. NAT SERVER
#
nat server 0 protocol tcp global 155.1.131.10 www inside 10.1.100.100 www no-reverse unr-route
nat server 1 protocol tcp global 155.1.121.10 www inside 10.1.100.100 www no-reverse unr-route
#
3. Security policy
HRP_M[FW1-policy-security]dis th
2024-08-05 06:31:31.900
#
security-policy
default action permit
rule name IN_TO_OUT
source-zone trust
destination-zone untrust
source-address 10.1.0.0 mask 255.255.0.0
action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
destination-address 10.1.0.10 mask 255.255.255.255
service protocol tcp destination-port 80
action permit
#
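A published server crosses two policy sets in this design: the root system's policy (the inbound flow enters on Vlanif121/131 in untrust and leaves toward Virtual-if0 in trust) and then the VRF_A policy (Virtual-if1 in untrust to Vlanif100 in dmz). The simulator below is an added example, not part of the lab report; it transcribes the VRF_A policy from part (4), the root policy and the `nat server` entries from this part, and evaluates sample flows. Assumptions: rules are matched top-down and the first match wins; a flow that matches no rule gets the policy's default action, which is deny unless `default action permit` is configured; and the root policy is checked against the inside address after NAT SERVER translation. The client address 155.1.1.10 is taken from the session table in part IV; PC address 10.1.10.1 is constructed.

```python
# Added example (not from the lab report): first-match simulator for the
# security policies and nat server entries transcribed from the report.
# Assumptions: top-down first match; unmatched flows get the policy's default
# action (deny unless "default action permit"); nat server traffic is matched
# against the post-NAT inside address.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    src_zone: Optional[str] = None       # None means any, as on the CLI
    dst_zone: Optional[str] = None
    src_addr: Optional[str] = None       # CIDR
    dst_addr: Optional[str] = None
    services: Tuple[Tuple[str, Optional[int]], ...] = ()  # (proto, dport)

    def matches(self, f: Flow) -> bool:
        if self.src_zone and f.src_zone != self.src_zone:
            return False
        if self.dst_zone and f.dst_zone != self.dst_zone:
            return False
        if self.src_addr and ip_address(f.src_ip) not in ip_network(self.src_addr):
            return False
        if self.dst_addr and ip_address(f.dst_ip) not in ip_network(self.dst_addr):
            return False
        if self.services and not any(
                p == f.proto and (port is None or port == f.dport)
                for p, port in self.services):
            return False
        return True


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    default_action: str = "deny"

    def evaluate(self, f: Flow) -> Tuple[str, str]:
        """Return (name of the first matching rule or 'default', action)."""
        for r in self.rules:
            if r.matches(f):
                return r.name, r.action
        return "default", self.default_action


# Security policy of vsys VRF_A, transcribed from part (4).
VRF_A_POLICY = Policy((
    Rule("LOCAL_TO_ANY", "permit", src_zone="local"),
    Rule("IN_TO_DMZ", "permit", "trust", "dmz", "10.1.10.0/24", "10.1.100.0/24",
         (("icmp", None), ("tcp", 21), ("tcp", 80))),
    Rule("IN_TO_OUT", "permit", "trust", "untrust", "10.1.10.0/24"),
    Rule("OUT_TO_DMZ", "permit", "untrust", "dmz", dst_addr="10.1.100.0/24"),
))

# Root-system policy, transcribed from part (6); note "default action permit".
ROOT_POLICY = Policy((
    Rule("IN_TO_OUT", "permit", "trust", "untrust", "10.1.0.0/16"),
    Rule("OUT_TO_IN", "permit", "untrust", "trust", dst_addr="10.1.0.10/32",
         services=(("tcp", 80),)),
), default_action="permit")

# nat server entries from part (6): (proto, global ip, global port, inside ip, inside port)
NAT_SERVER = (
    ("tcp", "155.1.131.10", 80, "10.1.100.100", 80),
    ("tcp", "155.1.121.10", 80, "10.1.100.100", 80),
)


def nat_server_translate(f: Flow) -> Flow:
    """Destination NAT for an inbound flow to a published address; unchanged otherwise."""
    for proto, gip, gport, iip, iport in NAT_SERVER:
        if f.proto == proto and f.dst_ip == gip and f.dport == gport:
            return Flow(f.src_zone, f.dst_zone, f.src_ip, iip, proto, iport)
    return f


def inbound_to_server(src_ip: str, global_ip: str, dport: int,
                      root: Policy = ROOT_POLICY) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Verdicts of the root policy and then the VRF_A policy for an Internet client."""
    f = nat_server_translate(Flow("untrust", "trust", src_ip, global_ip, "tcp", dport))
    root_verdict = root.evaluate(f)
    if root_verdict[1] != "permit":
        return root_verdict, ("not reached", "deny")
    # Inside VRF_A the flow enters on Virtual-if1 (untrust) and exits on Vlanif100 (dmz).
    vsys_verdict = VRF_A_POLICY.evaluate(Flow("untrust", "dmz", src_ip, f.dst_ip, "tcp", f.dport))
    return root_verdict, vsys_verdict


if __name__ == "__main__":
    print(VRF_A_POLICY.evaluate(Flow("trust", "dmz", "10.1.10.1", "10.1.100.100", "tcp", 80)))
    print(VRF_A_POLICY.evaluate(Flow("trust", "dmz", "10.1.10.1", "10.1.100.100", "tcp", 22)))
    print(inbound_to_server("155.1.1.10", "155.1.131.10", 80))
    strict_root = Policy(ROOT_POLICY.rules, default_action="deny")
    print(inbound_to_server("155.1.1.10", "155.1.131.10", 80, root=strict_root))
```

Two things the runs make visible. In VRF_A, PC1 to the server on TCP 80 matches `IN_TO_DMZ`, while TCP 22 matches nothing and falls to the (implicit) deny. In the root system, the translated inbound flow to 10.1.100.100:80 does not match `OUT_TO_IN`, whose destination is written as 10.1.0.10; it is the `default action permit` line that lets it through. Re-running the same flow with a deny default, as the simulator's last call does, shows the published server becoming unreachable, which is a quick way to confirm that the explicit rule, rather than the catch-all, is what carries the traffic before tightening the default.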
(7) Create a user on virtual system VRF_A and configure the corresponding features
HRP_M[FW1-VRF_A]aaa
HRP_M[FW1-VRF_A-aaa]manager-user QUW@@VRF_A (+B)
HRP_M[FW1-VRF_A-aaa-manager-user-QUW@@VRF_A]password cipher Huawei@123 (+B)
HRP_M[FW1-VRF_A-aaa-manager-user-QUW@@VRF_A]service-type web (+B)
HRP_M[FW1-VRF_A-aaa]bind manager-user QUW@@VRF_A role system-admin (+B)
1. Antivirus
Download the template, edit it, then import it
Update the security policy
2. URL filtering
Update the security policy
3. Intrusion prevention
IV. Verification
1. Access between virtual systems
PC1 and the server, both in virtual system VRF_A, can reach each other
PC>ping 10.1.100.100
Ping 10.1.100.100: 32 data bytes, Press Ctrl_C to break
From 10.1.100.100: bytes=32 seq=1 ttl=254 time=140 ms
PC2 in virtual system VRF_B and the server in virtual system VRF_A can reach each other
PC>ping 10.1.100.100
Ping 10.1.100.100: 32 data bytes, Press Ctrl_C to break
From 10.1.100.100: bytes=32 seq=1 ttl=253 time=94 ms
From 10.1.100.100: bytes=32 seq=2 ttl=253 time=125 ms
2. Internal hosts reaching the Internet
PC1, in virtual system VRF_A, reaches the Internet through VRF_A and firewall 1's root-system interface 155.1.121.12
PC>tracert 150.1.1.1
traceroute to 150.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.1.10.12 47 ms 93 ms 78 ms
2 * * *
3 150.1.1.1 94 ms 110 ms 125 ms
PC2, in virtual system VRF_B, reaches the Internet through VRF_B and firewall 2's root-system interface 155.1.131.13
PC>tracert 150.1.1.1
traceroute to 150.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
1 10.1.20.13 63 ms 78 ms 62 ms
2 * * *
3 150.1.1.1 110 ms 94 ms 125 ms
3. External clients reaching the internal server through the different mapped addresses
HRP_M<FW1-VRF_A>dis firewall session table
2024-08-05 06:53:05.550
Current Total Sessions : 1
http VPN: VRF_A --> VRF_A 155.1.1.10:2056 --> 10.1.100.100:80
4. Feature settings on the virtual firewall