Assignment 15: GRE Configuration on Firewalls
Lab Environment
Lab Approach
- Plan and configure IP addresses
- Configure OSPF
- Assign interfaces to security zones
- Configure GRE
- Configure static routes
- Configure security policies
- Check connectivity
Lab Steps
Plan and configure IP addresses
PC1:
PC2:
FW1:
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 200.1.1.1 24
[FW1]int Tunnel 0
[FW1-Tunnel0]ip add 1.1.1.1 24
FW2:
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 200.1.2.2 24
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 192.168.2.254 24
[FW2]int Tunnel 0
[FW2-Tunnel0]ip add 2.2.2.2 24
R3:
[R3]int g 0/0/1
[R3-GigabitEthernet0/0/1]ip add 200.1.1.3 24
[R3-GigabitEthernet0/0/1]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 200.1.2.3 24
Configure OSPF
FW1:
[FW1]ospf
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 200.1.1.1 0.0.0.0
FW2:
[FW2]ospf
[FW2-ospf-1]area 0
[FW2-ospf-1-area-0.0.0.0]network 200.1.2.2 0.0.0.0
R3:
[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 200.1.1.3 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 200.1.2.3 0.0.0.0
Assign interfaces to security zones
FW1:
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add int g1/0/1
[FW1]firewall zone dmz
[FW1-zone-dmz]add int Tunnel 0
FW2:
[FW2]firewall zone trust
[FW2-zone-trust]add int g1/0/1
[FW2-zone-trust]firewall zone untrust
[FW2-zone-untrust]add int g1/0/0
[FW2-zone-untrust]firewall zone dmz
[FW2-zone-dmz]add int Tunnel 0
Configure GRE
FW1:
[FW1]int Tunnel 0
[FW1-Tunnel0]tunnel-protocol gre
[FW1-Tunnel0]source 200.1.1.1
[FW1-Tunnel0]destination 200.1.2.2
FW2:
[FW2]int Tunnel 0
[FW2-Tunnel0]tunnel-protocol gre
[FW2-Tunnel0]source 200.1.2.2
[FW2-Tunnel0]destination 200.1.1.1
Configure static routes
FW1:
[FW1]ip route-static 192.168.2.0 24 Tunnel 0
FW2:
[FW2]ip route-static 192.168.1.0 24 Tunnel 0
Configure security policies
FW1:
[FW1]security-policy
[FW1-policy-security]rule name u_l
[FW1-policy-security-rule-u_l]source-zone untrust
[FW1-policy-security-rule-u_l]destination-zone local
[FW1-policy-security-rule-u_l]source-address 200.1.2.2 24
[FW1-policy-security-rule-u_l]destination-address 200.1.1.1 24
[FW1-policy-security-rule-u_l]service gre
[FW1-policy-security-rule-u_l]action permit
[FW1-policy-security-rule-u_l]rule name t_d
[FW1-policy-security-rule-t_d]source-zone trust
[FW1-policy-security-rule-t_d]destination-zone dmz
[FW1-policy-security-rule-t_d]source-address 192.168.1.1 24
[FW1-policy-security-rule-t_d]destination-address 192.168.2.2 24
[FW1-policy-security-rule-t_d]service icmp
[FW1-policy-security-rule-t_d]action permit
FW2:
[FW2]security-policy
[FW2-policy-security]rule name u_l
[FW2-policy-security-rule-u_l]source-zone untrust
[FW2-policy-security-rule-u_l]destination-zone local
[FW2-policy-security-rule-u_l]source-address 200.1.1.1 24
[FW2-policy-security-rule-u_l]destination-address 200.1.2.2 24
[FW2-policy-security-rule-u_l]service gre
[FW2-policy-security-rule-u_l]action permit
[FW2-policy-security]rule name d_t
[FW2-policy-security-rule-d_t]source-zone dmz
[FW2-policy-security-rule-d_t]destination-zone trust
[FW2-policy-security-rule-d_t]source-address 192.168.1.1 24
[FW2-policy-security-rule-d_t]destination-address 192.168.2.2 24
[FW2-policy-security-rule-d_t]service icmp
[FW2-policy-security-rule-d_t]action permit
Check connectivity
PC1 pings PC2:
PC>ping 192.168.2.2
Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.2: bytes=32 seq=2 ttl=126 time=47 ms
From 192.168.2.2: bytes=32 seq=3 ttl=126 time=31 ms
From 192.168.2.2: bytes=32 seq=4 ttl=126 time=15 ms
From 192.168.2.2: bytes=32 seq=5 ttl=126 time=15 ms
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/27/47 ms
Packet capture on R3's g0/0/0
Lab Summary
This lab covered GRE configuration on firewalls. Because the GRE tunnel traffic is sent and received by the firewall itself, a security policy from the untrust zone to the local zone is required. After GRE encapsulation, tunnel packets that the firewall sends outbound are not matched against the security policy and are forwarded directly, but tunnel packets the firewall receives must match a policy.
Points to note: 1. The Tunnel interface must be added to the dmz zone. 2. Policy configuration: t_d permits ICMP between the private (inner) addresses; u_l permits GRE between the public (tunnel endpoint) addresses.
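The following is an added Python example, not part of the original lab write-up. It builds the packet that the capture on R3's g0/0/0 shows for a PC1-to-PC2 ping (outer IP 200.1.1.1 to 200.1.2.2, protocol 47, carrying the inner 192.168.1.1 to 192.168.2.2 ICMP packet) and then runs each layer through a simplified model of FW1's zones and the two rules configured above, which makes the summary's point concrete: the inner packet is what t_d sees, the inbound tunnel packet is what u_l sees, and the locally originated outbound tunnel packet is sent without a policy lookup. The addresses and rule definitions are taken from the lab; the address-based zone table, the "not-checked" shortcut and all packet contents are constructed assumptions, and the GRE parser goes slightly beyond the lab by also skipping the optional checksum/key/sequence words.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE (what "service gre" matches)
ICMP_PROTO = 1           # IP protocol number for ICMP (what "service icmp" matches)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type field for an IPv4 payload

def checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    f = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    f[7] = checksum(struct.pack("!BBHHHBBH4s4s", *f))
    return struct.pack("!BBHHHBBH4s4s", *f)

def icmp_echo_request(ident: int, seq: int, payload: bytes = b"\x00" * 32) -> bytes:
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + payload), ident, seq) + payload

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 + 4-byte GRE header (no C/K/S flags) + inner packet, as the tunnel source sends it."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner), 255) + gre + inner

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}

def parse_gre(data: bytes):
    """Return (protocol type, payload); skips optional checksum/key/sequence words (RFC 2784/2890)."""
    flags, ptype = struct.unpack("!HH", data[:4])
    offset = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return ptype, data[offset:]

def decapsulate(pkt: bytes):
    """Outer IPv4 -> GRE -> inner IPv4, the order in which the receiving firewall peels the packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    ptype, inner_bytes = parse_gre(outer["payload"])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    return outer, parse_ipv4(inner_bytes)

# Simplified FW1 zone model (assumption): the firewall's own addresses are "local"; each zone lists
# the networks reached through its interface (200.1.2.0/24 via OSPF on g1/0/1, 192.168.2.0/24 via
# the static route on Tunnel 0). A real USG resolves zones from the ingress/egress interface.
FW1_LOCAL = {"192.168.1.254", "200.1.1.1", "1.1.1.1"}
FW1_ZONES = {"trust": ["192.168.1.0/24"], "untrust": ["200.1.1.0/24", "200.1.2.0/24"],
             "dmz": ["192.168.2.0/24"]}
FW1_RULES = [  # the two rules configured on FW1 in the lab (the "24" masks widen each host to its /24)
    dict(name="u_l", sz="untrust", dz="local", src="200.1.2.0/24", dst="200.1.1.0/24", proto=GRE_PROTO),
    dict(name="t_d", sz="trust", dz="dmz", src="192.168.1.0/24", dst="192.168.2.0/24", proto=ICMP_PROTO)]

def zone_of(addr: str) -> str:
    if addr in FW1_LOCAL:
        return "local"
    ip = ipaddress.ip_address(addr)
    for zone, nets in FW1_ZONES.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return zone
    return "unknown"

def fw1_policy(hdr: dict) -> str:
    """FW1 rule name that permits this IP header, 'deny' (default policy) or 'not-checked'."""
    sz, dz = zone_of(hdr["src"]), zone_of(hdr["dst"])
    if sz == "local":
        return "not-checked"  # GRE the firewall originates is sent without a policy lookup (lab summary)
    src, dst = ipaddress.ip_address(hdr["src"]), ipaddress.ip_address(hdr["dst"])
    for r in FW1_RULES:
        if ((r["sz"], r["dz"], r["proto"]) == (sz, dz, hdr["proto"])
                and src in ipaddress.ip_network(r["src"]) and dst in ipaddress.ip_network(r["dst"])):
            return r["name"]
    return "deny"

def demo() -> dict:
    """Constructed PC1 -> PC2 echo request followed through FW1's policy checks."""
    inner = ipv4_header("192.168.1.1", "192.168.2.2", ICMP_PROTO, 40, ttl=128) + icmp_echo_request(1, 1)
    forward = gre_encapsulate(inner, "200.1.1.1", "200.1.2.2")  # FW1 -> R3 -> FW2: what R3's capture shows
    back = gre_encapsulate(inner, "200.1.2.2", "200.1.1.1")     # a tunnel packet arriving at FW1 from FW2
    stray = ipv4_header("192.168.1.1", "200.1.2.2", ICMP_PROTO, 40, ttl=128)  # PC1 pinging FW2's public side
    outer, decap = decapsulate(forward)
    return {"inner_on_fw1": fw1_policy(parse_ipv4(inner)),  # t_d: trust -> dmz, private addresses, ICMP
            "outer_outbound": fw1_policy(outer),            # not-checked: locally originated GRE
            "outer_inbound": fw1_policy(parse_ipv4(back)),  # u_l: untrust -> local, public addresses, GRE
            "stray": fw1_policy(parse_ipv4(stray)),         # deny: trust -> untrust has no rule
            "outer_proto": outer["proto"],                  # 47: what R3 sees between FW1 and FW2
            "decapsulated": (decap["src"], decap["dst"], decap["proto"])}
```

Running `demo()` shows why the two rules use different address families: R3 only ever sees protocol 47 between 200.1.1.1 and 200.1.2.2, so the untrust-to-local rule has to name the public tunnel endpoints, while the private 192.168.x.x addresses only exist after decapsulation, which is where the trust/dmz rule applies. The "stray" case also shows the default deny: PC1 reaching FW2's public address directly matches neither rule.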