ensp综合实验:双机热备、IPSec、FTP

作业十八:综合实验

实验要求

在这里插入图片描述

实验环境

在这里插入图片描述

实验步骤

规划并配置IP

PC1:

在这里插入图片描述

PC2:
在这里插入图片描述

Client1:

在这里插入图片描述

Server1:

在这里插入图片描述

R1:

[R1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 200.1.1.254 24

[R1-GigabitEthernet0/0/2]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 200.1.3.1 24

[R1-GigabitEthernet0/0/1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 200.1.12.1 24

FW1:

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.4.1 24

[FW1-GigabitEthernet1/0/0]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 12.1.1.1 24

[FW1-GigabitEthernet1/0/2]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 192.168.3.1 24

FW2:

[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 192.168.4.2 24

[FW2-GigabitEthernet1/0/0]int g1/0/2
[FW2-GigabitEthernet1/0/2]ip add 12.1.1.2 24

[FW2-GigabitEthernet1/0/2]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 192.168.3.2 24

FW3:

[FW3]int g0/0/0
[FW3-GigabitEthernet0/0/0]ip add 200.1.3.3 24

[FW3-GigabitEthernet0/0/0]int g1/0/2
[FW3-GigabitEthernet1/0/2]ip add 192.168.2.254 24

[FW3-GigabitEthernet1/0/2]int g1/0/1
[FW3-GigabitEthernet1/0/1]ip add 192.168.1.254 24

划分区域

FW1:

[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/0

[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/1

[FW1]firewall zone dmz
[FW1-zone-dmz]add int g1/0/2

FW2:

[FW2]firewall zone untrust
[FW2-zone-untrust]add int g1/0/0

[FW2]firewall zone trust
[FW2-zone-trust]add int g1/0/1

[FW2]firewall zone dmz
[FW-zone-dmz]add int g1/0/2

FW3:

[FW3]firewall zone trust
[FW3-zone-trust]add int g1/0/1

[FW3]firewall zone untrust
[FW3-zone-untrust]add int g1/0/0

[FW3]firewall zone dmz
[FW3-zone-dmz]add int g1/0/2

配置OSPF

R1:

[R1]ospf 
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]int g0/0/0
[R1-GigabitEthernet0/0/0]os e a 0
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1os e a 0
[R1-GigabitEthernet0/0/1]int g0/02
[R1-GigabitEthernet0/0/2]os e a 0

FW1:

[FW1]ospf 
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]int g1/0/0
[FW1-GigabitEthernet0/0/0]os e a 0

FW2:

[FW2]ospf 
[FW2-ospf-1]area 0
[FW2-ospf-1-area-0.0.0.0]int g1/0/0
[FW2-GigabitEthernet0/0/0]os e a 0

FW3:

[FW3]ospf 
[FW3-ospf-1]area 0
[FW3-ospf-1-area-0.0.0.0]int g1/0/0
[FW3-GigabitEthernet0/0/0]os e a 0

配置双机热备

配置静态路由

R1:

[R1]ip route-static 192.168.1.0 24 200.1.12.1
配置VRRP

FW1:

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 200.1.2.10 active 

[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 192.168.3.10 active 

FW2:

[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 200.1.2.10 standby 

[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 192.168.3.10 standby
配置心跳接口

FW1:

[FW1]hrp int g1/0/2 remote 12.1.1.2
[FW1]hrp enable

FW2:

[FW2]hrp int g1/0/2 remote 12.1.1.1
[FW2]hrp enable
配置IPSec

FW1:

//感兴趣流
HRP_M[FW1]acl 3000 (+B)
HRP_M[FW1-acl-adv-3000]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 (+B)

//ike安全提议
HRP_M[FW1]ike proposal 1 (+B)
HRP_M[FW1-ike-proposal-1]di th (+B)  //验证与加密算法使用默认配置如下
#
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#

//ike对等体
HRP_M[FW1]ike peer fw3 (+B) 
HRP_M[FW1-ike-peer-fw3]pre-shared-key cipher huawei (+B)
HRP_M[FW1-ike-peer-fw3]ike-proposal 1 (+B)
HRP_M[FW1-ike-peer-fw3]remote-address 200.1.3.3 (+B)

//ipsec安全提议
HRP_M[FW1]ipsec proposal 2 (+B)
HRP_M[FW1-ipsec-proposal-2]di th (+B)  //验证与加密算法使用默认配置如下
#
ipsec proposal 2
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#

//ipsec策略
HRP_M[FW1]ipsec policy runtime 10 isakmp (+B)
HRP_M[FW1-ipsec-policy-isakmp-runtime-10]security acl 3000 (+B)
HRP_M[FW1-ipsec-policy-isakmp-runtime-10]ike-peer fw3 (+B)	
HRP_M[FW1-ipsec-policy-isakmp-runtime-10]proposal 2 (+B)

//绑定接口
HRP_M[FW1]int g1/0/0 (+B)
HRP_M[FW1-GigabitEthernet1/0/0]ipsec policy runtime (+B)

//静态配置
HRP_M[FW1]ip route-static 192.168.1.0 24 200.1.12.1 (+B)

FW3:

//感兴趣流
[FW3]acl 3000
[FW3-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0  0.0.0.255

//ike安全提议
[FW3]ike proposal 1
[FW3-ike-proposal-1]di th  //验证与加密算法使用默认配置如下
#
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#

//ike对等体
[FW3]ike peer fw1 
[FW3-ike-peer-fw1]pre-shared-key cipher huawei
[FW3-ike-peer-fw1]ike-proposal 1
[FW3-ike-peer-fw1]remote-address 200.1.2.10

//ipsec安全提议
[FW3]ipsec proposal 2
[FW3-ipsec-proposal-2]di th  //验证与加密算法使用默认配置如下
#
ipsec proposal 2
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#

//ipsec策略
[FW3]ipsec policy runtime 10 isakmp
[FW3-ipsec-policy-isakmp-runtime-10]security acl 3000
[FW3-ipsec-policy-isakmp-runtime-10]ike-peer fw1	
[FW3-ipsec-policy-isakmp-runtime-10]proposal 2

//绑定接口
[FW3]int g1/0/0
[FW3-GigabitEthernet1/0/0]ipsec policy runtime

//静态配置
[FW3]ip route-static 192.168.3.0 24 200.1.3.1
配置安全策略

FW1:

[FW1]security-policy (+B) 
[FW1-policy-security]rule name t_u (+B) 
[FW1-policy-security-rule-t_u]source-zone trust (+B)
[FW1-policy-security-rule-t_ut]destination-zone untrust (+B) 
[FW1-policy-security-rule-t_u]source-address 192.168.3.0 24 (+B) 
[FW1-policy-security-rule-t_u]destination-address 192.168.1.0 24 (+B) 
[FW1-policy-security-rule-t_u]service icmp (+B) 
[FW1-policy-security-rule-t_u]action permit (+B) 

[FW1-policy-security]rule name u_t (+B) 
[FW1-policy-security-rule-u_t]source-zone untrust (+B)
[FW1-policy-security-rule-u_t]destination-zone trust (+B) 
[FW1-policy-security-rule-u_t]source-address 192.168.1.0 24 (+B)
[FW1-policy-security-rule-u_t]destination-address 192.168.3.0 24 (+B)
[FW1-policy-security-rule-u_t]service icmp (+B) 
[FW1-policy-security-rule-u_t]action permit (+B) 

[FW1-policy-security]rule name u_l (+B) 
[FW1-policy-security-rule-u_l]source-zone untrust (+B)
[FW1-policy-security-rule-u_l]destination-zone local (+B) 
[FW1-policy-security-rule-u_l]source-address 200.1.3.3 32 (+B)
[FW1-policy-security-rule-u_l]destination-address 200.1.2.10 32 (+B)
[FW1-policy-security-rule-u_l]service esp (+B)
[FW1-policy-security-rule-u_l]action permit (+B) 


[FW1]ip service-set isakmp type object 16 (+B)
[FW1-object-service-set-isakmp]service protocol udp source-port 500 (+B)

[FW1]security-policy (+B)
[FW1-policy-security]rule name isakmp (+B) 
[FW1-policy-security-rule-isakmp]source-zone untrust (+B)
[FW1-policy-security-rule-isakmp]source-zone local (+B)
[FW1-policy-security-rule-isakmp]destination-zone local (+B) 
[FW1-policy-security-rule-isakmp]destination-zone untrust (+B)
[FW1-policy-security-rule-isakmp]source-address 200.1.3.3 32 (+B)
[FW1-policy-security-rule-isakmp]destination-address 200.1.2.10 32 (+B)
[FW1-policy-security-rule-isakmp]source-address 200.1.2.10 32 (+B)
[FW1-policy-security-rule-isakmp]destination-address 200.1.3.3 32 (+B)
[FW1-policy-security-rule-isakmp]service isakmp (+B)
[FW1-policy-security-rule-isakmp]action permit (+B) 

FW3:

[FW3]security-policy 
[FW3-policy-security]rule name t_u 
[FW3-policy-security-rule-t_u]source-zone trust
[FW3-policy-security-rule-t_u]destination-zone untrust 
[FW3-policy-security-rule-t_u]source-address 192.168.3.0 24 
[FW3-policy-security-rule-t_u]destination-address 192.168.1.0 24 
[FW3-policy-security-rule-t_u]service icmp 
[FW3-policy-security-rule-t_u]action permit 

[FW3-policy-security]rule name u_t 
[FW3-policy-security-rule-u_t]source-zone untrust
[FW3-policy-security-rule-u_t]destination-zone trust 
[FW3-policy-security-rule-u_t]source-address 192.168.1.0 24
[FW3-policy-security-rule-u_t]destination-address 192.168.3.0 24
[FW3-policy-security-rule-u_t]service icmp 
[FW3-policy-security-rule-u_t]action permit 

[FW3-policy-security]rule name u_l 
[FW3-policy-security-rule-u_l]source-zone untrust
[FW3-policy-security-rule-u_l]destination-zone local 
[FW3-policy-security-rule-u_l]source-address 200.1.2.10 32
[FW3-policy-security-rule-u_l]destination-address 200.1.3.3 32
[FW3-policy-security-rule-u_l]service esp
[FW3-policy-security-rule-u_l]action permit 


[FW1]ip service-set isakmp type object 16
[FW3-object-service-set-isakmp]service protocol udp source-port 500

[FW3-policy-security]security-policy
[FW3-policy-security-rule-isakmp]rule name isakmp 
[FW3-policy-security-rule-isakmp]source-zone untrust
[FW3-policy-security-rule-isakmp]source-zone local
[FW3-policy-security-rule-isakmp]destination-zone local 
[FW3-policy-security-rule-isakmp]destination-zone untrust
[FW3-policy-security-rule-isakmp]source-address 200.1.3.3 32
[FW3-policy-security-rule-isakmp]destination-address 200.1.2.10 32
[FW3-policy-security-rule-isakmp]source-address 200.1.2.10 32
[FW3-policy-security-rule-isakmp]destination-address 200.1.3.3 32
[FW3-policy-security-rule-isakmp]service isakmp
[FW3-policy-security-rule-isakmp]action permit 
检查连通性

PC1 ping PC2:

PC>ping 192.168.1.1

Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: bytes=32 seq=1 ttl=254 time=172 ms
From 192.168.1.1: bytes=32 seq=2 ttl=254 time=63 ms
From 192.168.1.1: bytes=32 seq=3 ttl=254 time=62 ms
From 192.168.1.1: bytes=32 seq=4 ttl=254 time=62 ms
From 192.168.1.1: bytes=32 seq=5 ttl=254 time=46 ms

--- 192.168.1.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 46/81/172 ms

PC2 ping PC1:

PC>ping 192.168.3.1

Ping 192.168.3.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.3.1: bytes=32 seq=2 ttl=126 time=15 ms
From 192.168.3.1: bytes=32 seq=3 ttl=126 time=15 ms
From 192.168.3.1: bytes=32 seq=4 ttl=126 time=15 ms
From 192.168.3.1: bytes=32 seq=5 ttl=126 time=15 ms

--- 172.16.1.1 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/15/15 ms

配置访问公网的Client

NAT配置

FW3:

//配置地址池
[FW1]nat address-group 1
[FW1-address-group-1]section 200.1.12.10 200.1.12.10

//配置NAT策略
[FW1]nat-policy 
[FW1-policy-nat]rule name no_nat
[FW1-policy-nat-rule-no_nat]source-zone trust
[FW1-policy-nat-rule-no_nat]destination-zone untrust
[FW1-policy-nat-rule-no_nat]source-address 192.168.3.0 24
[FW1-policy-nat-rule-no_nat]destination-address 192.168.1.0 24
[FW1-policy-nat-rule-no_nat]action no-nat

[FW1]nat-policy 
[FW1-policy-nat]rule name t_u	
[FW1-policy-nat-rule-t_u]source-zone trust
[FW1-policy-nat-rule-t_u]destination-zone untrust
[FW1-policy-nat-rule-t_u]source-address 192.168.3.0 24
[FW1-policy-nat-rule-t_u]action source-nat address-group 1


配置安全策略

FW3:

//配置安全策略
[FW1]security-policy
[FW1-policy-security]rule name nat
[FW1-policy-security-rule-nat]source-zone trust
[FW1-policy-security-rule-nat]destination-zone untrust
[FW1-policy-security-rule-nat]source-address 192.168.3.0 24
[FW1-policy-security-rule-nat]service icmp
[FW1-policy-security-rule-nat]action permit 

//配置静态路由
[FW1]ip route-static 0.0.0.0 0 200.1.12.1
检查连通性

PC1 ping Client1:

PC>ping 200.1.1.1

Ping 200.1.1.1: 32 data bytes, Press Ctrl_C to break
From 200.1.1.1: bytes=32 seq=1 ttl=254 time=78 ms
From 200.1.1.1: bytes=32 seq=2 ttl=254 time=46 ms
From 200.1.1.1: bytes=32 seq=3 ttl=254 time=62 ms
From 200.1.1.1: bytes=32 seq=4 ttl=254 time=62 ms
From 200.1.1.1: bytes=32 seq=5 ttl=254 time=47 ms

--- 200.1.1.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 46/59/78 ms

配置FTP

配置NAT

FW3:

[FW3]nat address-group 2 
[FW3-address-group-1]section 200.1.3.10 200.1.3.10
[FW3-address-group-1]q
[FW3]nat-policy 
[FW3-policy-nat]rule name u_t
[FW3-policy-nat-rule-t_u]source-zone untrust
[FW3-policy-nat-rule-t_u]destination-zone trust 
[FW3-policy-nat-rule-t_u]source-address 200.1.1.0 24
[FW3-policy-nat-rule-t_u]action source-nat address-group 2
配置安全策略

FW3:

[FW3]security-policy
[FW3-policy-security]rule name ftp
[FW3-policy-security-rule-ftp]source-zone untrust
[FW3-policy-security-rule-ftp]destination-zone trust
[FW3-policy-security-rule-ftp]source-address 200.1.1.0 24
[FW3-policy-security-rule-ftp]destination-address 192.168.2.0 24
[FW3-policy-security-rule-ftp]service ftp
[FW3-policy-security-rule-ftp]action permit 
配置ASPF

FW3:

[FW3]firewall detect ftp
检查连通性

在这里插入图片描述

实验总结

​ 通过本次实验我学会了如何灵活地运用双机热备和IPSec配置。实验比较复杂,需要先想清楚要实现的功能对应的大概配置和要用到的协议,然后再一部分一部分地去完善实验。同时也要考虑配置的顺序问题,此处实验中将双机热备先配置明显较为省事。同时也要注意安全策略的配置顺序,防止需要的策略先被匹配而无法实行。

  • 5
    点赞
  • 86
    收藏
    觉得还不错? 一键收藏
  • 4
    评论
评论 4
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值