2022-06-23 VGMP-OSPF-域间安全策略-NAT策略

夕阳的街道

已于 2022-08-10 14:24:56 修改

阅读量769

点赞数 1

分类专栏：数通基础文章标签：网络运维

于 2022-07-02 17:47:58 首次发布

本文链接：https://blog.csdn.net/m0_58489132/article/details/125550124

版权

数通基础专栏收录该内容

4 篇文章 2 订阅

订阅专栏

本文章仅供学习和参考！

欢迎交流~

一、实验拓扑图：

二、实验配置：

1. 配置防火墙：

（1）配置FW1

 
修改设备名称
sysname FW1
 
 
配置IP
interface GigabitEthernet0/0/0
 ip address 192.168.100.1 255.255.0.0
interface GigabitEthernet0/0/1
 ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/5
 ip address 10.88.12.1 255.255.255.0
 
 
添加安全区域
firewall zone trust
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
 
 
配置OSPF
ospf 1 router-id 123.1.1.1
 area 0.0.0.0
  network 10.1.13.1 0.0.0.0
  network 192.168.100.1 0.0.0.0
 
 
配置VRRP
interface GigabitEthernet0/0/0	
 vrrp vrid 10 virtual-ip 192.168.10.254 16 master
 vrrp vrid 20 virtual-ip 192.168.20.254 16 slave
 vrrp vrid 30 virtual-ip 192.168.30.254 16 master
 vrrp virtual-mac enable
 
 
防止来回路径不一致
进行会话快速备份功能
根据VGMP状态调整OSPF Cost值功能
指定心跳口
启用双击热备
undo firewall session link-state check
hrp mirror session enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet0/0/5
hrp enable

（2）配置FW2

 
修改设备名称
sysname FW2
 
 
配置IP
interface GigabitEthernet0/0/0
 ip address 192.168.100.2 255.255.0.0
interface GigabitEthernet0/0/1
 ip address 10.1.24.2 255.255.255.0
interface GigabitEthernet0/0/5
 ip address 10.88.12.2 255.255.255.0
 
 
添加安全区域
firewall zone trust
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
 
 
配置OSPF
ospf 1 router-id 123.2.2.2
 area 0.0.0.0
  network 10.1.24.2 0.0.0.0
  network 192.168.100.2 0.0.0.0
 
 
配置VRRP
interface GigabitEthernet0/0/0	
 vrrp vrid 10 virtual-ip 192.168.10.254 16 slave
 vrrp vrid 20 virtual-ip 192.168.20.254 16 master
 vrrp vrid 30 virtual-ip 192.168.30.254 16 slave
 vrrp virtual-mac enable
 
 
防止来回路径不一致
进行会话快速备份功能
根据VGMP状态调整OSPF Cost值功能
指定心跳口
启用双击热备
undo firewall session link-state check
hrp mirror session enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet0/0/5
hrp enable

（3）配置FW5

 
修改设备名称
sysname FW5
 
配置IP
interface GigabitEthernet0/0/0
 ip address 10.5.5.1 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 10.1.35.5 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 10.1.45.5 255.255.255.0
interface GigabitEthernet0/0/5
 ip address 202.103.56.5 255.255.255.0
 
 
添加信任区域
firewall zone trust
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
 
 
添加不信任区域
firewall zone untrust
 add interface GigabitEthernet0/0/5
 
 
添加非军事化区域
firewall zone dmz
 add interface GigabitEthernet0/0/0
 
 
配置OSPF
ospf 1 router-id 123.5.5.5
 default-route-advertise always
 area 0.0.0.0
  network 10.5.5.1 0.0.0.0
  network 10.1.35.5 0.0.0.0
  network 10.1.45.5 0.0.0.0
 
 
配置默认路由 / 公网路由可达
ip route-static 0.0.0.0 0.0.0.0 202.103.56.6
 
 
防止来回路径不一致
undo firewall session link-state check


配置区域间的安全策略：trust到dmz
policy interzone trust dmz outbound
 policy 1
  action permit


配置区域间的安全策略：untrust到dmz
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set ftp
  policy service service-set http
  policy service service-set https
  policy destination 10.5.5.100 0
  policy destination 10.5.5.101 0


配置区域间的安全策略：untrust到trust
policy interzone trust untrust inbound
 policy 1
  action permit
  policy service service-set ssh
  policy service service-set telnet
  policy destination 10.1.45.4 0


配置区域间的安全策略：trust到untrust
policy interzone trust untrust outbound
 policy 1
  action permit


配置NAPT（内网到公网转换的地址池）：
nat address-group 7 202.103.56.100 202.103.56.120


配置NAT策略-NAPT方式：trust到untrust（192.168.10.0/24和192.168.30.0/24用户）
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 192.168.10.0 0.0.0.255
  policy source 192.168.30.0 0.0.0.255
  address-group 7


配置NAT策略-easy ip方式：trust到untrust（192.168.20.0/24用户）
nat-policy interzone trust untrust outbound
 policy 2
  action source-nat
  policy source 192.168.20.0 0.0.0.255
  easy-ip GigabitEthernet0/0/5


配置nat server，内网服务器向公网提供FTP、HTTP、HTTPs服务：
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20


配置nat server，内网设备向公网提供telnet和SSH服务：
nat server protocol tcp global 202.103.56.88  23 inside 10.1.45.4 23
nat server protocol tcp global 202.103.56.88  22 inside 10.1.45.4 22


配置区域间的安全策略：local到untrust
policy interzone local untrust outbound
 policy 1
  action permit


配置感兴趣流
acl number 3000
 rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.99.0 0.0.0.2


配置Ipsec 安全提议
ipsec proposal ipsec2tiyi1
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 192


配置IKE安全提议，认证方式=预共享密钥pre-share，认证算法使用aes-cbc 192，DH group=2，完整性算法使用hmac-sha1-96
ike proposal 10
 authentication-method pre-share
 encryption-algorithm aes-cbc 192
 dh group2
 integrity-algorithm hmac-sha1-96


配置IKE peer，IKE peer name=5，预共享密钥密码pre-shared-key=Admin@123，对端IP地址=202.103.78.8
ike peer 5
 ike-proposal 10
 pre-shared-key Admin@123
 remote-address 202.103.78.8


配置IPsec策略组，IPsec策略名=celue1，序号=5，使用Internet安全关联密钥管理协议(isakmp)，把感兴趣流量、IPsec安全提议、ike-peer进行关联
ipsec policy celue1 5 isakmp
 security acl 3000
 proposal ipsec2tiyi1
 ike-peer 5


接口下调用Ipsec 安全策略
interface GigabitEthernet0/0/5
 ipsec policy celue1


配置静态明细路由通往分支172.16.99.0/24
ip route-static 172.16.99.0 255.255.255.0 202.103.56.6


配置静态明细路由引入到OSPF中
ospf 1
 import-route static

（4）配置FW8

 
修改设备名称
sysname FW8
 
 
配置IP
interface GigabitEthernet0/0/0
 ip address 172.16.99.1 255.255.0.0
interface GigabitEthernet0/0/2
 ip address 202.103.78.8 255.255.255.0
 
 
添加不安全区域
firewall zone untrust
 add interface GigabitEthernet0/0/2


配置默认路由 / 公网路由可达
ip route-static 0.0.0.0 0.0.0.0 202.103.78.7


配置区域间的安全策略：trust到untrust
policy interzone trust untrust outbound
 policy 1
  policy source 172.16.99.0 0.0.0.255
  action permit


配置NAT策略-easy ip方式：trust到untrust（172.16.99.0/24用户）
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy source 172.16.99.0 0.0.0.255
  easy-ip GigabitEthernet0/0/2


分支防火墙FW8配置SYN Flood、UDP Flood和ICMP Flood攻击防范功能，并限制每条会话允许通过的ICMP报文最大速率为5包/秒：
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend icmp-flood base-session max-rate 5


配置区域间的安全策略：local到untrust
policy interzone local untrust outbound
 policy 1
  action permit


配置感兴趣流
acl number 3000
 rule 5 permit ip source 172.16.99.0 0.0.0.255 destination 192.168.0.0 0.0.255.255


配置Ipsec 安全提议
ipsec proposal ipsec2tiyi1
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm aes 192


配置IKE安全提议，认证方式=预共享密钥pre-share，认证算法使用aes-cbc 192，DH group=2，完整性算法使用hmac-sha1-96
ike proposal 10
 authentication-method pre-share
 encryption-algorithm aes-cbc 192
 dh group2
 integrity-algorithm hmac-sha1-96


配置IKE peer，IKE peer name=5，预共享密钥密码pre-shared-key=Admin@123，对端IP地址=202.103.56.5
ike peer 5
 ike-proposal 10
 pre-shared-key Admin@123
 remote-address 202.103.56.5


配置IPsec策略组，IPsec策略名=celue1，序号=5，使用Internet安全关联密钥管理协议(isakmp)，把感兴趣流量、IPsec安全提议、ike-peer进行关联
ipsec policy celue1 3 isakmp
 security acl 3000
 proposal ipsec2tiyi1
 ike-peer 5


接口下调用Ipsec 安全策略
interface GigabitEthernet0/0/2
 ipsec policy celue1


配置静态明细路由通往分支172.16.99.0/24
ip route-static 172.16.99.0 255.255.255.0 202.103.56.6


配置静态明细路由引入到OSPF中
ip route-static 192.168.0.0 255.255.0.0 202.103.78.7

2. 配置路由器：

（1）配置R3

 
修改设备名称
sysname R3
 
 
配置IP
interface GigabitEthernet0/0/0
 ip address 10.1.35.3 255.255.255.0 
interface GigabitEthernet0/0/1
 ip address 10.1.13.3 255.255.255.0 
interface GigabitEthernet0/0/2
 ip address 10.1.34.3 255.255.255.0 
 
 
配置OSPF
ospf 1 router-id 123.3.3.3 
 area 0.0.0.0 
  network 10.1.13.3 0.0.0.0 
  network 10.1.34.3 0.0.0.0 
  network 10.1.35.3 0.0.0.0

（2）配置R4

 
修改设备名称
sysname R4
 
 
配置IP
interface GigabitEthernet0/0/0
 ip address 10.1.45.4 255.255.255.0 
interface GigabitEthernet0/0/1
 ip address 10.1.24.4 255.255.255.0 
interface GigabitEthernet0/0/2
 ip address 10.1.34.4 255.255.255.0 
 
 
配置OSPF
ospf 1 router-id 123.4.4.4 
 area 0.0.0.0 
  network 10.1.24.4 0.0.0.0 
  network 10.1.34.4 0.0.0.0 
  network 10.1.45.4 0.0.0.0 
 

配置telnet功能: 其中密码=telnet123，用户权限级别=3
telnet server enable
user-interface vty  0 4 
 set authentication  password cipher telnet123
 user privilege level 3

（3）配置ISP6

 
修改设备名称
sysname ISP6
 
 
配置IP
interface GigabitEthernet0/0/1
 ip address 202.103.67.6 255.255.255.0 
interface GigabitEthernet0/0/2
 ip address 202.103.56.6 255.255.255.0 
 
 
配置OSPF
ospf 200 router-id 123.6.6.6 
 default-route-advertise always
 area 0.0.0.0 
  network 202.103.67.6 0.0.0.0 
 
 
配置默认路由
ip route-static 0.0.0.0 0.0.0.0 202.103.56.5

（4）配置ISP7

 
修改设备名称
sysname ISP7
 
 
配置IP
interface GigabitEthernet0/0/0
 ip address 200.1.1.1 255.255.255.0 
interface GigabitEthernet0/0/1
 ip address 202.103.67.7 255.255.255.0 
interface GigabitEthernet0/0/2
 ip address 100.1.1.1 255.255.255.0 
interface GigabitEthernet2/0/0
 ip address 202.103.78.7 255.255.255.0
 
 
配置OSPF
ospf 200 router-id 123.7.7.7 
 area 0.0.0.0 
  network 100.1.1.1 0.0.0.0 
  network 200.1.1.1 0.0.0.0 
  network 202.103.67.7 0.0.0.0 
  network 202.103.78.7 0.0.0.0