一、组网需求
1:企业有二条专线接入,当其中一条出现故障时,自动切换至另外一条,保障网络访问正常。
(a)要求PC1从dx专线(1.1.1.2/24)访问外网PC,PC2从yd专线(2.2.2.2/24)访问外网PC。
(b)当dx或yd 任意一条出口线路出现故障时,所有的流量访问都自动切换到另外一条正常的线路上,保障出口流量正常。
2:http SERVER服务器放置在TRUST区域,通过NAT发布到外网。要求外网PC能访问此服务器,同时内网也可以通过公网IP访问企业内部的http服务器。FTP服务器位于DMZ区域。
NAT SERVER规划如下
二、来回路径不一致问题
出口防火墙有多个ISP出口,如果部署了负载均衡方式,会同时存在多条优先级相同的路由,在外部用户访问企业内部http服务时,会有来回路径不一致问题。如外网PC通过dx线路访问进来,而回包的线路可能是通过yd线路出去。解决方法:启用防火墙上的源进源出功能。
三、网络拓扑图
一、防火墙配置
1.接口配置
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.100.100 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage enble
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.21.100.2 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
description LINK_DX
undo shutdown
ip address 1.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
description LINK_YD
undo shutdown
ip address 2.2.2.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 172.21.101.2 255.255.255.0
service-manage ping permit
#
2.区域配置 ,将接口划分到区域中。
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
#创建dx区域,并设置该区域优先级为10。将G1/0/1口加入该区域。
firewall zone name dx
set priority 10
add interface GigabitEthernet1/0/1
#创建yd区域,并设置该区域优先级为11。将G1/0/2口加入该区域。
firewall zone name yd
set priority 11
add interface GigabitEthernet1/0/2
#
3.配置路由
配置二条默认路由,分别指向1.1.1.2和2.2.2.2。再配置到内网的静态路由。如果需要外网任何一条线路断了,自动切换,可采用通过与ip-link绑定的方法。
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
ip route-static 172.16.0.0 255.255.0.0 172.21.100.254
#
4.配置安全策略,允许区域内流量互通
#
security-policy
rule name dmz_to_untrust
source-zone dmz
destination-zone dx
destination-zone yd
source-address 172.21.101.80 mask 255.255.255.255
action permit
rule name untrust_to_dmz
source-zone dx
source-zone yd
destination-zone dmz
destination-address 172.21.101.80 mask 255.255.255.255
action permit
rule name trust2dmz
source-zone dmz
source-zone trust
destination-zone dmz
destination-zone trust
action permit
rule name trust_dx2yd
source-zone trust
destination-zone dx
destination-zone yd
action permit
rule name untrust_to_trust
source-zone dx
source-zone yd
destination-zone trust
destination-address address-set HTTP_SERVER01
action permit
# 5.创建NAT地址池
#
nat address-group DX_SERVER 0
mode pat
section 0 1.1.1.5 1.1.1.6
#
nat address-group YD_SERVER 1
mode pat
section 0 2.2.2.5 2.2.2.6
#
6.配置用于域内NAT的地址池
#
nat address-group server01
mode pat
section 0 2.2.2.10 2.2.2.11
#
7.配置NAT POLICY
#
nat-policy
rule name DX_NAT
source-zone trust
destination-zone dx
source-address 172.16.10.0 mask 255.255.255.0
action source-nat address-group DX_SERVER
rule name YD_NAT
source-zone trust
destination-zone yd
source-address 172.16.20.0 mask 255.255.255.0
action source-nat address-group YD_SERVER
rule name nat_policy1
description FOR_TRUST_HTTPSERVER
source-zone trust
destination-zone trust
source-address 172.16.10.0 mask 255.255.255.0
source-address 172.16.20.0 mask 255.255.255.0
destination-address 172.16.20.80 mask 255.255.255.255
service http
action source-nat address-group server01
#
8.配置策略路由
VLAN10段的用户上网从DX(1.1.1.2)出去,VLAN20段的用户上网从YD(2.2.2.2)出去。VLAN10、VLAN20和VLAN101的内网流量访问不执行pbr策略,要保证能相互访问。
#
policy-based-route
rule name pbr_5
ingress-interface GigabitEthernet1/0/0
source-address 172.16.10.0 mask 255.255.255.0
source-address 172.16.20.0 mask 255.255.255.0
destination-address 172.16.10.0 mask 255.255.255.0
destination-address 172.16.20.0 mask 255.255.255.0
destination-address 172.21.101.0 mask 255.255.255.0
action no-pbr
rule name pbr_10
ingress-interface GigabitEthernet1/0/0
source-address 172.16.10.0 mask 255.255.255.0
action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.2
rule name pbr_15
ingress-interface GigabitEthernet1/0/0
source-address 172.16.20.0 mask 255.255.255.0
action pbr egress-interface GigabitEthernet1/0/2 next-hop 2.2.2.2
9.配置基于区域的NAT SERVERT
注:指定了区域的话,就表示只允许这个区域内的用户可以访问。
#
nat server 0 zone dx protocol tcp global 1.1.1.3 8080 inside 172.21.101.80 www
nat server 1 zone yd protocol tcp global 2.2.2.3 8080 inside 172.21.101.80 www
nat server 2 zone trust protocol tcp global 1.1.1.3 8080 inside 172.21.101.80 www no-reverse
nat server 3 zone trust protocol tcp global 2.2.2.3 8080 inside 172.21.101.80 www no-reverse
#
10.基于全局的NAT SERVER /*做这个之前使用undon nat server all删除所有的nat server映射。
这个主要用于验证同一个域内内网用户通过公网IP访问http服务。
注:(1)配置nat server时加no-reverse参数,只生成正方向的Server-Map表项。如果没有指定no-reverse参数,将会生成正反两个方向的Server-Map表项(2)如果在企业中有多个出口ISP线路,同时需要将企业内部服务器发布到多个公网IP上时,如果不加no-reverse参数,将无法配置多个Global地址和同一个Inside地址建立映射关系。
#
nat server http protocol tcp global 2.2.2.3 8080 inside 172.16.20.80 www no-reverse
nat server http1 protocol tcp global 1.1.1.3 8080 inside 172.16.20.80 www no-reverse
nat server ftp01 protocol tcp global 1.1.1.4 2121 inside 172.21.101.80 ftp no-reverse
nat server ftp02 protocol tcp global 2.2.2.4 2121 inside 172.21.101.80 ftp no-reverse
#11.配置地址集
#
ip address-set HTTP_SERVER01 type object
address 0 172.21.101.80 0
address 1 172.16.20.80 0
#
12.配置自定义服务集(配置未使用)
#
ip service-set server1_port type object
service 0 protocol tcp destination-port 8888
#
ip service-set server2_port type object
service 0 protocol udp destination-port 6666
#
13.配置源进源出功能
为了保证流量来回路径一致,即从dx进来的外部流量访问,回包也从dx出去。从yd进来的外部流量访问,回包也从yd出去。
#
interface GigabitEthernet1/0/1
description LINK_DX
undo shutdown
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.2------------配置默认网关
service-manage ping permit
redirect-reverse next-hop 1.1.1.2------------配置接口的源进源出功能,外网用户从DX访问企业http或ftp服务器,防火墙就使用从该报文进入的接口(1.1.1.2)作为回包。
#
interface GigabitEthernet1/0/2
description LINK_YD
undo shutdown
ip address 2.2.2.1 255.255.255.0
gateway 2.2.2.2------------配置默认网关
service-manage ping permit
redirect-reverse next-hop 2.2.2.2------------配置接口的源进源出功能,外网用户从YD访问企业http或ftp服务器,防火墙就使用从该报文进入的接口(2.2.2.2)作为回包。
#
二、验证测试
查看防火墙server-map表
只显示正向server-map表(nat server后面加了no-reverse参数)
<FW1>display firewall server-map
2021-11-04 03:00:17.830
Current Total Server-map : 4
Type: Nat Server, ANY -> 2.2.2.3:8080[172.16.20.80:80], Zone:---, protocol:t
cp Vpn: public -> public
Type: Nat Server, ANY -> 2.2.2.4:2121[172.21.101.80:21], Zone:---, protocol:
tcp Vpn: public -> public
Type: Nat Server, ANY -> 1.1.1.3:8080[172.16.20.80:80], Zone:---, protocol:t
cp Vpn: public -> public
Type: Nat Server, ANY -> 1.1.1.4:2121[172.21.101.80:21], Zone:---, protocol:
tcp Vpn: public -> public
显示正反方向server-map表(nat server后面没有no-reverse参数)
[FW1]display firewall server-map
2021-10-28 08:33:48.950
Current Total Server-map : 4
Type: Nat Server, ANY -> 2.2.2.3:8080[172.21.101.80:80], Zone:---, protocol:
tcp
Vpn: public -> public
Type: Nat Server Reverse, 172.21.101.80[2.2.2.3] -> ANY, Zone:---, protocol:t
cp
Vpn: public -> public, counter: 1
2.1 内、外网用户访问FTP服务测试
a.外网web用户访问FTP://2.2.2.4:2121和FTP://1.1.1.4:2121
查看防火墙会话表记录
<FW1>display firewall session table
2021-11-04 03:10:53.590
Current Total Sessions : 2
ftp VPN: public --> public 50.1.1.253:2074 +-> 2.2.2.4:2121[172.21.101.80:21]
ftp VPN: public --> public 50.1.1.253:2076 +-> 1.1.1.4:2121[172.21.101.80:21]
b.内网web1用户访问FTP://2.2.2.4:2121和FTP://1.1.1.4:2121
登录防火墙web管理页面,查看会话记录
查看防火墙会话表记录
<FW1>display firewall session table
2021-11-04 03:13:57.770
Current Total Sessions : 3
ftp VPN: public --> public 172.16.10.22:2053 +-> 1.1.1.4:2121[172.21.101.80:21]
ftp VPN: public --> public 172.16.10.22:2055 +-> 2.2.2.4:2121[172.21.101.80:21]
查询指定的内网web1用户172.1.10.22的会话表记录
<FW1>display firewall session table source inside 172.16.10.22
2021-11-04 03:25:56.990
Current Total Sessions : 2
ftp VPN: public --> public 172.16.10.22:2053 +-> 1.1.1.4:2121[172.21.101.80:21]
ftp VPN: public --> public 172.16.10.22:2055 +-> 2.2.2.4:2121[172.21.101.80:21]
2.2 域内NAT访问测试
a.内网web1访问http://1.1.1.3:8080和http://2.2.2.3:8080
查看防火墙会话表,发现用户都通过NAT策略中的地址池将内网IP(172.16.10.22)转化成公网IP(2.2.2.10)。
[FW1]dis firewall session table
2021-11-01 08:55:35.580
Current Total Sessions : 1
http VPN: public --> public 172.16.10.22:2058[2.2.2.10:2058] --> 1.1.1.3:8080[172.16.20.80:80]
[FW1]dis firewall session table
2021-11-01 08:56:00.570
Current Total Sessions : 1
http VPN: public --> public 172.16.10.22:2059[2.2.2.10:2059] --> 2.2.2.3:8080[172.16.20.80:80]
b.内网web2访问http://1.1.1.3:8080和http://2.2.2.3:8080
查看防火墙会话表,发现用户都通过NAT策略中的地址池将内网IP(172.16.20.22)转化成公网IP(2.2.2.10)。
[FW1]dis firewall session table
2021-11-01 08:58:48.600
Current Total Sessions : 1
http VPN: public --> public 172.16.20.22:2059[2.2.2.10:2060] --> 1.1.1.3:8080[172.16.20.80:80]
[FW1]dis firewall session table
2021-11-01 08:58:57.320
Current Total Sessions : 1
http VPN: public --> public 172.16.20.22:2060[2.2.2.10:2061] --> 2.2.2.3:8080[172.16.20.80:80]
c.外网web访问http://1.1.1.3:8080和http://2.2.2.3:8080
查看防火墙会话表,发现用户都通过NAT策略中的地址池将公网IP(50.1.1.253)访问内网的http服务器的公网IP 1.1.1.3和2.2.2.3转化成内网IP(172.16.20.80)。
[FW1]display firewall session table
2021-11-01 09:10:06.500
Current Total Sessions : 1
http VPN: public --> public 50.1.1.253:2063 --> 1.1.1.3:8080[172.16.20.80:80]
[FW1]display firewall session table
2021-11-01 09:10:35.410
Current Total Sessions : 1
http VPN: public --> public 50.1.1.253:2064 --> 2.2.2.3:8080[172.16.20.80:80]
三、验证策略路由
PC1按照配置的策略路由从1.1.1.2线路出去,然后到达50.1.1.253。
PC2按照配置的策略路由从2.2.2.2线路出去,然后到达50.1.1.253。
通过display firewall session table检查防火墙会话表
可以看到PC1访问外网时,使用地址池中的2.2.2.6进行了转换。PC2也使用了地址池中的1.1.1.6进行了转换访问外网。
[FW1]display firewall session table
2021-11-04 14:26:52.330
Current Total Sessions : 0
[FW1]dis firewall session table
2021-11-04 14:27:56.750
Current Total Sessions : 11
icmp VPN: public --> public 172.16.10.253:16319[1.1.1.6:2048] --> 8.8.8.8:2048
[FW1]display firewall session table
2021-11-04 14:28:45.650
Current Total Sessions : 12
icmp VPN: public --> public 172.16.20.253:27583[2.2.2.6:2049] --> 114.114.114.114:2048
四、出口线路故障模拟
要求:当dx线路出现故障后,所有的流量都从yd走。
线路故障之前的路由,只摘录配置的静态路由,可以看到有二条默认路由下一跳分别是1.1.1.2和2.2.2.2。另外一条是内网的回程路由。
<FW1>display ip routing-table
2021-10-29 07:21:25.320
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 10 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 1.1.1.2 GigabitEthernet1/0/1
Static 60 0 RD 2.2.2.2 GigabitEthernet1/0/2
172.16.0.0/16 Static 60 0 RD 172.21.100.254 GigabitEthernet1/0/0
在PC1先用ping命令测试与外网PC的连通性,然后通过tracert命令追踪包的路由。可以看到当DX线路出现故障后,PC1切换从YD(2.2.2.2)出去。
五、验证源进源出功能
在ISP上的路由配置如下,二条默认路由分别指向DX和YD。
<ISP>dis current-configuration | include static
ip route-static 0.0.0.0 0.0.0.0 30.1.1.2 track nqa test dxicmp
ip route-static 0.0.0.0 0.0.0.0 40.1.1.2 track nqa test ydicmp
NQA配置
#
nqa test-instance dx 1
nqa test-instance test dxicmp
test-type icmp
destination-address ipv4 30.1.1.2
frequency 10
probe-count 2
start now
nqa test-instance test ydicmp
test-type icmp
destination-address ipv4 40.1.1.2
frequency 10
probe-count 2
start now
#
接口配置
#
interface GigabitEthernet0/0/0
ip address 50.1.1.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
ip address 40.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 30.1.1.1 255.255.255.0
#
a.测试外网web用户访问企业内部服务HTTP01
通过抓包查看外网用户是从YD出口进入,回包也从YD回来。如果没有配置源进源出的时候,进去可能是从DX,而回包却是从YD。这样子就会导致正常的业务访问会出问题,注意一点在实验中是能正常访问的,但如果是ISP商有做防护的话,会导致业务流量访问出现异常。
b. 测试外网web用户访问企业内部服务部FTP01
通过抓包查看外网用户是从YD出口进入,回包也从YD回来。
c. 测试外网web用户访问企业内部服务FTP://2.2.2.4:2121
通过抓包查看外网用户是从DX出口进入,回包也从DX回来。
921
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
