Basic firewall usage
Lab tool: eNSP
Build the topology shown in the figure.
1. Assign IP addresses to the three routers
[R5-GigabitEthernet0/0/0]ip address 192.168.10.1 24
[R6-GigabitEthernet0/0/0]ip address 192.168.20.1 24
[R7-GigabitEthernet0/0/0]ip address 192.168.30.1 24
2. Create the VLANs on the switch
[SW1]vlan batch 10 20 30
3. Configure all switch interfaces
[SW1]port-group group-member g0/0/1 g0/0/2 g0/0/3 g0/0/11 g0/0/12 g0/0/13
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/11]port link-type access
[SW1-GigabitEthernet0/0/12]port link-type access
[SW1-GigabitEthernet0/0/13]port link-type access // set every switch interface to access mode (the port group applies the command to each member, which is what the echoed prompts show)
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/2]port default vlan 20
[SW1-GigabitEthernet0/0/3]port default vlan 30
[SW1-GigabitEthernet0/0/11]port default vlan 10
[SW1-GigabitEthernet0/0/12]port default vlan 20
[SW1-GigabitEthernet0/0/13]port default vlan 30 // place each interface in its VLAN: router-facing and firewall-facing ports of one segment share a VLAN
4. Firewall configuration
Username: admin
Password: Admin@123 // factory default login; the password was changed to "YSys1234" at the first-login prompt
[USG6000V1-GigabitEthernet1/0/1]ip address 192.168.10.254 24
[USG6000V1-GigabitEthernet1/0/2]ip address 192.168.20.254 24
[USG6000V1-GigabitEthernet1/0/3]ip address 192.168.30.254 24 // each firewall interface is the gateway of the corresponding router's segment
5. Configure a default route on each router
[R5]ip route-static 0.0.0.0 0 192.168.10.254
[R6]ip route-static 0.0.0.0 0 192.168.20.254
[R7]ip route-static 0.0.0.0 0 192.168.30.254 // next hop is the router's own gateway on the firewall
6. Configure the firewall security zones
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g1/0/1
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/2
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface g1/0/3 // enter each zone and add its interface (local, trust, untrust and dmz exist by default on the USG; an interface that belongs to no zone does not forward traffic)
7. Verification
[USG6000V1]dis zone // display zone lists each zone, its priority and its interfaces; note that the management port GigabitEthernet0/0/0 is already in trust by default
2021-04-08 02:00:15.680
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/2
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/1
#
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/3
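As an added example that is not part of the original lab, the Python script below parses the text printed by display zone above into a zone table and audits it: it reports any interface that was given an IP address but belongs to no zone (the USG does not forward traffic on such an interface) and points out that the management port shares the trust zone with a data interface, so every trust policy also covers the management segment. The sample input is the lab's own display zone output embedded as a string; the interface names handed to the audit are the ones configured in step 4 plus one hypothetical extra interface (GigabitEthernet1/0/4) that was never zoned.

```python
import re

# Constructed sample input: the "display zone" output from step 7 of the lab.
DISPLAY_ZONE_OUTPUT = """\
2021-04-08 02:00:15.680
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/2
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/1
#
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/3
"""

PRIORITY_RE = re.compile(r"^priority is (\d+)$")
COUNT_RE = re.compile(r"^interface of the zone is \((\d+)\):$")


def parse_display_zone(text):
    """Parse 'display zone' output into {zone: {"priority": int, "interfaces": [...]}}.

    Each zone is printed as: name, 'priority is N', 'interface of the zone is (N):',
    then N interface names; zones are separated by '#'. Any other line (such as the
    leading timestamp) is only a candidate name until a priority line confirms it.
    """
    zones = {}
    candidate = None   # last line that could be a zone name
    current = None     # zone whose interface list is being read
    remaining = 0      # interface lines still expected for `current`
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current, remaining = None, 0
            continue
        if m := PRIORITY_RE.match(line):
            current = candidate
            zones[current] = {"priority": int(m.group(1)), "interfaces": []}
            continue
        if m := COUNT_RE.match(line):
            remaining = int(m.group(1))
            continue
        if current is not None and remaining > 0:
            zones[current]["interfaces"].append(line)
            remaining -= 1
        else:
            candidate = line
    return zones


def zone_of(zones, interface):
    """Name of the zone that contains `interface`, or None if it is unassigned."""
    for name, zone in zones.items():
        if interface in zone["interfaces"]:
            return name
    return None


def audit(zones, l3_interfaces, mgmt_interface="GigabitEthernet0/0/0"):
    """Return a list of findings about the zone layout.

    l3_interfaces: interfaces that carry an IP address and are expected to forward;
    mgmt_interface: the out-of-band management port (G0/0/0 on the USG6000V).
    """
    findings = []
    for iface in l3_interfaces:
        if zone_of(zones, iface) is None:
            findings.append(f"{iface} has an IP address but is in no zone; it will not forward traffic")
    mgmt_zone = zone_of(zones, mgmt_interface)
    if mgmt_zone is not None:
        peers = [i for i in zones[mgmt_zone]["interfaces"] if i != mgmt_interface]
        if peers:
            findings.append(
                f"{mgmt_interface} shares zone {mgmt_zone} with {', '.join(peers)}; "
                f"policies for {mgmt_zone} also cover the management segment")
    return findings


if __name__ == "__main__":
    zones = parse_display_zone(DISPLAY_ZONE_OUTPUT)
    for name, zone in zones.items():
        print(f"{name:8} priority {zone['priority']:3}  {zone['interfaces']}")
    # Interfaces addressed in step 4 of the lab, plus a hypothetical unzoned G1/0/4.
    configured = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2",
                  "GigabitEthernet1/0/3", "GigabitEthernet1/0/4"]
    for finding in audit(zones, configured):
        print("finding:", finding)
```

Run it after any change to zone membership; the parser only needs the text you get from display zone, so it works on a pasted console capture as well as on output pulled over SSH.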
Lab 1: Trust accessing Untrust
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]action permit // rule named trust_untrust: permit Trust to Untrust (everything not matched by a rule is dropped by the implicit default rule)
Verification:
<R6>ping 192.168.10.1
PING 192.168.10.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 192.168.10.1: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.10.1: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 192.168.10.1: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 192.168.10.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/82/110 ms
// verified: R6 (trust) reaches R5 (untrust)
Lab 2: DMZ accessing Untrust
[USG6000V1-policy-security]rule name dmz_untrust
[USG6000V1-policy-security-rule-dmz_untrust]source-zone dmz
[USG6000V1-policy-security-rule-dmz_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-dmz_untrust]action permit
Verification:
<R7>ping 192.168.10.1
PING 192.168.10.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.1: bytes=56 Sequence=1 ttl=255 time=20 ms
Reply from 192.168.10.1: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 192.168.10.1: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.10.1: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 192.168.10.1: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 192.168.10.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 61/84/120 ms
// verified: R7 (dmz) reaches R5 (untrust)
Lab 3: Untrust accessing DMZ
1. Enable remote login on the router that will be accessed
[R7]user-interface vty 0 4
[R7-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):123 // password login on the VTY lines of the target router (lab value; telnet carries it in cleartext, so use SSH outside a lab)
2. Configure the Untrust to DMZ policy and the server mapping
[USG6000V1-policy-security]rule name untrust_dmz // rule untrust_dmz: untrust to dmz
[USG6000V1-policy-security-rule-untrust_dmz]source-zone untrust
[USG6000V1-policy-security-rule-untrust_dmz]destination-zone dmz
[USG6000V1-policy-security-rule-untrust_dmz]destination-address 192.168.30.1 mask 255.255.255.255 // restrict to this one host; with mask 255.255.255.0 the rule would cover all of 192.168.30.0/24. The real (inside) address is used here because the NAT server translation is applied before the security policy is looked up
[USG6000V1-policy-security-rule-untrust_dmz]service telnet // permit only the predefined telnet service (TCP 23)
[USG6000V1-policy-security-rule-untrust_dmz]action permit
[USG6000V1]nat server 1 protocol tcp global 192.168.10.20 2323 inside 192.168.30.1 23 no-reverse
// global 192.168.10.20 2323: the address and port the outside sees; inside 192.168.30.1 23: the real address and port; no-reverse: do not create the reverse (source) mapping for the server's own outbound traffic
Verification:
<R5>telnet 192.168.10.20 2323
Press CTRL_] to quit telnet mode
Trying 192.168.10.20 ...
Connected to 192.168.10.20 ...
Login authentication
Password: (enter 123)
<R7> // logged in to R7 through the mapped address
// lab succeeded
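As an added example that is not part of the original lab, the Python model below replays the firewall's decision for a handful of flows using the zones, the three rules and the nat server mapping configured above. It encodes two behaviours worth knowing: destination NAT (nat server) is applied before the security-policy lookup, so the untrust_dmz rule has to name the real address 192.168.30.1 rather than 192.168.10.20; and a destination-address entered with mask 255.255.255.0 matches the whole 192.168.30.0/24, so the model evaluates that variant beside the host-only mask 255.255.255.255. Rule order, first-match semantics and the implicit default-deny rule follow the USG's behaviour; intra-zone traffic is not modelled because the lab never generates any. The flows are constructed test inputs, and 192.168.30.77 is a hypothetical extra DMZ host.

```python
import ipaddress

# Interface subnets -> zones, taken from the lab (G1/0/1, G1/0/2, G1/0/3).
ZONE_OF_NET = {
    ipaddress.ip_network("192.168.10.0/24"): "untrust",
    ipaddress.ip_network("192.168.20.0/24"): "trust",
    ipaddress.ip_network("192.168.30.0/24"): "dmz",
}

# Predefined services used by the lab; None means "any port or protocol".
SERVICE_PORTS = {"any": None, "telnet": {23}}

# nat server 1 protocol tcp global 192.168.10.20 2323 inside 192.168.30.1 23 no-reverse
NAT_SERVERS = [{"global": ("192.168.10.20", 2323), "inside": ("192.168.30.1", 23)}]


def rule(name, src_zone, dst_zone, dst_addr="0.0.0.0/0", service="any"):
    """One security-policy rule. dst_addr is written as a prefix; strict=False
    mirrors the CLI, which accepts a host address with a non-host mask
    (192.168.30.1 mask 255.255.255.0 is the same as 192.168.30.0/24)."""
    return {
        "name": name,
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "dst_net": ipaddress.ip_network(dst_addr, strict=False),
        "ports": SERVICE_PORTS[service],
    }


# untrust_dmz written with mask 255.255.255.0: matches every host in 192.168.30.0/24.
POLICY_SUBNET_MASK = [
    rule("trust_untrust", "trust", "untrust"),
    rule("dmz_untrust", "dmz", "untrust"),
    rule("untrust_dmz", "untrust", "dmz", "192.168.30.1/24", "telnet"),
]

# untrust_dmz written with mask 255.255.255.255: matches only 192.168.30.1.
POLICY_HOST_MASK = POLICY_SUBNET_MASK[:2] + [
    rule("untrust_dmz", "untrust", "dmz", "192.168.30.1/32", "telnet"),
]


def zone_for(ip):
    """Zone of the interface whose subnet contains ip, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONE_OF_NET.items():
        if addr in net:
            return zone
    return None


def apply_nat_server(dst_ip, dst_port):
    """Destination NAT runs before the policy lookup: a packet addressed to the
    global address:port is rewritten to the inside address:port first."""
    for mapping in NAT_SERVERS:
        if (dst_ip, dst_port) == mapping["global"]:
            return mapping["inside"]
    return dst_ip, dst_port


def evaluate(policy, src_ip, dst_ip, dst_port=None):
    """Return (action, rule_name, (real_dst_ip, real_dst_port)).

    dst_port=None models a non-TCP/UDP flow such as the lab's ICMP pings.
    Rules are checked top-down; the first match wins and the USG's implicit
    'default' rule denies everything else.
    """
    real_ip, real_port = apply_nat_server(dst_ip, dst_port)
    src_zone, dst_zone = zone_for(src_ip), zone_for(real_ip)
    for r in policy:
        if r["src_zone"] != src_zone or r["dst_zone"] != dst_zone:
            continue
        if ipaddress.ip_address(real_ip) not in r["dst_net"]:
            continue
        if r["ports"] is not None and real_port not in r["ports"]:
            continue
        return "permit", r["name"], (real_ip, real_port)
    return "deny", "default", (real_ip, real_port)


if __name__ == "__main__":
    # Constructed flows: (source, destination, destination port or None for ICMP).
    flows = [
        ("192.168.20.1", "192.168.10.1", None),   # R6 (trust) pings R5 (untrust): lab 1
        ("192.168.30.1", "192.168.10.1", None),   # R7 (dmz) pings R5: lab 2
        ("192.168.10.1", "192.168.20.1", None),   # R5 (untrust) pings R6: no rule
        ("192.168.10.1", "192.168.10.20", 2323),  # R5 telnets the mapped address: lab 3
        ("192.168.10.1", "192.168.30.1", 23),     # R5 telnets the real address directly
        ("192.168.10.1", "192.168.30.77", 23),    # R5 telnets a hypothetical other dmz host
        ("192.168.10.1", "192.168.30.1", 22),     # R5 tries SSH to R7
    ]
    for label, policy in (("mask 255.255.255.0", POLICY_SUBNET_MASK),
                          ("mask 255.255.255.255", POLICY_HOST_MASK)):
        print(f"--- untrust_dmz with {label} ---")
        for src, dst, port in flows:
            action, name, real = evaluate(policy, src, dst, port)
            print(f"{src} -> {dst}:{port}  {action:6} ({name})  real dst {real}")
```

Two results deserve attention when you run it: R5 reaching 192.168.30.1:23 directly is permitted under both policies, because the nat server mapping does not hide the real address from a zone that can already route to it, and only the host mask stops R5 from reaching other DMZ hosts on port 23.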
Lab 4: Accessing the firewall web interface
1. Open the Cloud device settings
Configure it as shown in the screenshot.
2. Configure the firewall's g0/0/0 management interface
[USG6000V1-GigabitEthernet0/0/0]ip address 192.168.100.151 24 //配置接口IP地址
[USG6000V1-GigabitEthernet0/0/0]service-manage all permit // allow every management service (including telnet and http) on this interface; fine for the lab, but in production permit only https and ssh (plus ping for reachability checks)
3. Ping from the host PC to verify the Cloud adapter setup
C:\Users\10649>ping 192.168.100.151
Pinging 192.168.100.151 with 32 bytes of data:
Reply from 192.168.100.151: bytes=32 time<1ms TTL=225
Reply from 192.168.100.151: bytes=32 time<1ms TTL=225
Reply from 192.168.100.151: bytes=32 time<1ms TTL=225
Reply from 192.168.100.151: bytes=32 time<1ms TTL=225
Ping statistics for 192.168.100.151:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
4. Verify in the browser
// the login page loads
After entering the password, the configuration interface opens.
// lab succeeded