==============================================================================================
2020/2/18 三叶草
Lab topology:
Lab requirements:
1. The firewall can reach the trust zone
2. The trust zone can reach the firewall
3. Every address in the trust zone can reach the untrust zone
4. The untrust zone can reach only the loopback interface in the DMZ zone
Lab steps:
1. Configure IP addresses as shown in the topology
2. Create the VLANs
[sw1]vlan batch 10 20 30
3. Set the switch ports to access mode and assign them to their VLANs
[sw1]int g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type access
[sw1-GigabitEthernet0/0/1]port default vlan 10
[sw1-GigabitEthernet0/0/1]int g0/0/11
[sw1-GigabitEthernet0/0/11]port link-type access
[sw1-GigabitEthernet0/0/11]port default vlan 10
[sw1-GigabitEthernet0/0/11]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access
[sw1-GigabitEthernet0/0/2]port default vlan 20
[sw1-GigabitEthernet0/0/2]int g0/0/12
[sw1-GigabitEthernet0/0/12]port link-type access
[sw1-GigabitEthernet0/0/12]port default vlan 20
[sw1-GigabitEthernet0/0/12]int g0/0/3
[sw1-GigabitEthernet0/0/3]port link-type access
[sw1-GigabitEthernet0/0/3]port default vlan 30
[sw1-GigabitEthernet0/0/3]int g0/0/13
[sw1-GigabitEthernet0/0/13]port link-type access
[sw1-GigabitEthernet0/0/13]port default vlan 30
4. Configure static routes (each router default-routes to its firewall interface; the firewall has a static route to the 100.x.x.0/24 network behind each router)
[r1]ip route-static 0.0.0.0 0 10.1.1.254
[r2]ip route-static 0.0.0.0 0 10.1.2.254
[r3]ip route-static 0.0.0.0 0 10.1.3.254
[USG6000V1]ip route-static 100.1.1.0 255.255.255.0 10.1.1.1
[USG6000V1]ip route-static 100.2.2.0 255.255.255.0 10.1.2.1
[USG6000V1]ip route-static 100.3.3.0 255.255.255.0 10.1.3.1
5. Assign the firewall interfaces to security zones
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust] add interface GigabitEthernet1/0/2
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet1/0/1
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet1/0/3
6. The firewall can reach the trust zone
Traffic the firewall sends itself belongs to the local zone, so a local-to-trust rule is needed; the echo replies return on the session state, no trust-to-local rule is required for them.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 1
[USG6000V1-policy-security-rule-1]source-zone local
[USG6000V1-policy-security-rule-1]destination-zone trust
[USG6000V1-policy-security-rule-1]source-address 10.1.2.0 24
[USG6000V1-policy-security-rule-1]action permit
[USG6000V1]ping 10.1.2.1
PING 10.1.2.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.2.1: bytes=56 Sequence=1 ttl=255 time=42 ms
Reply from 10.1.2.1: bytes=56 Sequence=2 ttl=255 time=38 ms
Reply from 10.1.2.1: bytes=56 Sequence=3 ttl=255 time=28 ms
Reply from 10.1.2.1: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 10.1.2.1: bytes=56 Sequence=5 ttl=255 time=34 ms
7. The trust zone can reach the firewall
Packets addressed to the firewall's own interface are admitted by service-manage on that interface. As the ping below shows, no trust-to-local security-policy rule was added for this.
[USG6000V1]interface GigabitEthernet 1/0/2
[USG6000V1-GigabitEthernet1/0/2]service-manage ping permit
<r2>ping 10.1.2.254
PING 10.1.2.254: 56 data bytes, press CTRL_C to break
Reply from 10.1.2.254: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 10.1.2.254: bytes=56 Sequence=2 ttl=255 time=30 ms
Reply from 10.1.2.254: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.1.2.254: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 10.1.2.254: bytes=56 Sequence=5 ttl=255 time=30 ms
8. Every address in the trust zone can reach the untrust zone
Both the r2 link address and the 100.2.2.0/24 network behind it must be listed as sources, which the two pings below verify.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 2
[USG6000V1-policy-security-rule-2]source-zone trust
[USG6000V1-policy-security-rule-2]destination-zone untrust
[USG6000V1-policy-security-rule-2]source-address 10.1.2.0 24
[USG6000V1-policy-security-rule-2]source-address 100.2.2.0 24
[USG6000V1-policy-security-rule-2]action permit
<r2>ping -a 10.1.2.1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=90 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=254 time=90 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=254 time=80 ms
<r2>ping -a 100.2.2.2 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=90 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=90 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=254 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=254 time=80 ms
9. The untrust zone can reach only the loopback interface in the DMZ zone
Rule 3 permits only ICMP to 100.3.3.0/24; anything else from untrust to dmz, including the router's physical address, falls through to the default deny policy. The first ping below reaches the loopback, the second does not. Check the negative test against the topology: the static route for 100.3.3.0/24 points at next hop 10.1.3.1, while the blocked ping targets 10.1.3.3; a timeout to an address nobody holds would not prove the policy works.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 3
[USG6000V1-policy-security-rule-3]source-zone untrust
[USG6000V1-policy-security-rule-3]destination-zone dmz
[USG6000V1-policy-security-rule-3]destination-address 100.3.3.0 24
[USG6000V1-policy-security-rule-3]service icmp
[USG6000V1-policy-security-rule-3]action permit
<r1>ping -a 100.1.1.1 100.3.3.3
PING 100.3.3.3: 56 data bytes, press CTRL_C to break
Request time out
Reply from 100.3.3.3: bytes=56 Sequence=2 ttl=254 time=270 ms
Reply from 100.3.3.3: bytes=56 Sequence=3 ttl=254 time=60 ms
Reply from 100.3.3.3: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 100.3.3.3: bytes=56 Sequence=5 ttl=254 time=80 ms
<r1>ping -a 100.1.1.1 10.1.3.3
PING 10.1.3.3: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
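To make the zone logic concrete, the following is an added Python model of this lab, not part of the original notes and not a Huawei tool. It derives the zone of each address by route lookup over the connected subnets and the static routes of step 4 (the egress interface decides the zone, not the address itself), admits traffic addressed to the firewall via service-manage as in step 7, and then evaluates rules 1 to 3 in configured order with an implicit default deny. Interface names, addresses and rules are the ones on this page; the assumption that the firewall holds the .254 address on each segment follows from the routers' default routes. It also checks two cases the lab does not ping: untrust to trust, and a non-ICMP service to the DMZ loopback.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface -> (connected subnet, zone), per steps 1 and 5 of the lab.
INTERFACES = {
    "GigabitEthernet1/0/1": (ip_network("10.1.1.0/24"), "untrust"),
    "GigabitEthernet1/0/2": (ip_network("10.1.2.0/24"), "trust"),
    "GigabitEthernet1/0/3": (ip_network("10.1.3.0/24"), "dmz"),
}
# Assumed firewall addresses (the .254 gateways the routers default-route to);
# traffic from or to these belongs to the "local" zone.
FIREWALL_ADDRS = {ip_address(a) for a in ("10.1.1.254", "10.1.2.254", "10.1.3.254")}
# Static routes from step 4: prefix -> next hop.
STATIC_ROUTES = [
    (ip_network("100.1.1.0/24"), ip_address("10.1.1.1")),
    (ip_network("100.2.2.0/24"), ip_address("10.1.2.1")),
    (ip_network("100.3.3.0/24"), ip_address("10.1.3.1")),
]
# service-manage from step 7; "ping permit" is modelled as the icmp service.
SERVICE_MANAGE = {"GigabitEthernet1/0/2": {"icmp"}}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_addrs: list = field(default_factory=list)  # empty = any
    dst_addrs: list = field(default_factory=list)  # empty = any
    services: set = field(default_factory=set)     # empty = any
    action: str = "permit"


# Security policy from steps 6, 8 and 9, in configured order (first match wins).
RULES = [
    Rule("1", "local", "trust", src_addrs=[ip_network("10.1.2.0/24")]),
    Rule("2", "trust", "untrust",
         src_addrs=[ip_network("10.1.2.0/24"), ip_network("100.2.2.0/24")]),
    Rule("3", "untrust", "dmz", dst_addrs=[ip_network("100.3.3.0/24")], services={"icmp"}),
]


def egress_interface(addr) -> Optional[str]:
    """Longest-prefix match over connected subnets and static routes.
    A static route is resolved recursively through its next hop, as a FIB does."""
    best_len, best_if = -1, None
    for ifname, (net, _zone) in INTERFACES.items():
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, ifname
    for net, nexthop in STATIC_ROUTES:
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, egress_interface(nexthop)
    return best_if


def zone_of(addr) -> str:
    """A zone belongs to an interface, not to an address: the zone of a
    packet is that of the interface it enters or leaves through."""
    if addr in FIREWALL_ADDRS:
        return "local"
    ifname = egress_interface(addr)
    if ifname is None:
        raise ValueError(f"no route to {addr}")
    return INTERFACES[ifname][1]


def evaluate(src: str, dst: str, service: str = "icmp") -> tuple:
    """Return (action, matched_by, src_zone, dst_zone) for a flow's first packet."""
    s, d = ip_address(src), ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    if dz == "local":
        # Traffic to the firewall itself is admitted by service-manage on the
        # ingress interface (step 7); no policy rule is consulted in this lab.
        allowed = SERVICE_MANAGE.get(egress_interface(s), set())
        return ("permit" if service in allowed else "deny", "service-manage", sz, dz)
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.src_addrs and not any(s in n for n in r.src_addrs):
            continue
        if r.dst_addrs and not any(d in n for n in r.dst_addrs):
            continue
        if r.services and service not in r.services:
            continue
        return (r.action, f"rule {r.name}", sz, dz)
    return ("deny", "default", sz, dz)  # implicit default policy: deny


if __name__ == "__main__":
    for src, dst in [("10.1.2.254", "10.1.2.1"), ("10.1.2.1", "10.1.2.254"),
                     ("10.1.2.1", "10.1.1.1"), ("100.2.2.2", "10.1.1.1"),
                     ("100.1.1.1", "100.3.3.3"), ("100.1.1.1", "10.1.3.3"),
                     ("100.1.1.1", "10.1.2.1")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

The model reproduces the six pings on this page: the first five are permitted by rule 1, service-manage, rule 2 (twice) and rule 3, and the ping to 10.1.3.3 is dropped by the default policy because rule 3 only names 100.3.3.0/24. It also shows that rule 2 is one-directional (untrust to trust has no rule and is denied) and that rule 1 only opens local to trust, so the firewall itself cannot ping 10.1.1.1 in the untrust zone without a further rule.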