HCIP security 综合实验测试


HCIP security 综合实验测试

拓扑图

image-20230811161501679

实验要求

1.总部在出口处部署双机热备负载分担模式,心跳线采用ETH-TRUNK链路聚合方式
2.内部网络访问总部服务器走内网网络,直接访问服务器真实内网地址;子公司访问总部HTTP/FTP服务器使用公网地址访问,总部公司申请了200.1.1.100/24的公网地址供外网用户访问
3.子公司A与子公司B之间的通信使用加密通道进行通信
4.内网区域的各个部门访问子公司的服务器使用出接口方式访问

LSW1

// Interface configuration (LSW1 is the HQ core switch and the inter-VLAN gateway)
#
vlan batch 10 20 30 100
#
#
// Department gateways. NOTE(review): because LSW1 routes between VLAN 10/20/30 locally,
// department-to-department traffic never crosses FW1/FW2 and is not subject to any security policy.
interface Vlanif10
 ip address 172.16.10.254 255.255.255.0
#
interface Vlanif20
 ip address 172.16.20.254 255.255.255.0
#
interface Vlanif30
 ip address 172.16.30.254 255.255.255.0
#
// Uplink segment towards the firewall pair; FW1/FW2 point their 172.16.0.0/19 route at this address
interface Vlanif100
 ip address 172.16.100.3 255.255.255.0
#
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1   // VLAN 1 pruned from this trunk
 port trunk allow-pass vlan 10 20 30
#
// NOTE(review): VLAN 1 is still allowed on this trunk (no "undo port trunk allow-pass vlan 1"),
// inconsistent with G0/0/1 - prune it as well.
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
// Access ports in VLAN 100, presumably one to each firewall's G1/0/4 (topology not shown in the listing)
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 100
#

// Routing: everything not local goes to the VRRP virtual IP shared by FW1/FW2 (vrid 1)
#
ip route-static 0.0.0.0 0.0.0.0 172.16.100.254
#

LSW2

此交换机仅做转发,不做任何配置

LSW3

// Interface configuration (LSW3: access switch, VLAN 10 and VLAN 30 hosts)
#
vlan batch 10 20 30
#
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 30
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 10
#
// Trunks towards the core. NOTE(review): VLAN 1 is left allowed on both trunks; prune it
// ("undo port trunk allow-pass vlan 1") as LSW1 G0/0/1 does.
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
interface Ethernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
interface Ethernet0/0/6
 port link-type access
 port default vlan 30
#

LSW4

// Interface configuration (LSW4: access switch, VLAN 20 hosts)
#
vlan batch 10 20 30
#
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 20
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
#
// Trunks towards the core. NOTE(review): VLAN 1 is left allowed on both trunks; prune it
// ("undo port trunk allow-pass vlan 1") as LSW1 G0/0/1 does.
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
#

AR1

// Interface configuration (AR1 plays the ISP/Internet on the FW1 and FW3 side)
#
interface GigabitEthernet0/0/0
 ip address 202.1.1.1 255.255.255.0    // towards FW1 G1/0/1 (202.1.1.10)
#
interface GigabitEthernet0/0/1
 ip address 100.1.1.1 255.255.255.0    // inter-ISP link to AR2
#
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0     // towards FW3 G1/0/2 (10.1.1.10), the IPsec endpoint
#

// Routing (static only; AR1 has no view of the private prefixes except what is listed here)
#
ip route-static 10.1.2.0 255.255.255.0 100.1.1.2        // FW4's WAN segment, via AR2
ip route-static 192.168.0.0 255.255.248.0 10.1.1.10     // /21 covers 192.168.0-7; FW3's 192.168.4/5/6
ip route-static 192.168.0.0 255.255.252.0 100.1.1.2     // /22 covers 192.168.0-3 (FW4's 192.168.1/2/3); longest match wins over the /21
// Two equal-cost paths to the published HQ address 200.1.1.0/24: direct to FW1, or via AR2 to FW2.
// This is what spreads inbound server traffic over both firewalls in load-sharing mode.
ip route-static 200.1.1.0 255.255.255.0 202.1.1.10
ip route-static 200.1.1.0 255.255.255.0 100.1.1.2
ip route-static 202.1.2.0 255.255.255.0 100.1.1.2       // FW2's WAN segment, via AR2
#

AR2

// Interface configuration (AR2 plays the ISP/Internet on the FW2 and FW4 side)
#
interface GigabitEthernet0/0/0
 ip address 202.1.2.2 255.255.255.0    // towards FW2 G1/0/1 (202.1.2.10)
#
interface GigabitEthernet0/0/1
 ip address 10.1.2.2 255.255.255.0     // towards FW4 G1/0/2 (10.1.2.10), the IPsec endpoint
#
interface GigabitEthernet0/0/2
 ip address 100.1.1.2 255.255.255.0    // inter-ISP link to AR1
#

// Routing (mirror of AR1's table from AR2's point of view)
#
ip route-static 10.1.1.0 255.255.255.0 100.1.1.1        // FW3's WAN segment, via AR1
ip route-static 192.168.0.0 255.255.248.0 100.1.1.1     // /21: FW3's subnets reached through AR1
ip route-static 192.168.0.0 255.255.252.0 10.1.2.10     // /22: FW4's 192.168.1/2/3, longest match
ip route-static 200.1.1.0 255.255.255.0 202.1.2.10      // published HQ address via FW2 (AR1 holds the FW1 path)
ip route-static 202.1.1.0 255.255.255.0 100.1.1.1       // FW1's WAN segment, via AR1
#

FW1

// Interface configuration (FW1, one node of the HRP load-sharing pair)
#
interface Eth-Trunk1 // heartbeat LAG: members g1/0/0, 1/0/5, 1/0/3 (NOTE(review): the g1/0/5 member stanza is not in this FW1 listing although FW2's is - presumably lost when pasting)
 ip address 10.10.0.1 255.255.255.0
#
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
// Untrust uplink to AR1
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 202.1.1.10 255.255.255.0
 service-manage ping permit   // NOTE(review): lets any Internet host ping the firewall itself; fine for the lab, remove on WAN interfaces in production
#
// Server segment (dmz). Both nodes declare vrid 2 "active" for the same virtual IP; confirm this is the
// intended load-sharing layout (each node is usually active for a distinct VRID) - NOTE(review)
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.40.10 255.255.255.0
 vrrp vrid 2 virtual-ip 172.16.40.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 1
#
// Downlink to LSW1 (VLAN 100); 172.16.100.254 is LSW1's default gateway
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 172.16.100.10 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.100.254 active
 service-manage ping permit
#

// Heartbeat link built as an Eth-Trunk (link aggregation)
// Approximate CLI sequence, shown on FW2; FW1 mirrors it with 10.10.0.1 and "remote 10.10.0.2":
[FW2]int Eth-Trunk 1
[FW2-Eth-Trunk1]ip address 10.10.0.2 24
[FW2-Eth-Trunk1]trunkport GigabitEthernet 1/0/0 1/0/3 1/0/5
[FW2]dis eth-trunk
[FW2]hrp mirror session enable 
[FW2]hrp interface Eth-Trunk 1 remote 10.10.0.1 
[FW2]hrp enable
HRP_S[FW2]dis hrp state verbose 
// The HRP_S prompt shows this node came up as the standby once HRP was enabled.
// Security zones and security policy (FW1)
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0   // management port
 add interface GigabitEthernet1/0/4   // downlink to LSW1 (HQ departments)
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1   // uplink to AR1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1             // HRP heartbeat LAG; it carries session/config sync, keep it a dedicated direct link
 add interface GigabitEthernet1/0/2   // server segment 172.16.40.0/24
#
#
security-policy
 rule name 1                          // HQ departments -> servers, any service
  source-zone trust
  destination-zone dmz
  action permit
 // NOTE(review): rule 2 admits any Internet source to any host and service in the DMZ. Only
 // 200.1.1.100:80 -> 172.16.40.1:80 is published (nat server), so match destination 172.16.40.1 and
 // service http (plus ftp once the FTP requirement is implemented) instead of permitting everything.
 rule name 2
  source-zone untrust
  destination-zone dmz
  action permit
 // NOTE(review): no trust->untrust rule is listed, yet nat-policy nat1 and requirement 4 (departments
 // reaching the subsidiary servers) need that direction; confirm whether a rule was dropped from the
 // listing or the default action was changed (the default policy is normally deny).
#
// The HQ LAN does not browse the Internet; the servers only passively accept inbound access
// Heartbeat / hot-standby (HRP) configuration
#
 hrp enable
 hrp interface Eth-Trunk1 remote 10.10.0.2   // heartbeat over the LAG; peer is FW2
 hrp mirror session enable                   // real-time session backup, needed in load-sharing mode where the return path may hit the other node
 hrp track interface Eth-Trunk1              // a failure on any tracked interface triggers switchover
 hrp track interface GigabitEthernet1/0/1
 hrp track interface GigabitEthernet1/0/2
 hrp track interface GigabitEthernet1/0/4
#
// NOTE(review): no HRP authentication is shown; if the platform supports "hrp authentication-key",
// set it so a host on the heartbeat segment cannot inject VGMP/HRP packets.
// Routing
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.1                  // default via AR1
ip route-static 172.16.0.0 255.255.224.0 172.16.100.3      // /19 (172.16.0-31) covers VLANs 10/20/30, next hop LSW1's real vlanif100 address
#
// NAT policy and NAT server
#
// Publishes only TCP/80 of 172.16.40.1 as 200.1.1.100. "no-reverse" keeps the mapping one-way:
// server-initiated traffic is not translated to the global address.
// NOTE(review): the requirement also names FTP, which is not mapped here; FTP would need its own
// nat server entry plus the FTP ASPF/ALG on the untrust-dmz interzone for the data connection.
 nat server server1 protocol tcp global 200.1.1.100 www inside 172.16.40.1 www no-reverse
#
#
// Easy-IP: HQ sources going to untrust are translated to this node's egress address (202.1.1.10) with
// port translation, which hides the 172.16.x addresses from the subsidiaries (requirement 4).
nat-policy
 rule name nat1
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#

FW2

// Interface configuration (FW2, the other node of the HRP load-sharing pair)
#
interface Eth-Trunk1                    // heartbeat LAG: members g1/0/0, 1/0/3, 1/0/5
 ip address 10.10.0.2 255.255.255.0
#
#
interface GigabitEthernet1/0/0
 undo shutdown
 eth-trunk 1
#
// Untrust uplink to AR2
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 202.1.2.10 255.255.255.0
 service-manage ping permit   // NOTE(review): lets any Internet host ping the firewall itself; remove on WAN interfaces in production
#
// Server segment (dmz). FW1 also declares vrid 2 "active" for the same virtual IP; confirm this is the
// intended load-sharing layout (each node is usually active for a distinct VRID) - NOTE(review)
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.40.20 255.255.255.0
 vrrp vrid 2 virtual-ip 172.16.40.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/3
 undo shutdown
 eth-trunk 1
#
// Downlink to LSW1 (VLAN 100)
interface GigabitEthernet1/0/4
 undo shutdown
 ip address 172.16.100.20 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.100.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/5
 undo shutdown
 eth-trunk 1
#
// Security zones and security policy (FW2; identical to FW1 so that HRP state is consistent)
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0   // management port
 add interface GigabitEthernet1/0/4   // downlink to LSW1 (HQ departments)
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1   // uplink to AR2
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk1             // HRP heartbeat LAG
 add interface GigabitEthernet1/0/2   // server segment 172.16.40.0/24
#
#
security-policy
 rule name 1                          // HQ departments -> servers, any service
  source-zone trust
  destination-zone dmz
  action permit
 // NOTE(review): rule 2 admits any Internet source to any host and service in the DMZ; restrict it to
 // destination 172.16.40.1 and the published service(s), as noted for FW1.
 rule name 2
  source-zone untrust
  destination-zone dmz
  action permit
 // NOTE(review): no trust->untrust rule is listed although nat-policy nat1 and requirement 4 need
 // that direction; confirm whether it was omitted from the listing.
#
// Heartbeat / hot-standby (HRP) configuration
#
 hrp enable
 hrp interface Eth-Trunk1 remote 10.10.0.1   // heartbeat over the LAG; peer is FW1
 hrp mirror session enable                   // real-time session backup for load-sharing mode
 hrp track interface Eth-Trunk1              // a failure on any tracked interface triggers switchover
 hrp track interface GigabitEthernet1/0/1
 hrp track interface GigabitEthernet1/0/2
 hrp track interface GigabitEthernet1/0/4
#

// Routing
#
ip route-static 0.0.0.0 0.0.0.0 202.1.2.2                  // default via AR2
ip route-static 172.16.0.0 255.255.224.0 172.16.100.3      // /19 covers VLANs 10/20/30, next hop LSW1's real vlanif100 address
#
// NAT policy and NAT server (same mapping as FW1, so either node can serve inbound 200.1.1.100)
#
// Only TCP/80 is published; "no-reverse" keeps the mapping inbound-only. FTP from the requirement
// is not mapped here either - NOTE(review)
 nat server server1 protocol tcp global 200.1.1.100 www inside 172.16.40.1 www no-reverse
#
#
// Easy-IP: HQ sources going to untrust are translated to this node's egress address (202.1.2.10)
nat-policy
 rule name nat1
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#

FW3

// Interface configuration (FW3, subsidiary A edge firewall and IPsec endpoint)
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.4.10 255.255.255.0   // LAN segment, encrypted only towards 192.168.2.0/24
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.6.10 255.255.255.0   // LAN segment, encrypted only towards 192.168.1.0/24
 service-manage ping permit
#
// WAN link to AR1; the IPsec policy is bound here, so only traffic leaving this interface and
// matching ACL 3000 is encrypted.
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.1.10 255.255.255.0
 service-manage ping permit   // NOTE(review): exposes the firewall itself to ICMP from the WAN; lab convenience
 ipsec policy map
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 192.168.5.10 255.255.255.0   // LAN segment, encrypted only towards 192.168.3.0/24
#

// ACL selecting the traffic to protect (interesting traffic); FW4's ACL 3000 mirrors it with
// source and destination swapped. Only these three subnet pairs are encrypted - any other
// subsidiary-to-subsidiary flow is routed in plaintext across AR1/AR2.
#
acl number 3000
 rule 5 permit ip source 192.168.6.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 192.168.5.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
 rule 15 permit ip source 192.168.4.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
#
// IPsec (phase 2) transform: ESP with AES-256 and SHA2-256 integrity
ipsec proposal tran
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
// System default IKE proposal, shown for completeness; the peer below uses proposal 10
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
// IKE (phase 1) proposal actually negotiated: AES-256, DH group 14 (2048-bit), SHA2-256, PSK auth
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
// Peer identified by its WAN address; the key must match FW4's exactly
ike peer fw4
 pre-shared-key %^%#AYPHHt]k60aALrO>PsaP0(4*<UA".4ytkj,L4_LE%^%#  // NOTE(review): the original write-up printed the plaintext key here; removed. Never publish pre-shared keys, and use a long random value instead of a short word+digits password.
 ike-proposal 10
 remote-address 10.1.2.10
#
// ISAKMP policy tying ACL, peer and transform together; bound to G1/0/2 above.
// NOTE(review): no PFS line is shown; consider enabling PFS (e.g. DH group 14) on the policy if the platform supports it.
ipsec policy map 10 isakmp
 security acl 3000
 ike-peer fw4
 proposal tran
#

// Security zones and security policy (FW3)
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0   // management port
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2   // WAN link to AR1, IPsec endpoint
#
firewall zone dmz
 set priority 50
#
#
security-policy
 // NOTE(review): rule 1 permits every trust<->untrust flow in both directions with no address or
 // service match, so unsolicited traffic from the WAN reaches all three LAN subnets and the firewall
 // behaves like a plain router. The lab relies on this for the plaintext client-to-client path and for
 // HQ's NAT'ed access (sources 202.1.1.10 / 202.1.2.10); in production scope untrust->trust to those
 // sources and the required services, and admit the ACL-3000 pairs only through the tunnel.
 rule name 1
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  action permit
 // NOTE(review): rule 2 opens local<->untrust completely. IKE/IPsec only needs UDP 500/4500 and ESP
 // with peer 10.1.2.10; restrict to that rather than exposing every service the firewall itself runs.
 rule name 2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
#
// Routing: default via AR1; the IPsec peer 10.1.2.10 and HQ's 200.1.1.100 are reached through it
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#

FW4

// Interface configuration (FW4, subsidiary B edge firewall and IPsec endpoint)
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.10 255.255.255.0   // LAN segment, encrypted only towards 192.168.6.0/24
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.3.10 255.255.255.0   // LAN segment, encrypted only towards 192.168.5.0/24
#
// WAN link to AR2; the IPsec policy is bound here (no ping permit on this node's WAN side)
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 10.1.2.10 255.255.255.0
 ipsec policy map
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 192.168.2.10 255.255.255.0   // LAN segment, encrypted only towards 192.168.4.0/24
#

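// ACL selecting the traffic to protect; it must mirror FW3's ACL 3000 with source/destination
// swapped (and does: 1<->6, 2<->4, 3<->5). Only these three pairs are encrypted; other
// subsidiary-to-subsidiary flows cross AR1/AR2 in plaintext.
// Fix: in the original listing the wildcard masks of rules 10 and 15 were broken across two lines
// ("0.0.0.25" / "5"), which would not parse; rejoined to 0.0.0.255.
#
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.6.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.4.0 0.0.0.255
 rule 15 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
#
#
// IPsec (phase 2) transform: ESP with AES-256 and SHA2-256 integrity, identical to FW3's
ipsec proposal tran
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
// System default IKE proposal, shown for completeness; the peer below uses proposal 10
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
// IKE (phase 1) proposal actually negotiated; must match FW3's proposal 10
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
// Peer identified by its WAN address; the key must equal the one configured on FW3
// NOTE(review): pre-shared keys should be long random values and never appear in a write-up.
ike peer fw3
 pre-shared-key %^%#8o,..LFy+2&.z8Ma<jqQ_G!Q#}{0(*Ty^T8U2,RS%^%#
 ike-proposal 10
 remote-address 10.1.1.10
#
// ISAKMP policy tying ACL, peer and transform together; bound to G1/0/2 above.
// NOTE(review): no PFS line is shown; consider enabling PFS on the policy if the platform supports it.
ipsec policy map 10 isakmp
 security acl 3000
 ike-peer fw3
 proposal tran
#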

// Security zones and security policy (FW4)
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0   // management port
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2   // WAN link to AR2, IPsec endpoint
#
firewall zone dmz
 set priority 50
#
#
security-policy
 // NOTE(review): rule 1 permits every trust<->untrust flow in both directions with no address or
 // service match, so any WAN source can reach all three LAN subnets unsolicited. Scope the
 // untrust->trust direction to HQ's NAT sources (202.1.1.10 / 202.1.2.10) and the required
 // services, and admit the ACL-3000 pairs only through the tunnel.
 rule name 1
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  action permit
 // NOTE(review): rule 2 opens local<->untrust completely; IKE/IPsec only needs UDP 500/4500 and ESP
 // with peer 10.1.1.10 - restrict to that.
 rule name 2
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  action permit
#
// Routing: default via AR2; the IPsec peer 10.1.1.10 and HQ's 200.1.1.100 are reached through it
#
ip route-static 0.0.0.0 0.0.0.0 10.1.2.2
#

PC and 客户端

image-20230812153026518
image-20230812153000680
image-20230812153009170
image-20230812153043874
image-20230812153051720
image-20230812153251809
image-20230812153518203

image-20230812153528129
image-20230812153542665
image-20230812153716306

服务器

image-20230812153623259
image-20230812153639537
image-20230812153630642

测试

双机热备故障及回切,当LSW1G0/0/3出现故障时,查看抓包情况

故障前
查看双机热备负载分担状态

image-20230812154943294
抓包查看

image-20230812155822087

故障后
查看双机热备状态
image-20230812160119383

故障恢复后,故障回切

两个接口的回切动作抓包

image-20230812161246957

image-20230812161037901

查看双机热备负载分担状态
image-20230812161349203

总部内部网络访问总部服务器时,使用内网真实地址

image-20230812161623431

子公司通过公网地址去访问服务器

image-20230812161733802

内网访问子公司使用地址转换出接口方式,保护内网真实地址

image-20230812162103060

子公司之间的通信使用加密隧道进行通信

PC7→PC8

image-20230812162507668

子公司 客户端之间访问 不走隧道(这类流量不在ACL 3000匹配的三对网段内,经AR1/AR2以明文转发,依赖FW3/FW4放通trust/untrust的安全策略)

image-20230812162842846

子公司之间 客户端访问服务器 走隧道

image-20230812163332901

回顾总结:
1、本次实验应用知识点包括,IPSec VPN 技术、防火墙双机热备的负载分担模式,跨vlan通信技术,三层交换技术,心跳线ETH-TRUNK链路聚合技术,NAT转换–源地址转换–出接口的easy-ip模式(将源地址转换为出接口地址并做端口转换,即NAPT),nat策略及nat server配置
2、本次实验出现的主要问题,nat server配置及原理不熟悉,各设备的静态路由配置不够得心应手,数通部分知识有待加强。另需注意:FW3/FW4的安全策略对trust/untrust与local/untrust均为全放通,FW1/FW2的untrust→dmz策略也未限制目的地址和服务,仅适合实验环境,生产环境应按实际业务(如仅放通IKE/ESP、仅放通发布的HTTP/FTP服务)收紧。
