Lab objective:
Learn the basic procedure for configuring a firewall in routing mode
Network addresses and topology:
Configuration requirements:
1. lan and branch office can reach wan and dmz;
2. wan can reach dmz but not lan;
Configuration steps
I. PC1
II. SERVER1
III. AR1
<Huawei>sys //enter system view
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en //disable information-center prompts
Info: Information center is disabled.
[Huawei]sysname AR1 //rename the router
[AR1]int gi 0/0/0 //enter interface view
[AR1-GigabitEthernet0/0/0]ip addr 10.1.1.2 24 //configure the interface IP
[AR1-GigabitEthernet0/0/0]q //back to system view
[AR1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.1 //default static route (next hop is the FW)
IV. Branch office configuration
(1) PC2:
(2) L2-SW configuration
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname L2-SW
[L2-SW]vlan 100
[L2-SW-vlan100]q
[L2-SW]int gi 0/0/2
[L2-SW-GigabitEthernet0/0/2]port link-type access
[L2-SW-GigabitEthernet0/0/2]port default vlan 100
[L2-SW-GigabitEthernet0/0/2]int gi 0/0/1
[L2-SW-GigabitEthernet0/0/1]port link-type trunk
[L2-SW-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[L2-SW-GigabitEthernet0/0/1]
(3) L3-SW configuration
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname L3-SW
[L3-SW]vlan 100 //branch office LAN vlan 100
[L3-SW-vlan100]q
[L3-SW]int gi 0/0/2 //downlink to L2-SW
[L3-SW-GigabitEthernet0/0/2]port link-type trunk
[L3-SW-GigabitEthernet0/0/2]port trunk allow-pass vlan 100
[L3-SW-GigabitEthernet0/0/2]int gi 0/0/3 //uplink to FW
[L3-SW-GigabitEthernet0/0/3]port link-type access
[L3-SW-GigabitEthernet0/0/3]q
[L3-SW]vlan 300 //vlan for the uplink interface
[L3-SW-vlan300]q
[L3-SW]int gi 0/0/3 //uplink interface
[L3-SW-GigabitEthernet0/0/3]port link-type access
[L3-SW-GigabitEthernet0/0/3]port default vlan 300
[L3-SW-GigabitEthernet0/0/3]q
[L3-SW]int vlanif 300 //uplink interface address
[L3-SW-Vlanif300]ip addr 192.168.20.2 24 //uplink interface address
[L3-SW-Vlanif300]q
[L3-SW]int vlanif 100 //LAN vlan
[L3-SW-Vlanif100]ip addr 192.168.1.1 24 //gateway of LAN vlan 100
[L3-SW-Vlanif100]q
[L3-SW]ip route-static 0.0.0.0 0.0.0.0 192.168.20.1 //default route (next hop is the FW)
(4) Branch office LAN verification
V. Firewall FW configuration
<USG6000V1>system-view //enter system view
[USG6000V1]sysname FW1 //rename the firewall
[FW1]un in en //disable information prompts
[FW1]interface GigabitEthernet 1/0/0 //lan side
[FW1-GigabitEthernet1/0/0]ip address 192.168.10.1 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit //allow ping to this interface
[FW1-GigabitEthernet1/0/0]quit //leave interface view
[FW1]interface GigabitEthernet 1/0/1 //dmz side
[FW1-GigabitEthernet1/0/1]ip address 10.10.10.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/2 //wan side, toward AR1
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.1 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1-GigabitEthernet1/0/2]quit
[FW1]interface GigabitEthernet 1/0/3 //branch office side, toward L3-SW
[FW1-GigabitEthernet1/0/3]ip address 192.168.20.1 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1-GigabitEthernet1/0/3]quit
[FW1]
[FW1]firewall zone trust //enter security-zone view
[FW1-zone-trust]add interface GigabitEthernet 1/0/0
[FW1-zone-trust]add interface GigabitEthernet 1/0/3
[FW1-zone-trust]quit //leave security-zone view
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/1
[FW1-zone-dmz]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2
[FW1-zone-untrust]quit
[FW1]
[FW1]security-policy //enter security-policy view
[FW1-policy-security]rule name lan_wan_dmz //create a rule named lan_wan_dmz
[FW1-policy-security-rule-lan_wan_dmz]source-zone trust //source zone of the rule
[FW1-policy-security-rule-lan_wan_dmz]destination-zone dmz //destination zone of the rule
[FW1-policy-security-rule-lan_wan_dmz]destination-zone untrust
[FW1-policy-security-rule-lan_wan_dmz]action permit //permit traffic matching the rule
[FW1-policy-security-rule-lan_wan_dmz]quit //leave the rule
[FW1-policy-security]rule name wan_dmz
[FW1-policy-security-rule-wan_dmz]source-zone untrust
[FW1-policy-security-rule-wan_dmz]destination-zone dmz
[FW1-policy-security-rule-wan_dmz]action permit
[FW1-policy-security-rule-wan_dmz]quit
[FW1-policy-security]quit
[FW1]
[FW1]ip route-static 192.168.10.0 24 192.168.10.2
[FW1]ip route-static 10.10.10.0 24 10.10.10.2
[FW1]ip route-static 10.1.1.0 24 10.1.1.2
[FW1]ip route-static 192.168.20.0 24 192.168.20.2
[FW1]ip route-static 192.168.10.0 24 192.168.20.2
[FW1]quit //leave system view
<FW1>save //save the configuration
VI. Verify the configuration
1. lan and branch office can reach wan and dmz;
2. wan can reach dmz but not lan;
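The two requirements above can be checked against the zone, rule and route configuration on paper before any ping is sent. The Python below is an added example and is not part of the lab report: it models the FW1 interfaces, the trust/dmz/untrust zone membership, the two security-policy rules and the static routes exactly as entered above, and then decides each sample flow the way a zone-based firewall does for a new session (same zone permits, otherwise the first matching inter-zone rule, otherwise the default deny). The interface numbering 1/0/0 to 1/0/3 follows the interface commands; the PC1, SERVER1 and PC2 addresses are constructed for the example, while the AR1 and L3-SW addresses come from the lab. Running it also shows that the route table as written has no entry for the branch LAN 192.168.1.0/24 behind L3-SW Vlanif100, which is a check worth making before testing requirement 1 from PC2.

```python
"""Offline zone-policy check for the lab firewall (added example, not from the lab)."""
import ipaddress

# Interface addresses and zone membership from the FW1 configuration
# (assumed numbering 1/0/0..1/0/3, as in the interface commands).
INTERFACES = {
    "GigabitEthernet1/0/0": ("192.168.10.1/24", "trust"),
    "GigabitEthernet1/0/1": ("10.10.10.1/24", "dmz"),
    "GigabitEthernet1/0/2": ("10.1.1.1/24", "untrust"),
    "GigabitEthernet1/0/3": ("192.168.20.1/24", "trust"),
}

# Static routes from the FW1 configuration: (prefix, next hop), in entry order.
STATIC_ROUTES = [
    ("192.168.10.0/24", "192.168.10.2"),
    ("10.10.10.0/24", "10.10.10.2"),
    ("10.1.1.0/24", "10.1.1.2"),
    ("192.168.20.0/24", "192.168.20.2"),
    ("192.168.10.0/24", "192.168.20.2"),
]

# Security-policy rules in the order they were created; the first match wins.
RULES = [
    {"name": "lan_wan_dmz", "src": {"trust"}, "dst": {"dmz", "untrust"}, "action": "permit"},
    {"name": "wan_dmz", "src": {"untrust"}, "dst": {"dmz"}, "action": "permit"},
]


def _connected_interface(addr):
    """Interface whose subnet contains addr, or None if no interface is on that subnet."""
    for name, (cidr, _zone) in INTERFACES.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return name
    return None


def route_to(ip):
    """'connected' when ip sits on an interface subnet (direct routes beat static ones),
    else the next hop of the first static route covering ip, else None (no route)."""
    addr = ipaddress.ip_address(ip)
    if _connected_interface(addr):
        return "connected"
    for prefix, next_hop in STATIC_ROUTES:
        if addr in ipaddress.ip_network(prefix):
            return next_hop
    return None


def zone_of(ip):
    """Zone of the interface facing ip: the connected interface, or for a routed
    prefix the interface that reaches the route's next hop; None if unroutable."""
    addr = ipaddress.ip_address(ip)
    iface = _connected_interface(addr)
    if iface is None:
        next_hop = route_to(ip)
        if next_hop is None:
            return None
        iface = _connected_interface(ipaddress.ip_address(next_hop))
        if iface is None:
            return None
    return INTERFACES[iface][1]


def evaluate(src_ip, dst_ip):
    """Decision for a new session src_ip -> dst_ip: (decision, reason)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("drop", "no-route")          # never reaches the policy at all
    if src_zone == dst_zone:
        return ("permit", "intra-zone")      # note 1: the two trust interfaces talk freely
    for rule in RULES:
        if src_zone in rule["src"] and dst_zone in rule["dst"]:
            return (rule["action"], rule["name"])
    return ("deny", "default")               # no rule matched: default inter-zone deny


# Sample hosts. AR1 and L3-SW addresses are from the lab; the others are constructed.
HOSTS = {
    "PC1 (lan)": "192.168.10.10",
    "SERVER1 (dmz)": "10.10.10.10",
    "AR1 (wan)": "10.1.1.2",
    "L3-SW (branch)": "192.168.20.2",
    "PC2 (branch lan)": "192.168.1.10",
}


def policy_matrix():
    """Decision for every ordered pair of sample hosts, keyed by (source, destination)."""
    return {(s, d): evaluate(HOSTS[s], HOSTS[d])[0]
            for s in HOSTS for d in HOSTS if s != d}


if __name__ == "__main__":
    for (s, d), decision in sorted(policy_matrix().items()):
        print(f"{s:18} -> {d:18} {decision}")
    print("route to PC2:", route_to(HOSTS["PC2 (branch lan)"]))
```

The matrix reproduces both requirements (trust to untrust and dmz permitted, untrust to dmz permitted, untrust and dmz to trust denied by default) and the intra-zone case from note 1. The `route_to` check for PC2 returns `None`, because none of the five static routes covers 192.168.1.0/24; the script models only the initiating direction of a session, so a flow from PC2 that is permitted on ingress would still have no return path through FW1 with this route table.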
Notes:
1. The two trust interfaces can reach each other.
2. The firewall's default 0/0/0 interface cannot be used directly, because it already carries a default configuration, unless that default configuration is undone.
3. For some reason, from the FW I cannot ping the adjacent L3-SW interface, while from the L3-SW I can ping the FW's interface. Does the L3-SW vlanif interface block ping by default?
Could it be because of this static route?
Further thought:
Could OSPF be run between the FW and the L3-SW?