侧边栏壁纸
博主头像
福福不服博主等级

孩子会穿过大雨,去懂人间的道理。

  • 累计撰写 92 篇文章
  • 累计创建 98 个标签
  • 累计收到 0 条评论

目 录CONTENT

文章目录

防火墙配置实验

Monster
2023-10-06 / 0 评论 / 3 点赞 / 89 阅读 / 9529 字 / 正在检测是否收录...
温馨提示:
请确保在评论和互动中保持礼貌和尊重。避免使用侮辱性、歧视性或攻击性语言。我们鼓励建设性的讨论和意见交流。

拓扑图

配置过程

PC分配IP

PC1:192.168.1.1/24

PC2:192.168.1.2/24

PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe87:1e5f
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.1.1
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.254
Physical address..................: 54-89-98-87-1E-5F
DNS server........................:

PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe69:79e9
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.1.2
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.254
Physical address..................: 54-89-98-69-79-E9
DNS server........................:

防火墙分配IP

防火墙需要登陆,默认账号:admin,密码:Admin@123

g1/0/2:192.168.1.254/24,允许ping

g1/0/0:192.168.2.254/24

g1/0/1:100.1.1.1/24

Username:admin
Password:
The password needs to be changed. Change now? [Y/N]: y
Please enter old password: 
Please enter new password: 
Please confirm new password: 

 Info: Your password has been changed. Save the change to survive a reboot. 
*************************************************************************
*         Copyright (C) 2014-2018 Huawei Technologies Co., Ltd.         *
*                           All rights reserved.                        *
*               Without the owner's prior written consent,              *
*        no decompiling or reverse-engineering shall be allowed.        *
*************************************************************************


<USG6000V1>
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]interface gigabitether 1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip address 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/2]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/2]quit
[USG6000V1]interface gigabitether 1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.2.254 24
[USG6000V1-GigabitEthernet1/0/0]quit
[USG6000V1]interface gigabitether 1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 100.1.1.1 24
[USG6000V1-GigabitEthernet1/0/1]quit
[USG6000V1]

服务器配置IP

ip:192.168.2.100

网关:192.168.2.254

Internet分配IP

g0/0/0:100.1.1.2 /24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]interface gigabitether 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 100.1.1.2 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]sysname internet
[internet]

防火墙安全域划分

把相应的接口划入相应的区域

trust:g1/0/2

untrust:g1/0/1

dmz:g1/0/0

[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface gigabitether 1/0/2
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface gigabitether 1/0/1
[USG6000V1-zone-untrust]quit
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface gigabitether 1/0/0
[USG6000V1-zone-dmz]quit
[USG6000V1]

创建安全策略

安全策略名:trust_to_untrust

源区域:trust

目的区域:untrust

源地址(可设可不设)1.0网段:192.168.1.0 24

目的地址(可设可不设)所有:any

动作:允许

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_to_untrust
[USG6000V1-policy-security-rule-trust_to_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_to_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_to_untrust]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-trust_to_untrust]destination-address any
[USG6000V1-policy-security-rule-trust_to_untrust]action permit
[USG6000V1-policy-security-rule-trust_to_untrust]quit
[USG6000V1-policy-security]quit
[USG6000V1]

配置NAT

策略建好了但是访问不到互联网,没有做nat

地址池名称:addressgroup1

模式:pat

公网地址:100.1.1.10-100.1.1.20

[USG6000V1]nat address-group addressgroup1
[USG6000V1-address-group-addressgroup1]mode pat
[USG6000V1-address-group-addressgroup1]section 0 100.1.1.10 100.1.1.20
[USG6000V1-address-group-addressgroup1]quit
[USG6000V1]

NAT策略

策略名称:nat1

源区域:trust

目的区域:untrust

源地址:192.168.1.0 /24

目的地址:any

动作:基于源地址nat,使用addressgroup1地址池

[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name nat1
[USG6000V1-policy-nat-rule-nat1]source-zone trust
[USG6000V1-policy-nat-rule-nat1]destination-zone untrust
[USG6000V1-policy-nat-rule-nat1]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nat1]destination-address any
[USG6000V1-policy-nat-rule-nat1]action source-nat address-group addressgroup1
[USG6000V1-policy-nat-rule-nat1]quit
[USG6000V1-policy-nat]quit
[USG6000V1]

这时候用PC去ping互联网,已经通了

PC>ping 100.1.1.2

Ping 100.1.1.2: 32 data bytes, Press Ctrl_C to break
From 100.1.1.2: bytes=32 seq=1 ttl=254 time=47 ms
From 100.1.1.2: bytes=32 seq=2 ttl=254 time=47 ms
From 100.1.1.2: bytes=32 seq=3 ttl=254 time=31 ms
From 100.1.1.2: bytes=32 seq=4 ttl=254 time=47 ms
From 100.1.1.2: bytes=32 seq=5 ttl=254 time=47 ms

--- 100.1.1.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/43/47 ms

PC>

可以查看一下session表,ping停止后过段时间会消失,先ping一下再查看session表

[USG6000V1]display firewall session table
2023-10-06 02:35:27.900 
 Current Total Sessions : 5
 icmp  VPN: public --> public  192.168.1.1:20082[100.1.1.20:2066] --> 100.1.1.2:
2048
 icmp  VPN: public --> public  192.168.1.1:20338[100.1.1.20:2067] --> 100.1.1.2:
2048
 icmp  VPN: public --> public  192.168.1.1:19570[100.1.1.20:2064] --> 100.1.1.2:
2048
 icmp  VPN: public --> public  192.168.1.1:19314[100.1.1.20:2063] --> 100.1.1.2:
2048
 icmp  VPN: public --> public  192.168.1.1:19826[100.1.1.20:2065] --> 100.1.1.2:
2048
[USG6000V1]

到这里拓扑图里面的4点要求都已经实现

访问服务器配置

拓扑图里面还有个dmz区域没做任何配置,此时内部PC是访问不了服务器的

实现PC访问服务器,和trust访问untrust一样,放行trust到dmz区域的流量即可,配置如下

安全策略

创建个trust到dmz的策略

[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name trust_to_dmz
[USG6000V1-policy-security-rule-trust_to_dmz]source-zone trust
[USG6000V1-policy-security-rule-trust_to_dmz]destination-zone dmz
[USG6000V1-policy-security-rule-trust_to_dmz]action permit
[USG6000V1-policy-security-rule-trust_to_dmz]quit
[USG6000V1-policy-security]quit
[USG6000V1]

这个时候去ping 服务器可以通了

PC>ping 192.168.2.100

Ping 192.168.2.100: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.100: bytes=32 seq=2 ttl=254 time=31 ms
From 192.168.2.100: bytes=32 seq=3 ttl=254 time=47 ms
From 192.168.2.100: bytes=32 seq=4 ttl=254 time=15 ms
From 192.168.2.100: bytes=32 seq=5 ttl=254 time=31 ms

--- 192.168.2.100 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/31/47 ms

PC>

NAT Server配置

再来实现一下nat server 端口映射,把内网web服务器映射到公网地址,允许公网访问服务器

nat server 映射,www换成80 也是一样的

[USG6000V1]nat server protocol tcp global 100.1.1.100 80 inside 192.168.2.100 www

映射后公网还是访问不了服务器,没有放行untrust到dmz的流量,所以再建条安全策略

[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name untrust_to_dmz
[USG6000V1-policy-security-rule-untrust_to_dmz]source-zone untrust
[USG6000V1-policy-security-rule-untrust_to_dmz]destination-zone dmz
[USG6000V1-policy-security-rule-untrust_to_dmz]action permit
[USG6000V1-policy-security-rule-untrust_to_dmz]quit
[USG6000V1-policy-security]quit
[USG6000V1]

放行后去Internet上使用Telnet模拟访问服务器

<Huawei>telnet 100.1.1.100 80
  Press CTRL_] to quit telnet mode
  Trying 100.1.1.100 ...
  Connected to 100.1.1.100 ...

通过服务器的日志信息可以看到访问成功了

也可以到防火墙上查看session表,可以看到公网地址100.1.1.2访问服务器映射的公网地址100.1.1.100,实际内网地址192.168.2.100的80端口

[USG6000V1]display firewall session table
2023-10-06 02:59:04.750 
 Current Total Sessions : 1
 http  VPN: public --> public  100.1.1.2:49852 --> 100.1.1.100:80[192.168.2.100:
80]
[USG6000V1]

3

评论区