2022-06-23 VGMP - OSPF - Inter-zone Security Policy - NAT Policy (Update)
2022-07-03 06:41:00 【Les rues du coucher de soleil】
This article is for study and reference only!
Comments and discussion are welcome~
1. Lab topology:
Download link: https://pan.baidu.com/s/1tbrhHKz8XKXqlQP_ZnMw1A?pwd=usmk
2. Lab configuration:
1. Configure the firewalls:
(1) Configure FW1
Change the device name
sysname FW1
Configure interface IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.1 255.255.255.0
Add the inside and uplink interfaces to the trust zone (G0/0/5, the heartbeat link, is deliberately left out of the forwarding zones)
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.1.1.1
area 0.0.0.0
network 10.1.13.1 0.0.0.0
network 192.168.100.1 0.0.0.0
Configure VRRP (FW1 is master for vrid 10 and 30, slave for vrid 20; the mask length 16 matches the /16 on G0/0/0)
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 master
vrrp vrid 20 virtual-ip 192.168.20.254 16 slave
vrrp vrid 30 virtual-ip 192.168.30.254 16 master
vrrp virtual-mac enable
Disable the session link-state check, so that packets are not dropped when the forward and return paths cross different firewalls
undo firewall session link-state check
Enable fast session backup (sessions are mirrored to the peer as soon as they are created)
hrp mirror session enable
Let VGMP adjust the OSPF cost according to the active/standby state, so upstream routers prefer the active firewall
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby (HRP)
hrp enable
(2) Configure FW2
Change the device name
sysname FW2
Configure interface IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.2 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.24.2 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.2 255.255.255.0
Add the inside and uplink interfaces to the trust zone
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.2.2.2
area 0.0.0.0
network 10.1.24.2 0.0.0.0
network 192.168.100.2 0.0.0.0
Configure VRRP (mirror image of FW1: slave for vrid 10 and 30, master for vrid 20, so the two firewalls back each other up)
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 slave
vrrp vrid 20 virtual-ip 192.168.20.254 16 master
vrrp vrid 30 virtual-ip 192.168.30.254 16 slave
vrrp virtual-mac enable
Disable the session link-state check (asymmetric forward/return paths)
undo firewall session link-state check
Enable fast session backup
hrp mirror session enable
Let VGMP adjust the OSPF cost according to the active/standby state
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby (HRP)
hrp enable
After both firewalls are configured, verify the pair with display hrp state and display vrrp on each device: every vrid must have exactly one master, and the heartbeat link must be up before sessions are backed up.
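A consistency check for the FW1/FW2 pair, added here as a worked example; it is not part of the original post and not Huawei code. It parses the two VRP listings above (copied into the script as constructed input, so it runs offline) and flags the mistakes that break a VGMP/VRRP pair in practice: a vrid that is master (or slave) on both devices, differing virtual IPs, a virtual IP outside the interface subnet, heartbeat interfaces on different subnets, or a missing hrp enable. The helper names (parse_fw, check_pair, FwView) are my own.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed input: the FW1 and FW2 listings from this page, pasted as plain text.
# The VRP CLI shown on the page has no indentation, so the parser does not rely on it.
FW1_CFG = """
sysname FW1
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.1 255.255.255.0
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 master
vrrp vrid 20 virtual-ip 192.168.20.254 16 slave
vrrp vrid 30 virtual-ip 192.168.30.254 16 master
hrp interface GigabitEthernet0/0/5
hrp enable
"""
FW2_CFG = """
sysname FW2
interface GigabitEthernet0/0/0
ip address 192.168.100.2 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.24.2 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.2 255.255.255.0
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 slave
vrrp vrid 20 virtual-ip 192.168.20.254 16 master
vrrp vrid 30 virtual-ip 192.168.30.254 16 slave
hrp interface GigabitEthernet0/0/5
hrp enable
"""

VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (\d+) (master|slave)$")
IP_RE = re.compile(r"ip address (\S+) (\S+)$")


@dataclass
class FwView:
    name: str = ""
    iface_ip: dict = field(default_factory=dict)  # iface -> IPv4Interface
    vrrp: dict = field(default_factory=dict)      # vrid -> (iface, vip, masklen, role)
    hrp_iface: str = ""
    hrp_enabled: bool = False


def parse_fw(text):
    """Extract the HA-relevant facts from one firewall listing."""
    fw, cur = FwView(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("sysname "):
            fw.name = line.split()[1]
        elif line.startswith("interface "):
            cur = line.split()[1]
        elif (m := IP_RE.match(line)) and cur:
            fw.iface_ip[cur] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := VRRP_RE.match(line)) and cur:
            fw.vrrp[int(m.group(1))] = (cur, m.group(2), int(m.group(3)), m.group(4))
        elif line.startswith("hrp interface "):
            fw.hrp_iface = line.split()[2]
        elif line == "hrp enable":
            fw.hrp_enabled = True
    return fw


def check_pair(a, b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for fw in (a, b):
        if not fw.hrp_enabled:
            findings.append(f"{fw.name}: 'hrp enable' missing")
        if fw.hrp_iface not in fw.iface_ip:
            findings.append(f"{fw.name}: heartbeat interface missing or has no IP address")
        for vrid, (iface, vip, _, _) in fw.vrrp.items():
            net = fw.iface_ip.get(iface)
            if net is None or ipaddress.IPv4Address(vip) not in net.network:
                findings.append(f"{fw.name}: vrid {vrid} virtual-ip {vip} is not in the subnet of {iface}")
    if a.hrp_iface in a.iface_ip and b.hrp_iface in b.iface_ip:
        if a.iface_ip[a.hrp_iface].network != b.iface_ip[b.hrp_iface].network:
            findings.append("heartbeat interfaces are not on the same subnet")
    for vrid in sorted(set(a.vrrp) | set(b.vrrp)):
        if vrid not in a.vrrp or vrid not in b.vrrp:
            findings.append(f"vrid {vrid}: configured on only one firewall")
            continue
        (_, ipa, ma, ra), (_, ipb, mb, rb) = a.vrrp[vrid], b.vrrp[vrid]
        if (ipa, ma) != (ipb, mb):
            findings.append(f"vrid {vrid}: virtual-ip/mask differ ({ipa}/{ma} vs {ipb}/{mb})")
        if ra == rb == "master":
            findings.append(f"vrid {vrid}: master on both firewalls (split-brain risk)")
        elif ra == rb == "slave":
            findings.append(f"vrid {vrid}: slave on both firewalls (no active owner)")
    return findings


if __name__ == "__main__":
    for line in check_pair(parse_fw(FW1_CFG), parse_fw(FW2_CFG)) or ["pair is consistent"]:
        print(line)
```

Run it against the page's listings and it reports nothing; change FW2's vrid 10 to master and it reports the split-brain case, which is exactly the error that makes both firewalls answer ARP for 192.168.10.254.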
(3) Configure FW5
Change the device name
sysname FW5
Configure interface IP addresses
interface GigabitEthernet0/0/0
ip address 10.5.5.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.35.5 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.45.5 255.255.255.0
interface GigabitEthernet0/0/5
ip address 202.103.56.5 255.255.255.0
Add interfaces to the trust zone
firewall zone trust
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
Add the public-facing interface to the untrust zone
firewall zone untrust
add interface GigabitEthernet0/0/5
Add the server interface to the dmz zone
firewall zone dmz
add interface GigabitEthernet0/0/0
Configure OSPF (FW5 injects the default route into area 0 so the inside routers and FW1/FW2 learn the way out)
ospf 1 router-id 123.5.5.5
default-route-advertise always
area 0.0.0.0
network 10.5.5.1 0.0.0.0
network 10.1.35.5 0.0.0.0
network 10.1.45.5 0.0.0.0
Configure a default route so that public-network destinations are reachable via ISP6
ip route-static 0.0.0.0 0.0.0.0 202.103.56.6
Disable the session link-state check (asymmetric forward/return paths through R3/R4)
undo firewall session link-state check
Configure the inter-zone security policy: trust to dmz (permit all)
policy interzone trust dmz outbound
policy 1
action permit
Configure the inter-zone security policy: untrust to dmz (only FTP, HTTP and HTTPS, and only to the two servers 10.5.5.100 and 10.5.5.101; note that the policy matches the post-NAT inside address, not the public address of the nat server)
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set ftp
policy service service-set http
policy service service-set https
policy destination 10.5.5.100 0
policy destination 10.5.5.101 0
Configure the inter-zone security policy: untrust to trust (only SSH and Telnet, and only to R4 at 10.1.45.4)
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set ssh
policy service service-set telnet
policy destination 10.1.45.4 0
Configure the inter-zone security policy: trust to untrust (permit all outbound)
policy interzone trust untrust outbound
policy 1
action permit
Configure NAPT (public address pool used to translate inside addresses to public addresses):
nat address-group 7 202.103.56.100 202.103.56.120
Configure the NAT policy, NAPT mode: trust to untrust (users in 192.168.10.0/24 and 192.168.30.0/24 are translated to address-group 7)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 192.168.10.0 0.0.0.255
policy source 192.168.30.0 0.0.0.255
address-group 7
Configure the NAT policy, easy-ip mode: trust to untrust (users in 192.168.20.0/24 are translated to the address of the outgoing interface G0/0/5)
nat-policy interzone trust untrust outbound
policy 2
action source-nat
policy source 192.168.20.0 0.0.0.255
easy-ip GigabitEthernet0/0/5
Configure nat server: the internal server 10.5.5.100 provides FTP, HTTP and HTTPS to the public network (HTTP is published on port 8003 of 202.103.56.99):
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20
Configure nat server: the internal device R4 (10.1.45.4) provides Telnet and SSH to the public network. This exposes an unencrypted management protocol to the Internet and is acceptable only in this lab:
nat server protocol tcp global 202.103.56.88 23 inside 10.1.45.4 23
nat server protocol tcp global 202.103.56.88 22 inside 10.1.45.4 22
Configure the inter-zone security policy: local to untrust (lets the firewall itself reach the public network)
policy interzone local untrust outbound
policy 1
action permit
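The untrust-to-dmz and untrust-to-trust rules above only work if every nat server mapping has a matching permit for its inside address and port. The following checker is an added example (my code, not from the post or from Huawei): it parses the FW5 listing (copied into the script as constructed input, trimmed to the interfaces, zones, security policies and nat server lines), works out which zone each inside address lives in from the interface subnets, and lists the mappings that no permit rule covers. The zone-priority table and the service-set-to-port table are assumptions about the predefined USG objects; the function names (parse, zone_of_ip, unpermitted_nat_servers) are mine.

```python
import ipaddress
import re

# Assumed: priorities of the USG predefined zones ("inbound" = from the lower-priority
# zone to the higher-priority one) and the TCP ports behind the predefined service sets
# used on this page. Neither table appears in the original listing.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
SERVICE_PORTS = {"http": {80}, "https": {443}, "ftp": {21}, "ssh": {22}, "telnet": {23}}
NAT_SERVER_RE = re.compile(r"nat server protocol tcp global \S+ \d+ inside (\S+) (\d+)$")

# Constructed input: the relevant part of the FW5 listing from this page.
FW5_CFG = """
interface GigabitEthernet0/0/0
ip address 10.5.5.1 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.45.5 255.255.255.0
interface GigabitEthernet0/0/5
ip address 202.103.56.5 255.255.255.0
firewall zone trust
add interface GigabitEthernet0/0/2
firewall zone untrust
add interface GigabitEthernet0/0/5
firewall zone dmz
add interface GigabitEthernet0/0/0
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set ftp
policy service service-set http
policy service service-set https
policy destination 10.5.5.100 0
policy destination 10.5.5.101 0
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set ssh
policy service service-set telnet
policy destination 10.1.45.4 0
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20
nat server protocol tcp global 202.103.56.88 23 inside 10.1.45.4 23
nat server protocol tcp global 202.103.56.88 22 inside 10.1.45.4 22
"""


def parse(cfg):
    """Collect interface subnets, interface->zone, security rules and nat server mappings."""
    ifaces, zone_of, rules, nat_servers = {}, {}, [], []
    cur_iface = cur_zone = interzone = rule = None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t:
            continue
        if (m := NAT_SERVER_RE.match(raw.strip())):
            nat_servers.append((m.group(1), int(m.group(2))))
        elif t[0] == "interface":
            cur_iface, cur_zone = t[1], None
        elif t[:2] == ["ip", "address"] and cur_iface:
            ifaces[cur_iface] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["firewall", "zone"]:
            cur_zone, cur_iface = t[2], None
        elif t[:2] == ["add", "interface"] and cur_zone:
            zone_of[t[2]] = cur_zone
        elif t[:2] == ["policy", "interzone"]:
            lo, hi = sorted(t[2:4], key=ZONE_PRIORITY.__getitem__)
            interzone = (lo, hi) if t[4] == "inbound" else (hi, lo)
            rule = None
        elif t[0] == "policy" and len(t) == 2 and interzone:   # "policy <n>" opens a rule
            rule = {"from": interzone[0], "to": interzone[1], "action": None,
                    "services": set(), "dests": set()}
            rules.append(rule)
        elif t[0] == "action" and rule:
            rule["action"] = t[1]
        elif t[:3] == ["policy", "service", "service-set"] and rule:
            rule["services"].add(t[3])
        elif t[:2] == ["policy", "destination"] and rule:      # host entries (wildcard 0) only
            rule["dests"].add(t[2])
        elif t[0].startswith("nat"):                             # nat-policy blocks are not security rules
            interzone = rule = None
    return ifaces, zone_of, rules, nat_servers


def zone_of_ip(ip, ifaces, zone_of):
    addr = ipaddress.IPv4Address(ip)
    return next((zone_of.get(n) for n, i in ifaces.items() if addr in i.network), None)


def unpermitted_nat_servers(cfg, from_zone="untrust"):
    """nat server mappings entered from `from_zone` that no permit rule covers (post-NAT dest)."""
    ifaces, zone_of, rules, nat_servers = parse(cfg)
    missing = []
    for ip, port in nat_servers:
        to_zone = zone_of_ip(ip, ifaces, zone_of)
        ok = any(r["action"] == "permit" and (r["from"], r["to"]) == (from_zone, to_zone)
                 and (not r["dests"] or ip in r["dests"])
                 and (not r["services"] or any(port in SERVICE_PORTS.get(s, ()) for s in r["services"]))
                 for r in rules)
        if not ok:
            missing.append((ip, port))
    return missing


if __name__ == "__main__":
    print(unpermitted_nat_servers(FW5_CFG))   # [('10.5.5.100', 20)]
```

On the page's configuration the only mapping without an explicit permit is 10.5.5.100 port 20: the predefined ftp service set covers the control channel on port 21 only, so the FTP data channel relies on the firewall's FTP ALG/ASPF opening it dynamically, which this listing does not show. Everything else (80, 443, 21 to the DMZ server; 22, 23 to R4) is covered.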
(4) Configure FW8
Change the device name
sysname FW8
Configure interface IP addresses
interface GigabitEthernet0/0/0
ip address 172.16.99.1 255.255.0.0
interface GigabitEthernet0/0/2
ip address 202.103.78.8 255.255.255.0
Add the public-facing interface to the untrust zone. The original listing never assigns G0/0/0 to a zone; unless your device already places it in trust by default, add it, or the trust-untrust policies below never match:
firewall zone trust
add interface GigabitEthernet0/0/0
firewall zone untrust
add interface GigabitEthernet0/0/2
Configure a default route so that public-network destinations are reachable via ISP7
ip route-static 0.0.0.0 0.0.0.0 202.103.78.7
Configure the inter-zone security policy: trust to untrust (G0/0/0 carries a /16, but only 172.16.99.0/24 is permitted and translated below; hosts elsewhere in 172.16.0.0/16 get neither)
policy interzone trust untrust outbound
policy 1
policy source 172.16.99.0 0.0.0.255
action permit
Configure the inter-zone security policy: local to untrust
policy interzone local untrust outbound
policy 1
action permit
Configure the NAT policy, easy-ip mode: trust to untrust (users in 172.16.99.0/24 are translated to the address of G0/0/2)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.99.0 0.0.0.255
easy-ip GigabitEthernet0/0/2
On the branch firewall FW8, enable SYN Flood, UDP Flood and ICMP Flood attack defense, and limit each ICMP session to a maximum of 5 packets per second:
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend icmp-flood base-session max-rate 5
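What a per-session ICMP rate limit does to a ping flood versus a normal host, as an added simulation (my code, not from the post and not Huawei's implementation). The page does not describe the firewall's algorithm; this model assumes a one-second sliding window per session, and assumes that an ICMP echo session is identified by source, destination and ICMP identifier. The traffic is constructed: one host floods FW8's public address at 20 pings per second, another pings once per second. The names IcmpSessionRateLimiter, session_key and simulate are mine.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000


class IcmpSessionRateLimiter:
    """Sliding-window limiter: at most `max_rate` packets per session in any 1 s window.

    Assumed model of `firewall defend icmp-flood base-session max-rate`; the real
    firewall algorithm is not shown on the page.
    """

    def __init__(self, max_rate):
        self.max_rate = max_rate
        self.accepted = defaultdict(deque)   # session -> timestamps (ms) of accepted packets

    def allow(self, session, ts_ms):
        q = self.accepted[session]
        while q and q[0] <= ts_ms - WINDOW_MS:   # forget packets that left the window
            q.popleft()
        if len(q) < self.max_rate:
            q.append(ts_ms)
            return True
        return False


def session_key(pkt):
    # Assumed session identity of ICMP echo on a stateful firewall: src, dst, ICMP identifier.
    return (pkt["src"], pkt["dst"], pkt["icmp_id"])


def simulate(packets, max_rate=5):
    """Return {session: {"allowed": n, "dropped": n}} after running the limiter over `packets`."""
    limiter = IcmpSessionRateLimiter(max_rate)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for pkt in sorted(packets, key=lambda p: p["ts_ms"]):
        key = session_key(pkt)
        stats[key]["allowed" if limiter.allow(key, pkt["ts_ms"]) else "dropped"] += 1
    return dict(stats)


# Constructed traffic toward FW8's public interface 202.103.78.8: one host sends a ping
# every 50 ms for 1.1 s (22 packets), another host pings once per second.
FLOOD = [{"src": "100.1.1.10", "dst": "202.103.78.8", "icmp_id": 0x1234, "ts_ms": t}
         for t in range(0, 1100, 50)]
NORMAL = [{"src": "100.1.1.20", "dst": "202.103.78.8", "icmp_id": 0x0001, "ts_ms": t}
          for t in (0, 1000, 2000)]

if __name__ == "__main__":
    for key, counts in simulate(FLOOD + NORMAL).items():
        print(key, counts)
```

The flooding session gets 5 packets through in its first second and two more once the window slides past its earliest packets (7 allowed, 15 dropped), while the normal host is untouched; because the limit is per session, the flood never consumes the budget of other hosts, which is the point of base-session rather than a global ICMP limit.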
2. Configure the routers:
(1) Configure R3
Change the device name
sysname R3
Configure interface IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.35.3 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.13.3 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.3 255.255.255.0
Configure OSPF
ospf 1 router-id 123.3.3.3
area 0.0.0.0
network 10.1.13.3 0.0.0.0
network 10.1.34.3 0.0.0.0
network 10.1.35.3 0.0.0.0
(2) Configure R4
Change the device name
sysname R4
Configure interface IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.45.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.24.4 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.4 255.255.255.0
Configure OSPF
ospf 1 router-id 123.4.4.4
area 0.0.0.0
network 10.1.24.4 0.0.0.0
network 10.1.34.4 0.0.0.0
network 10.1.45.4 0.0.0.0
Configure Telnet: password = telnet123, user privilege level = 3. These are lab credentials: Telnet carries the password in cleartext, and the nat server on FW5 publishes this VTY on 202.103.56.88:23, so anything on the public side can try it. Password authentication is selected explicitly on the VTY lines; the listing configures no SSH server on R4, so the port-22 mapping on FW5 has nothing behind it as shown:
telnet server enable
user-interface vty 0 4
authentication-mode password
set authentication password cipher telnet123
user privilege level 3
(3) Configure ISP6
Change the device name
sysname ISP6
Configure interface IP addresses
interface GigabitEthernet0/0/1
ip address 202.103.67.6 255.255.255.0
interface GigabitEthernet0/0/2
ip address 202.103.56.6 255.255.255.0
Configure OSPF (a separate process, 200, for the ISP side; the default route below is advertised into it)
ospf 200 router-id 123.6.6.6
default-route-advertise always
area 0.0.0.0
network 202.103.67.6 0.0.0.0
Configure a default route toward FW5
ip route-static 0.0.0.0 0.0.0.0 202.103.56.5
(4) Configure ISP7
Change the device name
sysname ISP7
Configure interface IP addresses
interface GigabitEthernet0/0/0
ip address 200.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 202.103.67.7 255.255.255.0
interface GigabitEthernet0/0/2
ip address 100.1.1.1 255.255.255.0
interface GigabitEthernet2/0/0
ip address 202.103.78.7 255.255.255.0
Configure OSPF
ospf 200 router-id 123.7.7.7
area 0.0.0.0
network 100.1.1.1 0.0.0.0
network 200.1.1.1 0.0.0.0
network 202.103.67.7 0.0.0.0
network 202.103.78.7 0.0.0.0
3. Configure the servers:
4. Configure the terminals: