2022-06-23 VGMP, OSPF, inter-zone security policy and NAT policy (under update)
2022-07-03 06:41:00 【Sunset Street】
This article is for learning and reference only!
Questions and discussion are welcome~
I. Experimental topology:
Download link: https://pan.baidu.com/s/1tbrhHKz8XKXqlQP_ZnMw1A?pwd=usmk
II. Experimental configuration:
1. Configure the firewalls:
(1) Configure FW1
Modify the device name
sysname FW1
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.1 255.255.255.0
Add interfaces to the trust zone
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.1.1.1
area 0.0.0.0
network 10.1.13.1 0.0.0.0
network 192.168.100.1 0.0.0.0
Configure VRRP (the VRRP groups are managed by VGMP)
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 master
vrrp vrid 20 virtual-ip 192.168.20.254 16 slave
vrrp vrid 30 virtual-ip 192.168.30.254 16 master
vrrp virtual-mac enable
Tolerate asymmetric forward and return paths (disable the session link-state check)
undo firewall session link-state check
Enable fast session backup
hrp mirror session enable
Adjust the OSPF cost according to the VGMP state
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby (HRP)
hrp enable
(2) Configure FW2
Modify the device name
sysname FW2
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.2 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.24.2 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.2 255.255.255.0
Add interfaces to the trust zone
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.2.2.2
area 0.0.0.0
network 10.1.24.2 0.0.0.0
network 192.168.100.2 0.0.0.0
Configure VRRP (the VRRP groups are managed by VGMP)
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 slave
vrrp vrid 20 virtual-ip 192.168.20.254 16 master
vrrp vrid 30 virtual-ip 192.168.30.254 16 slave
vrrp virtual-mac enable
Tolerate asymmetric forward and return paths (disable the session link-state check)
undo firewall session link-state check
Enable fast session backup
hrp mirror session enable
Adjust the OSPF cost according to the VGMP state
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby (HRP)
hrp enable
(3) Configure FW5
Modify the device name
sysname FW5
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.5.5.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.35.5 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.45.5 255.255.255.0
interface GigabitEthernet0/0/5
ip address 202.103.56.5 255.255.255.0
Add interfaces to the trust zone
firewall zone trust
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
Add the interface to the untrust zone
firewall zone untrust
add interface GigabitEthernet0/0/5
Add the interface to the DMZ zone
firewall zone dmz
add interface GigabitEthernet0/0/0
Configure OSPF and advertise a default route into the area
ospf 1 router-id 123.5.5.5
default-route-advertise always
area 0.0.0.0
network 10.5.5.1 0.0.0.0
network 10.1.35.5 0.0.0.0
network 10.1.45.5 0.0.0.0
Configure the default route so that public-network destinations are reachable
ip route-static 0.0.0.0 0.0.0.0 202.103.56.6
Tolerate asymmetric forward and return paths (disable the session link-state check)
undo firewall session link-state check
Configure the inter-zone security policy: trust to dmz
policy interzone trust dmz outbound
policy 1
action permit
Configure the inter-zone security policy: untrust to dmz (only FTP, HTTP and HTTPS to the two DMZ servers)
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set ftp
policy service service-set http
policy service service-set https
policy destination 10.5.5.100 0
policy destination 10.5.5.101 0
Configure the inter-zone security policy: untrust to trust (only SSH and Telnet to R4)
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set ssh
policy service service-set telnet
policy destination 10.1.45.4 0
Configure the inter-zone security policy: trust to untrust
policy interzone trust untrust outbound
policy 1
action permit
Configure NAPT (the public address pool used for intranet-to-Internet translation):
nat address-group 7 202.103.56.100 202.103.56.120
Configure the NAT policy in NAPT mode: trust to untrust (192.168.10.0/24 and 192.168.30.0/24 users)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 192.168.10.0 0.0.0.255
policy source 192.168.30.0 0.0.0.255
address-group 7
Configure the NAT policy in easy-ip mode: trust to untrust (192.168.20.0/24 users)
nat-policy interzone trust untrust outbound
policy 2
action source-nat
policy source 192.168.20.0 0.0.0.255
easy-ip GigabitEthernet0/0/5
Configure NAT server mappings; the intranet server provides FTP, HTTP and HTTPS services:
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20
Configure NAT server mappings; the intranet device (R4) provides Telnet and SSH services:
nat server protocol tcp global 202.103.56.88 23 inside 10.1.45.4 23
nat server protocol tcp global 202.103.56.88 22 inside 10.1.45.4 22
Configure the inter-zone security policy: local to untrust
policy interzone local untrust outbound
policy 1
action permit
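As an added check (not part of the original article), the following Python script parses a constructed excerpt of the FW5 configuration above and cross-checks the nat server mappings against the untrust-to-dmz inbound policy: every published inside port should be explicitly permitted, and every permitted destination should actually be published. The service-set port table and the function names are assumptions. On the excerpt it reports no uncovered mapping but flags that 10.5.5.101 is permitted although no nat server entry publishes it.

```python
import re
from collections import defaultdict
# Constructed excerpt of the FW5 configuration on this page: the untrust->dmz
# inbound policy and the nat server mappings it is meant to cover.
FW5_CONFIG = """
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set ftp
  policy service service-set http
  policy service service-set https
  policy destination 10.5.5.100 0
  policy destination 10.5.5.101 0
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20
"""
# Assumed TCP ports behind the predefined service sets (ftp counted with its data port).
SERVICE_PORTS = {"ftp": {20, 21}, "http": {80}, "https": {443}, "ssh": {22}, "telnet": {23}}
NAT_SERVER_RE = re.compile(r"nat server protocol tcp global (\S+) (\d+) inside (\S+) (\d+)")

def parse_inbound_permits(config):
    # Collect each "policy interzone ... inbound" block, then expand its service sets
    # into the TCP ports permitted towards each policy destination.
    blocks, cur = [], {"in": False, "ok": False, "svc": set(), "dst": []}  # sentinel
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("policy interzone"):
            cur = {"in": line.endswith("inbound"), "ok": False, "svc": set(), "dst": []}
            blocks.append(cur)
        elif line == "action permit":
            cur["ok"] = True
        elif line.startswith("policy service service-set"):
            cur["svc"].add(line.split()[-1])
        elif line.startswith("policy destination"):
            cur["dst"].append(line.split()[2])
    permits = defaultdict(set)
    for b in blocks:
        if b["in"] and b["ok"]:
            for ip in b["dst"]:
                for svc in b["svc"]:
                    permits[ip] |= SERVICE_PORTS.get(svc, set())
    return dict(permits)

def audit(config):
    # uncovered: published ports no inbound rule permits (dead mappings);
    # unused: permitted ports nothing publishes (rules to prune or review).
    permits, mapped = parse_inbound_permits(config), defaultdict(set)
    for m in NAT_SERVER_RE.finditer(config):
        mapped[m[3]].add(int(m[4]))
    uncovered = {(ip, p) for ip, ps in mapped.items() for p in ps if p not in permits.get(ip, ())}
    unused = {(ip, p) for ip, ps in permits.items() for p in ps if p not in mapped.get(ip, ())}
    return uncovered, unused
```

The same check can be run on the trust-to-untrust inbound policy and the 202.103.56.88 mappings for R4 by appending those lines to the excerpt.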
(4) Configure FW8
Modify the device name
sysname FW8
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 172.16.99.1 255.255.0.0
interface GigabitEthernet0/0/2
ip address 202.103.78.8 255.255.255.0
Add the interface to the untrust zone
firewall zone untrust
add interface GigabitEthernet0/0/2
Configure the default route so that public-network destinations are reachable
ip route-static 0.0.0.0 0.0.0.0 202.103.78.7
Configure the inter-zone security policy: trust to untrust
policy interzone trust untrust outbound
policy 1
policy source 172.16.99.0 0.0.0.255
action permit
Configure the inter-zone security policy: local to untrust
policy interzone local untrust outbound
policy 1
action permit
Configure the NAT policy in easy-ip mode: trust to untrust (172.16.99.0/24 users)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.99.0 0.0.0.255
easy-ip GigabitEthernet0/0/2
On the branch firewall FW8, enable SYN flood, UDP flood and ICMP flood attack defense, and limit the ICMP message rate to at most 5 packets per second:
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend icmp-flood base-session max-rate 5
2. Configure the routers:
(1) Configure R3
Modify the device name
sysname R3
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.35.3 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.13.3 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.3 255.255.255.0
Configure OSPF
ospf 1 router-id 123.3.3.3
area 0.0.0.0
network 10.1.13.3 0.0.0.0
network 10.1.34.3 0.0.0.0
network 10.1.35.3 0.0.0.0
(2) Configure R4
Modify the device name
sysname R4
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.45.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.24.4 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.4 255.255.255.0
Configure OSPF
ospf 1 router-id 123.4.4.4
area 0.0.0.0
network 10.1.24.4 0.0.0.0
network 10.1.34.4 0.0.0.0
network 10.1.45.4 0.0.0.0
Configure Telnet access: password telnet123, user privilege level 3
telnet server enable
user-interface vty 0 4
set authentication password cipher telnet123
user privilege level 3
(3) Configure ISP6
Modify the device name
sysname ISP6
Configure IP addresses
interface GigabitEthernet0/0/1
ip address 202.103.67.6 255.255.255.0
interface GigabitEthernet0/0/2
ip address 202.103.56.6 255.255.255.0
Configure OSPF and advertise a default route into the area
ospf 200 router-id 123.6.6.6
default-route-advertise always
area 0.0.0.0
network 202.103.67.6 0.0.0.0
Configure the default route towards FW5
ip route-static 0.0.0.0 0.0.0.0 202.103.56.5
(4) Configure ISP7
Modify the device name
sysname ISP7
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 200.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 202.103.67.7 255.255.255.0
interface GigabitEthernet0/0/2
ip address 100.1.1.1 255.255.255.0
interface GigabitEthernet2/0/0
ip address 202.103.78.7 255.255.255.0
Configure OSPF
ospf 200 router-id 123.7.7.7
area 0.0.0.0
network 100.1.1.1 0.0.0.0
network 200.1.1.1 0.0.0.0
network 202.103.67.7 0.0.0.0
network 202.103.78.7 0.0.0.0
3. Configure the servers:
4. Configure the terminal devices: