2022-06-23 VGMP, OSPF, interzone security policy and NAT policy (being updated)
2022-07-03 06:41:00 【Sunset Street】
This article is for learning and reference only!
Discussion and feedback are welcome.
I. Experimental topology:
Download link :https://pan.baidu.com/s/1tbrhHKz8XKXqlQP_ZnMw1A?pwd=usmk

II. Experimental configuration:
1. Configure the firewalls:
(1) Configure FW1
Change the device name
sysname FW1
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.1 255.255.255.0
Add interfaces to the trust zone
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.1.1.1
area 0.0.0.0
network 10.1.13.1 0.0.0.0
network 192.168.100.1 0.0.0.0
Configure VRRP (FW1 is master for VRID 10 and 30, FW2 for VRID 20, so the pair shares the load)
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 master
vrrp vrid 20 virtual-ip 192.168.20.254 16 slave
vrrp vrid 30 virtual-ip 192.168.30.254 16 master
vrrp virtual-mac enable
Disable the session link-state check, so that sessions whose forward and return packets take different paths are not dropped
undo firewall session link-state check
Enable fast session backup, so the standby device holds the active device's session table and a failover does not break established connections
hrp mirror session enable
Adjust the OSPF cost according to the VGMP state: the standby advertises a large cost, so R3 and R4 steer traffic toward the active firewall and the forward and return paths stay symmetric
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby (HRP)
hrp enable
(2) Configure FW2
Change the device name
sysname FW2
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.2 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.24.2 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.2 255.255.255.0
Add interfaces to the trust zone
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.2.2.2
area 0.0.0.0
network 10.1.24.2 0.0.0.0
network 192.168.100.2 0.0.0.0
Configure VRRP (the master/slave roles are the mirror image of FW1)
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 slave
vrrp vrid 20 virtual-ip 192.168.20.254 16 master
vrrp vrid 30 virtual-ip 192.168.30.254 16 slave
vrrp virtual-mac enable
Disable the session link-state check (tolerates asymmetric forward and return paths)
undo firewall session link-state check
Enable fast session backup
hrp mirror session enable
Adjust the OSPF cost according to the VGMP state
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby (HRP). Once both devices are configured, display hrp state on each firewall shows the HRP role and the VGMP group states, and display vrrp shows which device is master for each VRID.
hrp enable
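The VRRP and HRP settings on FW1 and FW2 have to mirror each other: the same virtual IP per VRID, opposite master/slave roles (two masters for one VRID means both firewalls answer for the gateway address), each virtual IP inside the subnet of the interface that carries it, and heartbeat interfaces on one subnet with hrp enable on both sides. The following Python script is an added example, not part of the original post: it parses constructed excerpts of the FW1 and FW2 configurations above (the excerpt strings and the check logic are the editor's) and reports any inconsistency. It assumes the plain-text command form shown on this page.

```python
import re
from ipaddress import IPv4Interface

# Constructed excerpts of the FW1 and FW2 configurations shown above.
FW1_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.168.100.1 255.255.0.0
interface GigabitEthernet0/0/1
 ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/5
 ip address 10.88.12.1 255.255.255.0
interface GigabitEthernet0/0/0
 vrrp vrid 10 virtual-ip 192.168.10.254 16 master
 vrrp vrid 20 virtual-ip 192.168.20.254 16 slave
 vrrp vrid 30 virtual-ip 192.168.30.254 16 master
hrp mirror session enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet0/0/5
hrp enable
"""

FW2_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.168.100.2 255.255.0.0
interface GigabitEthernet0/0/1
 ip address 10.1.24.2 255.255.255.0
interface GigabitEthernet0/0/5
 ip address 10.88.12.2 255.255.255.0
interface GigabitEthernet0/0/0
 vrrp vrid 10 virtual-ip 192.168.10.254 16 slave
 vrrp vrid 20 virtual-ip 192.168.20.254 16 master
 vrrp vrid 30 virtual-ip 192.168.30.254 16 slave
hrp mirror session enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet0/0/5
hrp enable
"""

VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (\d+) (master|slave)")


def parse_device(config):
    """Extract interface addresses, VRRP groups and HRP settings from one config."""
    ifaces, vrrp, current = {}, {}, None
    hrp_if, hrp_enabled = None, False
    for raw in config.splitlines():
        line = raw.strip()
        m = VRRP_RE.match(line)
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            addr, mask = line.split()[2:4]
            ifaces[current] = IPv4Interface(f"{addr}/{mask}")
        elif m:
            vrid, vip, plen, role = m.groups()
            # Remember the interface the group was configured under.
            vrrp[int(vrid)] = (IPv4Interface(f"{vip}/{plen}"), role, current)
        elif line.startswith("hrp interface "):
            hrp_if = line.split()[2]
        elif line == "hrp enable":
            hrp_enabled = True
    return {"ifaces": ifaces, "vrrp": vrrp, "hrp_if": hrp_if, "hrp_enabled": hrp_enabled}


def check_pair(cfg_a, cfg_b, name_a="FW1", name_b="FW2"):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_device(cfg_a), parse_device(cfg_b)
    findings = []
    for name, dev in ((name_a, a), (name_b, b)):
        if not dev["hrp_enabled"]:
            findings.append(f"{name}: 'hrp enable' missing")
        if dev["hrp_if"] not in dev["ifaces"]:
            findings.append(f"{name}: heartbeat interface {dev['hrp_if']} has no IP address")
    if a["hrp_if"] in a["ifaces"] and b["hrp_if"] in b["ifaces"]:
        if a["ifaces"][a["hrp_if"]].network != b["ifaces"][b["hrp_if"]].network:
            findings.append("heartbeat interfaces are not on the same subnet")
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        if vrid not in a["vrrp"] or vrid not in b["vrrp"]:
            findings.append(f"vrid {vrid}: configured on only one firewall")
            continue
        (vip_a, role_a, if_a), (vip_b, role_b, if_b) = a["vrrp"][vrid], b["vrrp"][vrid]
        if vip_a != vip_b:
            findings.append(f"vrid {vrid}: virtual IPs differ ({vip_a} vs {vip_b})")
        if role_a == role_b:
            findings.append(f"vrid {vrid}: both firewalls are {role_a}")
        # The virtual IP must lie in the subnet of the interface that carries the group.
        for name, dev, vip, ifname in ((name_a, a, vip_a, if_a), (name_b, b, vip_b, if_b)):
            real = dev["ifaces"].get(ifname)
            if real is None or vip.ip not in real.network:
                findings.append(f"{name}: vrid {vrid} virtual IP {vip.ip} is not in the subnet of {ifname}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(FW1_CONFIG, FW2_CONFIG) or ["pair is consistent"]:
        print(finding)
```

Run it against the exported configurations of both firewalls before enabling HRP; the same checks apply whenever a VRID is added later, which is where the "both master" mistake usually creeps in.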
(3) Configure FW5
Change the device name
sysname FW5
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.5.5.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.35.5 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.45.5 255.255.255.0
interface GigabitEthernet0/0/5
ip address 202.103.56.5 255.255.255.0
Add interfaces to the trust zone
firewall zone trust
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
Add an interface to the untrust zone
firewall zone untrust
add interface GigabitEthernet0/0/5
Add an interface to the DMZ
firewall zone dmz
add interface GigabitEthernet0/0/0
Configure OSPF (FW5 advertises the default route into area 0)
ospf 1 router-id 123.5.5.5
default-route-advertise always
area 0.0.0.0
network 10.5.5.1 0.0.0.0
network 10.1.35.5 0.0.0.0
network 10.1.45.5 0.0.0.0
Configure a default route toward the ISP so that public network routes are reachable
ip route-static 0.0.0.0 0.0.0.0 202.103.56.6
Disable the session link-state check (tolerates asymmetric forward and return paths)
undo firewall session link-state check
Configure the interzone security policy: trust to dmz (outbound, any service)
policy interzone trust dmz outbound
policy 1
action permit
Configure the interzone security policy: untrust to dmz. On the USG, inbound means traffic from the lower-priority zone (untrust) into the higher-priority zone (dmz); NAT server translation happens before the policy lookup, so the destination is the server's private address.
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set ftp
policy service service-set http
policy service service-set https
policy destination 10.5.5.100 0
policy destination 10.5.5.101 0
Configure the interzone security policy: untrust to trust (inbound), allowing only SSH and Telnet to R4's address 10.1.45.4
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set ssh
policy service service-set telnet
policy destination 10.1.45.4 0
Configure the interzone security policy: trust to untrust (outbound, any source and service)
policy interzone trust untrust outbound
policy 1
action permit
Configure the NAPT address pool (public addresses used for intranet-to-Internet translation):
nat address-group 7 202.103.56.100 202.103.56.120
Configure the NAT policy, NAPT mode: trust to untrust (192.168.10.0/24 and 192.168.30.0/24 users are translated to the address pool)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 192.168.10.0 0.0.0.255
policy source 192.168.30.0 0.0.0.255
address-group 7
Configure the NAT policy, Easy IP mode: trust to untrust (192.168.20.0/24 users are translated to the address of the outbound interface)
nat-policy interzone trust untrust outbound
policy 2
action source-nat
policy source 192.168.20.0 0.0.0.255
easy-ip GigabitEthernet0/0/5
Configure NAT server: the intranet server provides FTP, HTTP and HTTPS (HTTP is published on public port 8003). Only the untrust-to-dmz direction is permitted above, so active-mode FTP, where the server opens the TCP/20 data connection back to the client, needs either FTP ASPF or a dmz-to-untrust rule:
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20
Configure NAT server: the intranet device R4 provides Telnet and SSH. Telnet (like FTP) carries credentials in cleartext and is published here for the lab only; note that R4's configuration below enables only the Telnet server, so the TCP/22 mapping has no listener unless SSH (STelnet) is configured on R4:
nat server protocol tcp global 202.103.56.88 23 inside 10.1.45.4 23
nat server protocol tcp global 202.103.56.88 22 inside 10.1.45.4 22
Configure the interzone security policy: local to untrust (outbound, so the firewall itself can reach the ISP)
policy interzone local untrust outbound
policy 1
action permit
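The NAT server entries and the inbound security policies on FW5 describe the same exposure from two sides, and they drift apart easily: a published service with no matching permit is silently dead, a permitted destination with no NAT server entry is an over-broad rule, and anything published on TCP/21 or TCP/23 sends credentials in cleartext. The following Python script is an added example, not part of the original post: it cross-checks a constructed excerpt of the FW5 configuration above (the excerpt, the zone-to-subnet mapping taken from FW5's interface addresses, and the check logic are the editor's). It assumes the default USG zone priorities (local 100, trust 85, dmz 50, untrust 5), the TCP ports behind the predefined service-set names, and that NAT server translation precedes the policy lookup, so policies are compared against the inside addresses.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed excerpt of the FW5 configuration shown above (the audit input).
FW5_CONFIG = """\
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set ftp
  policy service service-set http
  policy service service-set https
  policy destination 10.5.5.100 0
  policy destination 10.5.5.101 0
policy interzone trust untrust inbound
 policy 1
  action permit
  policy service service-set ssh
  policy service service-set telnet
  policy destination 10.1.45.4 0
policy interzone trust untrust outbound
 policy 1
  action permit
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20
nat server protocol tcp global 202.103.56.88 23 inside 10.1.45.4 23
nat server protocol tcp global 202.103.56.88 22 inside 10.1.45.4 22
"""

# Zone membership derived from the FW5 interface addresses above (assumption).
ZONE_NETWORKS = {
    "dmz": [IPv4Network("10.5.5.0/24")],
    "trust": [IPv4Network("10.1.35.0/24"), IPv4Network("10.1.45.0/24")],
}
# Default USG zone priorities; "inbound" is traffic entering the higher-priority zone.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
# TCP ports behind the predefined service-set names used in the policies.
SERVICE_PORTS = {"ftp": {20, 21}, "http": {80}, "https": {443}, "ssh": {22}, "telnet": {23}}
# Published services whose protocol carries credentials in cleartext.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}

NAT_SERVER_RE = re.compile(r"nat server protocol tcp global (\S+) (\d+) inside (\S+) (\d+)")
INTERZONE_RE = re.compile(r"policy interzone (\S+) (\S+) (inbound|outbound)")


def wildcard_to_network(addr, wildcard):
    """Convert USG 'address wildcard' syntax ('0' meaning a single host) to a network."""
    hostbits = 0 if wildcard == "0" else int(IPv4Address(wildcard))
    return IPv4Network(f"{addr}/{32 - hostbits.bit_length()}", strict=False)


def parse_nat_servers(config):
    """Return (global_ip, global_port, inside_ip, inside_port) for each nat server line."""
    return [(g, int(gp), i, int(ip)) for g, gp, i, ip in NAT_SERVER_RE.findall(config)]


def parse_inbound_permits(config):
    """Collect permit rules of inbound interzone policies.

    A rule without a service or destination clause matches any service/destination.
    """
    rules, header, current = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = INTERZONE_RE.match(line)
        if m:
            z1, z2, direction = m.groups()
            header = (max((z1, z2), key=ZONE_PRIORITY.__getitem__), direction)
            current = None
        elif line.startswith("policy ") and line.split()[1].isdigit() and header:
            current = {"zone": header[0], "inbound": header[1] == "inbound",
                       "permit": False, "ports": set(), "dests": []}
            rules.append(current)
        elif current is None:
            continue
        elif line == "action permit":
            current["permit"] = True
        elif line.startswith("policy service service-set "):
            current["ports"] |= SERVICE_PORTS[line.split()[-1]]
        elif line.startswith("policy destination "):
            current["dests"].append(wildcard_to_network(*line.split()[2:4]))
    return [r for r in rules if r["permit"] and r["inbound"]]


def unpublished_destinations(config):
    """Inbound permit destinations that no nat server maps to (dead or over-broad rules)."""
    inside = {IPv4Address(i) for _, _, i, _ in parse_nat_servers(config)}
    return [str(d) for r in parse_inbound_permits(config) for d in r["dests"]
            if not any(ip in d for ip in inside)]


def unreachable_nat_servers(config):
    """nat server mappings whose inside address/port no inbound permit rule covers."""
    rules = parse_inbound_permits(config)
    missing = []
    for g, gp, i, ip in parse_nat_servers(config):
        addr = IPv4Address(i)
        zone = next((z for z, nets in ZONE_NETWORKS.items() if any(addr in n for n in nets)), None)
        covered = any(r["zone"] == zone
                      and (not r["ports"] or ip in r["ports"])
                      and (not r["dests"] or any(addr in d for d in r["dests"]))
                      for r in rules)
        if not covered:
            missing.append(f"{g}:{gp}->{i}:{ip}")
    return missing


def exposed_cleartext_services(config):
    """Published mappings to FTP or Telnet, which send credentials unencrypted."""
    return [(g, gp, CLEARTEXT_PORTS[ip]) for g, gp, _, ip in parse_nat_servers(config)
            if ip in CLEARTEXT_PORTS]


if __name__ == "__main__":
    print("permitted but unpublished:", unpublished_destinations(FW5_CONFIG))
    print("published but not permitted:", unreachable_nat_servers(FW5_CONFIG))
    print("cleartext services exposed:", exposed_cleartext_services(FW5_CONFIG))
```

On the page's configuration the script reports 10.5.5.101/32 as permitted but never published (no NAT server entry points at it), no published service without a permit, and the FTP and Telnet mappings as cleartext exposures. Removing the telnet service-set from the trust/untrust inbound policy makes the TCP/23 mapping show up as published but blocked, which is the kind of drift the check exists to catch.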
(4) Configure FW8
Change the device name
sysname FW8
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 172.16.99.1 255.255.0.0
interface GigabitEthernet0/0/2
ip address 202.103.78.8 255.255.255.0
Add an interface to the untrust zone
firewall zone untrust
add interface GigabitEthernet0/0/2
Configure a default route toward the ISP so that public network routes are reachable
ip route-static 0.0.0.0 0.0.0.0 202.103.78.7
Configure the interzone security policy: trust to untrust (outbound, restricted to the branch subnet 172.16.99.0/24)
policy interzone trust untrust outbound
policy 1
policy source 172.16.99.0 0.0.0.255
action permit
Configure the interzone security policy: local to untrust (outbound)
policy interzone local untrust outbound
policy 1
action permit
Configure the NAT policy, Easy IP mode: trust to untrust (172.16.99.0/24 users are translated to the address of GigabitEthernet0/0/2)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.99.0 0.0.0.255
easy-ip GigabitEthernet0/0/2
Configure SYN flood, UDP flood and ICMP flood defense on the branch firewall FW8, and limit ICMP to a maximum rate of 5 packets per second:
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend icmp-flood base-session max-rate 5
2. Configure the routers:
(1) Configure R3
Change the device name
sysname R3
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.35.3 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.13.3 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.3 255.255.255.0
Configure OSPF
ospf 1 router-id 123.3.3.3
area 0.0.0.0
network 10.1.13.3 0.0.0.0
network 10.1.34.3 0.0.0.0
network 10.1.35.3 0.0.0.0
(2) Configure R4
Change the device name
sysname R4
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.45.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.24.4 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.4 255.255.255.0
Configure OSPF
ospf 1 router-id 123.4.4.4
area 0.0.0.0
network 10.1.24.4 0.0.0.0
network 10.1.34.4 0.0.0.0
network 10.1.45.4 0.0.0.0
Configure Telnet: password telnet123, user privilege level 3. Password-only VTY authentication and cleartext Telnet are acceptable for this lab; in production, use AAA with named users and SSH instead.
telnet server enable
user-interface vty 0 4
set authentication password cipher telnet123
user privilege level 3
(3) Configure ISP6
Change the device name
sysname ISP6
Configure IP addresses
interface GigabitEthernet0/0/1
ip address 202.103.67.6 255.255.255.0
interface GigabitEthernet0/0/2
ip address 202.103.56.6 255.255.255.0
Configure OSPF (ISP6 advertises the default route into the ISP OSPF process)
ospf 200 router-id 123.6.6.6
default-route-advertise always
area 0.0.0.0
network 202.103.67.6 0.0.0.0
Configure the default route toward FW5
ip route-static 0.0.0.0 0.0.0.0 202.103.56.5
(4) Configure ISP7
Change the device name
sysname ISP7
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 200.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 202.103.67.7 255.255.255.0
interface GigabitEthernet0/0/2
ip address 100.1.1.1 255.255.255.0
interface GigabitEthernet2/0/0
ip address 202.103.78.7 255.255.255.0
Configure OSPF
ospf 200 router-id 123.7.7.7
area 0.0.0.0
network 100.1.1.1 0.0.0.0
network 200.1.1.1 0.0.0.0
network 202.103.67.7 0.0.0.0
network 202.103.78.7 0.0.0.0
3. Configure the servers:

4. Configure the terminal devices:
