2022-06-23 VGMP, OSPF, inter-zone security policy, NAT policy (under update)
2022-07-03 06:41:00 【Sunset Street】
This article is for learning and reference only!
Discussion is welcome ~
One. Experimental topology:
Download link: https://pan.baidu.com/s/1tbrhHKz8XKXqlQP_ZnMw1A?pwd=usmk
Two. Experimental configuration:
1. Configure the firewalls:
(1) Configure FW1
Modify the device name
sysname FW1
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.1 255.255.255.0
Add the inside interfaces to the trust security zone
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.1.1.1
area 0.0.0.0
network 10.1.13.1 0.0.0.0
network 192.168.100.1 0.0.0.0
Configure VRRP (FW1 is master for VRID 10 and 30, slave for VRID 20)
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 master
vrrp vrid 20 virtual-ip 192.168.20.254 16 slave
vrrp vrid 30 virtual-ip 192.168.30.254 16 master
vrrp virtual-mac enable
Disable the session link-state check, so that a session whose forward and return packets take different paths (one through FW1, the other through FW2) is not dropped
undo firewall session link-state check
Enable fast (real-time) session backup
hrp mirror session enable
Adjust the OSPF cost according to the VGMP state (the standby device advertises a higher cost, so R3/R4 prefer the path through the active device)
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby (HRP)
hrp enable
(2) Configure FW2
Modify the device name
sysname FW2
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.2 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.24.2 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.2 255.255.255.0
Add the inside interfaces to the trust security zone
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.2.2.2
area 0.0.0.0
network 10.1.24.2 0.0.0.0
network 192.168.100.2 0.0.0.0
Configure VRRP (FW2 is master for VRID 20, slave for VRID 10 and 30, the mirror of FW1)
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 slave
vrrp vrid 20 virtual-ip 192.168.20.254 16 master
vrrp vrid 30 virtual-ip 192.168.30.254 16 slave
vrrp virtual-mac enable
Disable the session link-state check, so that a session whose forward and return packets take different paths is not dropped
undo firewall session link-state check
Enable fast (real-time) session backup
hrp mirror session enable
Adjust the OSPF cost according to the VGMP state
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby (HRP)
hrp enable
(3) Configure FW5
Modify the device name
sysname FW5
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.5.5.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.35.5 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.45.5 255.255.255.0
interface GigabitEthernet0/0/5
ip address 202.103.56.5 255.255.255.0
Add the trust zone
firewall zone trust
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
Add the untrust zone
firewall zone untrust
add interface GigabitEthernet0/0/5
Add the DMZ zone
firewall zone dmz
add interface GigabitEthernet0/0/0
Configure OSPF (and advertise a default route into the area)
ospf 1 router-id 123.5.5.5
default-route-advertise always
area 0.0.0.0
network 10.5.5.1 0.0.0.0
network 10.1.35.5 0.0.0.0
network 10.1.45.5 0.0.0.0
Configure the default route so that public-network destinations are reachable
ip route-static 0.0.0.0 0.0.0.0 202.103.56.6
Disable the session link-state check (forward and return paths may differ)
undo firewall session link-state check
Configure the interzone security policy: trust to dmz
policy interzone trust dmz outbound
policy 1
action permit
Configure the interzone security policy: untrust to dmz (the published servers; the destinations are the inside addresses, because the security policy is matched after nat server translation)
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set ftp
policy service service-set http
policy service service-set https
policy destination 10.5.5.100 0
policy destination 10.5.5.101 0
Configure the interzone security policy: untrust to trust (SSH and Telnet to R4 only)
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set ssh
policy service service-set telnet
policy destination 10.1.45.4 0
Configure the interzone security policy: trust to untrust (all outbound traffic)
policy interzone trust untrust outbound
policy 1
action permit
Configure NAPT (address pool for intranet-to-public-network translation):
nat address-group 7 202.103.56.100 202.103.56.120
Configure the NAT policy, NAPT mode: trust to untrust (192.168.10.0/24 and 192.168.30.0/24 users)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 192.168.10.0 0.0.0.255
policy source 192.168.30.0 0.0.0.255
address-group 7
Configure the NAT policy, Easy IP mode: trust to untrust (192.168.20.0/24 users, translated to the address of GigabitEthernet0/0/5)
nat-policy interzone trust untrust outbound
policy 2
action source-nat
policy source 192.168.20.0 0.0.0.255
easy-ip GigabitEthernet0/0/5
Configure nat server so that the intranet server provides FTP, HTTP and HTTPS to the public network (HTTP is published on port 8003 and mapped to inside port 80):
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20
Configure nat server so that the intranet device (R4) provides Telnet and SSH to the public network (Telnet is cleartext; exposing it like this is acceptable only in a lab):
nat server protocol tcp global 202.103.56.88 23 inside 10.1.45.4 23
nat server protocol tcp global 202.103.56.88 22 inside 10.1.45.4 22
Configure the interzone security policy: local to untrust
policy interzone local untrust outbound
policy 1
action permit
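A check worth running on the FW5 configuration above is whether every nat server mapping is actually permitted by an inbound interzone policy, and whether the inbound policies permit more than is published. The following Python is an added example written for this page, not part of the original lab. It parses the FW5 policy and nat server lines copied from the text; the service-set to port table is an assumption that the predefined USG service sets ftp, http, https, ssh and telnet match TCP 21, 80, 443, 22 and 23. Because the USG matches the security policy after nat server translation, the comparison is made on the inside address and port, not the global ones. Run against the lab's own lines it reports two things: the port-20 mapping is not permitted by any policy (the ftp service set matches the control port 21 only), and 10.5.5.101 is permitted in the dmz policy although no nat server publishes it.

```python
"""Cross-check Huawei USG 'nat server' mappings against inbound interzone
security policies. Added example for this page, not the original lab's code."""
import re

# Assumption: the predefined USG service sets match these TCP ports.
SERVICE_PORTS = {"ftp": 21, "http": 80, "https": 443, "ssh": 22, "telnet": 23}

# FW5 lines copied from the lab text (policies first, then nat server).
FW5_CONFIG = """
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set ftp
  policy service service-set http
  policy service service-set https
  policy destination 10.5.5.100 0
  policy destination 10.5.5.101 0
policy interzone trust untrust inbound
 policy 1
  action permit
  policy service service-set ssh
  policy service service-set telnet
  policy destination 10.1.45.4 0
policy interzone trust untrust outbound
 policy 1
  action permit
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20
nat server protocol tcp global 202.103.56.88 23 inside 10.1.45.4 23
nat server protocol tcp global 202.103.56.88 22 inside 10.1.45.4 22
"""

NAT_SERVER_RE = re.compile(
    r"nat server protocol (\w+) global (\S+) (\d+) inside (\S+) (\d+)")


def parse_policies(text):
    """Return permit rules as dicts: zone triple, destination IPs, inside ports.
    An empty 'dst' or 'ports' set means the rule matches any host / any service."""
    rules, zone, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy interzone "):
            zone = tuple(line.split()[2:5])      # e.g. ('dmz', 'untrust', 'inbound')
            cur = None
        elif re.fullmatch(r"policy \d+", line):
            cur = {"zone": zone, "action": None, "dst": set(), "ports": set()}
            rules.append(cur)
        elif cur is None:
            continue
        elif line.startswith("action "):
            cur["action"] = line.split()[1]
        elif line.startswith("policy service service-set "):
            cur["ports"].add(SERVICE_PORTS[line.split()[-1]])
        elif line.startswith("policy destination "):
            cur["dst"].add(line.split()[2])     # wildcard mask 0 = single host
    return [r for r in rules if r["action"] == "permit"]


def parse_nat_servers(text):
    """(inside_ip, inside_port, global_ip, global_port) for each nat server line."""
    return [(m.group(4), int(m.group(5)), m.group(2), int(m.group(3)))
            for m in NAT_SERVER_RE.finditer(text)]


def uncovered_mappings(text):
    """nat server mappings that no inbound permit rule allows (on inside ip:port)."""
    inbound = [r for r in parse_policies(text) if r["zone"][2] == "inbound"]
    missing = []
    for inside_ip, inside_port, global_ip, global_port in parse_nat_servers(text):
        covered = any((not r["dst"] or inside_ip in r["dst"])
                      and (not r["ports"] or inside_port in r["ports"])
                      for r in inbound)
        if not covered:
            missing.append(f"{global_ip}:{global_port} -> {inside_ip}:{inside_port}")
    return missing


def unused_permit_destinations(text):
    """Hosts named in a permit rule that no nat server publishes (dead or over-broad permit)."""
    published = {ip for ip, _, _, _ in parse_nat_servers(text)}
    named = set()
    for r in parse_policies(text):
        named |= r["dst"]
    return named - published


if __name__ == "__main__":
    print("not permitted:", uncovered_mappings(FW5_CONFIG))
    print("permitted but unpublished:", unused_permit_destinations(FW5_CONFIG))
```

The port-20 finding is harmless for passive-mode FTP (the data channel is then opened by the client to a port negotiated over the permitted control connection), but it shows that the mapping adds nothing by itself; the 10.5.5.101 finding is a permit rule wider than the published services, which is the kind of drift this check is meant to catch.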
(4) Configure FW8
Modify the device name
sysname FW8
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 172.16.99.1 255.255.0.0
interface GigabitEthernet0/0/2
ip address 202.103.78.8 255.255.255.0
Add the untrust zone (note that, unlike FW1, FW2 and FW5, GigabitEthernet0/0/0 is not explicitly added to the trust zone here)
firewall zone untrust
add interface GigabitEthernet0/0/2
Configure the default route so that public-network destinations are reachable
ip route-static 0.0.0.0 0.0.0.0 202.103.78.7
Configure the interzone security policy: trust to untrust (172.16.99.0/24 users only)
policy interzone trust untrust outbound
policy 1
policy source 172.16.99.0 0.0.0.255
action permit
Configure the interzone security policy: local to untrust
policy interzone local untrust outbound
policy 1
action permit
Configure the NAT policy, Easy IP mode: trust to untrust (172.16.99.0/24 users, translated to the address of GigabitEthernet0/0/2)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.99.0 0.0.0.255
easy-ip GigabitEthernet0/0/2
Configure SYN flood, UDP flood and ICMP flood attack defense on the branch firewall FW8, and limit ICMP to a maximum rate of 5 packets/second:
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend icmp-flood base-session max-rate 5
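To make the 5 packets/second threshold concrete, here is an added example (not from the original post) that applies such a limit to a constructed ICMP trace. Counting per source/destination pair over a one-second window is an assumption about how the USG counts for `base-session`; the addresses in the trace are taken from the lab topology, the timestamps are made up.

```python
"""Per-flow ICMP rate limiting with a fixed one-second window, illustrating
'firewall defend icmp-flood base-session max-rate 5'. Added example, not
the firewall's implementation; the window/keying is an assumption."""


class IcmpFloodGuard:
    def __init__(self, max_rate=5):
        self.max_rate = max_rate
        self.window = {}          # (src, dst) -> (second, packets seen in it)

    def admit(self, t, src, dst):
        """Return True if the ICMP packet arriving at time t (seconds) is forwarded,
        False if it exceeds max_rate for this flow within the current second."""
        flow = (src, dst)
        sec = int(t)
        start, n = self.window.get(flow, (sec, 0))
        if start != sec:          # new second: reset the per-flow counter
            start, n = sec, 0
        if n >= self.max_rate:
            self.window[flow] = (start, n)
            return False
        self.window[flow] = (start, n + 1)
        return True


def run_trace(trace, max_rate=5):
    """Apply the guard to a list of (time, src, dst) and return one decision per packet."""
    guard = IcmpFloodGuard(max_rate)
    return [guard.admit(t, src, dst) for t, src, dst in trace]


# Constructed trace: 8 echo requests within the first second from ISP6 to
# FW8's inside address, one request from another host in the same second,
# and one more from ISP6 after the window has rolled over.
TRACE = [(0.1 * i, "202.103.67.6", "172.16.99.1") for i in range(8)] + [
    (0.5, "200.1.1.1", "172.16.99.1"),
    (1.2, "202.103.67.6", "172.16.99.1"),
]

if __name__ == "__main__":
    for (t, src, dst), ok in zip(TRACE, run_trace(TRACE)):
        print(f"t={t:.1f} {src} -> {dst}: {'forward' if ok else 'drop'}")
```

Packets 6 to 8 of the burst are dropped, the other host's single packet is unaffected, and the flow is admitted again once the next second starts; a limit that counted all ICMP to the destination together would instead also have dropped the second host's packet.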
2. Configure the routers:
(1) Configure R3
Modify the device name
sysname R3
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.35.3 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.13.3 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.3 255.255.255.0
Configure OSPF
ospf 1 router-id 123.3.3.3
area 0.0.0.0
network 10.1.13.3 0.0.0.0
network 10.1.34.3 0.0.0.0
network 10.1.35.3 0.0.0.0
(2) Configure R4
Modify the device name
sysname R4
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.45.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.24.4 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.4 255.255.255.0
Configure OSPF
ospf 1 router-id 123.4.4.4
area 0.0.0.0
network 10.1.24.4 0.0.0.0
network 10.1.34.4 0.0.0.0
network 10.1.45.4 0.0.0.0
Configure Telnet access: password = telnet123, user privilege level = 3 (these are lab credentials; R4 is reachable from the public network through the nat server mapping on FW5, so a cleartext Telnet login with a shared password should not be reused outside the lab)
telnet server enable
user-interface vty 0 4
set authentication password cipher telnet123
user privilege level 3
(3) Configure ISP6
Modify the device name
sysname ISP6
Configure IP addresses
interface GigabitEthernet0/0/1
ip address 202.103.67.6 255.255.255.0
interface GigabitEthernet0/0/2
ip address 202.103.56.6 255.255.255.0
Configure OSPF (process 200, and advertise a default route into the area)
ospf 200 router-id 123.6.6.6
default-route-advertise always
area 0.0.0.0
network 202.103.67.6 0.0.0.0
Configure the default route (towards FW5)
ip route-static 0.0.0.0 0.0.0.0 202.103.56.5
(4) Configure ISP7
Modify the device name
sysname ISP7
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 200.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 202.103.67.7 255.255.255.0
interface GigabitEthernet0/0/2
ip address 100.1.1.1 255.255.255.0
interface GigabitEthernet2/0/0
ip address 202.103.78.7 255.255.255.0
Configure OSPF (process 200)
ospf 200 router-id 123.7.7.7
area 0.0.0.0
network 100.1.1.1 0.0.0.0
network 200.1.1.1 0.0.0.0
network 202.103.67.7 0.0.0.0
network 202.103.78.7 0.0.0.0
3. Configure the servers:
4. Configure the terminal devices: