2022-06-23 VGMP-OSPF-Interzone Security Policy-NAT Policy (in progress)
2022-07-03 06:41:00 【夕陽的街道】
This article is for learning and reference only!
Discussion and feedback are welcome~
I. Lab topology:
Download link: https://pan.baidu.com/s/1tbrhHKz8XKXqlQP_ZnMw1A?pwd=usmk

II. Lab configuration:
1. Configure the firewalls:
(1) Configure FW1
Change the device name
sysname FW1
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.13.1 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.1 255.255.255.0
Add interfaces to the security zone
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.1.1.1
area 0.0.0.0
network 10.1.13.1 0.0.0.0
network 192.168.100.1 0.0.0.0
Configure VRRP
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 master
vrrp vrid 20 virtual-ip 192.168.20.254 16 slave
vrrp vrid 30 virtual-ip 192.168.30.254 16 master
vrrp virtual-mac enable
Configure hot standby (HRP)
Prevent sessions from being dropped when the forward and return paths differ
undo firewall session link-state check
Enable fast session backup to the peer
hrp mirror session enable
Adjust the OSPF cost according to the VGMP state
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby
hrp enable
(2) Configure FW2
Change the device name
sysname FW2
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 192.168.100.2 255.255.0.0
interface GigabitEthernet0/0/1
ip address 10.1.24.2 255.255.255.0
interface GigabitEthernet0/0/5
ip address 10.88.12.2 255.255.255.0
Add interfaces to the security zone
firewall zone trust
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
Configure OSPF
ospf 1 router-id 123.2.2.2
area 0.0.0.0
network 10.1.24.2 0.0.0.0
network 192.168.100.2 0.0.0.0
Configure VRRP
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 slave
vrrp vrid 20 virtual-ip 192.168.20.254 16 master
vrrp vrid 30 virtual-ip 192.168.30.254 16 slave
vrrp virtual-mac enable
Configure hot standby (HRP)
Prevent sessions from being dropped when the forward and return paths differ
undo firewall session link-state check
Enable fast session backup to the peer
hrp mirror session enable
Adjust the OSPF cost according to the VGMP state
hrp ospf-cost adjust-enable
Specify the heartbeat interface
hrp interface GigabitEthernet0/0/5
Enable dual-device hot standby
hrp enable
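The FW1/FW2 pair only fails over cleanly if the two configurations mirror each other: every VRRP group must exist on both units with the same virtual IP and one master plus one slave, the heartbeat interface must be the same port on a shared subnet, the HRP commands must be present on both, and the OSPF router-ids must differ. The script below is an added example (Python, not part of the original post or of any Huawei tool) that parses the FW1 and FW2 lines given above and reports every mismatch; the config text it embeds is copied from this lab, and the parser only understands the handful of commands shown here.

```python
import ipaddress

# HRP/VRRP-relevant lines of FW1 and FW2, copied from the lab configuration above
FW1_CFG = """
sysname FW1
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.0.0
interface GigabitEthernet0/0/5
ip address 10.88.12.1 255.255.255.0
ospf 1 router-id 123.1.1.1
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 master
vrrp vrid 20 virtual-ip 192.168.20.254 16 slave
vrrp vrid 30 virtual-ip 192.168.30.254 16 master
vrrp virtual-mac enable
undo firewall session link-state check
hrp mirror session enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet0/0/5
hrp enable
"""
FW2_CFG = """
sysname FW2
interface GigabitEthernet0/0/0
ip address 192.168.100.2 255.255.0.0
interface GigabitEthernet0/0/5
ip address 10.88.12.2 255.255.255.0
ospf 1 router-id 123.2.2.2
interface GigabitEthernet0/0/0
vrrp vrid 10 virtual-ip 192.168.10.254 16 slave
vrrp vrid 20 virtual-ip 192.168.20.254 16 master
vrrp vrid 30 virtual-ip 192.168.30.254 16 slave
vrrp virtual-mac enable
undo firewall session link-state check
hrp mirror session enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet0/0/5
hrp enable
"""

# Commands that must appear on both members of the pair
REQUIRED = ("hrp enable", "hrp mirror session enable", "hrp ospf-cost adjust-enable")

def parse_ha(cfg):
    """Pull the HA-relevant facts out of one firewall's configuration text."""
    dev = {"name": None, "ifaces": {}, "vrrp": {}, "hrp_if": None, "router_id": None, "flags": set()}
    cur = None                                   # interface whose sub-commands we are reading
    for line in (l.strip() for l in cfg.strip().splitlines()):
        t = line.split()
        if line in REQUIRED:
            dev["flags"].add(line)
        elif t[0] == "sysname":
            dev["name"] = t[1]
        elif t[0] == "interface":
            cur = t[1]
        elif t[:2] == ["ip", "address"]:
            dev["ifaces"][cur] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["vrrp", "vrid"]:          # vrid -> (virtual-ip, master|slave)
            dev["vrrp"][t[2]] = (t[4], t[-1])
        elif t[:2] == ["hrp", "interface"]:
            dev["hrp_if"] = t[2]
        elif t[0] == "ospf" and "router-id" in t:
            dev["router_id"] = t[t.index("router-id") + 1]
    return dev

def check_pair(a, b):
    """Return a list of human-readable mismatches between two HA members (empty = consistent)."""
    findings = []
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"]), key=int):
        if vrid not in a["vrrp"] or vrid not in b["vrrp"]:
            findings.append(f"vrid {vrid} is configured on only one firewall")
            continue
        (ip_a, role_a), (ip_b, role_b) = a["vrrp"][vrid], b["vrrp"][vrid]
        if ip_a != ip_b:
            findings.append(f"vrid {vrid}: virtual-ip differs ({ip_a} vs {ip_b})")
        if {role_a, role_b} != {"master", "slave"}:
            findings.append(f"vrid {vrid}: roles are {role_a}/{role_b}, expected one master and one slave")
    if a["hrp_if"] != b["hrp_if"]:
        findings.append(f"heartbeat interface differs ({a['hrp_if']} vs {b['hrp_if']})")
    else:
        hb_a, hb_b = a["ifaces"].get(a["hrp_if"]), b["ifaces"].get(b["hrp_if"])
        if hb_a is None or hb_b is None or hb_a.network != hb_b.network:
            findings.append("heartbeat interfaces are not on a common subnet")
    for dev in (a, b):
        for flag in REQUIRED:
            if flag not in dev["flags"]:
                findings.append(f"{dev['name']}: missing '{flag}'")
    if a["router_id"] == b["router_id"]:
        findings.append("both firewalls use the same OSPF router-id")
    return findings

if __name__ == "__main__":
    for f in check_pair(parse_ha(FW1_CFG), parse_ha(FW2_CFG)) or ["HA pair is consistent"]:
        print(f)
```

Run against the lab as written the checker prints "HA pair is consistent"; change either unit's role for vrid 10 so both are master and it reports exactly that group, which is the kind of drift that surfaces only during a failover.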
(3) Configure FW5
Change the device name
sysname FW5
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.5.5.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.35.5 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.45.5 255.255.255.0
interface GigabitEthernet0/0/5
ip address 202.103.56.5 255.255.255.0
Add interfaces to the trust zone
firewall zone trust
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
Add interfaces to the untrust zone
firewall zone untrust
add interface GigabitEthernet0/0/5
Add interfaces to the DMZ (demilitarized zone)
firewall zone dmz
add interface GigabitEthernet0/0/0
Configure OSPF
ospf 1 router-id 123.5.5.5
default-route-advertise always
area 0.0.0.0
network 10.5.5.1 0.0.0.0
network 10.1.35.5 0.0.0.0
network 10.1.45.5 0.0.0.0
Configure the default route / reachability to the public network
ip route-static 0.0.0.0 0.0.0.0 202.103.56.6
Prevent sessions from being dropped when the forward and return paths differ
undo firewall session link-state check
Configure the interzone security policy: trust to dmz
policy interzone trust dmz outbound
policy 1
action permit
Configure the interzone security policy: untrust to dmz
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set ftp
policy service service-set http
policy service service-set https
policy destination 10.5.5.100 0
policy destination 10.5.5.101 0
Configure the interzone security policy: untrust to trust
policy interzone trust untrust inbound
policy 1
action permit
policy service service-set ssh
policy service service-set telnet
policy destination 10.1.45.4 0
Configure the interzone security policy: trust to untrust
policy interzone trust untrust outbound
policy 1
action permit
Configure NAPT (the address pool used to translate private addresses to public ones):
nat address-group 7 202.103.56.100 202.103.56.120
Configure the NAT policy, NAPT mode: trust to untrust (users in 192.168.10.0/24 and 192.168.30.0/24)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 192.168.10.0 0.0.0.255
policy source 192.168.30.0 0.0.0.255
address-group 7
Configure the NAT policy, Easy IP mode: trust to untrust (users in 192.168.20.0/24)
nat-policy interzone trust untrust outbound
policy 2
action source-nat
policy source 192.168.20.0 0.0.0.255
easy-ip GigabitEthernet0/0/5
Configure nat server so that the internal server offers FTP, HTTP and HTTPS to the public network:
nat server protocol tcp global 202.103.56.99 8003 inside 10.5.5.100 80
nat server protocol tcp global 202.103.56.99 443 inside 10.5.5.100 443
nat server protocol tcp global 202.103.56.99 21 inside 10.5.5.100 21
nat server protocol tcp global 202.103.56.99 20 inside 10.5.5.100 20
Configure nat server so that the internal device offers Telnet and SSH to the public network:
nat server protocol tcp global 202.103.56.88 23 inside 10.1.45.4 23
nat server protocol tcp global 202.103.56.88 22 inside 10.1.45.4 22
Configure the interzone security policy: local to untrust
policy interzone local untrust outbound
policy 1
action permit
(4) Configure FW8
Change the device name
sysname FW8
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 172.16.99.1 255.255.0.0
interface GigabitEthernet0/0/2
ip address 202.103.78.8 255.255.255.0
Add interfaces to the untrust zone
firewall zone untrust
add interface GigabitEthernet0/0/2
Configure the default route / reachability to the public network
ip route-static 0.0.0.0 0.0.0.0 202.103.78.7
Configure the interzone security policy: trust to untrust
policy interzone trust untrust outbound
policy 1
policy source 172.16.99.0 0.0.0.255
action permit
Configure the interzone security policy: local to untrust
policy interzone local untrust outbound
policy 1
action permit
Configure the NAT policy, Easy IP mode: trust to untrust (users in 172.16.99.0/24)
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 172.16.99.0 0.0.0.255
easy-ip GigabitEthernet0/0/2
On the branch firewall FW8, enable SYN Flood, UDP Flood and ICMP Flood attack defense, and limit the maximum ICMP packet rate allowed per session to 5 packets/second:
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend icmp-flood base-session max-rate 5
2. Configure the routers:
(1) Configure R3
Change the device name
sysname R3
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.35.3 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.13.3 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.3 255.255.255.0
Configure OSPF
ospf 1 router-id 123.3.3.3
area 0.0.0.0
network 10.1.13.3 0.0.0.0
network 10.1.34.3 0.0.0.0
network 10.1.35.3 0.0.0.0
(2) Configure R4
Change the device name
sysname R4
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 10.1.45.4 255.255.255.0
interface GigabitEthernet0/0/1
ip address 10.1.24.4 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.34.4 255.255.255.0
Configure OSPF
ospf 1 router-id 123.4.4.4
area 0.0.0.0
network 10.1.24.4 0.0.0.0
network 10.1.34.4 0.0.0.0
network 10.1.45.4 0.0.0.0
Configure Telnet access: password = telnet123, user privilege level = 3
telnet server enable
user-interface vty 0 4
set authentication password cipher telnet123
user privilege level 3
(3) Configure ISP6
Change the device name
sysname ISP6
Configure IP addresses
interface GigabitEthernet0/0/1
ip address 202.103.67.6 255.255.255.0
interface GigabitEthernet0/0/2
ip address 202.103.56.6 255.255.255.0
Configure OSPF
ospf 200 router-id 123.6.6.6
default-route-advertise always
area 0.0.0.0
network 202.103.67.6 0.0.0.0
Configure the default route
ip route-static 0.0.0.0 0.0.0.0 202.103.56.5
(4) Configure ISP7
Change the device name
sysname ISP7
Configure IP addresses
interface GigabitEthernet0/0/0
ip address 200.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
ip address 202.103.67.7 255.255.255.0
interface GigabitEthernet0/0/2
ip address 100.1.1.1 255.255.255.0
interface GigabitEthernet2/0/0
ip address 202.103.78.7 255.255.255.0
Configure OSPF
ospf 200 router-id 123.7.7.7
area 0.0.0.0
network 100.1.1.1 0.0.0.0
network 200.1.1.1 0.0.0.0
network 202.103.67.7 0.0.0.0
network 202.103.78.7 0.0.0.0
3. Configure the servers:


4. Configure the end devices:

