Firewall lab
The access-layer switch (switch) has no configuration; hosts communicate through the default vlanif 1:
[switch]dis cu
#
sysname switch
#
undo info-center enable
The firewall (Firewall) configuration is as follows:
[Firewall]dis cu
2024-10-28 14:01:53.950
#
sysname Firewall
#
undo info-center enable
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.2.254 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 100.1.1.1 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
nat server 0 protocol tcp global 100.1.1.100 www inside 192.168.2.100 www
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
sa
#
nat address-group addressgroup1 0
mode pat
section 0 100.1.1.10 100.1.1.20
#
security-policy
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit
rule name trust_to_dmz
source-zone trust
destination-zone dmz
action permit
rule name untrust_to_dmz
source-zone untrust
destination-zone dmz
destination-address 192.168.2.100 mask 255.255.255.255
action permit
#
nat-policy
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addressgroup1
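The three security-policy rules above are worth reading together: trust_to_untrust only permits sources in 192.168.1.0/24, trust_to_dmz permits the whole trust zone, and untrust_to_dmz permits only the published server 192.168.2.100 (the real inside address, since the nat server mapping is applied before the policy lookup). No rule covers untrust to trust, so that direction falls to the default deny. The following is an added example, not part of the lab page or of Huawei's software: a minimal Python model of the first-match inter-zone lookup, with the zones and rules transcribed from the Firewall config. Zone membership is derived from the interface subnets, and intra-zone forwarding is deliberately not modelled.

```python
"""Added example (not from the lab page): a minimal model of the
inter-zone security-policy lookup a zone-based firewall performs, using
the zones and rules transcribed from this lab's Firewall config.
Rules are evaluated top-down, first match wins, and an inter-zone flow
that matches no rule is denied (the default policy)."""
import ipaddress

# Zone membership derived from the directly connected interface subnets.
ZONES = {
    "trust":   ["192.168.0.0/24", "192.168.1.0/24"],   # GE0/0/0, GE1/0/1
    "dmz":     ["192.168.2.0/24"],                     # GE1/0/2
    "untrust": ["100.1.1.0/24"],                       # GE1/0/3
}
ZONES = {z: [ipaddress.ip_network(n) for n in nets] for z, nets in ZONES.items()}

# security-policy rules in configured order:
# (name, source-zone, destination-zone, source-address, destination-address, action)
# None means "any", exactly as an omitted address clause does on the firewall.
RULES = [
    ("trust_to_untrust", "trust",   "untrust", "192.168.1.0/24", None,               "permit"),
    ("trust_to_dmz",     "trust",   "dmz",     None,             None,               "permit"),
    ("untrust_to_dmz",   "untrust", "dmz",     None,             "192.168.2.100/32", "permit"),
]

def zone_of(ip):
    """Map an address to the zone of the interface that reaches it."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return None

def _matches(addr, prefix):
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def evaluate(src_ip, dst_ip):
    """Return (action, rule_name) for a flow. For the published server the
    destination is its real inside address (192.168.2.100), because the
    lab's policy is written against that address, not the global 100.1.1.100."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", "unroutable")
    if src_zone == dst_zone:
        return ("n/a", "intrazone")   # intra-zone forwarding is not modelled here
    for name, sz, dz, src, dst, action in RULES:
        if sz == src_zone and dz == dst_zone and _matches(src_ip, src) and _matches(dst_ip, dst):
            return (action, name)
    return ("deny", "default")

if __name__ == "__main__":
    for flow in [("192.168.1.1", "100.1.1.2"),      # PC to Internet: permitted (then source NAT)
                 ("192.168.0.5", "100.1.1.2"),      # management subnet: no rule covers it
                 ("100.1.1.2", "192.168.2.100"),    # Internet to the published web server
                 ("100.1.1.2", "192.168.2.101"),    # Internet to any other DMZ host
                 ("100.1.1.2", "192.168.1.1")]:     # Internet to the trust LAN
        print(flow, "->", evaluate(*flow))
```

Running it shows why the lab's PC on 192.168.1.0/24 reaches both the Internet and the DMZ while a host on the 192.168.0.0/24 management subnet, although also in trust, is denied by trust_to_untrust's source-address clause; it also shows that the only inbound path from untrust is to 192.168.2.100.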
The Internet router (internet) configuration is as follows:
[internet]dis cu
#
sysname internet
#
interface GigabitEthernet0/0/0
ip address 100.1.1.2 255.255.255.0
Firewall default credentials
Username: admin
Password: Admin@123
Changed account and password:
Username: admin
Password: Admin@1234
The lab configuration steps, in brief:
[USG6000V1]sysname Firewall
[Firewall]int g 1/0/1
[Firewall-GigabitEthernet1/0/1]ip add 192.168.1.254 24
[Firewall]int g 1/0/2
[Firewall-GigabitEthernet1/0/2]ip add 192.168.2.254 24
[Firewall]int g 1/0/3
[Firewall-GigabitEthernet1/0/3]ip add 100.1.1.1 24
[Firewall]firewall zone trust
[Firewall-zone-trust]add interface g 1/0/1
[Firewall]firewall zone untrust
[Firewall-zone-untrust]add interface g 1/0/3
[Firewall]firewall zone dmz
[Firewall-zone-dmz]add interface g 1/0/2
[Firewall]security-policy
[Firewall-policy-security]rule name trust_to_untrust
[Firewall-policy-security-rule-trust_to_untrust]source-zone trust
[Firewall-policy-security-rule-trust_to_untrust]destination-zone untrust
[Firewall-policy-security-rule-trust_to_untrust]source-address 192.168.1.0 24
[Firewall-policy-security-rule-trust_to_untrust]destination-address any
[Firewall-policy-security-rule-trust_to_untrust]action permit
[Firewall-policy-security-rule-trust_to_untrust]q
[Firewall]nat address-group addressgroup1
[Firewall-address-group-addressgroup1]mode pat
[Firewall-address-group-addressgroup1]section 0 100.1.1.10 100.1.1.20
[Firewall-address-group-addressgroup1]q
[Firewall]nat-policy
[Firewall-policy-nat]rule name policy_nat1
[Firewall-policy-nat-rule-policy_nat1]source-zone trust
[Firewall-policy-nat-rule-policy_nat1]destination-zone untrust
[Firewall-policy-nat-rule-policy_nat1]source-address 192.168.1.0 24
[Firewall-policy-nat-rule-policy_nat1]destination-address any
[Firewall-policy-nat-rule-policy_nat1]action source-nat address-group addressgroup1
[Firewall-policy-nat-rule-policy_nat1]q
[Firewall-policy-nat-rule-policy_nat1]dis th
2024-10-26 15:49:16.850
#
rule name policy_nat1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group addressgroup1
#
[Firewall]display firewall session table
2024-10-26 15:55:38.300
Current Total Sessions : 5
icmp VPN: public --> public 192.168.1.1:64272[100.1.1.20:2057] --> 100.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:63760[100.1.1.20:2055] --> 100.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:63248[100.1.1.20:2053] --> 100.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:63504[100.1.1.20:2054] --> 100.1.1.2:2048
icmp VPN: public --> public 192.168.1.1:64016[100.1.1.20:2056] --> 100.1.1.2:2048
[Firewall]security-policy
[Firewall-policy-security]rule name trust_to_dmz
[Firewall-policy-security-rule-trust_to_dmz]source-zone trust
[Firewall-policy-security-rule-trust_to_dmz]destination-zone dmz
[Firewall-policy-security-rule-trust_to_dmz]action permit
nat server 0 protocol tcp global 100.1.1.100 www inside 192.168.2.100 www
rule name untrust_to_dmz
source-zone untrust
destination-zone dmz
destination-address 192.168.2.100 mask 255.255.255.255
action permit
[Firewall]dis firewall session table
2024-10-26 16:09:37.610
Current Total Sessions : 1
http VPN: public --> public 100.1.1.2:50224 --> 100.1.1.100:80[192.168.2.100:80]
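The two session-table dumps above show both NAT directions: in the ICMP sessions the translated source 100.1.1.20 appears in brackets after the original source (source NAT from addressgroup1), and in the HTTP session the real server 192.168.2.100:80 appears in brackets after the global destination 100.1.1.100:80 (nat server). Checking that every session's translation is one the configuration actually allows is a useful sanity check. The following is an added example, not part of the lab page or of Huawei's software: a Python parser for these session lines that cross-checks each translation against the lab's address group (100.1.1.10 to 100.1.1.20) and nat server mapping. The sample input is constructed from two lines of the lab output plus one deliberately inconsistent line; both arrow forms ("-->" and the "–>" seen in some copies of the output) are accepted.

```python
"""Added example (not from the lab page): parse `display firewall session
table` output and cross-check each session's NAT translation against the
NAT configuration shown in the lab (address group 100.1.1.10-100.1.1.20 for
source NAT, and nat server 100.1.1.100:80 -> 192.168.2.100:80)."""
import ipaddress
import re

# One session line: "<proto> VPN: <src-vpn> --> <dst-vpn> <src>[<xlated-src>] --> <dst>[<xlated-dst>]"
# Huawei prints "-->"; some copies of the output render it as "–>", so both are accepted.
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*(?P<svpn>\S+)\s*[-–]+>\s*(?P<dvpn>\S+)\s+"
    r"(?P<src>[\d.]+:\d+)(?:\[(?P<xsrc>[\d.]+:\d+)\])?\s*[-–]+>\s*"
    r"(?P<dst>[\d.]+:\d+)(?:\[(?P<xdst>[\d.]+:\d+)\])?\s*$"
)

def _endpoint(text):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); None stays None."""
    if text is None:
        return None
    ip, port = text.rsplit(":", 1)
    return (ip, int(port))

def parse_session(line):
    """Return a dict for one session line, or None for any other line."""
    m = SESSION_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": _endpoint(m["src"]),    # source before translation
        "xsrc": _endpoint(m["xsrc"]),  # source after source NAT (bracketed after src)
        "dst": _endpoint(m["dst"]),    # destination as received on ingress
        "xdst": _endpoint(m["xdst"]),  # real server after destination NAT (bracketed after dst)
    }

# NAT configuration transcribed from the lab.
SNAT_POOL = (ipaddress.ip_address("100.1.1.10"), ipaddress.ip_address("100.1.1.20"))
NAT_SERVERS = {("100.1.1.100", 80): ("192.168.2.100", 80)}

def check_session(sess, pool=SNAT_POOL, servers=NAT_SERVERS):
    """Return finding tags; an empty list means the translation matches the config."""
    findings = []
    if sess["xsrc"] is not None:
        xip = ipaddress.ip_address(sess["xsrc"][0])
        if not (pool[0] <= xip <= pool[1]):
            findings.append("snat_outside_pool")
    if sess["xdst"] is not None and servers.get(sess["dst"]) != sess["xdst"]:
        findings.append("dnat_not_configured")
    return findings

def audit(output):
    """Parse a whole dump; return (sessions, {session_index: findings})."""
    sessions = [s for s in (parse_session(l) for l in output.splitlines()) if s]
    problems = {i: f for i, s in enumerate(sessions) if (f := check_session(s))}
    return sessions, problems

# Constructed sample: two lines copied from the lab output plus one
# deliberately inconsistent line (source NAT address outside addressgroup1).
SAMPLE = """\
Current Total Sessions : 3
icmp VPN: public --> public 192.168.1.1:64272[100.1.1.20:2057] --> 100.1.1.2:2048
http VPN: public --> public 100.1.1.2:50224 --> 100.1.1.100:80[192.168.2.100:80]
tcp VPN: public --> public 192.168.1.1:40000[100.1.1.99:3001] --> 100.1.1.2:22
"""

if __name__ == "__main__":
    sessions, problems = audit(SAMPLE)
    for i, s in enumerate(sessions):
        print(i, s["proto"], s["src"], "->", s["dst"], problems.get(i, "ok"))
```

The third sample line is flagged with snat_outside_pool because 100.1.1.99 is not inside the configured section 100.1.1.10 to 100.1.1.20; a translation to a global address the nat server command does not publish would be flagged as dnat_not_configured in the same way.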
Lab observations:
PC configuration:
After the firewall policy trust_to_dmz is permitted, the PC can ping the server:
Server mapping observation
The server is published through a NAT address mapping (nat server)