1. Network topology
2. Planning notes
2.1 IP address plan
| Device | Interface | Security zone | IP address |
|---|---|---|---|
| FW1 | GE0/0/0 | Local | 192.168.0.10/24 |
| | GE1/0/0 | Local | 202.100.2.10/24 |
| | GE1/0/1 | Local | 202.100.1.10/24 |
| | GE1/0/2 | Local | 10.1.1.10/24 |
| | GE1/0/3 | Local | 10.1.2.10/24 |
| | GE1/0/4 | Local | 10.1.3.10/24 |
| | GE1/0/5 | Local | 192.168.34.10/24 |
| ISP1 | GE0/0/0 | untrust | 11.1.1.20/24 |
| | GE0/0/1 | untrust | 202.100.1.20/24 |
| | Loopback0 | untrust | 1.1.1.1/32 |
| | Loopback1 | untrust | 2.2.2.2/32 |
| ISP2 | GE0/0/0 | untrust | 12.1.1.20/24 |
| | GE0/0/1 | untrust | 202.100.2.20/24 |
| | Loopback0 | untrust | 3.3.3.3/32 |
| | Loopback1 | untrust | 4.4.4.4/32 |
| Internet | GE0/0/0 | untrust | 11.1.1.30/24 |
| | GE0/0/1 | untrust | 12.1.1.30/24 |
| | GE0/0/2 | untrust | 120.1.1.30/24 |
| http_server | Ethernet0/0/0 | untrust | 120.1.1.2/24 |
| DMZ_Server | Ethernet0/0/0 | dmz | 192.168.34.1/24 |
| kali_linux | Ethernet0/0/0 | trust | 10.1.1.1/24 |
| PC1 | Ethernet0/0/0 | trust | 10.1.2.1/24 |
| PC2 | Ethernet0/0/0 | trust | 10.1.3.1/24 |
| MGMT_PC | Ethernet0/0/0 | trust | 192.168.0.1/24 |
2.2 Lab requirements
By configuring ISP address files, traffic to 1.1.1.1/32 and 2.2.2.2/32 should take the optimal path through ISP1, and traffic to 3.3.3.3/32 and 4.4.4.4/32 the optimal path through ISP2. When one link fails, access to these four addresses must continue unaffected.
3. Configuration
3.1 Configuration outside the firewall
3.1.1 ISP1 router
<Huawei>system-view
[Huawei]sysname ISP1
[ISP1]user-interface con 0
[ISP1-ui-console0]idle-timeout 0 0
[ISP1]interface GigabitEthernet 0/0/0
[ISP1-GigabitEthernet0/0/0]ip address 11.1.1.20 24
[ISP1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP1-GigabitEthernet0/0/1]ip address 202.100.1.20 24
[ISP1-GigabitEthernet0/0/1]interface Loopback 0
[ISP1-LoopBack0]ip address 1.1.1.1 32
[ISP1-LoopBack0]interface Loopback 1
[ISP1-LoopBack1]ip address 2.2.2.2 32
[ISP1-LoopBack1]ip route-static 0.0.0.0 0 11.1.1.30
3.1.2 ISP2 router
<Huawei>system-view
[Huawei]sysname ISP2
[ISP2]user-interface con 0
[ISP2-ui-console0]idle-timeout 0 0
[ISP2-ui-console0]interface GigabitEthernet 0/0/0
[ISP2-GigabitEthernet0/0/0]ip address 12.1.1.20 24
[ISP2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP2-GigabitEthernet0/0/1]ip address 202.100.2.20 24
[ISP2-GigabitEthernet0/0/1]interface Loopback 0
[ISP2-LoopBack0]ip address 3.3.3.3 32
[ISP2-LoopBack0]interface Loopback 1
[ISP2-LoopBack1]ip address 4.4.4.4 32
[ISP2-LoopBack1]ip route-static 0.0.0.0 0 12.1.1.30
3.1.3 Internet router
<Huawei>system-view
[Huawei]sysname Internet
[Internet]user-interface con 0
[Internet-ui-console0]idle-timeout 0 0
[Internet-ui-console0]interface GigabitEthernet 0/0/0
[Internet-GigabitEthernet0/0/0]ip address 11.1.1.30 24
[Internet-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]ip address 12.1.1.30 24
[Internet-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]ip address 120.1.1.30 24
[Internet-GigabitEthernet0/0/2]ip route-static 202.100.1.0 24 11.1.1.20
[Internet]ip route-static 1.1.1.1 32 11.1.1.20
[Internet]ip route-static 2.2.2.2 32 11.1.1.20
[Internet]ip route-static 202.100.2.0 24 12.1.1.20
[Internet]ip route-static 3.3.3.3 32 12.1.1.20
[Internet]ip route-static 4.4.4.4 32 12.1.1.20
3.1.4 HTTP server
The HTTP server is a VMware Workstation virtual machine bridged into eNSP, with a simple HTTP service configured on it.
3.1.5 MGMT_PC
MGMT_PC is my local physical host, bridged into eNSP; FW1 can be managed graphically from it through a browser.
3.1.6 Internal test hosts
3.2 Firewall configuration
3.2.1 Interface addresses and security zones
<USG6000V1>system-view
[USG6000V1]sysname FW1
[FW1]user-interface con 0
[FW1-ui-console0]idle-timeout 0 0
[FW1-ui-console0]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]ip address 192.168.0.10 24
[FW1-GigabitEthernet0/0/0]service-manage http permit
[FW1-GigabitEthernet0/0/0]service-manage https permit
[FW1-GigabitEthernet0/0/0]service-manage ping permit
[FW1-GigabitEthernet0/0/0]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 202.100.2.10 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 202.100.1.10 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.10 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1-GigabitEthernet1/0/2]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.1.2.10 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1-GigabitEthernet1/0/3]interface GigabitEthernet 1/0/4
[FW1-GigabitEthernet1/0/4]ip address 10.1.3.10 24
[FW1-GigabitEthernet1/0/4]service-manage ping permit
[FW1-GigabitEthernet1/0/4]interface GigabitEthernet 1/0/5
[FW1-GigabitEthernet1/0/5]ip address 192.168.34.10 24
[FW1-GigabitEthernet1/0/5]service-manage ping permit
[FW1-GigabitEthernet1/0/5]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/0
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]add interface GigabitEthernet 1/0/3
[FW1-zone-trust]add interface GigabitEthernet 1/0/4
[FW1-zone-trust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/5
[FW1-zone-dmz]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
3.2.2 ISP route selection configuration
1. Edit the ISP address file
2. Import the ISP file: open the Network tab, choose Intelligent Uplink Selection under Routing, click ISP Address Library, then click Import. Give the library a name and select the address file. If you are unsure how to write the file, download the address library file template, or visit https://isecurity.huawei.com/.
3. Enable and configure health checks
[FW1]healthcheck enable
[FW1]healthcheck name isp1
[FW1-healthcheck-isp1]destination 202.100.1.20 interface GigabitEthernet 1/0/1 protocol icmp
[FW1-healthcheck-isp1]tx-interval 3
[FW1-healthcheck-isp1]times 2
[FW1]healthcheck name isp2
[FW1-healthcheck-isp2]destination 202.100.2.20 interface GigabitEthernet 1/0/0 protocol icmp
[FW1-healthcheck-isp2]tx-interval 3
[FW1-healthcheck-isp2]times 2
4. Bind the ISP address library and the health check to each link interface, specify the next hop, and configure the default route
[FW1]link-interface 0 name isp1
[FW1-linkif-0]interface GigabitEthernet 1/0/1 next-hop 202.100.1.20
[FW1-linkif-0]healthcheck isp1
[FW1-linkif-0]isp isp1 route enable
[FW1-linkif-0]link-interface 1 name isp2
[FW1-linkif-1]interface GigabitEthernet 1/0/0 next-hop 202.100.2.20
[FW1-linkif-1]healthcheck isp2
[FW1-linkif-1]isp isp2 route enable
The second link interface binds the isp2 address library. Binding isp1 on both link interfaces would generate routes for the ISP1 addresses on both links and leave the ISP2 addresses with no ISP-generated route, which would not meet the requirement in 2.2.
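Steps 1 to 4 above describe how the firewall turns an ISP address library plus a health-checked link interface into a per-destination egress decision with failover. The following Python model, added here as an illustration and not code from the original post or from Huawei, replays that logic on the four loopback addresses in the lab: it parses two constructed address-library files, binds each to a link interface with its next hop, and shows what happens to the ISP1 destinations when the isp1 health check goes down. The "start,end" line layout of the library files, the preference order (ISP-library match first, any healthy link as the default-route fallback second), and all function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ISP address-library files for this example. The layout
# (one "start,end" IPv4 range per line, "#" comments) is an assumption of
# this example, not a statement about the firewall's real template.
ISP_FILES = {
    "isp1": "# ISP1 destinations\n1.1.1.1,1.1.1.1\n2.2.2.2,2.2.2.2\n",
    "isp2": "# ISP2 destinations\n3.3.3.3,3.3.3.3\n4.4.4.4,4.4.4.4\n",
}


def parse_isp_file(text):
    """Parse an address-library file into a list of (start, end) IPv4 ranges."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'start,end', got {raw!r}")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if end < start:
            raise ValueError(f"line {lineno}: range end precedes start")
        ranges.append((start, end))
    return ranges


@dataclass
class LinkInterface:
    """One 'link-interface' entry: egress port, next hop, bound ISP library."""
    name: str
    interface: str
    next_hop: str
    isp: str
    healthcheck_up: bool = True   # current verdict of the bound health check


# The two link interfaces from the FW1 configuration in step 4.
LINKS = [
    LinkInterface("isp1", "GigabitEthernet1/0/1", "202.100.1.20", "isp1"),
    LinkInterface("isp2", "GigabitEthernet1/0/0", "202.100.2.20", "isp2"),
]

LIBRARIES = {name: parse_isp_file(text) for name, text in ISP_FILES.items()}


def in_library(addr, ranges):
    return any(start <= addr <= end for start, end in ranges)


def select_egress(dst, links=LINKS, libraries=LIBRARIES):
    """Return the link a packet to dst leaves on, or None if no link is usable.

    Preference order modelled here (an assumption of this example):
      1. a healthy link whose ISP library contains dst (the ISP-generated route);
      2. otherwise any healthy link, standing in for the default route that
         keeps the four addresses reachable after a link failure.
    """
    addr = ipaddress.IPv4Address(dst)
    healthy = [link for link in links if link.healthcheck_up]
    for link in healthy:
        if in_library(addr, libraries[link.isp]):
            return link
    return healthy[0] if healthy else None


def set_link_state(name, up, links=LINKS):
    """Emulate the health check marking a link interface up or down."""
    for link in links:
        if link.name == name:
            link.healthcheck_up = up
            return
    raise KeyError(name)


def egress_table(dsts=("1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4")):
    """Map each destination to (egress interface, next hop) for the current link states."""
    table = {}
    for dst in dsts:
        link = select_egress(dst)
        table[dst] = (link.interface, link.next_hop) if link else None
    return table


if __name__ == "__main__":
    print("both links up:", egress_table())
    set_link_state("isp1", False)   # GE1/0/1 shut down, as in test step 5
    print("isp1 down:    ", egress_table())
    set_link_state("isp1", True)
```

With both links up, 1.1.1.1 and 2.2.2.2 resolve to GE1/0/1 with next hop 202.100.1.20 and 3.3.3.3 and 4.4.4.4 to GE1/0/0 with next hop 202.100.2.20, which is what the session table in section 4 shows. Once the isp1 check is marked down, the ISP1 destinations move to the isp2 link; only when both checks are down does the model return None, the case in which the health-check interval and count (tx-interval 3, times 2) decide how long users see the outage.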
3.2.3 Security policy
[FW1]ip address-set pc type object
[FW1-object-address-set-pc]address 10.1.1.0 mask 24
[FW1-object-address-set-pc]address 10.1.2.0 mask 24
[FW1-object-address-set-pc]address 10.1.3.0 mask 24
[FW1]security-policy
[FW1-policy-security]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust
[FW1-policy-security-rule-trust_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_untrust]source-address address-set pc
[FW1-policy-security-rule-trust_untrust]action permit
3.2.4 Source NAT
[FW1]nat-policy
[FW1-policy-nat]rule name easy-ip
[FW1-policy-nat-rule-easy-ip]source-zone trust
[FW1-policy-nat-rule-easy-ip]destination-zone untrust
[FW1-policy-nat-rule-easy-ip]source-address address-set pc
[FW1-policy-nat-rule-easy-ip]action source-nat easy-ip
4. Verification
① Check the health-check status
[FW1]display healthcheck
2022-04-14 08:00:41.020
Current Total Healthcheck Number : 2
Name Member State Up/Down/Init
isp1 1 up 1 0 0
isp2 1 up 1 0 0
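Looking at display healthcheck by hand works in a lab, but in operation you want the same check run on a schedule so that a failed uplink probe raises an alarm before users report it. The following Python snippet, added here as an example and not part of the original post, parses output in the layout shown above and reports any health check that is not up, any check whose member counters disagree with its state, and a mismatch between the declared total and the rows actually seen (which would indicate truncated output). The sample output with the isp1 probe failed is constructed for this example, and the function names are assumptions.

```python
import re

# Constructed sample in the layout of 'display healthcheck' shown above;
# here the isp1 probe has failed, so its member is counted under Down.
ISP1_DOWN_OUTPUT = """\
[FW1]display healthcheck
2022-04-14 08:05:12.300
Current Total Healthcheck Number : 2
Name Member State Up/Down/Init
isp1 1 down 0 1 0
isp2 1 up 1 0 0
"""

# Constructed sample matching the healthy state from the lab.
ALL_UP_OUTPUT = """\
Current Total Healthcheck Number : 2
Name Member State Up/Down/Init
isp1 1 up 1 0 0
isp2 1 up 1 0 0
"""

TOTAL = re.compile(r"Current Total Healthcheck Number\s*:\s*(\d+)")
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(up|down|init)\s+(\d+)\s+(\d+)\s+(\d+)$", re.I)


def parse_healthcheck(text):
    """Return {name: {members, state, up, down, init}} for each table row."""
    checks = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue   # prompt, timestamp, totals line, and column header
        name, members, state, up, down, init = m.groups()
        checks[name] = {
            "members": int(members),
            "state": state.lower(),
            "up": int(up),
            "down": int(down),
            "init": int(init),
        }
    return checks


def audit_healthcheck(text):
    """List human-readable problems found in one display healthcheck capture."""
    checks = parse_healthcheck(text)
    problems = []
    m = TOTAL.search(text)
    if m and int(m.group(1)) != len(checks):
        problems.append(f"expected {m.group(1)} checks, parsed {len(checks)}")
    for name, c in sorted(checks.items()):
        if c["state"] != "up":
            problems.append(f"{name} is {c['state']}")
        elif c["down"] or c["init"]:
            problems.append(f"{name} is up but has {c['down']} down / {c['init']} init members")
        if c["up"] + c["down"] + c["init"] != c["members"]:
            problems.append(f"{name}: member counters do not add up to {c['members']}")
    return problems


if __name__ == "__main__":
    for label, text in (("all up", ALL_UP_OUTPUT), ("isp1 down", ISP1_DOWN_OUTPUT)):
        print(label, "->", audit_healthcheck(text) or "OK")
```

Feed the function the text captured from the firewall (for example over SSH on a schedule) and page on a non-empty result; with the health-check timers in 3.2.2 (tx-interval 3, times 2) a dead next hop is reported within a few seconds, which is also the window in which the ISP-routed traffic moves to the surviving link.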
② Check the routing table: UNR routes have been generated
③ Ping ISP1 and ISP2 respectively and check the session table: addresses in the ISP1 library leave through GE1/0/1 with next hop 202.100.1.20, and addresses in the ISP2 library leave through GE1/0/0 with next hop 202.100.2.20.
④ The health-check probe packets no longer need to be explicitly permitted in newer versions; they can be recognised in the session table by policyname:---
⑤ Simulate a failure of the link to ISP1 by shutting down interface GE1/0/1 on the FW.
⑥ Traffic switches to ISP2 immediately
Source: 博客园