测试2

一,网络拓扑

二,规划说明

2.1IP地址规划

设备  接口 安全区域 IP地址
FW1 GE0/0/0 Local 192.168.0.10/24
GE1/0/0 Local 202.100.2.10/24
GE1/0/1 Local 202.100.1.10/24
GE1/0/2 Local 10.1.1.10/24
GE1/0/3 Local 10.1.2.10/24
GE1/0/4 Local 10.1.3.10/24
GE1/0/5 Local 192.168.34.10/24
ISP1 GE0/0/0 untrust 11.1.1.20/24
GE0/0/1 untrust 202.100.1.20/24
Loopback0 untrust 1.1.1.1/32
Loopback1 untrust 2.2.2.2/32
ISP2 GE0/0/0 untrust 12.1.1.20/24
GE0/0/1 untrust 202.100.2.20/24
Loopback0 untrust 3.3.3.3/32
Loopback1 untrust 4.4.4/32
Internet GE0/0/0  untrust 11.1.1.30/24 
GE0/0/1 untrust 12.1.1.30/24
GE0/0/2 untrust  120.1.1.30/24
http_server Ethernet0/0/0 untrust 120.1.1.2/24
DMZ_Server Ethernet0/0/0 dmz 192.168.34.1/24
kali_linux Ethernet0/0/0 trust 10.1.1.1/24
PC1 Ethernet0/0/0 trust 10.1.2.1/24
PC2 Ethernet0/0/0 trust 10.1.3.1/24
MGMT_PC Ethernet0/0/0 trust 192.168.0.1/24

 2.2实验需求

   通过配置ISP地址文件,使得访问1.1.1.1/32和2.2.2.2/32时选择最优路径ISP1,访问3.3.3.3/32和4.4.4.4/32时选择最优路径ISP2。在链路发生故障时也依然可以不影响访问这四个地址。

三,配置部分

3.1防火墙以外的配置

3.1.1 ISP1路由器

<Huawei>system-view 
[Huawei]sysname ISP1
[ISP1]user-interface  con 0
[ISP1-ui-console0]idle-timeout 0 0
[ISP1]interface GigabitEthernet 0/0/0
[ISP1-GigabitEthernet0/0/0]ip address 11.1.1.20 24
[ISP1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP1-GigabitEthernet0/0/1]ip address 202.100.1.20 24
[ISP1-GigabitEthernet0/0/1]interface Loopback 0
[ISP1-LoopBack0]ip address 1.1.1.1 32
[ISP1-LoopBack0]interface Loopback 1
[ISP1-LoopBack1]ip address 2.2.2.2 32
[ISP1-LoopBack1]ip route-static 0.0.0.0 0 11.1.1.30

3.1.2ISP2路由器

<Huawei>system-view 
[Huawei]sysname ISP2
[ISP2]user-interface  con 0
[ISP2-ui-console0]idle-timeout 0 0
[ISP2-ui-console0]interface GigabitEthernet 0/0/0
[ISP2-GigabitEthernet0/0/0]ip address 12.1.1.20 24
[ISP2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP2-GigabitEthernet0/0/1]ip address 202.100.2.20 24
[ISP2-GigabitEthernet0/0/1]interface Loopback 0
[ISP2-LoopBack0]ip address 3.3.3.3 32
[ISP2-LoopBack0]interface Loopback 1
[ISP2-LoopBack1]ip address 4.4.4.4 32
[ISP2-LoopBack1]ip route-static 0.0.0.0 0 12.1.1.30

3.1.3Internet路由器

<Huawei>system-view 
[Huawei]sysname Internet
[Internet]user-interface  con 0
[Internet-ui-console0]idle-timeout 0 0
[Internet-ui-console0]interface GigabitEthernet 0/0/0
[Internet-GigabitEthernet0/0/0]ip address 11.1.1.30 24
[Internet-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]ip address 12.1.1.30 24
[Internet-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]ip address 120.1.1.30 24
[Internet-GigabitEthernet0/0/2]ip address 120.1.1.30 24
[Internet-GigabitEthernet0/0/2]ip route-static 202.100.1.0 24 11.1.1.20
[Internet]ip route-static 1.1.1.1 32 11.1.1.20
[Internet]ip route-static 2.2.2.2 32 11.1.1.20
[Internet]ip route-static 202.100.2.0 24 12.1.1.20
[Internet]ip route-static 3.3.3.3 32 12.1.1.20
[Internet]ip route-static 4.4.4.4 32 12.1.1.20

3.1.4 Http Server

  Http Server是使用ENSP桥接的一台vmware workstation的一台虚机,简单的配置了http。

 

 

 3.1.5MGMT_PC

  MGPT_PC是ENSP桥接到我本地的物理机,可以通过浏览器进行图形化管理FW1。

 

 3.1.6 内网测试主机

 

 

 

 3.2 防火墙配置

3.2.1接口地址以及安全区域

<USG6000V1>system-view 
[USG6000V1]sysname FW1
[FW1]user-interface  con 0
[FW1-ui-console0]idle-timeout 0 0
[FW1-ui-console0]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]ip address 192.168.0.10 24
[FW1-GigabitEthernet0/0/0]service-manage http permit
[FW1-GigabitEthernet0/0/0]service-manage https permit
[FW1-GigabitEthernet0/0/0]service-manage ping permit
[FW1-GigabitEthernet0/0/0]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address  202.100.2.10 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 202.100.1.10 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]interface GigabitEthernet  1/0/2
[FW1-GigabitEthernet1/0/2]ip address  10.1.1.10 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1-GigabitEthernet1/0/2]interface GigabitEthernet   1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.1.2.10  24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1-GigabitEthernet1/0/3]interface GigabitEthernet   1/0/4
[FW1-GigabitEthernet1/0/4]ip address 10.1.3.10 24
[FW1-GigabitEthernet1/0/4]service-manage ping permit
[FW1-GigabitEthernet1/0/4]interface GigabitEthernet   1/0/5
[FW1-GigabitEthernet1/0/5]ip address 192.168.34.10 24
[FW1-GigabitEthernet1/0/5]service-manage ping permit
[FW1-GigabitEthernet1/0/5]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/0
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]add interface GigabitEthernet 1/0/3
[FW1-zone-trust]add interface GigabitEthernet 1/0/4
[FW1-zone-trust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/5
[FW1-zone-dmz]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1

3.2.2 ISP选路配置

1.编辑ISP文件

 

 

 2.导入ISP文件,选择进入网络界面,选择路由中的智能选路,点击运营商地址库,点击导入。先命名名称和选择地址库,文件,如果不知道怎么编辑可以下载地址库文件模板下载。也可以前往https://isecurity.huawei.com/。

 

 

 3.开启并配置健康检查

[FW1]healthcheck  enable
[FW1]healthcheck name isp1
[FW1-healthcheck-isp1]destination 202.100.1.20  interface  GigabitEthernet  1/0/1 protocol  icmp  
[FW1-healthcheck-isp1]tx-interval  3
[FW1-healthcheck-isp1]times 2
[FW1]healthcheck  name isp2
[FW1-healthcheck-isp2]destination 202.100.2.20 interface GigabitEthernet 1/0/0 protocol icmp 
[FW1-healthcheck-isp2]tx-interval  3
[FW1-healthcheck-isp2]times 2

4.在链路接口调用运营商库和健康检查,指定下一跳并且配置缺省路由

[FW1]link-interface 0 name isp1
[FW1-linkif-0]interface  GigabitEthernet  1/0/1 next-hop  202.100.1.20 
[FW1-linkif-0]healthcheck  isp1
[FW1-linkif-0]isp isp1 route enable 
[FW1-linkif-0]link-interface 1 name isp2
[FW1-linkif-1] interface GigabitEthernet1/0/0 next-hop 202.100.2.20
[FW1-linkif-1] healthcheck isp2
[FW1-linkif-1] isp isp1 route enable

3.2.3 安全策略

[FW1]ip address-set  pc type  object  
[FW1-object-address-set-pc]address 10.1.1.0 mask 24
[FW1-object-address-set-pc]address 10.1.2.0 mask 24
[FW1-object-address-set-pc]address 10.1.3.0 mask 24
[FW1]security-policy
[FW1-policy-security]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust
[FW1-policy-security-rule-trust_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_untrust]source-address address-set  pc 
[FW1-policy-security-rule-trust_untrust]action  permit

3.2.4  源NAT

[FW1]nat-policy 
[FW1-policy-nat]rule name easy-ip
[FW1-policy-nat-rule-easy-ip]source-zone trust
[FW1-policy-nat-rule-easy-ip]destination-zone  untrust
[FW1-policy-nat-rule-easy-ip]source-address address-set pc 
[FW1-policy-nat-rule-easy-ip]action   source-nat  easy-ip

四,效果测试

①查看健康检查状态

[FW1]display  healthcheck 
2022-04-14 08:00:41.020 
Current Total Healthcheck Number : 2
Name                              Member   State   Up/Down/Init
isp1                              1        up      1  0    0   
isp2                              1        up      1  0    0

②查看路由表,产生了Unr路由

 

 

 ③分别ping ISP1和ISP2,查看会话表,ISP1地址库的地址从GE1/0/1口出下一跳是202.100.1.20,ISP2地址库的地址从GE1/0/0口出下一跳是202.100.2.20。

 

 

 

 

 ④安全检查的探测报文,新版本后不需要放行,特征是policyname:---

 

 

 ⑤使得与ISP1连接的链路故障,在FW的GE1/0/1接口上shutdown。

 

 

 

 

 

 ⑥立刻切换到ISP2

 

 

 

 

 

 

 

 

 

 

内容来源于网络如有侵权请私信删除

文章来源: 博客园

原文链接: https://www.cnblogs.com/l-f-a-l/p/16144344.html

标签: 网络安全
你还没有登录,请先登录注册
  • 还没有人评论,欢迎说说您的想法!

相关课程

基于 OpenVINO™ 的 AI 视觉应用基础课
56106 0元 限免
英特尔 OpenCV 初级认证课程
7945 0元 限免