Topology diagram
Step 1. Basic configuration and IP addressing
Assign IP addresses to the routers and the firewall, configure static routes, and create the VLANs on the switch.
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 1.1.1.1 24
[R1-GigabitEthernet0/0/1]interface loopback 0
[R1-LoopBack0]ip address 11.11.11.11 24
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface GigabitEthernet0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.0.20.2 24
[R2-GigabitEthernet0/0/1]interface loopback 0
[R2-LoopBack0]ip address 10.0.2.2 24
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface GigabitEthernet0/0/1
[R3-GigabitEthernet0/0/1]ip address 10.0.20.3 24
[R3-GigabitEthernet0/0/1]interface loopback 0
[R3-LoopBack0]ip address 10.0.3.3 24
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R4
[R4]interface GigabitEthernet 0/0/1
[R4-GigabitEthernet0/0/1]ip address 10.0.40.4 24
[R4-GigabitEthernet0/0/1]interface loopback 0
[R4-LoopBack0]ip address 10.0.4.4 24
The firewall has an IP address on GigabitEthernet0/0/0 (the management interface) by default; remove it so it does not interfere with the lab. GigabitEthernet1/0/0 faces R1 and must sit in 1.1.1.0/24, since the default route below points at 1.1.1.1 and the NAT address pool uses 1.1.1.254.
<USG6300>system-view
Enter system view, return user view with Ctrl+Z.
[USG6300]sysname FW
[FW]int GigabitEthernet 0/0/0
[FW-GigabitEthernet0/0/0]undo ip address
[FW-GigabitEthernet0/0/0]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 1.1.1.254 24
[FW-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]ip address 10.0.20.254 24
[FW-GigabitEthernet1/0/1]interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2]ip address 10.0.40.254 24
[FW-GigabitEthernet1/0/2]quit
Define the VLANs required on the switch and put each access port in its VLAN.
[Quidway]sysname S1
[S1]vlan batch 11 to 13
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 11
[S1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type access
[S1-GigabitEthernet0/0/2]port default vlan 12
[S1-GigabitEthernet0/0/2]interface GigabitEthernet 0/0/3
[S1-GigabitEthernet0/0/3]port link-type access
[S1-GigabitEthernet0/0/3]port default vlan 12
[S1-GigabitEthernet0/0/3]interface GigabitEthernet 0/0/4
[S1-GigabitEthernet0/0/4]port link-type access
[S1-GigabitEthernet0/0/4]port default vlan 13
[S1-GigabitEthernet0/0/4]interface GigabitEthernet 0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 11
[S1-GigabitEthernet0/0/21]interface GigabitEthernet 0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 12
[S1-GigabitEthernet0/0/22]interface GigabitEthernet 0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 13
Configure default routes on R2, R3 and R4 and explicit static routes on the FW so that the networks behind the four Loopback0 interfaces can reach each other. R1 needs no default route: it plays the Internet and must not know anything about the private networks in the trust and DMZ zones. It only needs its connected route to 1.1.1.0/24, because the source NAT and NAT Server configured later make all traffic appear to come from, and be addressed to, the firewall's public address 1.1.1.254.
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.20.254
[R4]ip route-static 0.0.0.0 0 10.0.40.254
[FW]ip route-static 10.0.2.0 24 10.0.20.2
[FW]ip route-static 10.0.3.0 24 10.0.20.3
[FW]ip route-static 10.0.4.0 24 10.0.40.4
[FW]ip route-static 0.0.0.0 0 1.1.1.1
After configuring, check the firewall's routing table with display ip routing-table: the three static routes to 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24 and the default route via 1.1.1.1 should all be present.
Step 2. Assign the interfaces to security zones
The firewall has four zones by default: local, trust, untrust and dmz. This lab uses trust, untrust and dmz; add each interface to its zone. GigabitEthernet0/0/0 is placed in trust by the default configuration, so remove it to avoid interference.
[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet 1/0/2
[FW-zone-dmz]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/1
[FW-zone-trust]undo add interface GigabitEthernet 0/0/0
[FW-zone-trust]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/0
[FW-zone-untrust]quit
Check the zone of each interface (display zone):
Check the zone priorities (local 100, trust 85, dmz 50, untrust 5, as shown in the final configuration):
The three interfaces are now in their zones. By default, traffic between different zones is not permitted, so at this point no traffic can pass between the routers even though routing is complete.
Step 3. Configure the security policy
If no security policy is configured between two zones, or a packet matches none of the configured rules, the default interzone packet-filter action applies, and that action is deny.
Permit packets from the trust networks 10.0.2.0/24 and 10.0.3.0/24 to the untrust zone, and permit Telnet and FTP requests from the untrust zone to the DMZ server 10.0.4.4.
Note that policy_sec_2 matches on the server's real address 10.0.4.4 and the real services telnet and ftp, not on the public address and ports published in step 5: on the USG the NAT Server translation is applied before the security-policy lookup, so the policy sees the post-translation destination. Nothing permits untrust to trust or dmz to trust, so neither R1 nor the DMZ server can open connections into the inside network.
[FW]security-policy
[FW-policy-security]rule name policy_sec_1
[FW-policy-security-rule-policy_sec_1]source-zone trust
[FW-policy-security-rule-policy_sec_1]destination-zone untrust
[FW-policy-security-rule-policy_sec_1]source-address 10.0.2.0 mask 255.255.255.0
[FW-policy-security-rule-policy_sec_1]source-address 10.0.3.0 mask 255.255.255.0
[FW-policy-security-rule-policy_sec_1]action permit
[FW-policy-security-rule-policy_sec_1]rule name policy_sec_2
[FW-policy-security-rule-policy_sec_2]source-zone untrust
[FW-policy-security-rule-policy_sec_2]destination-zone dmz
[FW-policy-security-rule-policy_sec_2]destination-address 10.0.4.4 mask 255.255.255.255
[FW-policy-security-rule-policy_sec_2]service ftp
[FW-policy-security-rule-policy_sec_2]service telnet
[FW-policy-security-rule-policy_sec_2]action permit
Step 4. Configure source NAT
Translate the source address to the public address 1.1.1.254 using an address pool.
[FW]nat address-group group1
[FW-nat-address-group-group1]section 1.1.1.254 1.1.1.254
After configuring, check the address-pool status (display nat address-group).
Configure the source NAT policy. The source addresses are the two loopback networks, matching policy_sec_1:
[FW]nat-policy
[FW-policy-nat]rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1]source-zone trust
[FW-policy-nat-rule-policy_nat_1]destination-zone untrust
[FW-policy-nat-rule-policy_nat_1]source-address 10.0.2.0 24
[FW-policy-nat-rule-policy_nat_1]source-address 10.0.3.0 24
[FW-policy-nat-rule-policy_nat_1]action nat address-group group1
[FW-policy-nat-rule-policy_nat_1]quit
Test connectivity:
Note that a plain ping from R2 or R3 to 11.11.11.11 fails, while an extended ping with the source set to the loopback address (for example ping -a 10.0.2.2 11.11.11.11 on R2) succeeds.
The reason is that a plain ping to 11.11.11.11 uses the egress interface address 10.0.20.2 as its source. That address is in neither the source list of policy_sec_1 nor that of policy_nat_1, so the firewall drops the packet under the default interzone deny; even if it were permitted, it would reach R1 untranslated, and R1 has no route back to 10.0.20.0/24. With source 10.0.2.2 both the security policy and the NAT policy match and the packet leaves R1-bound with source 1.1.1.254.
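The zone, security-policy and source-NAT logic of steps 2 to 4, as an added Python model that is not part of the original lab and not Huawei code. It assumes a simplified lookup order (ingress and egress zone from the routing table, security policy with default deny, then NAT policy for permitted flows) and uses only the addresses, zones and rule names of this lab. It reproduces why the plain ping from 10.0.20.2 is dropped while the extended ping from 10.0.2.2 is permitted and translated.

```python
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network

# Interface -> zone as configured in step 2 (GE0/0/0 removed from trust).
IFACE_ZONE = {
    "GigabitEthernet1/0/0": "untrust",
    "GigabitEthernet1/0/1": "trust",
    "GigabitEthernet1/0/2": "dmz",
}

# Firewall routing table: connected networks plus the static routes of step 1.
ROUTES = {
    Net("1.1.1.0/24"): "GigabitEthernet1/0/0",
    Net("10.0.20.0/24"): "GigabitEthernet1/0/1",
    Net("10.0.40.0/24"): "GigabitEthernet1/0/2",
    Net("10.0.2.0/24"): "GigabitEthernet1/0/1",
    Net("10.0.3.0/24"): "GigabitEthernet1/0/1",
    Net("10.0.4.0/24"): "GigabitEthernet1/0/2",
    Net("0.0.0.0/0"): "GigabitEthernet1/0/0",  # default route via 1.1.1.1
}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                 # "permit", "deny" or "nat"
    src: list = field(default_factory=list)     # empty = any source
    dst: list = field(default_factory=list)     # empty = any destination
    services: set = field(default_factory=set)  # empty = any service


# security-policy rules from step 3, in lookup order.
SECURITY_POLICY = [
    Rule("policy_sec_1", "trust", "untrust", "permit",
         src=[Net("10.0.2.0/24"), Net("10.0.3.0/24")]),
    Rule("policy_sec_2", "untrust", "dmz", "permit",
         dst=[Net("10.0.4.4/32")], services={"ftp", "telnet"}),
]
# nat-policy rule from step 4; the pool holds the single address 1.1.1.254.
NAT_POLICY = [
    Rule("policy_nat_1", "trust", "untrust", "nat",
         src=[Net("10.0.2.0/24"), Net("10.0.3.0/24")]),
]
NAT_POOL = "1.1.1.254"


def zone_for(ip: str) -> str:
    """Zone of the interface chosen by longest-prefix match for ip.
    Applied to the source address this gives the ingress zone, applied
    to the destination the egress zone."""
    addr = ipaddress.ip_address(ip)
    best = max((net for net in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return IFACE_ZONE[ROUTES[best]]


def _hit(rule, src_zone, dst_zone, src, dst, service) -> bool:
    """Every condition of the rule must match; an empty condition means any."""
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and (not rule.src or any(src in n for n in rule.src))
            and (not rule.dst or any(dst in n for n in rule.dst))
            and (not rule.services or service in rule.services))


def forward(src_ip: str, dst_ip: str, service: str) -> dict:
    """Decide the fate of the first packet of a new interzone flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_for(src_ip), zone_for(dst_ip)
    result = {"src_zone": src_zone, "dst_zone": dst_zone, "rule": None,
              "action": "deny", "nat_rule": None, "translated_src": src_ip}
    for rule in SECURITY_POLICY:
        if _hit(rule, src_zone, dst_zone, src, dst, service):
            result.update(rule=rule.name, action=rule.action)
            break
    if result["action"] != "permit":
        return result  # no hit: the default interzone packet filter denies
    # Source NAT is applied only to flows the security policy permitted.
    for rule in NAT_POLICY:
        if _hit(rule, src_zone, dst_zone, src, dst, service):
            result.update(nat_rule=rule.name, translated_src=NAT_POOL)
            break
    return result


if __name__ == "__main__":
    for case in [("10.0.20.2", "11.11.11.11", "icmp"),   # plain ping from R2
                 ("10.0.2.2", "11.11.11.11", "icmp"),    # ping -a 10.0.2.2
                 ("1.1.1.1", "10.0.4.4", "telnet"),      # R1 -> DMZ server
                 ("1.1.1.1", "10.0.4.4", "ssh")]:        # not published
        print(case, forward(*case))
```

The model deliberately evaluates the security policy before the NAT policy: a flow that the policy denies is never translated, which is why adding 10.0.20.0/24 to policy_nat_1 alone would not make the plain ping work.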
Step 5. Configure NAT Server to publish the server
Configure NAT Server with the external address 1.1.1.254, Telnet on port 2323 and FTP on port 2121. The no-reverse keyword makes the mapping one-way: inbound connections to 1.1.1.254:2323 and 1.1.1.254:2121 are translated to 10.0.4.4, but the server's own outbound traffic is not translated to 1.1.1.254.
[FW]nat server policy_natserver_1 protocol tcp global 1.1.1.254 2323 inside 10.0.4.4 telnet no-reverse
[FW]nat server policy_natserver_2 protocol tcp global 1.1.1.254 2121 inside 10.0.4.4 ftp no-reverse
Enable the services on R4 (the vty user interfaces must be entered before their authentication mode can be set; the local user is created with the full password and service-type keywords, as in the final configuration):
[R4]telnet server enable
[R4]ftp server enable
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound telnet
[R4-ui-vty0-4]quit
[R4]aaa
[R4-aaa]local-user test password irreversible-cipher Admin@123
[R4-aaa]local-user test service-type telnet ftp
[R4-aaa]local-user test ftp-directory flash:/
[R4-aaa]local-user test privilege level 3
[R4-aaa]quit
Telnet and FTP send credentials and data in cleartext, and the test account has privilege level 3 with FTP access to flash:/. This is acceptable only in a lab whose purpose is to demonstrate the FTP ALG; a real DMZ host would publish SSH/SFTP and use a least-privilege account.
FTP is a multi-channel protocol: the data connection uses an address and port negotiated inside the control connection (the PORT and PASV commands), and after NAT Server translation the server's PASV reply would still carry its private address 10.0.4.4, which the client on the Internet cannot reach. The NAT ALG (detect ftp) inspects the control channel, rewrites that address to the published one and opens the negotiated data connection through the firewall.
Configure the NAT ALG between the dmz and untrust zones so the server can provide FTP service externally.
[FW]firewall interzone dmz untrust
[FW-interzone-dmz-untrust]detect ftp
Test from R1 with telnet 1.1.1.254 2323 and ftp 1.1.1.254 2121:
The untrust zone can reach the Telnet and FTP services published from the DMZ; connections to any other port on 1.1.1.254 have no NAT Server mapping and no matching security policy, so they are dropped by the default deny.
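The NAT Server mapping and the FTP ALG of step 5, as an added Python model that is not part of the original lab and not Huawei code. It assumes the ALG behaviour described above: rewrite the address in the server's PASV reply to the published address and open a pinhole for the client's data connection; in active mode, open a pinhole for the server's connection back to the client, and refuse a PORT command whose address is not the client's own (the FTP bounce case). The FTP lines and the data port 5001 are constructed sample input.

```python
import re

PUBLIC_IP, SERVER_IP = "1.1.1.254", "10.0.4.4"

# nat server policy_natserver_1/2 from step 5: (global ip, port) -> (inside ip, port)
NAT_SERVER = {
    (PUBLIC_IP, 2323): (SERVER_IP, 23),
    (PUBLIC_IP, 2121): (SERVER_IP, 21),
}

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def dnat(dst_ip: str, dst_port: int):
    """Static NAT Server lookup for a new inbound connection; None means no
    mapping, so the packet falls through to the default interzone deny."""
    return NAT_SERVER.get((dst_ip, dst_port))


def _decode(groups):
    """FTP h1,h2,h3,h4,p1,p2 notation -> (ip, port)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def _encode(ip: str, port: int) -> str:
    return "{},{},{}".format(ip.replace(".", ","), port // 256, port % 256)


def alg_server_to_client(line: str, pinholes: list, alg_enabled: bool = True) -> str:
    """Inspect one control-channel line sent by the DMZ server. A passive-mode
    reply carries the server's private address and data port; with the ALG on,
    the address is rewritten to the published global address and a pinhole is
    recorded so the client's data connection is translated and permitted."""
    m = _PASV_RE.match(line)
    if not m or not alg_enabled:
        return line  # without the ALG the private address leaks unchanged
    ip, port = _decode(m.groups())
    if ip != SERVER_IP:
        return line
    pinholes.append({"direction": "inbound",
                     "global": (PUBLIC_IP, port), "inside": (SERVER_IP, port)})
    return "227 Entering Passive Mode ({})\r\n".format(_encode(PUBLIC_IP, port))


def alg_client_to_server(line: str, pinholes: list, client_ip: str,
                         alg_enabled: bool = True) -> str:
    """Active mode: the client's PORT command names where the server must
    connect back to. The ALG opens a pinhole for that server-initiated
    dmz -> untrust connection, which no security-policy rule in this lab
    permits on its own. A PORT address that differs from the control
    connection's peer is refused (FTP bounce), so no pinhole is created."""
    m = _PORT_RE.match(line)
    if not m or not alg_enabled:
        return line
    ip, port = _decode(m.groups())
    if ip == client_ip:
        pinholes.append({"direction": "outbound",
                         "global": (ip, port), "inside": (SERVER_IP, 20)})
    return line


def data_connection_allowed(pinholes: list, src: tuple, dst: tuple):
    """Translated destination for a new data connection src -> dst if a
    pinhole covers it, else None (dropped by the default deny)."""
    for hole in pinholes:
        if hole["direction"] == "inbound" and dst == hole["global"]:
            return hole["inside"]
        if (hole["direction"] == "outbound" and src == hole["inside"]
                and dst == hole["global"]):
            return dst
    return None


if __name__ == "__main__":
    # Constructed sample exchange: R1 (1.1.1.1) talks to the published FTP port.
    print(dnat(PUBLIC_IP, 2121))  # ('10.0.4.4', 21)
    holes = []
    print(alg_server_to_client(
        "227 Entering Passive Mode (10,0,4,4,19,137)\r\n", holes))
    print(data_connection_allowed(holes, ("1.1.1.1", 40000), (PUBLIC_IP, 5001)))
```

Running the passive-mode case with alg_enabled=False shows the failure the text describes: the client receives 10,0,4,4 in the reply, no pinhole exists, and its data connection to 1.1.1.254 has nothing to match.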
Final device configurations
<S1>display current-configuration
!Software Version V200R008C00SPC500
#
sysname S1
#
vlan batch 11 to 13
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 11
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 12
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 12
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 13
#
interface GigabitEthernet0/0/21
port link-type access
port default vlan 11
#
interface GigabitEthernet0/0/22
port link-type access
port default vlan 12
#
interface GigabitEthernet0/0/23
port link-type access
port default vlan 13
#
return
<R1>display current-configuration
[V200R007C00SPC600]
#
sysname R1
#
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 11.11.11.11 255.255.255.0
#
return
<R2>display current-configuration
[V200R007C00SPC600]
#
sysname R2
#
interface GigabitEthernet0/0/1
ip address 10.0.20.2 255.255.255.0
#
interface LoopBack0
ip address 10.0.2.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return
<R3>display current-configuration
[V200R007C00SPC600]
#
sysname R3
#
interface GigabitEthernet0/0/1
ip address 10.0.20.3 255.255.255.0
#
interface LoopBack0
ip address 10.0.3.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
return
<R4>display current-configuration
[V200R007C00SPC600]
#
sysname R4
#
aaa
local-user test password irreversible-cipher Admin@123
local-user test privilege level 3
local-user test ftp-directory flash:/
local-user test service-type telnet ftp
#
interface GigabitEthernet0/0/1
ip address 10.0.40.4 255.255.255.0
#
interface LoopBack0
ip address 10.0.4.4 255.255.255.0
#
ftp server enable
#
telnet server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.0.40.254
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound telnet
#
return
<FW>display current-configuration
#
nat server policy_natserver_1 protocol tcp global 1.1.1.254 2323 inside 10.0.4.4 telnet no-reverse
nat server policy_natserver_2 protocol tcp global 1.1.1.254 2121 inside 10.0.4.4 ftp no-reverse
#
sysname FW
#
interface GigabitEthernet1/0/0
ip address 1.1.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.0.20.254 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.0.40.254 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
firewall interzone dmz untrust
detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 10.0.2.0 255.255.255.0 10.0.20.2
ip route-static 10.0.3.0 255.255.255.0 10.0.20.3
ip route-static 10.0.4.0 255.255.255.0 10.0.40.4
#
nat address-group group1
section 0 1.1.1.254 1.1.1.254
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.0.2.0 mask 255.255.255.0
source-address 10.0.3.0 mask 255.255.255.0
action permit
rule name policy_sec_2
source-zone untrust
destination-zone dmz
destination-address 10.0.4.4 mask 255.255.255.255
service ftp
service telnet
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 10.0.2.0 mask 255.255.255.0
source-address 10.0.3.0 mask 255.255.255.0
action nat address-group group1
#
return