Huawei Firewall Basic Configuration Lab: Interconnecting the Local, DMZ, Trust and Untrust Zones
Author: @小白创作中心
Reference
1. CSDN: https://blog.csdn.net/m0_64218141/article/details/136516346
Lab Environment
- Equipment: 1 PC, 2 routers (AR2220), 1 firewall (USG6000V)
- Lab topology: (diagram not reproduced in this copy)
- Objective: make the trust, untrust, local and dmz zones reachable from one another, so that the PC can ping R-1 and R-2.
- Notes: the PC is in trust, R-2 in untrust and R-1 in dmz. IP addresses are shown in the topology.
Device IP Address Configuration
R1 IP address
<R1>dis ip in br
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.16.0.1/24 up up
GigabitEthernet0/0/1 unassigned down down
NULL0 unassigned up up(s)
R2 IP address
<R2>dis ip in br
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.0.2/24 up up
GigabitEthernet0/0/1 unassigned down down
NULL0 unassigned up up(s)
Firewall (FW) IP address
The Huawei firewall's default account/password is admin/Admin@123; the password must be changed after the first login.
<FW>dis ip in br
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.0.1/24 down down
GigabitEthernet1/0/0 192.168.1.254/24 up up
GigabitEthernet1/0/1 10.0.0.1/24 up up
GigabitEthernet1/0/2 172.16.0.1/24 up up
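Before assigning zones and enabling OSPF it is worth checking the three address tables above against each other. The following parser is an added example, not part of the original lab: it reads the `display ip interface brief` output exactly as printed and reports any address claimed by more than one device. The three captures are copied from the lab output; note that the FW table lists GigabitEthernet1/0/2 as 172.16.0.1/24, the same address R1 uses, whereas the FW's OSPF `network 172.16.0.254 0.0.0.0` statement later on implies the interface is really 172.16.0.254/24. The check below flags exactly that kind of inconsistency.

```python
"""Parse Huawei VRP `display ip interface brief` output and sanity-check the
addressing across devices before zones and OSPF are configured.

Added example, not part of the original lab. The captures below are the
lab's own `dis ip in br` output embedded as strings; the FW entry for
GigabitEthernet1/0/2 is kept as printed (172.16.0.1/24), which collides
with R1's address and is what this check is meant to flag.
"""
import ipaddress
import re
from collections import defaultdict

# Lab captures, one string per device (copied from the lab output).
CAPTURES = {
    "R1": """Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.16.0.1/24 up up
GigabitEthernet0/0/1 unassigned down down
NULL0 unassigned up up(s)""",
    "R2": """Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.0.2/24 up up
GigabitEthernet0/0/1 unassigned down down
NULL0 unassigned up up(s)""",
    "FW": """Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.0.1/24 down down
GigabitEthernet1/0/0 192.168.1.254/24 up up
GigabitEthernet1/0/1 10.0.0.1/24 up up
GigabitEthernet1/0/2 172.16.0.1/24 up up""",
}

# One data row: interface, address/mask (or "unassigned"), physical, protocol.
# The five-word header line does not match and is skipped.
ROW_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<addr>\S+)\s+(?P<phys>\S+)\s+(?P<proto>\S+)$")


def parse_ip_brief(text):
    """Return a list of (interface, IPv4Interface or None, physical, protocol)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("iface") == "Interface":
            continue
        addr = None if m.group("addr") == "unassigned" else ipaddress.ip_interface(m.group("addr"))
        rows.append((m.group("iface"), addr, m.group("phys"), m.group("proto")))
    return rows


def find_address_conflicts(captures):
    """Return {ip: [(device, interface), ...]} for every address that more
    than one device claims. Two devices sharing an address on one link will
    break both the direct ping test and the OSPF adjacency."""
    owners = defaultdict(list)
    for device, text in captures.items():
        for iface, addr, _phys, _proto in parse_ip_brief(text):
            if addr is not None:
                owners[str(addr.ip)].append((device, iface))
    return {ip: o for ip, o in owners.items() if len({dev for dev, _ in o}) > 1}


def links(captures):
    """Return {subnet: sorted devices} for up/up interfaces, i.e. the links on
    which a neighbour can actually be expected (the down FW G0/0/0 is left out)."""
    by_subnet = defaultdict(set)
    for device, text in captures.items():
        for _iface, addr, phys, proto in parse_ip_brief(text):
            if addr is not None and phys == "up" and proto == "up":
                by_subnet[str(addr.network)].add(device)
    return {net: sorted(devs) for net, devs in by_subnet.items()}


if __name__ == "__main__":
    for ip, owners in find_address_conflicts(CAPTURES).items():
        print(f"CONFLICT {ip}: " + ", ".join(f"{d} {i}" for d, i in owners))
    for net, devs in sorted(links(CAPTURES).items()):
        print(f"{net:<18} {devs}")
```

Run as-is, the script reports the 172.16.0.1 conflict between R1 and FW and lists the 10.0.0.0/24 and 172.16.0.0/24 links as having two devices; 192.168.1.0/24 shows only the FW because the PC's table is not among the captures.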
Zone Assignment
On the FW, assign each interface to its zone:
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/0
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/1
[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet 1/0/2
Firewall Security Policy Configuration
Configure the firewall:
[FW]int g 1/0/0
[FW-GigabitEthernet1/0/0]service-manage ping permit
[FW-GigabitEthernet1/0/0]q
[FW]security-policy
[FW-policy-security]rule name ping
[FW-policy-security-rule-ping]source-zone local untrust trust dmz
[FW-policy-security-rule-ping]destination-zone local untrust trust dmz
//The intent is simply to make all firewall zones reachable from one another, so no other policy is configured!
//Do not configure it this way in production!!!
[FW-policy-security-rule-ping]service icmp
[FW-policy-security-rule-ping]action permit
[FW-policy-security-rule-ping]dis th
#
rule name ping
source-zone dmz
source-zone local
source-zone trust
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone trust
destination-zone untrust
service icmp
action permit
#
return
Testing the firewall's directly connected links
[FW]ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=32 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=4 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=5 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=4 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/9/32 ms
[FW]ping 10.0.0.2
PING 10.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.0.2: bytes=56 Sequence=1 ttl=255 time=51 ms
Reply from 10.0.0.2: bytes=56 Sequence=2 ttl=255 time=14 ms
Reply from 10.0.0.2: bytes=56 Sequence=3 ttl=255 time=15 ms
Reply from 10.0.0.2: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 10.0.0.2: bytes=56 Sequence=5 ttl=255 time=6 ms
--- 10.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/18/51 ms
[FW]ping 172.16.0.1
PING 172.16.0.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.0.1: bytes=56 Sequence=1 ttl=255 time=47 ms
Reply from 172.16.0.1: bytes=56 Sequence=2 ttl=255 time=7 ms
Reply from 172.16.0.1: bytes=56 Sequence=3 ttl=255 time=8 ms
Reply from 172.16.0.1: bytes=56 Sequence=4 ttl=255 time=9 ms
Reply from 172.16.0.1: bytes=56 Sequence=5 ttl=255 time=12 ms
--- 172.16.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/16/47 ms
OSPF Configuration
R1 OSPF configuration
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 172.16.0.1 0.0.0.0
R2 OSPF configuration
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.0.2 0.0.0.0
FW OSPF configuration
[FW]ospf 1 router-id 3.3.3.3
[FW-ospf-1]area 0
[FW-ospf-1-area-0.0.0.0]network 192.168.1.254 0.0.0.0
[FW-ospf-1-area-0.0.0.0]network 10.0.0.1 0.0.0.0
[FW-ospf-1-area-0.0.0.0]network 172.16.0.254 0.0.0.0
Check whether the neighbors have come up:
[FW-ospf-1-area-0.0.0.0]dis ospf peer brief
OSPF Process 1 with Router ID 3.3.3.3
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet1/0/1 2.2.2.2 Full
0.0.0.0 GigabitEthernet1/0/2 1.1.1.1 Full
----------------------------------------------------------------------------
Firewall OSPF Security Policy Configuration
[FW]security-policy
[FW-policy-security]rule name OSPF
[FW-policy-security-rule-OSPF]service ospf
[FW-policy-security-rule-OSPF]source-zone local dmz untrust
[FW-policy-security-rule-OSPF]destination-zone dmz local untrust
[FW-policy-security-rule-OSPF]action permit
[FW-policy-security-rule-OSPF]dis th
#
rule name OSPF
source-zone dmz
source-zone local
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone untrust
service ospf
action permit
#
return
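The two rules above ("ping" with every zone as source and destination, and "OSPF" between local, dmz and untrust) achieve the lab goal, but the author's own comment says the any-to-any ICMP rule should not be used in production. The following script is an added example, not part of the original lab, that models how a USG security policy decides a flow (rules checked top-down, first match wins, anything unmatched hits the implicit default deny) and compares the lab policy with a tighter rule set that still lets the PC ping both routers and lets the FW form its OSPF adjacencies. The evaluation model and the stateful handling of ICMP replies are assumptions stated in the code; the rule names in the tighter policy are constructed for the example, and the interface-level `service-manage ping permit` setting is outside this model.

```python
"""Model Huawei USG security-policy evaluation and compare the lab's
any-to-any ICMP rule with a least-privilege rule set for the same goal.

Added example, not part of the original lab. Assumptions: rules are checked
top-down and the first match wins; traffic that matches no rule hits the
implicit default deny; the firewall is stateful, so ICMP echo replies are
matched by the session table and need no rule of their own. Zone names,
the lab's rule names and the services come from the lab configuration.
"""
from dataclasses import dataclass

ZONES = ("local", "trust", "untrust", "dmz")


@dataclass(frozen=True)
class Rule:
    name: str
    source_zones: frozenset
    destination_zones: frozenset
    services: frozenset          # service names; "any" matches every service
    action: str                  # "permit" or "deny"

    def matches(self, src, dst, service):
        return (src in self.source_zones and dst in self.destination_zones
                and ("any" in self.services or service in self.services))


def rule(name, srcs, dsts, services, action="permit"):
    return Rule(name, frozenset(srcs), frozenset(dsts), frozenset(services), action)


def evaluate(policy, src, dst, service):
    """Return (action, rule_name) for one flow; unmatched flows are denied."""
    for r in policy:
        if r.matches(src, dst, service):
            return r.action, r.name
    return "deny", "default"


# The lab's policy as configured: rule "ping" followed by rule "OSPF".
LAB_POLICY = [
    rule("ping", ZONES, ZONES, ["icmp"]),
    rule("OSPF", ["local", "dmz", "untrust"], ["dmz", "local", "untrust"], ["ospf"]),
]

# A tighter policy that still meets the lab objective: the PC in trust pings
# R-1 in dmz and R-2 in untrust, and the FW in local exchanges OSPF with
# both routers. Rule names are constructed for this example.
TIGHT_POLICY = [
    rule("pc-ping-routers", ["trust"], ["dmz", "untrust"], ["icmp"]),
    rule("ospf-out", ["local"], ["dmz", "untrust"], ["ospf"]),
    rule("ospf-in", ["dmz", "untrust"], ["local"], ["ospf"]),
]

# Flows the lab needs, followed by flows nobody asked for (constructed).
FLOWS = [
    ("trust", "dmz", "icmp"),
    ("trust", "untrust", "icmp"),
    ("local", "untrust", "ospf"),
    ("dmz", "local", "ospf"),
    ("untrust", "trust", "icmp"),    # the outside probing the inside LAN
    ("untrust", "dmz", "icmp"),
    ("dmz", "untrust", "ospf"),      # OSPF transiting the FW between routers
    ("dmz", "trust", "ospf"),
]


def differing_verdicts(flows, a, b):
    """Return [(flow, verdict_a, verdict_b)] for flows the two policies judge differently."""
    out = []
    for f in flows:
        va, vb = evaluate(a, *f)[0], evaluate(b, *f)[0]
        if va != vb:
            out.append((f, va, vb))
    return out


if __name__ == "__main__":
    for f in FLOWS:
        lab, tight = evaluate(LAB_POLICY, *f), evaluate(TIGHT_POLICY, *f)
        print(f"{f[0]:>7} -> {f[1]:<7} {f[2]:<4} lab={lab[0]}({lab[1]}) tight={tight[0]}({tight[1]})")
```

Running the script shows that both policies permit the four flows the lab requires, while the lab policy additionally permits untrust-to-trust and untrust-to-dmz ICMP and OSPF transiting between the two router zones; the tighter policy drops those on the default deny. Splitting OSPF into an outbound and an inbound rule keeps the local zone as one endpoint of every permitted OSPF flow, which is all an adjacency with the firewall needs.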
Final Test
Test whether the PC can ping the routers:
PC>ping 10.0.0.2
Ping 10.0.0.2: 32 data bytes, Press Ctrl_C to break
From 10.0.0.2: bytes=32 seq=1 ttl=254 time=31 ms
From 10.0.0.2: bytes=32 seq=2 ttl=254 time=16 ms
--- 10.0.0.2 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/23/31 ms
PC>ping 172.16.0.1
Ping 172.16.0.1: 32 data bytes, Press Ctrl_C to break
From 172.16.0.1: bytes=32 seq=1 ttl=254 time=16 ms
From 172.16.0.1: bytes=32 seq=2 ttl=254 time=15 ms
From 172.16.0.1: bytes=32 seq=3 ttl=254 time=16 ms
--- 172.16.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/12/16 ms
PC>
Conclusion
With the configuration and tests above, the Trust, Untrust, Local and DMZ zones are interconnected and the PC can ping R-1 and R-2, which meets the lab objective.