华为防火墙基础配置实验:Local、DMZ、Trust、Untrust区域互联
创作时间:
作者:
@小白创作中心
华为防火墙基础配置实验:Local、DMZ、Trust、Untrust区域互联
引用
CSDN
1.
https://blog.csdn.net/m0_64218141/article/details/136516346
实验环境
- 设备清单:1台PC、2台路由器(AR2220)、1台防火墙(USG6000V)
- 试验拓扑:
- 实验目的:实现trust、untrust、local、dmz区域互通。PC可以ping通R-1和R-2。
- 试验说明:PC在trust内、R-2在untrust内、R-1在dmz内。IP地址见拓扑。
设备IP地址配置
R1的IP地址
<R1>dis ip in br
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.16.0.1/24 up up
GigabitEthernet0/0/1 unassigned down down
NULL0 unassigned up up(s)
R2的IP地址
<R2>dis ip in br
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.0.2/24 up up
GigabitEthernet0/0/1 unassigned down down
NULL0 unassigned up up(s)
防火墙(FW)的IP地址
华为防火墙默认账号/密码:admin/Admin@123 登录后要修改密码。
<FW>dis ip in br
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.0.1/24 down down
GigabitEthernet1/0/0 192.168.1.254/24 up up
GigabitEthernet1/0/1 10.0.0.1/24 up up
GigabitEthernet1/0/2 172.16.0.1/24 up up
区域划分配置
在FW中将接口划入对应的区域:
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/0
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/1
[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet 1/0/2
防火墙安全策略配置
配置防火墙:
[FW]int g 1/0/0
[FW-GigabitEthernet1/0/0]service-manage ping permit
[FW-GigabitEthernet1/0/0]q
[FW]security-policy
[FW-policy-security]rule name ping
[FW-policy-security-rule-ping]source-zone local untrust trust dmz
[FW-policy-security-rule-ping]destination-zone local untrust trust dmz
//本意是让防护墙的区域互通,所以不做其他策略!
//工作中不建议这样配置!!!
[FW-policy-security-rule-ping]service icmp
[FW-policy-security-rule-ping]action permit
[FW-policy-security-rule-ping]dis th
#
rule name ping
source-zone dmz
source-zone local
source-zone trust
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone trust
destination-zone untrust
service icmp
action permit
#
return
测试防火墙直连
[FW]ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=32 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=4 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=5 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=4 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/9/32 ms
[FW]ping 10.0.0.2
PING 10.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.0.2: bytes=56 Sequence=1 ttl=255 time=51 ms
Reply from 10.0.0.2: bytes=56 Sequence=2 ttl=255 time=14 ms
Reply from 10.0.0.2: bytes=56 Sequence=3 ttl=255 time=15 ms
Reply from 10.0.0.2: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 10.0.0.2: bytes=56 Sequence=5 ttl=255 time=6 ms
--- 10.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/18/51 ms
[FW]ping 172.16.0.1
PING 172.16.0.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.0.1: bytes=56 Sequence=1 ttl=255 time=47 ms
Reply from 172.16.0.1: bytes=56 Sequence=2 ttl=255 time=7 ms
Reply from 172.16.0.1: bytes=56 Sequence=3 ttl=255 time=8 ms
Reply from 172.16.0.1: bytes=56 Sequence=4 ttl=255 time=9 ms
Reply from 172.16.0.1: bytes=56 Sequence=5 ttl=255 time=12 ms
--- 172.16.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/16/47 ms
OSPF配置
R1的OSPF配置
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 172.16.0.1 0.0.0.0
R2的OSPF配置
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.0.2 0.0.0.0
FW的OSPF配置
[FW]ospf 1 router-id 3.3.3.3
[FW-ospf-1]area 0
[FW-ospf-1-area-0.0.0.0]network 192.168.1.254 0.0.0.0
[FW-ospf-1-area-0.0.0.0]network 10.0.0.1 0.0.0.0
[FW-ospf-1-area-0.0.0.0]network 172.16.0.254 0.0.0.0
查看邻居是否建立:
[FW-ospf-1-area-0.0.0.0]dis ospf peer brief
OSPF Process 1 with Router ID 3.3.3.3
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet1/0/1 2.2.2.2 Full
0.0.0.0 GigabitEthernet1/0/2 1.1.1.1 Full
----------------------------------------------------------------------------
防火墙的OSPF策略配置
[FW]security-policy
[FW-policy-security]rule name OSPF
[FW-policy-security-rule-OSPF]service ospf
[FW-policy-security-rule-OSPF]source-zone local dmz untrust
[FW-policy-security-rule-OSPF]destination-zone dmz local untrust
[FW-policy-security-rule-OSPF]action permit
[FW-policy-security-rule-OSPF]dis th
#
rule name OSPF
source-zone dmz
source-zone local
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone untrust
service ospf
action permit
#
return
最终测试
测试PC是否能ping通路由器:
PC>ping 10.0.0.2
Ping 10.0.0.2: 32 data bytes, Press Ctrl_C to break
From 10.0.0.2: bytes=32 seq=1 ttl=254 time=31 ms
From 10.0.0.2: bytes=32 seq=2 ttl=254 time=16 ms
--- 10.0.0.2 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/23/31 ms
PC>ping 172.16.0.1
Ping 172.16.0.1: 32 data bytes, Press Ctrl_C to break
From 172.16.0.1: bytes=32 seq=1 ttl=254 time=16 ms
From 172.16.0.1: bytes=32 seq=2 ttl=254 time=15 ms
From 172.16.0.1: bytes=32 seq=3 ttl=254 time=16 ms
--- 172.16.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/12/16 ms
PC>
结论
通过以上配置和测试,实现了Trust、Untrust、Local、DMZ区域的互联,PC能够成功ping通R-1和R-2,达到了实验目的。
热门推荐
水瓶座女生教你如何独立生活
水瓶座女生如何在科技和艺术圈闪耀?
物流到马来西亚怎么走(到马来西亚的物流)
缓解小肚子胀气的穴位按摩法
肠胀气腹痛难忍?热水袋热敷来缓解
蛇年春晚进入彩排阶段,期待借助网络实现破圈
“院店联动”新模式 助力慢病管理创新发展
中国品牌出海面临哪些挑战?
盘点数字人民币中的安全技术
常吃艾司唑仑,这5个问题一定要搞清楚
每天了解一个繁华都市—威尼斯
超威集团劳资纠纷背后的法律博弈
产后恢复饮食禁忌,这些食物要少吃
欧阳修与醉翁亭:一段跨越千年的文人佳话
欧阳修:北宋文学界的顶流大咖
《斯卡布罗集市》与《毕业生》:一首歌,一部电影,一个时代的缩影
保罗·西蒙和阿特·加芬克尔的反战神曲《斯卡布罗集市》
莎拉·布莱曼版《斯卡布罗集市》:一首治愈心灵的经典之作
广西发布“桂菜特色名菜”“广西风味名小吃”
冰箱不制冷了怎么办?维修师傅的7个实用排查步骤
冰箱不制冷的原因分析(探究冰箱制冷失效的根本原因及解决方法)
鼋头渚樱花节住宿攻略:3大区域推荐,从高端到经济全覆盖
涠洲灯塔:北海最美拍摄地
一次跨国社交平台的全球化大战!美媒对小红书的三篇报道,太逗了
基层矛盾的常见类型与处理策略
北海紫霞湾:冬日最美落日打卡地
北海探秘:合浦汉墓群&北海老街
跟着阿紫玩转北海:网红打卡与小众探索的完美融合
汽车内饰清洗全攻略:保持车内清新,提升驾驶体验
揭秘USB4与雷电技术:谁是下一代连接标准的王者?