华为防火墙基础配置实验:Local、DMZ、Trust、Untrust区域互联
创作时间:
作者:
@小白创作中心
华为防火墙基础配置实验:Local、DMZ、Trust、Untrust区域互联
引用
CSDN
1.
https://blog.csdn.net/m0_64218141/article/details/136516346
实验环境
- 设备清单:1台PC、2台路由器(AR2220)、1台防火墙(USG6000V)
- 试验拓扑:
- 实验目的:实现trust、untrust、local、dmz区域互通。PC可以ping通R-1和R-2。
- 试验说明:PC在trust内、R-2在untrust内、R-1在dmz内。IP地址见拓扑。
设备IP地址配置
R1的IP地址
<R1>dis ip in br
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 172.16.0.1/24 up up
GigabitEthernet0/0/1 unassigned down down
NULL0 unassigned up up(s)
R2的IP地址
<R2>dis ip in br
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 10.0.0.2/24 up up
GigabitEthernet0/0/1 unassigned down down
NULL0 unassigned up up(s)
防火墙(FW)的IP地址
华为防火墙默认账号/密码:admin/Admin@123 登录后要修改密码。
<FW>dis ip in br
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.0.1/24 down down
GigabitEthernet1/0/0 192.168.1.254/24 up up
GigabitEthernet1/0/1 10.0.0.1/24 up up
GigabitEthernet1/0/2 172.16.0.1/24 up up
区域划分配置
在FW中将接口划入对应的区域:
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/0
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/1
[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet 1/0/2
防火墙安全策略配置
配置防火墙:
[FW]int g 1/0/0
[FW-GigabitEthernet1/0/0]service-manage ping permit
[FW-GigabitEthernet1/0/0]q
[FW]security-policy
[FW-policy-security]rule name ping
[FW-policy-security-rule-ping]source-zone local untrust trust dmz
[FW-policy-security-rule-ping]destination-zone local untrust trust dmz
//本意是让防护墙的区域互通,所以不做其他策略!
//工作中不建议这样配置!!!
[FW-policy-security-rule-ping]service icmp
[FW-policy-security-rule-ping]action permit
[FW-policy-security-rule-ping]dis th
#
rule name ping
source-zone dmz
source-zone local
source-zone trust
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone trust
destination-zone untrust
service icmp
action permit
#
return
测试防火墙直连
[FW]ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=128 time=32 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=128 time=4 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=128 time=5 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=128 time=4 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/9/32 ms
[FW]ping 10.0.0.2
PING 10.0.0.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.0.2: bytes=56 Sequence=1 ttl=255 time=51 ms
Reply from 10.0.0.2: bytes=56 Sequence=2 ttl=255 time=14 ms
Reply from 10.0.0.2: bytes=56 Sequence=3 ttl=255 time=15 ms
Reply from 10.0.0.2: bytes=56 Sequence=4 ttl=255 time=4 ms
Reply from 10.0.0.2: bytes=56 Sequence=5 ttl=255 time=6 ms
--- 10.0.0.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/18/51 ms
[FW]ping 172.16.0.1
PING 172.16.0.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.0.1: bytes=56 Sequence=1 ttl=255 time=47 ms
Reply from 172.16.0.1: bytes=56 Sequence=2 ttl=255 time=7 ms
Reply from 172.16.0.1: bytes=56 Sequence=3 ttl=255 time=8 ms
Reply from 172.16.0.1: bytes=56 Sequence=4 ttl=255 time=9 ms
Reply from 172.16.0.1: bytes=56 Sequence=5 ttl=255 time=12 ms
--- 172.16.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/16/47 ms
OSPF配置
R1的OSPF配置
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 172.16.0.1 0.0.0.0
R2的OSPF配置
[R2]ospf 1 router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.0.2 0.0.0.0
FW的OSPF配置
[FW]ospf 1 router-id 3.3.3.3
[FW-ospf-1]area 0
[FW-ospf-1-area-0.0.0.0]network 192.168.1.254 0.0.0.0
[FW-ospf-1-area-0.0.0.0]network 10.0.0.1 0.0.0.0
[FW-ospf-1-area-0.0.0.0]network 172.16.0.254 0.0.0.0
查看邻居是否建立:
[FW-ospf-1-area-0.0.0.0]dis ospf peer brief
OSPF Process 1 with Router ID 3.3.3.3
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet1/0/1 2.2.2.2 Full
0.0.0.0 GigabitEthernet1/0/2 1.1.1.1 Full
----------------------------------------------------------------------------
防火墙的OSPF策略配置
[FW]security-policy
[FW-policy-security]rule name OSPF
[FW-policy-security-rule-OSPF]service ospf
[FW-policy-security-rule-OSPF]source-zone local dmz untrust
[FW-policy-security-rule-OSPF]destination-zone dmz local untrust
[FW-policy-security-rule-OSPF]action permit
[FW-policy-security-rule-OSPF]dis th
#
rule name OSPF
source-zone dmz
source-zone local
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone untrust
service ospf
action permit
#
return
最终测试
测试PC是否能ping通路由器:
PC>ping 10.0.0.2
Ping 10.0.0.2: 32 data bytes, Press Ctrl_C to break
From 10.0.0.2: bytes=32 seq=1 ttl=254 time=31 ms
From 10.0.0.2: bytes=32 seq=2 ttl=254 time=16 ms
--- 10.0.0.2 ping statistics ---
2 packet(s) transmitted
2 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/23/31 ms
PC>ping 172.16.0.1
Ping 172.16.0.1: 32 data bytes, Press Ctrl_C to break
From 172.16.0.1: bytes=32 seq=1 ttl=254 time=16 ms
From 172.16.0.1: bytes=32 seq=2 ttl=254 time=15 ms
From 172.16.0.1: bytes=32 seq=3 ttl=254 time=16 ms
--- 172.16.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/12/16 ms
PC>
结论
通过以上配置和测试,实现了Trust、Untrust、Local、DMZ区域的互联,PC能够成功ping通R-1和R-2,达到了实验目的。
热门推荐
预防老人跌倒十大重点
发烧后没胃口,怎么吃恢复更快?
厦金大桥最新进展!
新时代的格斗游戏,走上了一条殊途同归的道路
父亲去世后户主身份归属:儿子还是配偶?
父亲遗产分配指南:遗嘱继承与法定继承详解
古诗词里的小暑:烈日炎炎下的丝丝凉意与宁静恬淡
股权融资计划书撰写指南与要点
痛风怎么检查出来
石墨烯导电的原因是什么?这一特性有哪些潜在的应用领域?
石涛的这些山水画,让人震撼!
水果冻干机的工作原理与技术详解
乘坐绿皮火车游走中国最美的4条线路,看祖国的大好河山
绿皮火车:历史与风景
揭秘:咖啡背后的健康秘密
皇冠三间鱼好养吗,怎么养
Stable Diffusion最全提示词写法教程(附10000+提示词库)
脸上长痣的原因及治疗方法
小孩为什么会长那么多痣
来武当过大年!不可错过的武当素斋
土鲫、良种鲫鱼与野生鲫鱼:"野生"与否取决于食物和环境并非品种
草莓种植周期和管理技术
盘点:NBA 历史上 10 大最长连胜纪录
不可思议的七大《心经功效》立即改善你的生活品质
怎么在照片上加特效?3种方法让你的图片更加出色
曾经靠《射雕英雄传》走红,桃花岛有了新的“打开方式”!
虎宝宝取名,吉祥名字选择与文化内涵探究-专业取名解析
WANet与WALoss:突破量子化学中的哈密顿量计算瓶颈
原生IP VPS比普通IP VPS价格要贵一些吗
不再画蛇添足!揭秘成语背后的精彩故事与深刻道理!