ENSP防火墙的配置实验,防火墙配置安全策略和GRE以及配置NAT进行路由通信

该实验要求如下:

配置GRE
实现总部和分部客户端PC之间私有IPv4地址和IPv6相互通信
隧道IPv4地址:10.1.12.0/24
隧道IPv6地址:2001:12::/64
NAT
实现所有的PC通过NAT转换访问client1,使用Easy-ip技术实现
NAT Server
FTP公网IP地址为110.1.1.100,client1通过此公网IP访问FTP服务
路由
全网使用静态路由来实现通信

该实验拓扑图如下
ENSP防火墙的配置实验,防火墙配置安全策略和GRE以及配置NAT进行路由通信_第1张图片

1、配置底层IP地址信息

FW1的配置

interface GigabitEthernet0/0/0
 ip binding -instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
interface GigabitEthernet1/0/0
 ipv6 enable
 ip address 10.1.1.254 255.255.255.0
 ipv6 address 100::2/64
interface GigabitEthernet1/0/1
ip address 10.1.3.254 255.255.255.0
interface GigabitEthernet1/0/2
 ip address 110.1.1.1 255.255.255.0
#

ISP的配置

vlan batch 69 110 202
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 110
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 202
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 69
interface Vlanif69
 ip address 69.1.1.2 255.255.255.0
interface Vlanif110
 ip address 110.1.1.2 255.255.255.0
interface Vlanif202
 ip address 202.1.1.2 255.255.255.0

FW2的地址配置

interface GigabitEthernet1/0/0
 ipv6 enable
 ip address 10.1.2.254 255.255.255.0
 ipv6 address 200::2/64
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 202.1.1.1 255.255.255.0

2、在FW1和FW2上创建firewall zong区域

FW1

firewall zone trust
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/2
firewall zone dmz
 add interface GigabitEthernet1/0/1

FW2的配置

firewall zone trust
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/2

3、配置GRE和tunnel隧道

静态路由配置—提供FW1与FW2之间可达
FW1

ip route-static 202.1.1.0 24 110.1.1.2

FW2

ip route-static 110.1.1.0 24 202.1.1.2

FW1

interface Tunnel1
 ipv6 enable
 ip address 10.1.12.1 255.255.255.0
 ipv6 address 2001:12::1/64
 tunnel-protocol gre
 source 110.1.1.1
 destination 202.1.1.1
#
firewall zone untrust
 add interface Tunnel1

FW2

interface Tunnel1
 ipv6 enable
 ip address 10.1.12.2 255.255.255.0
 ipv6 address 2001:12::2/64
 tunnel-protocol gre
 source 202.1.1.1
 destination 110.1.1.1
#
firewall zone untrust
 add interface Tunnel1

4、配置安全策略—GRE协议策略

FW1/FW2

security-policy
 rule name gre
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone untrust
  service gre
  action permit

静态路由配置—提供到达对方内部网段路由走TUNNEL接口
FW1

ip route-static 10.1.2.0 24 Tunnel1
ipv6 route-static 200:: 64 Tunnel1

FW2

ip route-static 10.1.1.0 24.0 Tunnel1
ipv6 route-static 100:: 64 Tunnel1

5、配置安全策略—能够放行V4和V6流量

FW1/FW2

security-policy
 rule name data_v4	#放行IPV4的流量
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.1.1.1 32
  source-address 10.1.2.1 32
  destination-address 10.1.1.1 32
  destination-address 10.1.2.1 32
  service icmp
  action permit
 rule name data_v6	#放行IPV6的流量
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 100::1 128
  source-address 200::1 128
  destination-address 100::1 128
  destination-address 200::1 128
  service icmpv6
  action permit

6、配置NAT

静态路由—FW和client之间的可达
FW1

ip route-static 69.1.1.0 24 110.1.1.2

FW2

ip route-static 69.1.1.0 24 202.1.1.2

FW1

nat-policy
 rule name easy_ip
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.1 32
  action source-nat easy-ip
#
security-policy
 rule name pc1_c1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.1 32
  destination-address 69.1.1.1 32
  service icmp
  action permit

FW2

nat-policy
 rule name easy_ip
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.1 32
  action source-nat easy-ip
#
security-policy
 rule name pc1_c1
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.1 32
  destination-address 69.1.1.1 32
  service icmp
  action permit

7.NAT server

NAT Server
FTP公网IP地址为110.1.1.100,client1通过此公网IP访问FTP服务
FW1

 nat server FTP protocol tcp global 110.1.1.100 ftp inside 10.1.3.1 ftp

FW1

security-policy
 rule name c1_ftp
  source-zone untrust
  destination-zone dmz
  source-address 69.1.1.1 mask 255.255.255.255
  destination-address 10.1.3.1 mask 255.255.255.255
  service ftp
  action permit

8、进行测试
PC1ping通PC2的IPV4/IPV6地址

ENSP防火墙的配置实验,防火墙配置安全策略和GRE以及配置NAT进行路由通信_第2张图片
PC1ping通client1
ENSP防火墙的配置实验,防火墙配置安全策略和GRE以及配置NAT进行路由通信_第3张图片
在client1上通过110.1.1.100访问FTP服务器
ENSP防火墙的配置实验,防火墙配置安全策略和GRE以及配置NAT进行路由通信_第4张图片
测试成功,实验完成

你可能感兴趣的:(网络实验,网络,运维,网络协议,tcp/ip,网络安全)