ENSP防火墙的配置实验,防火墙配置安全策略和GRE以及配置NAT进行路由通信
该实验要求如下:
配置GRE
实现总部和分部客户端PC之间私有IPv4地址和IPv6相互通信
隧道IPv4地址:10.1.12.0/24
隧道IPv6地址:2001:12::/64
NAT
实现所有的PC通过NAT转换访问client1,使用Easy-ip技术实现
NAT Server
FTP公网IP地址为110.1.1.100,client1通过此公网IP访问FTP服务
路由
全网使用静态路由来实现通信
该实验拓扑图如下
1、配置底层IP地址信息
FW1的配置
interface GigabitEthernet0/0/0
ip binding -instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
interface GigabitEthernet1/0/0
ipv6 enable
ip address 10.1.1.254 255.255.255.0
ipv6 address 100::2/64
interface GigabitEthernet1/0/1
ip address 10.1.3.254 255.255.255.0
interface GigabitEthernet1/0/2
ip address 110.1.1.1 255.255.255.0
#
ISP的配置
vlan batch 69 110 202
interface GigabitEthernet0/0/1
port link-type access
port default vlan 110
interface GigabitEthernet0/0/2
port link-type access
port default vlan 202
interface GigabitEthernet0/0/3
port link-type access
port default vlan 69
interface Vlanif69
ip address 69.1.1.2 255.255.255.0
interface Vlanif110
ip address 110.1.1.2 255.255.255.0
interface Vlanif202
ip address 202.1.1.2 255.255.255.0
FW2的地址配置
interface GigabitEthernet1/0/0
ipv6 enable
ip address 10.1.2.254 255.255.255.0
ipv6 address 200::2/64
interface GigabitEthernet1/0/2
undo shutdown
ip address 202.1.1.1 255.255.255.0
2、在FW1和FW2上创建firewall zong区域
FW1
firewall zone trust
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/2
firewall zone dmz
add interface GigabitEthernet1/0/1
FW2的配置
firewall zone trust
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/2
3、配置GRE和tunnel隧道
静态路由配置—提供FW1与FW2之间可达
FW1
ip route-static 202.1.1.0 24 110.1.1.2
FW2
ip route-static 110.1.1.0 24 202.1.1.2
FW1
interface Tunnel1
ipv6 enable
ip address 10.1.12.1 255.255.255.0
ipv6 address 2001:12::1/64
tunnel-protocol gre
source 110.1.1.1
destination 202.1.1.1
#
firewall zone untrust
add interface Tunnel1
FW2
interface Tunnel1
ipv6 enable
ip address 10.1.12.2 255.255.255.0
ipv6 address 2001:12::2/64
tunnel-protocol gre
source 202.1.1.1
destination 110.1.1.1
#
firewall zone untrust
add interface Tunnel1
4、配置安全策略—GRE协议策略
FW1/FW2
security-policy
rule name gre
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
service gre
action permit
静态路由配置—提供到达对方内部网段路由走TUNNEL接口
FW1
ip route-static 10.1.2.0 24 Tunnel1
ipv6 route-static 200:: 64 Tunnel1
FW2
ip route-static 10.1.1.0 24.0 Tunnel1
ipv6 route-static 100:: 64 Tunnel1
5、配置安全策略—能够放行V4和V6流量
FW1/FW2
security-policy
rule name data_v4 #放行IPV4的流量
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.1 32
source-address 10.1.2.1 32
destination-address 10.1.1.1 32
destination-address 10.1.2.1 32
service icmp
action permit
rule name data_v6 #放行IPV6的流量
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 100::1 128
source-address 200::1 128
destination-address 100::1 128
destination-address 200::1 128
service icmpv6
action permit
6、配置NAT
静态路由—FW和client之间的可达
FW1
ip route-static 69.1.1.0 24 110.1.1.2
FW2
ip route-static 69.1.1.0 24 202.1.1.2
FW1
nat-policy
rule name easy_ip
source-zone trust
destination-zone untrust
source-address 10.1.1.1 32
action source-nat easy-ip
#
security-policy
rule name pc1_c1
source-zone trust
destination-zone untrust
source-address 10.1.1.1 32
destination-address 69.1.1.1 32
service icmp
action permit
FW2
nat-policy
rule name easy_ip
source-zone trust
destination-zone untrust
source-address 10.1.2.1 32
action source-nat easy-ip
#
security-policy
rule name pc1_c1
source-zone trust
destination-zone untrust
source-address 10.1.2.1 32
destination-address 69.1.1.1 32
service icmp
action permit
7.NAT server
NAT Server
FTP公网IP地址为110.1.1.100,client1通过此公网IP访问FTP服务
FW1
nat server FTP protocol tcp global 110.1.1.100 ftp inside 10.1.3.1 ftp
FW1
security-policy
rule name c1_ftp
source-zone untrust
destination-zone dmz
source-address 69.1.1.1 mask 255.255.255.255
destination-address 10.1.3.1 mask 255.255.255.255
service ftp
action permit
8、进行测试
PC1ping通PC2的IPV4/IPV6地址
PC1ping通client1
在client1上通过110.1.1.100访问FTP服务器
测试成功,实验完成