Contents
Purpose
Equipment
Topology
Procedure
I. Basic configuration
Configure the IP addresses of each router interface [omitted]
1. Configure BGP to interconnect the Internet routers
2. Configure the interface IPs and zones of firewall FW1
3. Create the authentication-exempt user group group_teacher and the password-authenticated user group group_student, and add accounts
4. Configure the user authentication policy
5. Configure the portal authentication page push, redirecting to the most recently requested web page after authentication
6. Create the security policies
7. Configure Easy-IP and a default route
8. On router R5, configure Easy-IP and NAT Server to publish the Baidu web and FTP sites
Verification [omitted]
Summary
Purpose
Master the procedure for configuring authentication-exempt users and password-authenticated users on the firewall.
Equipment
Routers (AR2220): 5
Access-layer switch (S3700): 1
Hosts: 5
Firewall (USG6000V): 1
1. Configure BGP to interconnect the Internet routers
//AS 500 (R1, R2): IS-IS level-1 is the IGP that makes the loopbacks reachable for the iBGP session
[R1]isis 1
[R1-isis-1]network-entity 10.0001.0000.0000.0001.00 //area 10.0001, system ID 0000.0000.0001
[R1-isis-1]is-level level-1
[R1-isis-1]quit
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]isis enable 1
[R1-GigabitEthernet0/0/0]quit
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]isis enable 1
[R1-GigabitEthernet0/0/1]quit
[R1]int lo 0
[R1-LoopBack0]isis enable 1
[R1-LoopBack0]quit
[R1]bgp 500
[R1-bgp]peer 10.0.2.2 as-number 500 //iBGP peer R2, addressed by its LoopBack0
[R1-bgp]peer 10.0.2.2 connect-interface LoopBack 0
[R1-bgp]quit
[R2]isis 1
[R2-isis-1]network-entity 10.0001.0000.0000.0002.00 //same area 10.0001 as R1, system ID 0000.0000.0002. The original page showed 10.0001.0000.0010.00, which puts R2 in area 10; a level-1 adjacency with R1 requires the same area ID
[R2-isis-1]is-level level-1
[R2-isis-1]quit
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]isis enable 1
[R2-GigabitEthernet0/0/0]quit
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]isis enable 1
[R2-GigabitEthernet0/0/1]quit
[R2]int lo 0
[R2-LoopBack0]isis enable 1
[R2-LoopBack0]quit
[R2]bgp 500
[R2-bgp]peer 10.0.1.1 as-number 500 //iBGP peer R1 (LoopBack0)
[R2-bgp]peer 10.0.1.1 connect-interface LoopBack 0
[R2-bgp]peer 117.32.32.2 as-number 300 //eBGP peer R3
[R2-bgp]import-route isis 1 //advertise the AS 500 internal routes into BGP
[R2-bgp]quit
//AS 300 (R3, R4): OSPF area 0 is the IGP
[R3]ospf 1
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 117.32.32.0 0.0.0.255 //link to R2
[R3-ospf-1-area-0.0.0.0]network 118.16.16.0 0.0.0.255 //link to R4
[R3-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255 //LoopBack0
[R3-ospf-1-area-0.0.0.0]quit
[R3-ospf-1]quit
[R3]bgp 300
[R3-bgp]peer 10.0.4.4 as-number 300 //iBGP peer R4 (LoopBack0)
[R3-bgp]peer 10.0.4.4 connect-interface LoopBack 0
[R3-bgp]peer 117.32.32.1 as-number 500 //eBGP peer R2
[R3-bgp]import-route ospf 1 //advertise the AS 300 internal routes into BGP
[R3-bgp]quit
[R4]ospf 1
[R4-ospf-1]area 0
[R4-ospf-1-area-0.0.0.0]network 118.16.16.0 0.0.0.255 //link to R3
[R4-ospf-1-area-0.0.0.0]network 202.202.202.0 0.0.0.255 //this subnet appears nowhere else on the page; check it against the topology before keeping it
[R4-ospf-1-area-0.0.0.0]network 204.204.204.0 0.0.0.255 //link to R5
[R4-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255 //LoopBack0
[R4-ospf-1-area-0.0.0.0]quit
[R4-ospf-1]quit
[R4]bgp 300
[R4-bgp]peer 10.0.3.3 as-number 300 //iBGP peer R3 (LoopBack0)
[R4-bgp]peer 10.0.3.3 connect-interface LoopBack 0
[R4-bgp]quit
[R5]ip route-static 0.0.0.0 0 204.204.204.1 //default route towards R4 so that R5 reaches the Internet
2. Configure the interface IPs and zones of firewall FW1
Firewall default user name: admin
Default password: Admin@123
The password must be changed at first login; this lab uses admin@123 (acceptable in an isolated lab only; on a real device choose a strong, unique administrator password).
Configuration:
<USG6000V1>system-view
[USG6000V1]sysname FW1
[FW1]
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip ad 192.168.10.1 24 //teacher subnet
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip ad 192.168.20.1 24 //student subnet
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip ad 201.201.201.254 24 //uplink to the Internet
[FW1-GigabitEthernet1/0/2]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/0 //teacher subnet 192.168.10.0/24
[FW1-zone-trust]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/2 //Internet uplink
[FW1-zone-untrust]quit
[FW1]firewall zone name zone_student //create the zone_student zone
[FW1-zone-zone_student]set priority 60 //security level between DMZ (50) and Trust (85)
[FW1-zone-zone_student]add interface g1/0/1 //student subnet 192.168.20.0/24
[FW1-zone-zone_student]quit
3. Create the user groups group_teacher (authentication-exempt) and group_student (password-authenticated) and add accounts
[FW1]user-manage group /default/group_teacher //default is the root directory that holds the user groups
[FW1-usergroup-/default/group_teacher]quit
[FW1]user-manage group /default/group_student
[FW1-usergroup-/default/group_student]quit
[FW1]user-manage user 20210001 //create account 20210001 (the student ID); further student accounts are created the same way
[FW1-localuser-20210001]password gdcp@123 //self-chosen password that must meet the complexity requirement; students can change it after logging in
[FW1-localuser-20210001]parent-group /default/group_student //account 20210001 belongs to the group /default/group_student
[FW1-localuser-20210001]quit
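Step 3 notes that several student accounts can be created at once and that each password must satisfy the complexity requirement. The following Python script, added here as an example and not part of the original lab material, renders the `user-manage` CLI for a whole roster of student IDs with a random password per account, checking each password against a policy before emitting it. The policy it enforces (at least 8 characters, at least three of four character classes, and not containing the user name) is an assumption about the USG6000V rule and should be checked against the device; apart from 20210001, the roster IDs are constructed.

```python
"""Generate USG6000V user-manage CLI for a roster of student accounts.

Added example, not part of the original lab. The password policy below is an
assumption about the USG6000V complexity rule; verify it on the device.
"""
import secrets
import string

GROUP = "/default/group_student"
MIN_LEN = 8  # assumed minimum length
# Four character classes; the assumed rule requires at least three of them.
# '?' and space are excluded because they have special meaning on the CLI.
CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@$%^&*()_+-=.",
)


def password_meets_policy(password: str, username: str) -> bool:
    """True if the password satisfies the assumed complexity rule."""
    if len(password) < MIN_LEN:
        return False
    if username.lower() in password.lower():
        return False
    classes_present = sum(
        1 for cls in CHAR_CLASSES if any(ch in cls for ch in password)
    )
    return classes_present >= 3


def generate_password(username: str, length: int = 12) -> str:
    """Draw random passwords until one satisfies the policy."""
    alphabet = "".join(CHAR_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_meets_policy(candidate, username):
            return candidate


def render_user(username: str, password: str, group: str = GROUP) -> str:
    """CLI block for one local user, mirroring the page's commands."""
    return "\n".join([
        f"user-manage user {username}",
        f" password {password}",
        f" parent-group {group}",
        " quit",
    ])


def render_roster(student_ids, group: str = GROUP):
    """Return (cli_text, {student_id: password}) for the whole roster.

    The credentials must reach the students out of band; the page notes
    they can change the password themselves after the first login.
    """
    lines = [f"user-manage group {group}", " quit"]
    credentials = {}
    for sid in student_ids:
        pw = generate_password(sid)
        credentials[sid] = pw
        lines.append(render_user(sid, pw, group))
    return "\n".join(lines), credentials


if __name__ == "__main__":
    # Constructed roster: 20210001 is from the page, the others are made up.
    cli, creds = render_roster(["20210001", "20210002", "20210003"])
    print(cli)
```

Paste the printed CLI into system view on FW1; keep the returned credential map out of the configuration and out of version control.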
4. Configure the user authentication policy
[FW1]auth-policy //user authentication policy
[FW1-policy-auth]rule name auth-policy_teacher
[FW1-policy-auth-rule-auth-policy_teacher]source-address 192.168.10.0 24 //no destination given, so the destination address is any
[FW1-policy-auth-rule-auth-policy_teacher]action none //no authentication
[FW1-policy-auth-rule-auth-policy_teacher]quit
[FW1-policy-auth]rule name auth-policy_student
[FW1-policy-auth-rule-auth-policy_student]source-address 192.168.20.0 24
[FW1-policy-auth-rule-auth-policy_student]action auth //portal authentication required
[FW1-policy-auth-rule-auth-policy_student]quit
[FW1-policy-auth]quit
Check: action none passes teacher traffic through without identifying a user. The teacher security policy in step 6 matches on the user group /default/group_teacher, and a user-group condition can only match traffic whose user has been identified. If teacher hosts turn out to be blocked, either remove the user-group condition from security-policy_teacher or identify teachers without a login (an account bound to the host's IP address plus an authentication-exempt action instead of none), and confirm on the firewall's online-user list that the teacher host shows up with a user name.
5. Configure the portal authentication page push, redirecting to the originally requested web page after authentication
[FW1]user-manage web-authentication security port 8887 //security: the portal page is served over HTTPS; without it the page is served over plain HTTP. The default portal port is 8887
[FW1]user-manage redirect //redirect the HTTP requests of not-yet-authenticated users to the portal page, and back to the originally requested page once they have logged in
//Only cleartext HTTP requests can be intercepted and redirected in this way. A student whose first request is an HTTPS URL sees a connection failure rather than the portal and must open an HTTP URL (or the portal address directly) first.
6. Create the security policies
//security policy allowing the teacher subnet to reach the Internet
[FW1]security-policy
[FW1-policy-security]rule name security-policy_teacher
[FW1-policy-security-rule-security-policy_teacher]source-zone trust
[FW1-policy-security-rule-security-policy_teacher]destination-zone untrust
[FW1-policy-security-rule-security-policy_teacher]user user-group /default/group_teacher //user group allowed through this rule
[FW1-policy-security-rule-security-policy_teacher]action permit
[FW1-policy-security-rule-security-policy_teacher]quit
//security policy allowing the student subnet to reach the Internet; only students who have passed portal authentication match the user-group condition, everyone else falls through to the default deny
[FW1-policy-security]rule name security-policy_student
[FW1-policy-security-rule-security-policy_student]source-zone zone_student
[FW1-policy-security-rule-security-policy_student]destination-zone untrust
[FW1-policy-security-rule-security-policy_student]user user-group /default/group_student
[FW1-policy-security-rule-security-policy_student]action permit
[FW1-policy-security-rule-security-policy_student]quit
[FW1-policy-security]quit
//Students authenticate through the portal on port 8887, so traffic on that port must be allowed between zone_student and the firewall's Local zone in both directions; otherwise the login page cannot be pushed to the student subnet
[FW1]ip service-set portal_8887 type object //custom service named portal_8887. With type object an id <16-271> may be given explicitly; it must not collide with an existing id. If unsure, omit the id and let the system allocate one (ascending)
[FW1-object-service-set-portal_8887]service protocol tcp destination-port 8887 //protocol TCP; source port defaults to 0-65535 when not given; destination port 8887
[FW1-object-service-set-portal_8887]quit
[FW1]security-policy
[FW1-policy-security]rule name student_local_8887
[FW1-policy-security-rule-student_local_8887]source-zone local
[FW1-policy-security-rule-student_local_8887]source-zone zone_student
[FW1-policy-security-rule-student_local_8887]destination-zone local
[FW1-policy-security-rule-student_local_8887]destination-zone zone_student
[FW1-policy-security-rule-student_local_8887]service portal_8887 //only the portal port, not all traffic between the students and the firewall
[FW1-policy-security-rule-student_local_8887]action permit
[FW1-policy-security-rule-student_local_8887]quit
[FW1-policy-security]quit
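To see how the authentication policy of step 4 and the three security rules above combine, here is a small Python model, added as an example and not part of the original lab. It encodes the page's zones and rules, evaluates the security policy first-match with the implicit final deny, and derives the user identity from the authentication-policy action for the source subnet. Two things in it are assumptions rather than page content: the semantics that a rule with a user-group condition matches only identified users, and the teacher account teacher01 bound to 192.168.10.10 together with a no-auth action, included so that the difference from the page's action none can be seen.

```python
"""Model of how FW1's authentication policy and security policies combine.

Added example, not part of the original lab. Assumed USG6000V semantics:
a security-policy rule with a user-group condition matches only traffic
whose source user has been identified, and the auth-policy action decides
whether and how identification happens. The teacher account teacher01, its
IP binding and the 'no-auth' action are assumptions: the page configures
'action none' for the teacher subnet and creates no teacher account.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed tables mirroring the page's FW1 configuration.
FW_ADDRESSES = {"192.168.10.1", "192.168.20.1", "201.201.201.254"}  # zone local
ZONE_OF_SUBNET = {
    "192.168.10.0/24": "trust",
    "192.168.20.0/24": "zone_student",
    "201.201.201.0/24": "untrust",
}
DEFAULT_ZONE = "untrust"  # everything reached through the default route

USER_GROUPS = {
    "20210001": "/default/group_student",
    "teacher01": "/default/group_teacher",  # assumed account, not on the page
}
IP_BOUND_USERS = {"192.168.10.10": "teacher01"}  # assumed binding for 'no-auth'

# Auth policy as (source subnet, action): 'auth' = portal login required,
# 'no-auth' = identify by IP binding without a login, 'none' = pass traffic
# without identifying any user.
AuthPolicy = List[Tuple[str, str]]
AUTH_POLICY_PAGE: AuthPolicy = [
    ("192.168.10.0/24", "none"),  # what the page configures
    ("192.168.20.0/24", "auth"),
]
AUTH_POLICY_NO_AUTH: AuthPolicy = [
    ("192.168.10.0/24", "no-auth"),  # assumed alternative for the teachers
    ("192.168.20.0/24", "auth"),
]


@dataclass
class Rule:
    name: str
    src_zones: Set[str]
    dst_zones: Set[str]
    user_group: Optional[str] = None
    service: Optional[Tuple[str, int]] = None  # (protocol, destination port)
    action: str = "permit"


# The page's three rules, in configuration order.
SECURITY_POLICY = [
    Rule("security-policy_teacher", {"trust"}, {"untrust"}, "/default/group_teacher"),
    Rule("security-policy_student", {"zone_student"}, {"untrust"}, "/default/group_student"),
    Rule("student_local_8887", {"local", "zone_student"}, {"local", "zone_student"},
         service=("tcp", 8887)),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; the firewall's own addresses are Local."""
    if ip in FW_ADDRESSES:
        return "local"
    addr = ipaddress.ip_address(ip)
    for subnet, zone in ZONE_OF_SUBNET.items():
        if addr in ipaddress.ip_network(subnet):
            return zone
    return DEFAULT_ZONE


def identify(src_ip: str, portal_sessions: Dict[str, str],
             auth_policy: AuthPolicy) -> Optional[str]:
    """Return the user FW1 associates with src_ip, or None if unidentified."""
    addr = ipaddress.ip_address(src_ip)
    for subnet, action in auth_policy:
        if addr in ipaddress.ip_network(subnet):
            if action == "auth":
                return portal_sessions.get(src_ip)  # present after a portal login
            if action == "no-auth":
                return IP_BOUND_USERS.get(src_ip)
            return None  # 'none': traffic passes but carries no identity
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             portal_sessions: Dict[str, str], auth_policy: AuthPolicy) -> Tuple[str, str]:
    """First-match evaluation of the security policy with the implicit final deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    user = identify(src_ip, portal_sessions, auth_policy)
    for rule in SECURITY_POLICY:
        if src_zone not in rule.src_zones or dst_zone not in rule.dst_zones:
            continue
        if rule.user_group and USER_GROUPS.get(user) != rule.user_group:
            continue
        if rule.service and rule.service != (proto, dport):
            continue
        return rule.action, rule.name
    return "deny", "default"
```

Running evaluate for a student host before and after a portal login shows why the student_local_8887 rule is needed: without it even the login page on 192.168.20.1:8887 would hit the default deny. Running it for the teacher host with AUTH_POLICY_PAGE versus AUTH_POLICY_NO_AUTH is the check suggested in step 4; if the real device behaves like the model, the teacher rule needs either an identified user or no user-group condition.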
7. Configure Easy-IP and a default route
[FW1]nat-policy
[FW1-policy-nat]rule name to_internet
[FW1-policy-nat-rule-to_internet]source-zone trust
[FW1-policy-nat-rule-to_internet]source-zone zone_student
[FW1-policy-nat-rule-to_internet]destination-zone untrust
[FW1-policy-nat-rule-to_internet]source-address any
[FW1-policy-nat-rule-to_internet]action source-nat easy-ip //translate both internal zones to the address of the outgoing interface g1/0/2
[FW1-policy-nat-rule-to_internet]quit
[FW1-policy-nat]quit
[FW1]ip route-static 0.0.0.0 0 201.201.201.1 //default route towards the Internet
8. On router R5, configure Easy-IP and NAT Server to publish the Baidu web and FTP sites
[R5]acl 2000
[R5-acl-basic-2000]rule permit source any //all internal sources are translated
[R5-acl-basic-2000]quit
[R5]int g0/0/0
[R5-GigabitEthernet0/0/0]nat outbound 2000 //Easy-IP: translate to the interface address
[R5-GigabitEthernet0/0/0]nat server protocol tcp global current-interface 80 inside 192.168.1.10 80 //publish the Baidu web server on the interface address
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
[R5-GigabitEthernet0/0/0]nat server protocol tcp global current-interface 21 inside 192.168.1.20 21 //publish the FTP server. This maps only the control channel; FTP data connections use dynamic ports, so check during verification that the router's FTP ALG handles them or that the client mode in use works through the translation
Verification
Host 1 (teacher side) reaches the Internet address 204.204.204.2 directly, without authentication.
Host 1 (teacher side) opens http://204.204.204.2 directly, without authentication, and reaches the Baidu web site on Host 3, which R5 publishes through its NAT Server mapping.
Summary
1) Configuring only NAT Server on the router, without Easy-IP or NAPT, did not publish the internal sites in this lab: the servers had no outbound translation, so they could not reach the Internet and their replies did not return. Configure NAT Server together with Easy-IP or NAPT on R5.
2) To keep internal users from capturing each other's credentials (account theft), serve the portal login over HTTPS, that is, keep the security parameter in user-manage web-authentication security port 8887. Without it the student's user name and password cross the student subnet in cleartext, where any host on the same segment can sniff them.