admin posted on 2021-4-28 16:45:27

Firewall GRE configuration + inter-zone policy + NAT policy (Easy-IP)


Configure the ISP to simulate the public network
<Huawei>system-view
sysname isp
interface gigabitethernet 0/0/0
ip address 100.1.1.1 24
quit
interface gigabitethernet 0/0/1
ip address 200.1.1.1 24
quit
interface loopback 0
ip address 200.200.200.200 32
quit

FW1
Username:admin
Password:Admin@123
The password needs to be changed. Change now? : y
Please enter old password: Admin@123
Please enter new password: Admin1234
Please confirm new password: Admin1234

Configure the interface addresses and add the interfaces to security zones
interface gigabitethernet 1/0/6
ip address 192.168.10.1 24
quit
interface gigabitethernet 1/0/0
ip address 100.1.1.2 24
quit
interface tunnel 1  // create tunnel interface 1
ip address 172.16.10.1 24
quit
firewall zone trust  // enter the trust security zone
add interface gigabitethernet 1/0/6  // add the interface to the zone
quit
firewall zone untrust
add interface gigabitethernet 1/0/0
quit
firewall zone dmz
add interface tunnel 1
quit

Configure the GRE tunnel
interface tunnel 1  // enter tunnel interface 1
tunnel-protocol gre  // set the encapsulation protocol of the tunnel interface to GRE
source 100.1.1.2  // source address (public)
destination 200.1.1.2  // peer destination address (public)
gre key 123456  // configure key verification
gre checksum  // configure checksum verification
keepalive  // configure the keepalive mechanism
quit

Configure the route to the peer
ospf 1  // create OSPF process 1
area 0  // configure the backbone area
authentication-mode md5 1 cipher admin1234  // set the authentication mode to MD5 with an encrypted password
network 172.16.10.0 0.0.0.255  // advertise the participating networks
network 192.168.10.0 0.0.0.255
quit
quit

Configure the default route
ip route-static 0.0.0.0 0.0.0.0 100.1.1.1  // the next hop of the default route is the gateway address provided by the ISP

FW2
Username:admin
Password:Admin@123
The password needs to be changed. Change now? : y
Please enter old password: Admin@123
Please enter new password: Admin1234
Please confirm new password: Admin1234

Configure the interface addresses and add the interfaces to security zones
<USG6000V1>system-view
sysname fw2
interface gigabitethernet 1/0/6
ip address 192.168.20.1 24
quit
interface gigabitethernet 1/0/0
ip address 200.1.1.2 24
quit
interface tunnel 1
ip address 172.16.10.2 24
quit
firewall zone trust
add interface gigabitethernet 1/0/6
quit
firewall zone untrust
add interface gigabitethernet 1/0/0
quit
firewall zone dmz
add interface tunnel 1
quit

Configure the GRE tunnel
interface tunnel 1
tunnel-protocol gre
source 200.1.1.2
destination 100.1.1.2
gre key 123456
gre checksum
keepalive
quit

Configure the route to the peer
ospf 1
area 0
authentication-mode md5 1 cipher admin1234
network 172.16.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
quit
quit
Configure the default route
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
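What `gre key` and `gre checksum` actually put on the wire, as an added example that is not part of the original post and not Huawei's code: the Python below builds and parses a GRE header with the Key and Checksum fields as RFC 2784/2890 define them (the function names and the constructed inner payload are the example's own, and `tunnel_accepts` is a hypothetical stand-in for the receiving endpoint). A receiver drops a packet whose checksum does not verify or whose key differs from the configured one, which is the "verification" the comments above refer to. Note that the key is a 32-bit value carried in clear text and the checksum only catches corruption, so neither gives the tunnel confidentiality or peer authentication.

```python
import struct
from typing import Optional

GRE_PROTO_IPV4 = 0x0800   # Protocol Type of the encapsulated packet
FLAG_CHECKSUM = 0x8000    # C bit: Checksum + Reserved1 fields present (RFC 2784)
FLAG_KEY = 0x2000         # K bit: Key field present (RFC 2890)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_gre(payload: bytes, key: Optional[int] = None, with_checksum: bool = False,
              proto: int = GRE_PROTO_IPV4) -> bytes:
    """Encapsulate payload in a GRE header; key/checksum mirror `gre key` / `gre checksum`."""
    flags = (FLAG_CHECKSUM if with_checksum else 0) | (FLAG_KEY if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if with_checksum:
        header += struct.pack("!HH", 0, 0)   # checksum placeholder + Reserved1
    if key is not None:
        header += struct.pack("!I", key)     # the key travels in clear text
    packet = header + payload
    if with_checksum:
        # Checksum covers the GRE header and the payload, with the field zeroed.
        csum = (~ones_complement_sum(packet)) & 0xFFFF
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def parse_gre(packet: bytes, expected_key: Optional[int] = None) -> dict:
    """Decapsulate; raise ValueError where a tunnel endpoint would drop the packet."""
    flags, proto = struct.unpack("!HH", packet[:4])
    offset, csum, key = 4, None, None
    if flags & FLAG_CHECKSUM:
        csum = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4
        if ones_complement_sum(packet) != 0xFFFF:   # valid packet sums to all ones
            raise ValueError("GRE checksum mismatch: packet dropped")
    if flags & FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: packet dropped")
    return {"proto": proto, "key": key, "checksum": csum, "payload": packet[offset:]}


def tunnel_accepts(packet: bytes, configured_key: Optional[int]) -> bool:
    """Hypothetical receiving endpoint configured with `gre key <configured_key>`."""
    try:
        parse_gre(packet, expected_key=configured_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inner payload; a real tunnel would carry an IPv4 packet here.
    pkt = build_gre(b"constructed inner IPv4 packet", key=123456, with_checksum=True)
    print(pkt[:12].hex())                     # a000 0800 <csum> 0000 0001e240
    print(tunnel_accepts(pkt, 123456))        # True: key and checksum match
    print(tunnel_accepts(pkt, 654321))        # False: key mismatch, dropped
    corrupt = pkt[:-1] + bytes([pkt[-1] ^ 0xFF])
    print(tunnel_accepts(corrupt, 123456))    # False: checksum mismatch, dropped
```

Both FW1 and FW2 above use key 123456; if the two ends were configured with different keys, every encapsulated packet (keepalives included) would be discarded on arrival, and the tunnel would never come up.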

View the GRE interface status
display ip interface brief  // view IP interface information
2021-04-28 06:06:50.350
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 6
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 7

Interface                         IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0              192.168.0.1/24       down       down
GigabitEthernet1/0/0              200.1.1.2/24         up         up
……
GigabitEthernet1/0/6              192.168.20.1/24      up         up
NULL0                             unassigned           up         up(s)
Tunnel1                           172.16.10.2/24       up         down
Virtual-if0                       unassigned           up         up(s)
The protocol is in the DOWN state!
This is caused by the firewall's inter-zone policy:

First set the default action of the security policy to permit
security-policy  // security policy
default action permit  // set the default action of the security policy to permit
quit

security-policy
default action permit
quit

display ip interface brief
2021-04-28 06:22:08.330
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 6
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 6

Interface                         IP Address/Mask      Physical   Protocol
GigabitEthernet0/0/0              192.168.0.1/24       down       down
GigabitEthernet1/0/0              200.1.1.2/24         up         up
……
GigabitEthernet1/0/6              192.168.20.1/24      up         up
NULL0                             unassigned           up         up(s)
Tunnel1                           172.16.10.2/24       up         up
Virtual-if0                       unassigned           up         up(s)
The protocol is in the UP state!

Send one ping packet from PC1 to PC2
PC>ping 192.168.20.100 -c 1

Ping 192.168.20.100: 32 data bytes, Press Ctrl_C to break
From 192.168.20.100: bytes=32 seq=1 ttl=126 time=32 ms

--- 192.168.20.100 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/32/32 ms

View the detailed firewall session table on the FW:
display firewall session table verbose
2021-04-28 14:31:47.740 +08:00
Current Total Sessions : 2
gre  VPN: public --> public  ID: c387f52c0a3720072560896f7a
Zone: local --> untrust  TTL: 00:10:00  Left: 00:09:58
RecvInterface: GigabitEthernet1/0/0
Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000
<--packets: 240 bytes: 11,520  -->packets: 308 bytes: 19,296
200.1.1.2:0 --> 200.1.1.2:0  PolicyName: default

icmp  VPN: public --> public  ID: c487f52c0a379983b91608971d0
Zone: trust --> dmz  TTL: 00:00:20  Left: 00:00:17
RecvInterface: GigabitEthernet1/0/6
Interface: Tunnel1  NextHop: 172.16.10.2  MAC: 0000-0000-0000
<--packets: 1 bytes: 60  -->packets: 1 bytes: 60
192.168.10.100:18177 --> 192.168.20.100:2048  PolicyName: default

Analysis of the packet path from PC1 to PC2:
On FW1, PC1's data packets go Trust→DMZ (the original packet entering the tunnel interface) and Local→Untrust (the GRE-encapsulated packet sent by the firewall itself); on FW2 the path is Untrust→Local and DMZ→Trust; in the reverse direction, from FW2 to FW1, it is the same.
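The analysis above reads the zone pairs off the session table. As an added example that is not from the original post, the Python below parses the `display firewall session table verbose` output into records and reports each session's protocol, zone pair and matched policy. Sessions showing `PolicyName: default` are exactly the flows that only pass because the default action was temporarily set to permit, i.e. the flows that need an explicit rule before the default goes back to deny. The sample text is constructed from the values on this page with the spacing normalised; the function names are the example's own.

```python
import re

# Constructed sample, laid out like the `display firewall session table verbose`
# output on this page (values copied from the page, spacing normalised).
SAMPLE = """\
2021-04-28 14:31:47.740 +08:00
Current Total Sessions : 2
gre  VPN: public --> public  ID: c387f52c0a3720072560896f7a
Zone: local --> untrust  TTL: 00:10:00  Left: 00:09:58
RecvInterface: GigabitEthernet1/0/0
Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000
<--packets: 240 bytes: 11,520  -->packets: 308 bytes: 19,296
200.1.1.2:0 --> 200.1.1.2:0  PolicyName: default

icmp  VPN: public --> public  ID: c487f52c0a379983b91608971d0
Zone: trust --> dmz  TTL: 00:00:20  Left: 00:00:17
RecvInterface: GigabitEthernet1/0/6
Interface: Tunnel1  NextHop: 172.16.10.2  MAC: 0000-0000-0000
<--packets: 1 bytes: 60  -->packets: 1 bytes: 60
192.168.10.100:18177 --> 192.168.20.100:2048  PolicyName: default
"""

# One session record starts with the protocol line and ends with the address line.
HEAD = re.compile(r"^(\w+)\s+VPN:\s*(\S+)\s*-->\s*(\S+)\s+ID:\s*(\S+)")
ZONE = re.compile(r"^Zone:\s*(\S+)\s*-->\s*(\S+)\s+TTL:")
FLOW = re.compile(r"^(\S+):(\d+)\s*-->\s*(\S+):(\d+)\s+PolicyName:\s*(\S+)")


def parse_sessions(text):
    """Return a list of dicts, one per session, with protocol, zones, endpoints and policy."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEAD.match(line)
        if m:
            cur = {"proto": m.group(1), "vpn": (m.group(2), m.group(3)), "id": m.group(4)}
            sessions.append(cur)
            continue
        if cur is None:
            continue          # header lines before the first session
        m = ZONE.match(line)
        if m:
            cur["src_zone"], cur["dst_zone"] = m.group(1), m.group(2)
            continue
        m = FLOW.match(line)
        if m:
            cur["src"], cur["sport"] = m.group(1), int(m.group(2))
            cur["dst"], cur["dport"] = m.group(3), int(m.group(4))
            cur["policy"] = m.group(5)
    return sessions


def zone_pairs(sessions):
    """Distinct (protocol, source zone, destination zone) triples seen in the table."""
    return sorted({(s["proto"], s["src_zone"], s["dst_zone"]) for s in sessions})


def on_default_policy(sessions):
    """Sessions no explicit rule matched: allowed only by `default action permit`."""
    return [s for s in sessions if s.get("policy") == "default"]


def rules_needed(sessions):
    """Zone pairs that must get an explicit rule before the default returns to deny."""
    return zone_pairs(on_default_policy(sessions))


if __name__ == "__main__":
    found = parse_sessions(SAMPLE)
    for s in found:
        print(f'{s["proto"]:5} {s["src_zone"]}->{s["dst_zone"]} '
              f'{s["src"]}:{s["sport"]} -> {s["dst"]}:{s["dport"]} policy={s["policy"]}')
    print("rules needed:", rules_needed(found))
```

On the page's table this reports the two pairs gre local→untrust and icmp trust→dmz, which is what the td-dt and lu-ul rules below encode; the return-direction pairs (untrust→local, dmz→trust) are the same sessions seen from the other side and are covered by listing both zones in each rule.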

Configure the inter-zone policy according to these zone directions!
security-policy
default action deny  // restore the policy's default action to deny
quit

security-policy
default action deny
quit

Configure the inter-zone policy
FW1
security-policy  // security policy
rule name td-dt  // create a rule named td-dt
source-zone trust dmz  // source security zones trust and dmz
destination-zone dmz trust  // destination security zones dmz and trust
action permit  // action permit
quit
rule name lu-ul  // create the rule lu-ul for the local/untrust zone pair
source-zone local untrust
destination-zone untrust local
action permit
service gre  // allow the encapsulated GRE packets through
quit
quit

FW2
security-policy
rule name td-dt
source-zone trust dmz
destination-zone dmz trust
action permit
quit
rule name lu-ul
source-zone local untrust
destination-zone untrust local
action permit
service gre
quit
quit

Verify the result:
display interface Tunnel 1
2021-04-28 06:56:25.420
Tunnel1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2021-04-28 06:52:38
Description:Huawei, USG6000V1-ENSP Series, Tunnel1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.16.10.2/24
……
Test communication between PC1 and PC2
PC>ping 192.168.20.100 -c 1

Ping 192.168.20.100: 32 data bytes, Press Ctrl_C to break
From 192.168.20.100: bytes=32 seq=1 ttl=126 time=16 ms

--- 192.168.20.100 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/16/16 ms
Reaching PC2 on the other end succeeds, which shows the GRE tunnel is working normally.

PC>ping 200.200.200.200

Ping 200.200.200.200: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 200.200.200.200 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

At this point pinging the public network fails, because no NAT translation has been configured and there is no inter-zone security policy for it!
NAT must be configured on the firewall's GE1/0/0 interface (Easy-IP is configured here)
FW1
nat-policy  // NAT policy
rule name zurkj  // configure the rule name
source-zone trust  // source security zone trust
destination-zone untrust  // destination zone
source-address 192.168.10.0 0.0.0.255  // configure the source address range
action source-nat easy-ip  // source NAT in easy-ip mode, i.e. borrow the FW's public address to reach the public network
quit
quit
security-policy
rule name t-u  // configure the trust→untrust inter-zone security policy
source-zone trust
destination-zone untrust
action permit
quit
quit

FW2
nat-policy
rule name zurkj
source-zone trust
destination-zone untrust
source-address 192.168.20.0 0.0.0.255
action source-nat easy-ip
quit
quit
security-policy
rule name t-u
source-zone trust
destination-zone untrust
action permit
quit
quit

Test PC access to a public IP
PC>ping 200.200.200.200

Ping 200.200.200.200: 32 data bytes, Press Ctrl_C to break
From 200.200.200.200: bytes=32 seq=1 ttl=254 time=15 ms
From 200.200.200.200: bytes=32 seq=2 ttl=254 time=16 ms
From 200.200.200.200: bytes=32 seq=3 ttl=254 time=16 ms
From 200.200.200.200: bytes=32 seq=4 ttl=254 time=15 ms
From 200.200.200.200: bytes=32 seq=5 ttl=254 time=16 ms

--- 200.200.200.200 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/15/16 ms

Derived question: if the PCs with addresses .200-.254 are now required to be unable to access the public network, how is this done?
There are two approaches to achieve the goal:

1. In the nat-policy, do not translate the addresses concerned, so that they cannot connect to the public network

2. In the trust→untrust inter-zone policy, apply the deny action to the addresses concerned!


nat-policy
rule name zurkj
undo source-address 192.168.10.0 0.0.0.255
source-address range 192.168.10.1 192.168.10.200  // set the source address range to .1~.200
quit
quit
The logic of this approach is that only the .1~.200 address range is NAT-translated; addresses outside the range are not translated.

nat-policy
rule name zurkj
undo source-address range 192.168.10.1 192.168.10.200  // restore the original configuration
source-address 192.168.10.0 0.0.0.255
quit
quit

security-policy
rule name t-u
source-address range 192.168.10.0 192.168.10.200
display this
2021-04-28 15:51:50.940 +08:00
#
 rule name t-u
  source-zone trust
  destination-zone untrust
  source-address range 192.168.10.0 192.168.10.200
  action permit
#
return
The logic of this approach is that only the .1~.200 address range matches the inter-zone security policy; addresses outside the range cannot pass the inter-zone security policy.
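To show where each of the two approaches stops the traffic, here is an added example (not from the original post, and a simplified model rather than the USG's real implementation): a first-match evaluator for the page's security-policy rules td-dt, lu-ul and t-u and the nat-policy rule zurkj, with `source-address range` limits. It reproduces the points made on this page: without lu-ul the GRE packets between local and untrust fall through to the default deny (the protocol-down tunnel seen earlier), and for the derived question a host at .230 is either left untranslated (approach 1) or denied by the inter-zone policy (approach 2), while a host at .150 still gets Easy-IP. The ranges are used exactly as configured above, and both end at .200 inclusive, so .200 itself is still permitted and translated. Rule and flow names are the example's own.

```python
from ipaddress import ip_address


class Rule:
    """One security-policy or nat-policy rule in a simplified model: zone pair,
    optional service list and optional `source-address range` (inclusive)."""

    def __init__(self, name, src_zones, dst_zones, action, services=("any",), src_range=None):
        self.name = name
        self.src_zones, self.dst_zones = set(src_zones), set(dst_zones)
        self.action = action
        self.services = set(services)
        self.src_range = tuple(ip_address(a) for a in src_range) if src_range else None

    def matches(self, flow):
        if flow["src_zone"] not in self.src_zones or flow["dst_zone"] not in self.dst_zones:
            return False
        if "any" not in self.services and flow["service"] not in self.services:
            return False
        if self.src_range and not (self.src_range[0] <= ip_address(flow["src"]) <= self.src_range[1]):
            return False
        return True


def security_decision(rules, default_action, flow):
    """First matching rule wins; otherwise the policy's default action applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default_action, "default"


def nat_decision(nat_rules, flow):
    """NAT action of the first matching nat-policy rule, or None for no translation
    (the packet would leave with its private source address and get no reply)."""
    for rule in nat_rules:
        if rule.matches(flow):
            return rule.action
    return None


def flow(src_zone, dst_zone, service, src="192.168.10.100"):
    return {"src_zone": src_zone, "dst_zone": dst_zone, "service": service, "src": src}


# FW1 rules as configured on this page
TD_DT = Rule("td-dt", ["trust", "dmz"], ["dmz", "trust"], "permit")
LU_UL = Rule("lu-ul", ["local", "untrust"], ["untrust", "local"], "permit", services=["gre"])
T_U = Rule("t-u", ["trust"], ["untrust"], "permit")
FW1_POLICY = [TD_DT, LU_UL, T_U]
NAT_ZURKJ = Rule("zurkj", ["trust"], ["untrust"], "easy-ip",
                 src_range=("192.168.10.0", "192.168.10.255"))   # 192.168.10.0 0.0.0.255

# The flows one PC1 -> PC2 ping produces on FW1: inner ICMP packet and GRE envelope, each way
TUNNEL_FLOWS = [
    flow("trust", "dmz", "icmp"),                         # PC1's packet entering Tunnel1
    flow("local", "untrust", "gre", src="100.1.1.2"),     # envelope built by FW1 itself
    flow("untrust", "local", "gre", src="200.1.1.2"),     # reply envelope from FW2
    flow("dmz", "trust", "icmp", src="192.168.20.100"),   # decapsulated reply to PC1
]


def tunnel_permitted(rules):
    """True if every flow of the tunnelled ping passes with `default action deny`."""
    return all(security_decision(rules, "deny", f)[0] == "permit" for f in TUNNEL_FLOWS)


# The two approaches to the derived question (ranges exactly as on the page)
NAT_RESTRICTED = Rule("zurkj", ["trust"], ["untrust"], "easy-ip",
                      src_range=("192.168.10.1", "192.168.10.200"))
T_U_RESTRICTED = Rule("t-u", ["trust"], ["untrust"], "permit",
                      src_range=("192.168.10.0", "192.168.10.200"))


def internet_access(host, nat_rules, sec_rules):
    """(security action, NAT action) for host pinging the public network through FW1.
    The security policy is checked on the untranslated packet; NAT only applies if permitted."""
    f = flow("trust", "untrust", "icmp", src=host)
    action, _ = security_decision(sec_rules, "deny", f)
    nat = nat_decision(nat_rules, f) if action == "permit" else None
    return action, nat


if __name__ == "__main__":
    print("tunnel with td-dt, lu-ul, t-u:", tunnel_permitted(FW1_POLICY))
    print("tunnel without lu-ul:", tunnel_permitted([TD_DT, T_U]))
    for host in ("192.168.10.150", "192.168.10.200", "192.168.10.230"):
        print(host, "approach 1:", internet_access(host, [NAT_RESTRICTED], FW1_POLICY),
              "approach 2:", internet_access(host, [NAT_ZURKJ], [TD_DT, LU_UL, T_U_RESTRICTED]))
```

The practical difference the model makes visible: with approach 1 the excluded hosts are still permitted by the security policy and their packets leave GE1/0/0 with a private source address, so they merely get no reply; with approach 2 the packets never leave the firewall, which is the cleaner place to enforce the restriction.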

End.