 
Firewall GRE configuration + interzone policy + NAT policy (Easy-IP)
 Configure the ISP router to simulate the public network
 <Huawei>system-view
 [Huawei]sysname isp
 [isp]interface gigabitethernet 0/0/0
 [isp-GigabitEthernet0/0/0]ip address 100.1.1.1 24
 [isp-GigabitEthernet0/0/0]quit
 [isp]interface gigabitethernet 0/0/1
 [isp-GigabitEthernet0/0/1]ip address 200.1.1.1 24
 [isp-GigabitEthernet0/0/1]quit
 [isp]interface loopback 0
 [isp-LoopBack0]ip address 200.200.200.200 32  //simulated public host, used for the NAT test later
 [isp-LoopBack0]quit
 
 FW1
 Username:admin
 Password:Admin@123
 The password needs to be changed. Change now? [Y/N]: y
 Please enter old password: Admin@123
 Please enter new password: Admin1234  //lab credentials only
 Please confirm new password: Admin1234
 
 Configure interface addresses and assign the interfaces to security zones
 <USG6000V1>system-view
 [USG6000V1]sysname fw1
 [fw1]interface gigabitethernet 1/0/6
 [fw1-GigabitEthernet1/0/6]ip address 192.168.10.1 24
 [fw1-GigabitEthernet1/0/6]quit
 [fw1]interface gigabitethernet 1/0/0
 [fw1-GigabitEthernet1/0/0]ip address 100.1.1.2 24
 [fw1-GigabitEthernet1/0/0]quit
 [fw1]interface tunnel 1  //create tunnel interface 1
 [fw1-Tunnel1]ip address 172.16.10.1 24
 [fw1-Tunnel1]quit
 [fw1]firewall zone trust  //enter the trust zone
 [fw1-zone-trust]add interface gigabitethernet 1/0/6  //add the interface to the zone
 [fw1-zone-trust]quit
 [fw1]firewall zone untrust
 [fw1-zone-untrust]add interface gigabitethernet 1/0/0
 [fw1-zone-untrust]quit
 [fw1]firewall zone dmz
 [fw1-zone-dmz]add interface tunnel 1  //the tunnel interface gets its own zone, so decapsulated traffic is policed separately from the outer GRE flow
 [fw1-zone-dmz]quit
 Configure the GRE tunnel
 [fw1]interface tunnel 1  //enter tunnel interface 1
 [fw1-Tunnel1]tunnel-protocol gre  //set the tunnel encapsulation to GRE
 [fw1-Tunnel1]source 100.1.1.2  //tunnel source (public address)
 [fw1-Tunnel1]destination 200.1.1.2  //peer tunnel destination (public address)
 [fw1-Tunnel1]gre key 123456  //key check: packets whose 32-bit key does not match are dropped. The key travels in clear text, so this filters stray or misconfigured peers; it is not authentication
 [fw1-Tunnel1]gre checksum  //checksum check: detects corruption, not tampering
 [fw1-Tunnel1]keepalive  //keepalive: the tunnel line protocol goes down when the peer stops answering
 [fw1-Tunnel1]quit
 GRE itself encrypts nothing: everything sent through the tunnel crosses the ISP in clear text. A production link would protect the tunnel with IPsec; this lab covers GRE only.
 Configure routing to the peer site
 [fw1]ospf 1  //create OSPF process 1
 [fw1-ospf-1]area 0  //backbone area
 [fw1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234  //MD5 area authentication, key ID 1, key stored encrypted (cipher)
 [fw1-ospf-1-area-0.0.0.0]network 172.16.10.0 0.0.0.255  //advertise the tunnel network so the OSPF adjacency forms across the tunnel
 [fw1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255  //advertise the local LAN
 [fw1-ospf-1-area-0.0.0.0]quit
 [fw1-ospf-1]quit
 Configure the default route
 [fw1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1  //next hop is the gateway address provided by the ISP; it carries the outer GRE packets and, later, the NAT traffic
 
 FW2
 Username:admin
 Password:Admin@123
 The password needs to be changed. Change now? [Y/N]: y
 Please enter old password: Admin@123
 Please enter new password: Admin1234
 Please confirm new password: Admin1234
 
 Configure interface addresses and assign the interfaces to security zones
 <USG6000V1>system-view
 [USG6000V1]sysname fw2
 [fw2]interface gigabitethernet 1/0/6
 [fw2-GigabitEthernet1/0/6]ip address 192.168.20.1 24
 [fw2-GigabitEthernet1/0/6]quit
 [fw2]interface gigabitethernet 1/0/0
 [fw2-GigabitEthernet1/0/0]ip address 200.1.1.2 24
 [fw2-GigabitEthernet1/0/0]quit
 [fw2]interface tunnel 1
 [fw2-Tunnel1]ip address 172.16.10.2 24
 [fw2-Tunnel1]quit
 [fw2]firewall zone trust
 [fw2-zone-trust]add interface gigabitethernet 1/0/6
 [fw2-zone-trust]quit
 [fw2]firewall zone untrust
 [fw2-zone-untrust]add interface gigabitethernet 1/0/0
 [fw2-zone-untrust]quit
 [fw2]firewall zone dmz
 [fw2-zone-dmz]add interface tunnel 1
 [fw2-zone-dmz]quit
 
 Configure the GRE tunnel
 [fw2]interface tunnel 1
 [fw2-Tunnel1]tunnel-protocol gre
 [fw2-Tunnel1]source 200.1.1.2
 [fw2-Tunnel1]destination 100.1.1.2
 [fw2-Tunnel1]gre key 123456  //must match the key configured on FW1
 [fw2-Tunnel1]gre checksum
 [fw2-Tunnel1]keepalive
 [fw2-Tunnel1]quit
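What `gre key` and `gre checksum` actually put on the wire, as an added example (Python; not code from the original page or from Huawei): it builds and parses a GRE header with the Key and Checksum extensions of RFC 2784/2890, using the page's key 123456 and a constructed byte string in place of the inner IPv4 packet. The practitioner's takeaway is in `key_from_wire`: the key is a clear-text 32-bit value, so a key mismatch only rejects stray or misconfigured peers, and the checksum only detects corruption. Neither gives confidentiality or authenticity; that needs IPsec on top of the tunnel.

```python
"""GRE encapsulation with the Key and Checksum extensions (RFC 2784 / RFC 2890).

Added example, not from the original page or from Huawei. The payload below is
a constructed stand-in for the inner IPv4 packet; the key 123456 is the one
the page configures with `gre key`.
"""
import struct
from typing import Dict, Optional

GRE_FLAG_C = 0x8000      # Checksum Present bit
GRE_FLAG_K = 0x2000      # Key Present bit (RFC 2890)
ETHERTYPE_IPV4 = 0x0800  # protocol type of the encapsulated packet


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encap(payload: bytes, key: Optional[int] = None,
              checksum: bool = False, proto: int = ETHERTYPE_IPV4) -> bytes:
    """Build GRE header + payload: flags/version, proto, [checksum+reserved1], [key]."""
    flags = (GRE_FLAG_C if checksum else 0) | (GRE_FLAG_K if key is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)   # checksum is computed with this field zeroed
    if key is not None:
        hdr += struct.pack("!I", key & 0xFFFFFFFF)
    pkt = hdr + payload
    if checksum:
        # RFC 2784: checksum covers the GRE header and the payload
        pkt = pkt[:4] + struct.pack("!H", ones_complement_checksum(pkt)) + pkt[6:]
    return pkt


def gre_decap(pkt: bytes, expected_key: Optional[int] = None) -> Dict:
    """Parse a GRE packet the way a receiving tunnel endpoint does.

    checksum_ok is False when the C bit is set and the checksum does not verify;
    key_ok is False when the sender's key differs from expected_key, which is the
    case a `gre key`-configured endpoint drops.
    """
    flags, proto = struct.unpack("!HH", pkt[:4])
    off = 4
    checksum_ok = True
    if flags & GRE_FLAG_C:
        received = struct.unpack("!H", pkt[4:6])[0]
        checksum_ok = ones_complement_checksum(pkt[:4] + b"\x00\x00" + pkt[6:]) == received
        off += 4
    key = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    key_ok = expected_key is None or key == expected_key
    return {"proto": proto, "key": key, "checksum_ok": checksum_ok,
            "key_ok": key_ok, "payload": pkt[off:]}


def key_from_wire(pkt: bytes) -> Optional[int]:
    """What a passive observer on the ISP path learns: the key is not secret."""
    return gre_decap(pkt)["key"]


if __name__ == "__main__":
    inner = b"constructed inner IPv4 packet (PC1 -> PC2)"
    wire = gre_encap(inner, key=123456, checksum=True)
    print(wire.hex())
    print(gre_decap(wire, expected_key=123456))
    print("observer reads key:", key_from_wire(wire))
```

Flipping any payload byte makes `checksum_ok` false, and a peer sending key 654321 is rejected via `key_ok`; but both checks are recomputable by anyone who can inject packets toward 100.1.1.2 or 200.1.1.2, which is why the interzone policy and, in production, IPsec matter more than the key.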
 
 Configure routing to the peer site
 [fw2]ospf 1
 [fw2-ospf-1]area 0
 [fw2-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234  //key ID and key must match FW1
 [fw2-ospf-1-area-0.0.0.0]network 172.16.10.0 0.0.0.255
 [fw2-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
 [fw2-ospf-1-area-0.0.0.0]quit
 [fw2-ospf-1]quit
 Configure the default route
 [fw2]ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
 
 Check the GRE interface status
 [fw2]display ip interface brief  //show the IP interface summary
 2021-04-28 06:06:50.350
 *down: administratively down
 ^down: standby
 (l): loopback
 (s): spoofing
 (d): Dampening Suppressed
 (E): E-Trunk down
 The number of interface that is UP in Physical is 5
 The number of interface that is DOWN in Physical is 6
 The number of interface that is UP in Protocol is 4
 The number of interface that is DOWN in Protocol is 7

 Interface                         IP Address/Mask      Physical  Protocol
 GigabitEthernet0/0/0              192.168.0.1/24       down      down
 GigabitEthernet1/0/0              200.1.1.2/24         up        up
 ……
 GigabitEthernet1/0/6              192.168.20.1/24      up        up
 NULL0                             unassigned           up        up(s)
 Tunnel1                           172.16.10.2/24       up        down
 Virtual-if0                       unassigned           up        up(s)
 The tunnel's line protocol is DOWN!
 This is caused by the firewall's interzone policy: the security policy's default action is deny, so the GRE keepalives (local → untrust outbound, untrust → local inbound) are dropped and the keepalive check brings the tunnel down. The quickest way to confirm this is to open the policy temporarily:
 
 First set the security policy's default action to permit (troubleshooting only; it is restored to deny further down)
 [fw1]security-policy  //security policy view
 [fw1-policy-security]default action permit  //set the default action to permit
 [fw1-policy-security]quit

 [fw2]security-policy
 [fw2-policy-security]default action permit
 [fw2-policy-security]quit
 
 [fw2]display ip interface brief
 2021-04-28 06:22:08.330
 *down: administratively down
 ^down: standby
 (l): loopback
 (s): spoofing
 (d): Dampening Suppressed
 (E): E-Trunk down
 The number of interface that is UP in Physical is 5
 The number of interface that is DOWN in Physical is 6
 The number of interface that is UP in Protocol is 5
 The number of interface that is DOWN in Protocol is 6

 Interface                         IP Address/Mask      Physical  Protocol
 GigabitEthernet0/0/0              192.168.0.1/24       down      down
 GigabitEthernet1/0/0              200.1.1.2/24         up        up
 ……
 GigabitEthernet1/0/6              192.168.20.1/24      up        up
 NULL0                             unassigned           up        up(s)
 Tunnel1                           172.16.10.2/24       up        up
 Virtual-if0                       unassigned           up        up(s)
 The line protocol is now UP!
 
 Send a single ping from PC1 to PC2
 PC>ping 192.168.20.100 -c 1

 Ping 192.168.20.100: 32 data bytes, Press Ctrl_C to break
 From 192.168.20.100: bytes=32 seq=1 ttl=126 time=32 ms

 --- 192.168.20.100 ping statistics ---
 1 packet(s) transmitted
 1 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 32/32/32 ms
 The reply TTL of 126 is consistent with exactly two decrements (FW2 and FW1): the ISP router only forwards the outer GRE packet and never touches the inner header.
 
 Look at the detailed firewall session table on FW1:
 [fw1]display firewall session table verbose
 2021-04-28 14:31:47.740 +08:00
 Current Total Sessions : 2
 gre  VPN: public --> public  ID: c387f52c0a3720072560896f7a
 Zone: local --> untrust  TTL: 00:10:00 Left: 00:09:58
 RecvInterface: GigabitEthernet1/0/0
 Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000
 <--packets: 240 bytes: 11,520 -->packets: 308 bytes: 19,296
 200.1.1.2:0 --> 200.1.1.2:0 PolicyName: default

 icmp  VPN: public --> public  ID: c487f52c0a379983b91608971d0
 Zone: trust --> dmz  TTL: 00:00:20 Left: 00:00:17
 RecvInterface: GigabitEthernet1/0/6
 Interface: Tunnel1  NextHop: 172.16.10.2  MAC: 0000-0000-0000
 <--packets: 1 bytes: 60 --> packets: 1 bytes: 60
 192.168.10.100:18177 --> 192.168.20.100:2048 PolicyName: default
 
 Analysing the path of a packet from PC1 to PC2:
 On FW1, PC1's packet is first matched as Trust → DMZ (the inner packet, routed into Tunnel1) and then, once encapsulated, as Local → Untrust (the outer GRE packet, sourced by the firewall itself). On FW2 the same packet is seen as Untrust → Local (outer GRE packet) and then DMZ → Trust (decapsulated inner packet). The reply from PC2 to PC1 is the mirror image. Both sessions above show PolicyName: default, i.e. they only pass because of the temporary permit-all; those two zone pairs are exactly the rules that have to be written.
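A way to turn the session table into the least-privilege rule set, as an added example (Python; not from the original page): `parse_sessions` reads the `display firewall session table verbose` format shown above, `derive_rules` collapses it into (source-zone, destination-zone, service) triples, and `render_cli` prints them as USG security-policy rules. The sample text is constructed from the page's output (the outer flow's source is written as the tunnel source 100.1.1.2); the emitted rule names are arbitrary, and `service icmp` / `service gre` rely on the USG predefined services.

```python
"""Derive least-privilege interzone rules from a USG session table dump.

Added example, not from the original page. SAMPLE is constructed in the format
of `display firewall session table verbose`, modelled on the two sessions the
page shows on FW1.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
Current Total Sessions : 2
gre  VPN: public --> public  ID: c387f52c0a3720072560896f7a
Zone: local --> untrust  TTL: 00:10:00 Left: 00:09:58
RecvInterface: GigabitEthernet1/0/0
Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000
<--packets: 240 bytes: 11,520 -->packets: 308 bytes: 19,296
100.1.1.2:0 --> 200.1.1.2:0 PolicyName: default

icmp  VPN: public --> public  ID: c487f52c0a379983b91608971d0
Zone: trust --> dmz  TTL: 00:00:20 Left: 00:00:17
RecvInterface: GigabitEthernet1/0/6
Interface: Tunnel1  NextHop: 172.16.10.2  MAC: 0000-0000-0000
<--packets: 1 bytes: 60 --> packets: 1 bytes: 60
192.168.10.100:18177 --> 192.168.20.100:2048 PolicyName: default
"""

# first line of a session block: "<proto>  VPN: a --> b  ID: ..."
HEAD_RE = re.compile(r"^(?P<proto>[a-z0-9]+)\s+VPN:\s*\S+\s*-->\s*\S+\s+ID:")
ZONE_RE = re.compile(r"^Zone:\s*(?P<src_zone>\S+)\s*-->\s*(?P<dst_zone>\S+)")
FLOW_RE = re.compile(r"^(?P<sip>[\d.]+):(?P<sport>\d+)\s*-->\s*"
                     r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+PolicyName:\s*(?P<policy>\S+)")

Rule = Tuple[str, str, str]  # (source-zone, destination-zone, service)


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session block: proto, zones, endpoints and the policy that matched."""
    sessions: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEAD_RE.match(line)
        if m:
            cur = {"proto": m.group("proto")}
            sessions.append(cur)
            continue
        if not cur:
            continue  # banner lines before the first session
        m = ZONE_RE.match(line) or FLOW_RE.match(line)
        if m:
            cur.update(m.groupdict())
    return sessions


def derive_rules(sessions: List[Dict[str, str]]) -> List[Rule]:
    """Collapse sessions to distinct (src_zone, dst_zone, service) triples.

    A session already covers its own reply packets, so ICMP needs no mirror
    rule. GRE is different: each tunnel endpoint originates its own keepalives,
    so the peer-initiated outer flow (untrust --> local) must be permitted too,
    which is why the page allows local<->untrust in both directions.
    """
    needed: Dict[Rule, None] = {}
    for s in sessions:
        needed[(s["src_zone"], s["dst_zone"], s["proto"])] = None
        if s["proto"] == "gre":
            needed[(s["dst_zone"], s["src_zone"], "gre")] = None
    return list(needed)


def mirror_for_peer(rules: List[Rule]) -> List[Rule]:
    """The same flows as seen on the far firewall (FW2): source and destination zones swap."""
    return list(dict.fromkeys((d, s, p) for s, d, p in rules))


def render_cli(rules: List[Rule]) -> str:
    """Emit USG security-policy rules, each restricted to a single service."""
    lines = ["security-policy"]
    for src, dst, svc in rules:
        lines += [f" rule name {src}-{dst}-{svc}",
                  f"  source-zone {src}",
                  f"  destination-zone {dst}",
                  f"  service {svc}",
                  "  action permit"]
    return "\n".join(lines)


if __name__ == "__main__":
    rules = derive_rules(parse_sessions(SAMPLE))
    print("# FW1")
    print(render_cli(rules))
    print("# FW2")
    print(render_cli(mirror_for_peer(rules)))
```

Compared with the page's td-dt rule, which permits every service between trust and dmz, the generated trust → dmz rule is restricted to ICMP; widen it deliberately as real services are added rather than starting open.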
 
 Configure the interzone policy according to these zone pairs!
 [fw1]security-policy
 [fw1-policy-security]default action deny  //restore the default action to deny
 [fw1-policy-security]quit

 [fw2]security-policy
 [fw2-policy-security]default action deny
 [fw2-policy-security]quit

 Configure the interzone policy
 FW1
 [fw1]security-policy  //security policy view
 [fw1-policy-security]rule name td-dt  //create a rule named td-dt
 [fw1-policy-security-rule-td-dt]source-zone trust dmz  //source zones trust and dmz
 [fw1-policy-security-rule-td-dt]destination-zone dmz trust  //destination zones dmz and trust
 [fw1-policy-security-rule-td-dt]action permit  //action permit
 [fw1-policy-security-rule-td-dt]quit
 [fw1-policy-security]rule name lu-ul
 [fw1-policy-security-rule-lu-ul]source-zone local untrust
 [fw1-policy-security-rule-lu-ul]destination-zone untrust local
 [fw1-policy-security-rule-lu-ul]action permit
 [fw1-policy-security-rule-lu-ul]service gre  //only the encapsulated GRE packets may pass between the firewall itself and the Internet
 [fw1-policy-security-rule-lu-ul]quit
 [fw1-policy-security]quit
 Note that td-dt carries no service restriction, so any protocol may cross between the two sites through the tunnel. Once the tunnel is verified, narrow it to the services actually needed (for this test, service icmp).
 
 FW2
 [fw2]security-policy
 [fw2-policy-security]rule name td-dt
 [fw2-policy-security-rule-td-dt]source-zone trust dmz
 [fw2-policy-security-rule-td-dt]destination-zone dmz trust
 [fw2-policy-security-rule-td-dt]action permit
 [fw2-policy-security-rule-td-dt]quit
 [fw2-policy-security]rule name lu-ul
 [fw2-policy-security-rule-lu-ul]source-zone local untrust
 [fw2-policy-security-rule-lu-ul]destination-zone untrust local
 [fw2-policy-security-rule-lu-ul]action permit
 [fw2-policy-security-rule-lu-ul]service gre
 [fw2-policy-security-rule-lu-ul]quit
 [fw2-policy-security]quit
 
 Verify the result:
 [fw2]display interface Tunnel 1
 2021-04-28 06:56:25.420
 Tunnel1 current state : UP
 Line protocol current state : UP
 Last line protocol up time : 2021-04-28 06:52:38
 Description:Huawei, USG6000V1-ENSP Series, Tunnel1 Interface
 Route Port,The Maximum Transmit Unit is 1500
 Internet Address is 172.16.10.2/24
 
 …… Test communication between PC1 and PC2
 PC>ping 192.168.20.100 -c 1

 Ping 192.168.20.100: 32 data bytes, Press Ctrl_C to break
 From 192.168.20.100: bytes=32 seq=1 ttl=126 time=16 ms

 --- 192.168.20.100 ping statistics ---
 1 packet(s) transmitted
 1 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 16/16/16 ms
 PC2 at the remote site is reachable, so the GRE tunnel works with the default action back at deny.
 
 PC>ping 200.200.200.200

 Ping 200.200.200.200: 32 data bytes, Press Ctrl_C to break
 Request timeout!
 Request timeout!
 Request timeout!
 Request timeout!
 Request timeout!

 --- 200.200.200.200 ping statistics ---
 5 packet(s) transmitted
 0 packet(s) received
 100.00% packet loss

 Pinging the public network fails at this point for two reasons: no NAT translation has been configured, and there is no trust → untrust interzone security policy!
 NAT must be configured on the firewall's GE1/0/0 interface (Easy-IP is used here)
 FW1
 [fw1]nat-policy  //NAT policy view
 [fw1-policy-nat]rule name zurkj  //rule name
 [fw1-policy-nat-rule-zurkj]source-zone trust  //source zone trust
 [fw1-policy-nat-rule-zurkj]destination-zone untrust  //destination zone
 [fw1-policy-nat-rule-zurkj]source-address 192.168.10.0 0.0.0.255  //source address range to translate
 [fw1-policy-nat-rule-zurkj]action source-nat easy-ip  //source NAT in Easy-IP mode: borrow the firewall's public interface address to reach the Internet
 [fw1-policy-nat-rule-zurkj]quit
 [fw1-policy-nat]quit
 [fw1]security-policy
 [fw1-policy-security]rule name t-u  //trust → untrust interzone security policy
 [fw1-policy-security-rule-t-u]source-zone trust
 [fw1-policy-security-rule-t-u]destination-zone untrust
 [fw1-policy-security-rule-t-u]action permit
 [fw1-policy-security-rule-t-u]quit
 [fw1-policy-security]quit
 Because the NAT rule is scoped to destination-zone untrust, traffic entering the tunnel (trust → dmz) is not translated and keeps its private source address, which is what site-to-site traffic needs.
 
 FW2
 [fw2]nat-policy
 [fw2-policy-nat]rule name zurkj
 [fw2-policy-nat-rule-zurkj]source-zone trust
 [fw2-policy-nat-rule-zurkj]destination-zone untrust
 [fw2-policy-nat-rule-zurkj]source-address 192.168.20.0 0.0.0.255
 [fw2-policy-nat-rule-zurkj]action source-nat easy-ip
 [fw2-policy-nat-rule-zurkj]quit
 [fw2-policy-nat]quit
 [fw2]security-policy
 [fw2-policy-security]rule name t-u
 [fw2-policy-security-rule-t-u]source-zone trust
 [fw2-policy-security-rule-t-u]destination-zone untrust
 [fw2-policy-security-rule-t-u]action permit
 [fw2-policy-security-rule-t-u]quit
 [fw2-policy-security]quit
 
 Test PC access to the public IP
 PC>ping 200.200.200.200

 Ping 200.200.200.200: 32 data bytes, Press Ctrl_C to break
 From 200.200.200.200: bytes=32 seq=1 ttl=254 time=15 ms
 From 200.200.200.200: bytes=32 seq=2 ttl=254 time=16 ms
 From 200.200.200.200: bytes=32 seq=3 ttl=254 time=16 ms
 From 200.200.200.200: bytes=32 seq=4 ttl=254 time=15 ms
 From 200.200.200.200: bytes=32 seq=5 ttl=254 time=16 ms

 --- 200.200.200.200 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 15/15/16 ms
 
 Follow-up question: if PCs with addresses .200–.254 must not be able to reach the public network, how is this done?
 There are two ways to achieve the goal:

 1. In the nat-policy, exclude those source addresses from translation so they cannot connect to the public network
 2. In the trust → untrust interzone policy, deny those source addresses (here done by narrowing the permit rule so the remaining addresses fall through to the default deny)!

 [fw1]nat-policy
 [fw1-policy-nat]rule name zurkj
 [fw1-policy-nat-rule-zurkj]undo source-address 192.168.10.0 0.0.0.255
 [fw1-policy-nat-rule-zurkj]source-address range 192.168.10.1 192.168.10.200  //source address range .1–.200
 [fw1-policy-nat-rule-zurkj]quit
 [fw1-policy-nat]quit
 The logic of this option is that only .1–.200 are translated; addresses outside the range are left untranslated. Two caveats: the range as written still includes .200 (end it at .199 if .200 itself must be blocked), and untranslated packets are not dropped by the firewall. The t-u security policy still permits them, so they leave GE1/0/0 with their private source address and only fail because they are discarded upstream or the reply cannot find its way back. Option 2 (or both together) is the real control.

 [fw1]nat-policy
 [fw1-policy-nat]rule name zurkj
 [fw1-policy-nat-rule-zurkj]undo source-address range 192.168.10.1 192.168.10.200  //restore the original configuration
 [fw1-policy-nat-rule-zurkj]source-address 192.168.10.0 0.0.0.255
 [fw1-policy-nat-rule-zurkj]quit
 [fw1-policy-nat]quit
 
 [fw1]security-policy
 [fw1-policy-security]rule name t-u
 [fw1-policy-security-rule-t-u]source-address range 192.168.10.0 192.168.10.200
 [fw1-policy-security-rule-t-u]display this
 2021-04-28 15:51:50.940 +08:00
 #
 rule name t-u
  source-zone trust
  destination-zone untrust
  source-address range 192.168.10.0 192.168.10.200
  action permit
 #
 return
 The logic of this option is that only sources in the range .0–.200 match the permit rule; anything outside it matches no rule and is dropped by the default deny, so those hosts never leave the firewall at all (as configured here .200 is still permitted; use .199 as the upper bound to block it).

 End.
 