hc防火墻基礎(chǔ)技術(shù)實(shí)驗(yàn)

1初始化配 2路由配 OSPF路由實(shí) BGP路由實(shí) 3NAT配 雙出口NAT實(shí) 4用戶認(rèn)證配 11實(shí)驗(yàn)步驟 ，進(jìn)行設(shè)備連接，打開(kāi)設(shè)備電源 PC1PC2PC2在瀏覽器中輸?shù)顷?，默認(rèn)賬號(hào)為admin/Admin@123. 為配置系統(tǒng)時(shí)間（夏令時(shí)可選DHCP——ISP通過(guò)DHCP給分配公網(wǎng)地址來(lái)公配置局域網(wǎng)DHCP服應(yīng)用配置后進(jìn)入完成頁(yè)面，如下所示，點(diǎn)擊“完成EthernetadapterLocalAreaConnection2:Connection-specificDNSSuffix.: :IPv4 :Subnet :Default :使用主機(jī)PC2地址或檢查互聯(lián) ing33with32bytesofReplyfrom33:bytes=32time<1msReplyfrom33:bytes=32time<1msReplyfrom33:bytes=32time<1msReplyfrom33:bytes=32time<1msstatisticsforPackets:Sent=4,Received=4,Lost=0(0%loss),Approximateroundtriptimesinmilli-seconds:Minimum=um=0ms,Average=15:19:182014/09/23CurrentTotalSessions::public-->public0:62034--:public-->public0:50178--:public-->public0:61546--:public-->public0:50725--:public-->public0:57631--:public-->public:52957--:public-->public0:52215--:public-->public0:50179-- 實(shí)驗(yàn)拓?fù)鋵?shí)驗(yàn)步實(shí)驗(yàn)步驟(命令行Step1使用Console使用Console線連接PC2，在PC上使用超級(jí)終端或Putty或登陸設(shè)備。登 上的配置參數(shù)如下（以SecCRT為例 NOTICE:ThisisaprivatecommunicationUnauthorizedaccessorusemayleadto15:54:242014/09/23Theactionwilldeletethesavedconfigurationinthedevice.Theconfigurationwillbeerasedtoreconfigure.Areyou15:54:302014/09/23Systemwillreboot!Doyouwanttosavetherunningconfiguration?[Y/N]:nSystemwillreboot!Continue?[Y/N]:yInfo:Savinglogdata.Itmaytakeabout1minute,pleaseInfo:Savinglog Forthesakeofsecurity,pleasemodifytheoriginalForthesakeofsecurity,pleasemodifytheoriginalpasswordofthePleaseinput Pleaseconfirm <USG6600A>clocktimezonebejingadd [USG6600A]interfaceg1/0/2[USG6600A]firewallzone[USG6600A]firewallzoneuntrust[USG6600A-zone-16:22:052014/09/23*down:administratively(s):IPPhysicalProtocol,,,,,,[USG6600A]diszone16:21:55[USG6600A]diszone16:21:55priorityisinterfaceofthezoneis(2):#interfaceofthezoneis#priorityisinterfaceofthezoneis(0):[USG6600A]dhcp[USG6600A]dhcp[USG6600A]dhcpserverforbidden-ip[USG6600A]dhcpserverforbidden-ip01[USG6600A]dhcpserverip-pool[USG6600A-dhcp-vlan1]expiredday0hour[USG6600A]inter[USG6600A-GigabitEthernet1/0/1]dhcpselectglobal[USG6600A]iproute-static配置完成后可以使用命令displaydhcpserverip-in-usepoolvlan1檢查地址分配情[USG6600A]displaydhcpserverip-in-usepoolvlan116:54:312014/09/23IPHardwareLease047d-7b84-2014-09-24 [USG6600A-GigabitEthernet1/0/1]service-manageenable[USG6600A-GigabitEthernet1/0/1]service-managehttppermit[USG6600A-GigabitEthernet1/0/1]service-manage[USG6600A-GigabitEthernet1/0/1]service-manageenable[USG6600A-GigabitEthernet1/0/1]service-managehttppermit[USG6600A-GigabitEthernet1/0/1]service-managehttpspermit[USG6600A-GigabitEthernet1/0/1]service-managesshpermit [USG6600A-GigabitEthernet1/0/1]service-managepermit[USG6600A]security-[USG6600A]security-[USG6600A-policy-security]rulename10[USG6600A-policy-security-rule-10]serviceany[USG6600A]nat-[USG6600A]nat-[USG6600A-policy-nat-rule-10]egress-interfaceg1/0/2[USG6600A-policy-nat-rule-17:26:432014/09/23(2675timesrulename10actionpermit17:26:482014/09/23(203timesrulenamesource-address24actionnateasy-17:27:162014/09/23CurrentTotalSessions::public-->public1:49510[0:49510]--:public-->public1:59971[0:59971]--:public-->public1:50545[0:50545]--:public-->public1:50872[0:50872]--:public-->public1:52872[0:52872]--system-policy-無(wú)system權(quán)限；只讀其network-只讀其[USG6600A-aaa-role-system-admin]dashboardread-only[USG6600A-aaa-role-system-admin]monitorread-only[USG6600A-aaa-role-system-admin]policyread-only[USG6600A-aaa-role-system-admin]objectread-only[USG6600A-aaa-role-system-admin]networkread-only[USG6600A-aaa-role-system-admin]systemread-write[USG6600A-aaa-role-system-admin]rolepolicy-admin[USG6600A-aaa-role-policy-admin]dashboardread-only[USG6600A-aaa-role-policy-admin]monitorread-only[USG6600A-aaa-role-policy-admin]policyread-write[USG6600A-aaa-role-policy-admin]objectread-write[USG6600A-aaa-role-policy-admin]networkread-only[USG6600A-aaa-role-policy-admin]systemread-only[USG6600A-aaa-role-policy-admin]rolenetwork-admin[USG6600A-aaa-role-network-admin]monitorread-only[USG6600A-aaa-role-network-admin]policyread-only[USG6600A-aaa-role-network-admin]objectread-only[USG6600A-aaa-role-network-admin]monitorread-only[USG6600A-aaa-role-network-admin]policyread-only[USG6600A-aaa-role-network-admin]objectread-only[USG6600A-aaa]manager-user[USG6600A-aaa-manager-user-sysadmin001]service-typewebterminal [USG6600A-aaa-manager-user-sysadmin001]level15[USG6600A-aaa-manager-user-sysadmin001]sshauthentication-typepassword[USG6600A-aaa-manager-user-sysadmin001]sshservice-typesnet[USG6600A-aaa]manager-user[USG6600A-aaa-manager-user-plyadmin001]service-typewebterminal [USG6600A-aaa-manager-user-plyadmin001]level15[USG6600A-aaa-manager-user-plyadmin001]sshservice-typesnet[USG6600A-aaa-manager-user-plyadmin001]quit[USG6600A-aaa]manager-user[USG6600A-aaa-manager-user-netadmin001]password[USG6600A-aaa-manager-user-netadmin001]service-typewebterminal [USG6600A-aaa-manager-user-netadmin001]level15[USG6600A-aaa-manager-user-netadmin001]sshauthentication-typepassword[USG6600A-aaa-manager-user-netadmin001]sshservice-typesnet[USG6600A-aaa-manager-user-netadmin001][USG6600A-aaa]bindmanager-usersysadmin001rolesystem-admin[USG6600A-aaa]bindmanager-userplyadmin001rolepolicy-admin[USG6600A-aaa]bindmanager-usernetadmin001rolenetwork-實(shí)驗(yàn)步驟 system-policy-無(wú)system權(quán)限；只讀其network-只讀其實(shí)驗(yàn)拓?fù)鋵?shí)驗(yàn)步驟(命令行Step1[Quidway]sysnameSW1[SW1]dhcp[SW1]dhcpenable[SW1]interface[SW1-GigabitEthernet0/0/1]portlink-typeaccess[SW1-GigabitEthernet0/0/1]portdefaultvlan100[SW1-GigabitEthernet0/0/2]portdefaultvlan10[SW1]inter[SW1-GigabitEthernet0/0/3]portdefaultvlan20[SW1]interfacevlan[SW1-Vlanif10]dhcpselectinterface[SW1]interfacevlan[SW1-Vlanif20]dhcpselectinterface[SW1]interfacevlanrulename30trustlocal之間所有流量OSPF的流量才可以正常收發(fā)，可也可定義策略的協(xié)議為OSPF[USG6600A-GigabitEthernet1/0/1]ipaddress024[USG6600-GigabitEthernet1/0/1]service-manageenable[USG6600-GigabitEthernet1/0/1]service-managehttppermit[USG6600A-[USG6600A]interfaceg1/0/3[USG6600A]firewallzone[USG6600A]firewallzoneuntrust[USG6600A]firewallzonedmz[USG6600A]security-[USG6600A-policy-security]rulename10[USG6600A-policy-security-rule-10]serviceany[USG6600A-policy-security-rule-10]actionpermit[USG6600A-policy-security]rulename20[USG6600A-policy-security-rule-20]source-zonetrust[USG6600A-policy-security-rule-20]serviceany[USG6600A-policy-security-rule-20]actionpermit[USG6600-policy-security]rulename30[USG6600-policy-security-rule-30]source-zonelocal[USG6600-policy-security-rule-30]source-zonetrust[USG6600-policy-security-rule-30]destination-zonelocal[USG6600-policy-security-rule-30]destination-zonetrust[USG6600-policy-security-rule-30]actionpermit[USG6600A]nat-[USG6600A]nat-[USG6600A-policy-nat-rule-10]egress-interfaceg1/0/2[USG6600A-policy-nat-rule-INTEGER<1-2147483648>Thereferencebandwidth(Mbits/s)[USG6600-ospf-1]bandwidth-reference10000#交換機(jī)：[SW1]disiprouting-[SW1]disiprouting-RouteFlags:R-relay,D-downloadtoRoutingTables:Destinations:Routes: PreFlags[USG6600]iproute-static[USG6600-ospf-1]default-route-150 00D00D 00D00D [SW1-Vlanif100]ospfauthentication-modemd51 [USG6600]inter[USG6600-GigabitEthernet1/0/1]ospfauthentication-modemd51 實(shí)驗(yàn)步驟Step7配置OSPF以創(chuàng)建和編輯區(qū)域，“網(wǎng)絡(luò)配置”可以接口到相應(yīng)的區(qū)域里，“接口配置”11:01:1111:01:112014/09/24OSPFProcess1withRouterIDArea:(MPLSTEnotIP Cost Area:(MPLSTEnotIP Cost 11:01:162014/09/24OSPFProcess1withRouterIDRouterID:Address:GRState:State:FullMode:NbrisSlavePriority:1DR:BDR:0MTU:Deadtimerduein34LinkStateArea:110Sum-1221Area:LinkStateAge791Sum-1221Destinations:Routes:Flags11Neighborisupfor00:02:04Neighborisupfor00:02:0411:01:222014/09/24LinkState11:01:532014/09/24RouteFlags:R-relay,D-downloadtoPublicRoutingTable:Destinations:Routes:OSPFRoutingTableStatus:<Active>Destinations:0 RouteFlags:R-relay,D-downloadtoOSPFRoutingTableStatus:ingwith32bytesofReplyReplyfrom:bytes=32time<1msTTL=253Replyfrom:bytes=32time<1msTTL=253Replyfrom:bytes=32time<1msTTL=253Replyfrom:bytes=32time=1msTTL=253statisticsforPackets:Sent=4,Received=4,Lost=0(0%loss),Approximateroundtriptimesinmilli-seconds:Minimum=um=1ms,Average=通過(guò)本實(shí)驗(yàn)，你將了解BGPUSG一臺(tái)，PC機(jī)三臺(tái)實(shí)驗(yàn)拓?fù)鋵?shí)驗(yàn)步驟(命令行Step1[SW1]bgp[SW1]bgp[SW1-bgp]network[SW1-bgp]network[SW1-bgp]network[SW1-bgp]peer0as-number[USG6600]bgp[USG6600-bgp]peeras-number##交換機(jī)上配[SW1-bgp]peer[SW1-bgp]peer0password#[USG6600-bgp]peerpassword實(shí)驗(yàn)步驟Step 33.1IPUSG一臺(tái)，PC機(jī)兩臺(tái)實(shí)驗(yàn)拓?fù)?實(shí)驗(yàn)步驟-Step1IP<USG>system-[USG]interfaceGigabitEthernet[USG-GigabitEthernet1/0/0]ipaddress[USG-GigabitEthernet1/0/0]ipaddress[USG]firewallzonetrust[USG-zone-untrust]addinterface[USG-zone-Step2ip_denyIP[USG]ipaddress-setip_denytype[USG-object-address-set-0[USG-object-address-set-0[USG-object-address-set-[USG-object-address-set-0Step3創(chuàng) [USG][USG]security-[USG-policy-security-rule-trust_to_untrust]source-addressaddress-set[USG-policy-security-rule-trust_to_untrust][USG-policy-security-rule-trust_to_untrust]source- [USG-policy-security-rule-trust_to_untrust]destination- [USG-policy-security-rule- [USG-policy-security-rule-[USG-policy-security-rule-trust_to_untrust2]source- [USG-policy-security-rule-trust_to_untrust2]destination- [USG-policy-security-rule-trust_to_untrust2]source-address[USG-policy-security-rule- [USG-policy-security-rule-[USG-policy-security-rule-trust_to_untrust2]source- [USG-policy-security-rule-trust_to_untrust2]destination- [USG-policy-security-rule-trust_to_untrust2]source-address[USG-policy-security-rule- [USG-policy-security-rule-實(shí)驗(yàn)步StepStep1IP：Step2Step2配置名稱為ip_deny的地址集，將幾個(gè)不允許上網(wǎng)的IP地址加入地址集。選址組的Step3創(chuàng)建 特殊的幾個(gè)IP地址 Internet的轉(zhuǎn)發(fā)策略。選擇“策略>安全策略>安全策略”。Step4創(chuàng)建允許/24這個(gè)網(wǎng) 驗(yàn)證和這3臺(tái)PCInternet是否被。驗(yàn)證/24中的其他IP地址是否可以正常Internet。44NAT雙出口NAT實(shí)USG一臺(tái)，PC機(jī)三臺(tái)，交換機(jī)一臺(tái)，雙公網(wǎng)出口或路由器兩臺(tái)模擬公實(shí)實(shí)驗(yàn)拓?fù)鋵?shí)驗(yàn)步驟(命令行[Quidway]sysnameSW1[SW1]dhcpenable[SW1]interfaceg0/0/1[SW1-GigabitEthernet0/0/1]portlink-typeaccess[SW1-GigabitEthernet0/0/1]portdefaultvlan100[SW1-GigabitEthernet0/0/2]portdefaultvlan10[SW1]inter[SW1-GigabitEthernet0/0/3]portdefaultvlan20[SW1]interfacevlan[SW1-Vlanif10]dhcpselectinterface[SW1]interfacevlan[SW1-Vlanif20]dhcpselectinterface[SW1]interfacevlan[USG6600A-GigabitEthernet1/0/1]ipaddress024[USG6600-GigabitEthernet1/0/1]service-manageenable[USG6600-GigabitEthernet1/0/1]service-managehttppermit[USG6600A]interfaceg1/0/3[USG6600A]interfaceg1/0/4[USG6600A]firewallzonenameISP1[USG6600A-zone-ISP1]setpriority10[USG6600A]firewallzonenameISP1[USG6600A-zone-ISP1]setpriority20[USG6600A]firewallzone[USG6600A]firewallzonedmz[USG6600A]firewallzone[USG6600-ospf-1]area0[USG6600A]ip[USG6600A]iproute-static25NULL[USG6600A]iproute-static2825NULL[USG6600A]iproute-static25NULL[USG6600A]iproute-static2825NULL[USG6600A]ip[USG6600A]iproute-staticg1/0/2[USG6600A]iproute-staticg1/0/4preference[USG6600A]isp[USG6600A]ispset.csvnext-hop[USG6600A]ispset.csvnext-hop[USG6600A]isp[USG6600A]ispenable[USG6600A]ispenable14:43:462014/09/24Route14:43:462014/09/24RouteFlags:R-relay,D-downloadtoRoutingTables:Destinations:Routes: ProtoPreFlagsStatic0D0RD0RD0RDDDirect0DDirect0DDirect0DDirect0D0RD0RD0RD0RD0RD0RD0RD0RD0RD0RD0RD0RD0RD0RD0RD0000Step4址池為1-5范圍；址池為1-5范圍； [USG6600A]security-[USG6600A]security-[USG6600A-policy-security]rulename10[USG6600A-policy-security-rule-10]destination-zoneisp1[USG6600A-policy-security-rule-10]actionpermit[USG6600A-policy-security-rule-20]source-zonetrust[USG6600A-policy-security-rule-20]destination-zoneisp2[USG6600A-policy-security-rule-20]actionpermit[USG6600A-policy-security-rule-[USG6600A]nat[USG6600A]nataddress-group[USG6600A]nataddress-group[USG6600A]nat-[USG6600A-policy-nat]rulename10[USG6600A-policy-nat-rule-10]destination-zoneISP1[USG6600A-policy-nat]rulename20[USG6600A-policy-nat-rule-20]destination-zoneISP2 [USG6600A]security-[USG6600A]security-[USG6600A-policy-security]rulename30[USG6600A-policy-security-rule-30]destination-zone[USG6600A-policy-security-rule-30]actionpermit[USG6600A-policy-security-rule-40]source-zoneISP2[USG6600A][USG6600A]natserverpolicy_natserver_1protocoltcpglobal00wwwinside00wwwno-reverse[USG6600A]natserverpolicy_natserver_2protocoltcpglobal00wwwinside00wwwno-reverse實(shí)驗(yàn)步驟Step7配置安全策略 公司的WEB服 00-n1ing00with32bytesofdata:Replyfrom00:bytes=32time<1msTTL=253statisticsfor00:Packets:Sent=1,Received=1,Lost=0(0%Approximateroundtriptimesinmilli-使用使用displaynat-policyalldisplayfirewallsessiontablenat表16:32:582014/09/24RULEIDRULE[USG6600A]displayfirewallsessiontablenatservicehttp16:39:152014/09/24CurrentTotalSessions:MinimumMinimum= -ningwith32bytesofReplyfrom:bytes=32time=1msTTL=252statisticsfor:Packets:Sent=1,Received=1,Lost=0(0%Approximateroundtriptimesinmilli-Minimum=um=1ms,Average=C:\Users\test2>net00Trying00PressCTRL+KtoConnectedto00...HTTP/1.1200Date:SUN,24Sep2014Content-Length:2340no-232:public-->public1:51274[1:51274]--:public-->public:53045--實(shí)驗(yàn)拓?fù)鋵?shí)驗(yàn)步驟(命令行果使用嚴(yán)格策略，可以只放行www服務(wù)即可。[USG6600A]ip[USG6600A]ipaddress-setwwwg1type[USG6600A]security-[USG6600A-policy-security]rulename50[USG6600A-policy-security-rule-50]destination-zone[USG6600A-policy-security-rule-50]actionpermit[USG6600A-policy-security-rule-60]source-zoneISP2[USG6600A-policy-security-rule-60]actionpermit[USG6600A-policy-security-rule-[USG6600A-policy-security-rule-70]actionpermit[USG6600A]sb[USG6600A-slb]rserver1rip01weight32[USG6600A-slb]rserver2rip02weight32[USG6600A-slb]rserver3rip03weight32[USG6600A-slb]rserver4rip04weight32[USG6600A-slb-group-www_group1]addrserver1[USG6600A-slb]groupwww_group2[USG6600A-slb-group-www_group2]addrserver3[USG6600A-slb]vserverwww_group1vip10groupwww_group1tcpvport80rport80[USG6600A-slb]vserverwww_group2vip10groupwww_group2tcpvport80rport80實(shí)驗(yàn)步驟Step4基礎(chǔ)配置（略Step5安全策略配置（略）選擇“策略-NAT策略-服務(wù)器 可以使用如下命令檢查SLB的配置情況17:42:542014/09/2417:42:592014/09/24RealServer:Group::VirtualServer:Virtual:RealServer:: Group::VirtualServer:Virtual:RealServer:: RealServer:RealServer:RealServerHealthCheck :RealServerStatus AppliedGroupNumber Virtual:RealServer:RealServer:RealServerHealthCheckMethod RealServerStatus :activeAppliedGroup Virtual:RealServer:RealServer:RealServerHealthCheckMethod RealServerStatus :activeAppliedGroup Virtual:RealServer:RealServer:RealServerHealthCheck :RealServerStatus AppliedGroupNumber Virtual:17:44:262014/09/24VirtualVirtualServer:VirtualServer:Group::VirtualServer::VirtualServer:VirtualServer:Group::VirtualServer: