HCNP-HCIE Theory 4: IPSec Site-to-Site Technology
乾頤堂網絡 (QYT Network)  236733656

IPSec Site-to-Site Technology

Objectives
After completing this course, you will be able to:
  - master IPSec configuration in its various deployment scenarios

Agenda
1. Site-to-Site IPSec (pre-shared key authentication)
2. Hub-and-Spoke IPSec

Site-to-Site IPSec topology
(Figure: network diagram; the recoverable layout is listed below.)
  Site1-Trust (10.1.1.10, G0/0/0) -- G0/0/0 (10.1.1.1) USG1 G0/0/1 (202.100.1.1) -- 202.100.1.0/24 -- G0/0/1 (202.100.1.10) Internet G0/0/0 (202.100.2.10) -- 202.100.2.0/24 -- G0/0/1 (202.100.2.1) USG2 G0/0/0 (10.1.2.1) -- Site2-Trust (10.1.2.10, G0/0/0)
  Communicating networks (通信網絡): 10.1.1.0/24 and 10.1.2.0/24
  Encryption points (加密點): USG1 202.100.1.1 and USG2 202.100.2.1
  Each Trust router uses its USG's inside address as default gateway; each USG uses the Internet router as default gateway.

Basic network configuration (routers)
  Site1-Trust:
    sysname Site1-Trust
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.1.10 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 10.1.1.1

  Site2-Trust:
    sysname Site2-Trust
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.2.10 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 10.1.2.1

  Internet:
    sysname Internet
    #
    interface GigabitEthernet 0/0/1
     ip address 202.100.1.10 255.255.255.0
    #
    interface GigabitEthernet 0/0/0
     ip address 202.100.2.10 255.255.255.0

Basic network configuration (USG firewalls)
  USG1:
    sysname USG1
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     ip address 202.100.1.1 255.255.255.0
    #
    firewall zone untrust
     add interface GigabitEthernet 0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 202.100.1.10

  USG2:
    sysname USG2
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     ip address 202.100.2.1 255.255.255.0
    #
    firewall zone untrust
     add interface GigabitEthernet 0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 202.100.2.10

IPSec security policy configuration flow (IKE mode)
(Figure: flow chart. In the original, dashed boxes mark optional items and solid boxes mandatory ones.)
1. Define the data flows to protect: Security ACL (rule permit ip ... defines the interesting traffic)
2. Configure the IKE security proposal: IKE Proposal (encryption-algorithm, authentication-method, authentication-algorithm, integrity-algorithm, DH group)
3. Configure the IKE peer: IKE Peer (undo version, to select the IKE version; authentication-method; exchange-mode, the IKE exchange mode)
4. Configure the IPSec security proposal: IPSec Proposal (transform; ESP encryption-algorithm; ESP authentication-algorithm; AH authentication-algorithm; encapsulation-mode)
5. Configure the IKE-mode IPSec security policy: IPSec Policy, which references the Security ACL, the IKE peer and the IPSec proposal, plus PFS and speed-limit
6. Apply the IPSec security policy to the interface

Step 1: Configure the ACL
Use an access control list to match the interesting traffic between the two communicating networks that IPSec will encrypt.
  USG1 configuration:
    acl number 3000
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
  USG2 configuration:
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

Step 2: Configure the IKE proposal
  USG1 configuration:
    ike proposal 10
     encryption-algorithm 3des-cbc
     dh group2
     authentication-algorithm md5
  USG2 configuration:
    ike proposal 10
     encryption-algorithm 3des-cbc
     dh group2
     authentication-algorithm md5
The resulting IKE proposal policy:
  authentication method:                   PRE_SHARED (default kept)
  authentication algorithm:                MD5
  encryption algorithm:                    3DES_CBC
  Diffie-Hellman group:                    Group2 (1024)
  duration (seconds) (IKE key lifetime):   86400 seconds (default kept)

Step 3: Configure the IKE peer
Use remote-address on each side to point at the other side's encryption-point IP address, configure the same pre-shared key on both sides for authentication, and reference the IKE proposal configured in Step 2.
  USG1 configuration:
    ike peer usg2
     pre-shared-key qythcie
     ike-proposal 10
     remote-address 202.100.2.1
  USG2 configuration:
    ike peer usg1
     pre-shared-key qythcie
     ike-proposal 10
     remote-address 202.100.1.1

Step 4: Configure the IPSec proposal
The IPSec proposal determines how IPSec processes the actual interesting traffic. If an IPSec proposal is only created and no specific parameters are configured, it inherits the default settings. The result after this configuration is:
  encapsulation mode: tunnel
  transform: esp-new
  ESP protocol: authentication sha1-hmac-96, encryption aes
  USG1 configuration:
    ipsec proposal qyt-proposal
     esp authentication-algorithm sha1
     esp encryption-algorithm aes
  USG2 configuration:
    ipsec proposal qyt-proposal
     esp authentication-algorithm sha1
     esp encryption-algorithm aes

Step 5: Configure the IPSec policy
The IPSec policy ties the IPSec settings together (security ACL, IKE peer, IPSec proposal); it is then applied to the outside interface.
  USG1 configuration:
    ipsec policy qytmap 10 isakmp
     security acl 3000
     ike-peer usg2
     proposal qyt-proposal
    interface GigabitEthernet0/0/1
     ip address 202.100.1.1 255.255.255.0
     ipsec policy qytmap
  USG2 configuration:
    ipsec policy qytmap 10 isakmp
     security acl 3000
     ike-peer usg1
     proposal qyt-proposal
    interface GigabitEthernet0/0/1
     ip address 202.100.2.1 255.255.255.0
     ipsec policy qytmap
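Steps 1 to 5 only produce a working tunnel when the two sides are mirror images of each other: the ACLs must be mirrored, the IKE and IPSec proposals must agree, the pre-shared keys must be identical, each remote-address must be the other side's outside address, and the policy must reference objects that exist and be applied to the interface. The Python script below is an added example, not part of the original course material: it regenerates the USG1 and USG2 commands from Steps 1 to 5, parses them with a small parser that understands only the commands used in this lesson, and reports every asymmetry. It also flags the legacy IKE algorithms the lab keeps (3des-cbc, md5, DH group2), which a production deployment should replace with current ones. The `usg_cfg` helper, the parser and the finding strings are constructed for this example and are not a Huawei tool.

```python
"""Mirror-image audit of two Huawei USG site-to-site IPSec configurations.

Constructed example for this lesson: the parser understands only the commands
used in Steps 1-5 (acl/rule, ike proposal, ike peer, ipsec proposal,
ipsec policy, and the interface the policy is applied to).
"""

LEGACY_IKE = {"des-cbc", "3des-cbc", "md5", "group1", "group2"}  # weak by today's standards


def usg_cfg(peer, local_net, remote_net, outside_ip, remote_ip):
    """The Step 1-5 commands from the slides, parameterised per site."""
    return f"""
acl number 3000
 rule 5 permit ip source {local_net} 0.0.0.255 destination {remote_net} 0.0.0.255
ike proposal 10
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
ike peer {peer}
 pre-shared-key qythcie
 ike-proposal 10
 remote-address {remote_ip}
ipsec proposal qyt-proposal
 esp authentication-algorithm sha1
 esp encryption-algorithm aes
ipsec policy qytmap 10 isakmp
 security acl 3000
 ike-peer {peer}
 proposal qyt-proposal
interface GigabitEthernet0/0/1
 ip address {outside_ip} 255.255.255.0
 ipsec policy qytmap
"""


USG1_CFG = usg_cfg("usg2", "10.1.1.0", "10.1.2.0", "202.100.1.1", "202.100.2.1")
USG2_CFG = usg_cfg("usg1", "10.1.2.0", "10.1.1.0", "202.100.2.1", "202.100.1.1")


def parse_usg(cfg):
    """Pull the negotiation-relevant fields out of one device's configuration."""
    info = {"acl": [], "ike": {}, "peer": {}, "ipsec": {}, "policy": {},
            "names": {}, "outside_ip": None, "applied": None}
    block = [""]
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw.startswith(" "):                 # a top-level command opens a block
            block = tok
            if tok[0] in ("acl", "ike", "ipsec") and len(tok) > 2:
                info["names"][" ".join(tok[:2])] = tok[2]
            continue
        if block[:2] == ["acl", "number"] and tok[0] == "rule":
            s, d = tok.index("source"), tok.index("destination")
            info["acl"].append(((tok[s + 1], tok[s + 2]), (tok[d + 1], tok[d + 2])))
        elif block[:2] == ["ike", "proposal"]:
            info["ike"][tok[0]] = tok[1]
        elif block[:2] == ["ike", "peer"]:
            info["peer"][tok[0]] = tok[1]
        elif block[:2] == ["ipsec", "proposal"]:
            info["ipsec"][" ".join(tok[:2])] = tok[2]
        elif block[:2] == ["ipsec", "policy"]:
            info["policy"][tok[0]] = tok[-1]        # "security acl 3000" -> security: 3000
        elif block[0] == "interface" and tok[:2] == ["ip", "address"]:
            info["outside_ip"] = tok[2]
        elif block[0] == "interface" and tok[:2] == ["ipsec", "policy"]:
            info["applied"] = tok[2]
    return info


def check_direction(local, peer, tag):
    """Findings for one side; run both ways so every asymmetry is caught."""
    f = set()
    mirror = {(d, s) for s, d in peer["acl"]}
    for s, d in local["acl"]:
        if (s, d) not in mirror:
            f.add(f"ERROR {tag}: ACL rule {s[0]}->{d[0]} has no mirror on the peer")
    for k, v in local["ike"].items():
        if peer["ike"].get(k) != v:
            f.add(f"ERROR {tag}: IKE proposal {k} {v} is not offered by the peer")
        if v in LEGACY_IKE:
            f.add(f"WARN: legacy IKE {k} {v}")
    if local["ipsec"] != peer["ipsec"]:
        f.add(f"ERROR {tag}: IPSec proposal differs from the peer")
    if local["peer"].get("pre-shared-key") != peer["peer"].get("pre-shared-key"):
        f.add(f"ERROR {tag}: pre-shared-key differs from the peer")
    if local["peer"].get("remote-address") != peer["outside_ip"]:
        f.add(f"ERROR {tag}: remote-address {local['peer'].get('remote-address')} "
              f"is not the peer's outside address {peer['outside_ip']}")
    n, p = local["names"], local["policy"]
    if (p.get("security"), p.get("ike-peer"), p.get("proposal")) != \
            (n.get("acl number"), n.get("ike peer"), n.get("ipsec proposal")):
        f.add(f"ERROR {tag}: ipsec policy references an undefined ACL, IKE peer or proposal")
    if local["applied"] != n.get("ipsec policy"):
        f.add(f"ERROR {tag}: ipsec policy is not applied to the outside interface")
    return f


def audit(cfg_a, cfg_b):
    """Sorted findings for a site pair; only WARN lines means the pair is consistent."""
    a, b = parse_usg(cfg_a), parse_usg(cfg_b)
    return sorted(check_direction(a, b, "A") | check_direction(b, a, "B"))


if __name__ == "__main__":
    for finding in audit(USG1_CFG, USG2_CFG):
        print(finding)
```

Run against the two configurations above, the audit reports no errors and three warnings, one for each legacy IKE parameter; change the pre-shared key, the remote-address or one ACL network on either side and the corresponding ERROR line appears for the side that no longer matches.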

Step 6: Configure inter-zone security policies
Permit, between the Untrust and Local zones in both directions, the ESP and IKE traffic between the remote encryption point and the local encryption point.
  USG1 configuration:
    ip service-set ike type object
     service 0 protocol udp source-port 0 to 65535 destination-port 500
    #
    security-policy
     rule name Local_Untrust_IPsec1
      source-zone local
      destination-zone untrust
      source-address 202.100.1.1 32
      destination-address 202.100.2.1 32
      service ike
      service esp
      action permit
     rule name Untrust_Local_IPsec2
      source-zone untrust
      destination-zone local
      source-address 202.100.2.1 32
      destination-address 202.100.1.1 32
      service ike
      service esp
      action permit

Step 6: Configure inter-zone security policies (cont.)
Permit the traffic between the communicating networks, between the Untrust and Trust zones in both directions.
  USG1 configuration:
     rule name Trust_Untrust_IPsec3
      source-zone trust
      source-zone untrust
      destination-zone trust
      destination-zone untrust
      source-address 10.1.1.0 24
      source-address 10.1.2.0 24
      destination-address 10.1.1.0 24
      destination-address 10.1.2.0 24
      action permit

Step 6: Configure inter-zone security policies (cont.)
Permit, between the Untrust and Local zones in both directions, the ESP and IKE traffic between the remote encryption point and the local encryption point.
  USG2 configuration:
    ip service-set ike type object
     service 0 protocol udp source-port 0 to 65535 destination-port 500
    #
    security-policy
     rule name Local_Untrust_IPsec1
      source-zone local
      destination-zone untrust
      source-address 202.100.2.1 32
      destination-address 202.100.1.1 32
      service ike
      service esp
      action permit
     rule name Untrust_Local_IPsec2
      source-zone untrust
      destination-zone local
      source-address 202.100.1.1 32
      destination-address 202.100.2.1 32
      service ike
      service esp
      action permit

Step 6: Configure inter-zone security policies (cont.)
Permit the traffic between the communicating networks, between the Untrust and Trust zones in both directions.
  USG2 configuration:
     rule name Trust_Untrust_IPsec3
      source-zone trust
      source-zone untrust
      destination-zone trust
      destination-zone untrust
      source-address 10.1.1.0 24
      source-address 10.1.2.0 24
      destination-address 10.1.1.0 24
      destination-address 10.1.2.0 24
      action permit
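The three rules of Step 6 are correct only if, together with the firewall's default deny between zones, they admit exactly what the tunnel needs: IKE (UDP/500) and ESP between the two encryption points in both directions, and the protected subnets between Trust and Untrust, while anything else arriving from the Internet is still dropped. The Python model below is an added example, not part of the original course material: it encodes the USG1 rules from this step as data and evaluates constructed sample flows against them with first-match semantics and a default deny. Zones are assigned per flow the way the firewall derives them from the ingress and egress interface; that simplification, the sample flows and the `198.51.100.7` documentation address are constructed for this example.

```python
"""First-match model of the USG1 inter-zone security policy from Step 6.

Constructed example: zones are given per flow the way the firewall derives
them from the ingress/egress interface, and a flow no rule permits is denied.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str          # "udp", "tcp", "icmp" or "esp"
    dport: int = 0


# ip service-set ike: udp, destination-port 500; esp is the predefined IP protocol 50 service.
SERVICES = {
    "ike": lambda f: f.proto == "udp" and f.dport == 500,
    "esp": lambda f: f.proto == "esp",
}

# The three USG1 rules from this step ("x.x.x.x 32" on the CLI is written x.x.x.x/32 here).
USG1_RULES = [
    {"name": "Local_Untrust_IPsec1", "source-zone": {"local"}, "destination-zone": {"untrust"},
     "source-address": ["202.100.1.1/32"], "destination-address": ["202.100.2.1/32"],
     "service": {"ike", "esp"}, "action": "permit"},
    {"name": "Untrust_Local_IPsec2", "source-zone": {"untrust"}, "destination-zone": {"local"},
     "source-address": ["202.100.2.1/32"], "destination-address": ["202.100.1.1/32"],
     "service": {"ike", "esp"}, "action": "permit"},
    {"name": "Trust_Untrust_IPsec3", "source-zone": {"trust", "untrust"}, "destination-zone": {"trust", "untrust"},
     "source-address": ["10.1.1.0/24", "10.1.2.0/24"], "destination-address": ["10.1.1.0/24", "10.1.2.0/24"],
     "service": None, "action": "permit"},   # no service clause: any protocol
]


def in_any(ip, networks):
    """True if ip falls inside one of the listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def rule_matches(rule, flow):
    """Zones, addresses and (if present) service must all match."""
    if flow.src_zone not in rule["source-zone"] or flow.dst_zone not in rule["destination-zone"]:
        return False
    if not (in_any(flow.src, rule["source-address"]) and in_any(flow.dst, rule["destination-address"])):
        return False
    return rule["service"] is None or any(SERVICES[s](flow) for s in rule["service"])


def evaluate(flow, rules=USG1_RULES):
    """Return (action, rule name); the first matching rule wins, otherwise the default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["action"], rule["name"]
    return "deny", "default"


# Constructed sample flows: the three the tunnel needs, plus two that must stay blocked.
SAMPLE_FLOWS = [
    Flow("local", "untrust", "202.100.1.1", "202.100.2.1", "udp", 500),   # IKE to the peer
    Flow("untrust", "local", "202.100.2.1", "202.100.1.1", "esp"),        # ESP from the peer
    Flow("trust", "untrust", "10.1.1.10", "10.1.2.10", "icmp"),            # cleartext ping before encryption
    Flow("untrust", "local", "198.51.100.7", "202.100.1.1", "udp", 500),  # IKE from an unknown host
    Flow("untrust", "trust", "198.51.100.7", "10.1.1.10", "tcp", 22),     # Internet host to the LAN
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_zone}->{f.dst_zone} {f.src}->{f.dst} {f.proto}/{f.dport}: {evaluate(f)}")
```

Two things the model makes visible: pinning the source of Untrust_Local_IPsec2 to the peer's address means IKE from any other Internet host never reaches the Local zone, and Trust_Untrust_IPsec3 has no service clause, so it permits every protocol between the two LANs; narrowing it to the services the sites actually exchange is the usual hardening step.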

Configuration verification
Test the interesting traffic between the communicating networks from Site1-Trust:
  [Site1-Trust]ping 10.1.2.10
    PING 10.1.2.10: 56 data bytes, press CTRL_C to break
      Request time out
      Reply from 10.1.2.10: bytes=56 Sequence=2 ttl=253 time=30 ms
      Reply from 10.1.2.10: bytes=56 Sequence=3 ttl=253 time=60 ms
      Reply from 10.1.2.10: bytes=56 Sequence=4 ttl=253 time=40 ms
      Reply from 10.1.2.10: bytes=56 Sequence=5 ttl=253 time=60 ms
    --- 10.1.2.10 ping statistics ---
      5 packet(s) transmitted
      4 packet(s) received
      20.00% packet loss
      round-trip min/avg/max = 30/47/60 ms
The first packet is lost mainly because of the delay introduced by the IKE negotiation.

View the IKE SA
On USG1, view the IKE SA:
  <USG1>display ike sa
  11:10:09 2014/07/27
  current ike sa number: 2
  conn-id   peer           flag      phase
  40004     202.100.2.1    RD|ST     v2:2    public
  4         202.100.2.1    RD|ST     v2:1    public
  flag meaning
  RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  NEG--NEGOTIATING  D--DPD  TO--TIMEOUT  TD--DELETING
Use the following command to clear the IKE SA:
  <USG1>reset ike sa

View the IPSec SA
On USG1, view the IPSec SA:
  <USG1>display ipsec sa
  ===============================
  Interface: GigabitEthernet0/0/1
  path MTU: 1500
  ===============================
  IPsec policy name: "qytmap"
  sequence number: 10
  mode: isakmp
  : public                                                   (root)
  -----------------------------
  connection id: 40004
  rule number: 5
  encapsulation mode: tunnel
  holding time: 0d 0h 3m 27s
  tunnel local: 202.100.1.1   tunnel remote: 202.100.2.1     (the encryption points)
  flow source: 10.1.1.0-10.1.1.255 0-65535 0
  flow destination: 10.1.2.0-10.1.2.255 0-65535 0            (the interesting traffic)
  [inbound ESP SAs]
  spi: 2927742797 (0xae81cf4d)
  : public
  said: 6  cpuid: 0x0000
  proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
  sa remaining key duration (bytes/sec): 1887436464/3393
  max received sequence-number: 4
  udp encapsulation used for nat traversal: N                (NAT traversal not in use)
  [outbound ESP SAs]
  spi: 2544566290 (0x97ab0012)
  : public
  said: 7  cpuid: 0x0000
  proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
  sa remaining key duration (bytes/sec): 1887436464/3393
  max sent sequence-number: 5
  udp encapsulation used for nat traversal: N
Use the following command to clear the IPSec SA:
  <USG1>reset ipsec sa

View the encryption/decryption statistics
On USG1, view the encryption/decryption counters:
  <USG1>display ipsec statistics
  11:13:28 2014/07/27
  the security packet statistics:
    input/output security packets: 19/33                      (encrypted and decrypted packets)
    input/output security bytes: 1596/2772                    (encrypted and decrypted bytes)
    input/output dropped security packets: 0/0
  the encrypt packet statistics
    send sae: 33, recv sae: 33, send err: 0
    local cpu: 33, other cpu: 0, recv other cpu: 0
    intact packet: 12, slice: 0, after slice: 0
  the decrypt packet statistics
    send sae: 19, recv sae: 19, send err: 0
    local cpu: 19, other cpu: 0, recv other cpu: 0
    reass slice: 0, after slice: 0, len err: 0
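The three display commands above are what an operator reads by hand after bringing up the tunnel. The Python script below is an added example, not part of the original course material, that turns the same reading into checks a monitoring job can run: the IKE SA to the peer must be in RD (ready) state, the IPSec SA must carry both an inbound and an outbound ESP SA with the expected proposal and enough remaining lifetime, and the statistics must show zero dropped security packets. The sample output embedded in the script is constructed after the USG1 output on these slides; the regular expressions are tied to that line format and are an assumption that may need adjusting for other USG versions.

```python
"""Health check over the three USG verification commands shown on these slides.

Constructed example: the sample output below follows the USG1 output on the
slides, but the regular expressions are tied to this line format and may need
adjusting for other USG versions.
"""
import re

IKE_SA_OUTPUT = """\
11:10:09 2014/07/27
current ike sa number: 2
conn-id   peer           flag      phase
40004     202.100.2.1    RD|ST     v2:2   public
4         202.100.2.1    RD|ST     v2:1   public
"""

IPSEC_SA_OUTPUT = """\
IPsec policy name: "qytmap"
sequence number: 10
mode: isakmp
tunnel local: 202.100.1.1   tunnel remote: 202.100.2.1
[inbound ESP SAs]
spi: 2927742797 (0xae81cf4d)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3393
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2544566290 (0x97ab0012)
proposal: ESP-ENCRYPT-AES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3393
udp encapsulation used for nat traversal: N
"""

STATS_OUTPUT = """\
the security packet statistics:
input/output security packets: 19/33
input/output security bytes: 1596/2772
input/output dropped security packets: 0/0
"""

IKE_ROW = re.compile(r"\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([A-Z|]+)\s+(v\d:\d)")


def parse_ike_sa(text):
    """One dict per SA row of 'display ike sa': conn_id, peer, flags (set), phase."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            rows.append({"conn_id": int(m[1]), "peer": m[2], "flags": set(m[3].split("|")), "phase": m[4]})
    return rows


def parse_ipsec_sa(text):
    """{'inbound': {...}, 'outbound': {...}} with spi, proposal, remaining lifetime and NAT-T flag."""
    sas, cur = {}, None
    for line in text.splitlines():
        if (m := re.match(r"\[(inbound|outbound) ESP SAs\]", line)):
            cur = sas.setdefault(m[1], {})
        elif cur is None:
            continue                       # header lines before the first SA block
        elif (m := re.match(r"spi:\s*(\d+)", line)):
            cur["spi"] = int(m[1])
        elif (m := re.match(r"proposal:\s*(.+)", line)):
            cur["proposal"] = m[1].split()
        elif (m := re.match(r"sa remaining key duration \(bytes/sec\):\s*(\d+)/(\d+)", line)):
            cur["remaining_bytes"], cur["remaining_sec"] = int(m[1]), int(m[2])
        elif (m := re.match(r"udp encapsulation used for nat traversal:\s*(\w)", line)):
            cur["nat_t"] = m[1] == "Y"
    return sas


def parse_dropped(text):
    """(input, output) dropped security packet counters from 'display ipsec statistics'."""
    m = re.search(r"input/output dropped security packets:\s*(\d+)/(\d+)", text)
    return (int(m[1]), int(m[2])) if m else (None, None)


def health_check(ike_text, ipsec_text, stats_text, peer, expected_proposal, min_sec=60):
    """List of problems; an empty list means the tunnel to `peer` looks healthy."""
    problems = []
    if not any(r["peer"] == peer and "RD" in r["flags"] for r in parse_ike_sa(ike_text)):
        problems.append(f"no ready (RD) IKE SA with {peer}")
    sas = parse_ipsec_sa(ipsec_text)
    for direction in ("inbound", "outbound"):
        sa = sas.get(direction)
        if sa is None:
            problems.append(f"missing {direction} ESP SA")
            continue
        if sa.get("proposal") != expected_proposal:
            problems.append(f"{direction} ESP SA proposal {sa.get('proposal')} != {expected_proposal}")
        if sa.get("remaining_sec", min_sec) < min_sec:
            problems.append(f"{direction} ESP SA expires in {sa['remaining_sec']}s")
    dropped_in, dropped_out = parse_dropped(stats_text)
    if (dropped_in, dropped_out) != (0, 0):
        problems.append(f"dropped security packets: {dropped_in} in / {dropped_out} out")
    return problems


EXPECTED_PROPOSAL = ["ESP-ENCRYPT-AES", "ESP-AUTH-SHA1"]

if __name__ == "__main__":
    print(health_check(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, STATS_OUTPUT, "202.100.2.1", EXPECTED_PROPOSAL) or "tunnel healthy")
```

A non-zero dropped counter is the first thing to look at when the ping in the test above loses more than its first packet; it separates a policy or SA problem on the firewall from plain path loss.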

Agenda
1. Site-to-Site IPSec (pre-shared key authentication)
2. Hub-and-Spoke IPSec

Hub-and-Spoke IPSec topology
(Figure: network diagram; the recoverable layout is listed below.)
  Center-Trust (10.1.10.10, G0/0/0) -- G0/0/0 (10.1.10.1) Center-USG G0/0/1 (202.100.10.1) -- 202.100.10.0/24 -- G0/0/0 (202.100.10.10) Internet
  Internet G0/0/1 (202.100.1.10) -- 202.100.1.0/24 -- G0/0/1 (202.100.1.1) Branch1-USG G0/0/0 (10.1.1.1) -- Branch1-Trust (10.1.1.10, G0/0/0)
  Internet G0/0/2 (202.100.2.10) -- 202.100.2.0/24 -- G0/0/1 (202.100.2.1) Branch2-USG G0/0/0 (10.1.2.1) -- Branch2-Trust (10.1.2.10, G0/0/0)
  Each Trust router uses its USG's inside address as default gateway; each USG uses the Internet router as default gateway.

Basic network configuration (routers)
  Center-Trust:
    sysname Center-Trust
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.10.10 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 10.1.10.1

  Branch1-Trust:
    sysname Branch1-Trust
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.1.10 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 10.1.1.1

  Internet:
    sysname Internet
    #
    interface GigabitEthernet 0/0/0
     ip address 202.100.10.10 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     ip address 202.100.1.10 255.255.255.0
    #
    interface GigabitEthernet 0/0/2
     ip address 202.100.2.10 255.255.255.0

  Branch2-Trust:
    sysname Branch2-Trust
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.2.10 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 10.1.2.1

Basic network configuration (USG firewalls)
  Center-USG:
    sysname Center-USG
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.10.1 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     ip address 202.100.10.1 255.255.255.0
    #
    firewall zone untrust
     add interface GigabitEthernet 0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 202.100.10.10

  Branch1-USG:
    sysname Branch1-USG
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     ip address 202.100.1.1 255.255.255.0
    #
    firewall zone untrust
     add interface GigabitEthernet 0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 202.100.1.10

  Branch2-USG:
    sysname Branch2-USG
    #
    interface GigabitEthernet 0/0/0
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet 0/0/1
     ip address 202.100.2.1 255.255.255.0
    #
    firewall zone untrust
     add interface GigabitEthernet 0/0/1
    #
    ip route-static 0.0.0.0 0.0.0.0 202.100.2.10

IPSec security policy configuration flow (template mode)
(Figure: flow chart. In the original, dashed boxes mark optional items and solid boxes mandatory ones.)
1. Define the data flows to protect: Security ACL (rule permit ip ... defines the interesting traffic)
2. Configure the IKE security proposal: IKE Proposal (encryption-algorithm, authentication-method, authentication-algorithm, integrity-algorithm, DH group)
3. Configure the IKE peer: IKE Peer (undo version, to select the IKE version; authentication-method; exchange-mode, the IKE exchange mode)
4. Configure the IPSec security proposal: IPSec Proposal (transform; ESP encryption-algorithm; ESP authentication-algorithm; AH authentication-algorithm; encapsulation-mode)
5. Configure the template-mode IPSec security policy:
   1. ipsec policy-template, which references the Security ACL, the IKE peer and the IPSec proposal, plus PFS and speed-limit
   2. ipsec policy ... isakmp template ..., which binds the template into an IPSec policy
6. Apply the IPSec security policy to the interface

Step 1: Configure the ACL
  Center-USG configuration:
    acl number 3000
     rule 5 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
     rule 10 permit ip source 10.1.10.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
  Branch1-USG configuration:
    acl number 3000
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.10.0 0.0.0.255
  Branch2-USG configuration:
    acl number 3000
     rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.10.0 0.0.0.255

Step 2: Configure the IKE proposal
  Center-USG configuration:
    ike proposal 10
     encryption-algorithm 3des-cbc
     dh group2
     authentication-algorithm md5
  Branch1-USG configuration:
    ike proposal 10
     encryption-algorithm 3des-cbc
     dh group2
     authentication-algorithm md5
  Branch2-USG configuration:
    ike proposal 10
     encryption-algorithm 3des-cbc
     dh group2
     authentication-algorithm md5

Step 3: Configure the IKE peer
  Center-USG configuration:
    ike peer Branchs
     pre-shared-key qythcie
     ike-proposal 10
  Branch1-USG configuration:
    ike peer Center-USG
     pre-shared-key qythcie
     ike-proposal 10
     remote-address 202.100.10.1
  Branch2-USG configuration:
    ike peer Center-USG
     pre-shared-key qythcie
     ike-proposal 10
     remote-address 202.100.10.1
Center-USG does not specify remote-address in its IKE peer, because there are too many branch sites and they have no fixed addresses. Every branch site must specify remote-address, set to the hub site's globally routable address.

Step 4: Configure the IPSec proposal
  Center-USG configuration:
    ipsec proposal qyt-proposal
     esp authentication-algorithm sha1
     esp encryption-algorithm aes
  Branch1-USG configuration:
    ipsec proposal qyt-proposal
     esp authentication-algorithm sha1
     esp encryption-algorithm aes
  Branch2-USG configuration:
    ipsec proposal qyt-proposal
     esp authentication-algorithm sha1
     esp encryption-algorithm aes

Step 5: Configure the IPSec policy-template
  Center-USG configuration:
    ipsec policy-template qyttemplate 10
     security acl 3000
     ike-peer branchs
     proposal qyt-proposal

Step 6: Configure the IPSec policy
  Center-USG configuration:
    ipsec policy qytmap 10 isakmp template qyttemplate
  Branch1-USG configuration:
    ipsec policy qytmap 10 isakmp
     security acl 3000
     ike-peer center-usg
     proposal qyt-proposal
    interface GigabitEthernet0/0/1
     ipsec policy qytmap
  Branch2-USG configuration:
    ipsec policy qytmap 10 isakmp
     security acl 3000
     ike-peer center-usg
     proposal qyt-proposal
    interface GigabitEthernet0/0/1
     ipsec policy qytmap

Step 7: Configure inter-zone security policies
Permit, between the Untrust and Local zones in both directions, the ESP and IKE traffic between the remote encryption points and the local encryption point.
  Center-USG configuration:
    ip service-set ike type object
     service 0 protocol udp source-port 0 to 65535 destination-port 500
    #
    security-policy
     rule name Local_Untrust_IPsec1
      source-zone local
      destination-zone untrust
      source-address 202.100.10.1 32
      destination-address 202.100.1.1 32
      destination-address 202.100.2.1 32
      service ike
      service esp
      action permit
     rule name Untrust_Local_IPsec2
      source-zone untrust
      destination-zone local
      source-address 202.100.1.1 32
      source-address 202.100.2.1 32
      destination-address 202.100.10.1 32
      service ike
      service esp
      action permit

Step 7: Configure inter-zone security policies (cont.)
Permit the traffic between the communicating networks, between the Untrust and Trust zones in both directions.
  Center-USG configuration:
     rule name Trust_Untrust_IPsec3
      source-zone trust
      source-zone untrust
      destination-zone trust
      destination-zone untrust
      source-address 10.1.1.0 24
      source-address 10.1.2.0 24
      source-address 10.1.10.0 24
      destination-address 10.1.1.0 24
      destination-address 10.1.2.0 24
      destination-address 10.1.10.0 24
      action permit

Step 7: Configure inter-zone security policies (cont.)
Permit, between the Untrust and Local zones in both directions, the ESP and IKE traffic between the remote encryption point and the local encryption point.
  Branch1-USG configuration:
    ip service-set ike type object
     service 0 protocol udp destination-port 500
    #
    security-policy
     rule name Local_Untrust_IPsec1
      source-zone local
      destination-zone untrust
      source-address 202.100.1.1 32
      destination-address 202.100.10.1 32
      service ike
      service esp
      action permit
     rule name Untrust_Local_IPsec2
      source-zone untrust
      destination-zone local
      source-address 202.100.10.1 32
      destination-address 202.100.1.1 32
      service ike
      service esp
      action permit

Step 7: Configure inter-zone security policies (cont.)
Permit the traffic between the communicating networks, between the Untrust and Trust zones in both directions.
  Branch1-USG configuration:
     rule name Trust_Untrust_IPsec3
      source-zone trust
      source-zone untrust
      destination-zone trust
      destination-zone untrust
      source-address 10.1.1.0 24
      source-address 10.1.10.0 24
      destination-address 10.1.1.0 24
      destination-address 10.1.10.0 24
      action permit

Step 7: Configure inter-zone security policies (cont.)
Permit, between the Untrust and Local zones in both directions, the ESP and IKE traffic between the remote encryption point and the local encryption point.
  Branch2-USG configuration:
    ip service-set ike type object
     service 0 protocol udp destination-port 500
    #
    security-policy
     rule name Local_Untrust_IPsec1
      source-zone local
      destination-zone untrust
      source-address 202.100.2.1 32
      destination-address 202.100.10.1 32
      service ike
      service esp
      action permit
     rule name Untrust_Local_IPsec2
      source-zone untrust
      destination-zone local
      source-address 202.100.10.1 32
      destination-address 202.100.2.1 32
      service ike
      service esp
      action permit

Step 7: Configure inter-zone security policies (cont.)
Permit the traffic between the communicating networks, between the Untrust and Trust zones in both directions.
  Branch2-USG configuration:
     rule name Trust_Untrust_IPsec3
      source-zone trust
      source-zone untrust
      destination-zone trust
      destination-zone untrust
      source-address 10.1.2.0 24
      source-address 10.1.10.0 24
      destination-address 10.1.2.0 24
      destination-address 10.1.10.0 24
      action permit

Configuration verification
Test the interesting traffic between the communicating networks from Branch1-Trust (note: the test cannot be run from Center-Trust):
  <Branch1-Trust>ping 10.1.10.10
    PING 10.1.10.10: 56 data bytes, press CTRL_C to break
      Request time out
      Reply from 10.1.10.10: bytes=56 Sequence=2
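The note that the test must be started from a branch, together with the Step 3 remark that Center-USG configures no remote-address, both follow from one rule: a policy-template can only respond to a negotiation, while a static isakmp policy with a known remote-address can initiate one. The Python model below is an added example, not part of the original course material, that encodes this initiator/responder behaviour for the three devices of this section and works through the cases a practitioner needs to reason about, including why a new branch subnet needs a matching hub ACL rule and why a branch rejects the hub if the hub's address ever changes. Real USG matching has more detail than this model; the `negotiate` function, its reason strings, the `new-branch` and `unknown` policies and the `203.0.113.9` documentation address are constructed for this example.

```python
"""Initiator/responder model of static (isakmp) vs template IPSec policies.

Constructed example of the behaviour described on the slides: the hub's
policy-template has no remote-address, so it can answer any branch that
authenticates but can never initiate; each branch's static policy can
initiate towards the hub address it was given.  Real USG matching has more
detail than this model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpsecPolicy:
    device: str
    kind: str                            # "isakmp" (static) or "template"
    acl: tuple                           # (source_net, destination_net) pairs of the security acl
    psk: str                             # pre-shared-key of the referenced ike peer
    remote_address: Optional[str] = None # None on the hub's template peer


def acl_covers(rules, src, dst):
    """True if some rule's source/destination networks contain the whole flow."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return any(s.subnet_of(ipaddress.ip_network(rs)) and d.subnet_of(ipaddress.ip_network(rd))
               for rs, rd in rules)


def negotiate(initiator, initiator_addr, flow_src, flow_dst, responder):
    """Outcome of `initiator` trying to bring up flow_src->flow_dst with `responder`."""
    if initiator.kind == "template":
        return "initiator: template policies only respond"
    if not acl_covers(initiator.acl, flow_src, flow_dst):
        return "initiator: no ACL rule for this flow"
    if initiator.psk != responder.psk:
        return "responder: pre-shared key mismatch"
    if responder.kind == "isakmp" and initiator_addr != responder.remote_address:
        return "responder: initiator address is not the configured remote-address"
    if not acl_covers(responder.acl, flow_dst, flow_src):   # the responder sees the mirror image
        return "responder: flow not covered by security ACL"
    return "established"


# The three devices from Steps 1-6 of this section.
HUB = IpsecPolicy("Center-USG", "template",
                  (("10.1.10.0/24", "10.1.1.0/24"), ("10.1.10.0/24", "10.1.2.0/24")), "qythcie")
BRANCH1 = IpsecPolicy("Branch1-USG", "isakmp", (("10.1.1.0/24", "10.1.10.0/24"),), "qythcie", "202.100.10.1")
BRANCH2 = IpsecPolicy("Branch2-USG", "isakmp", (("10.1.2.0/24", "10.1.10.0/24"),), "qythcie", "202.100.10.1")

# Constructed cases: a branch subnet the hub ACL does not list, a peer with a different key,
# and the hub reaching a branch from an address other than the one the branch was given.
NEW_BRANCH = IpsecPolicy("new-branch", "isakmp", (("10.1.3.0/24", "10.1.10.0/24"),), "qythcie", "202.100.10.1")
UNKNOWN_KEY = IpsecPolicy("unknown", "isakmp", (("10.1.2.0/24", "10.1.10.0/24"),), "other-key", "202.100.10.1")
HUB_MOVED = IpsecPolicy("hub-moved", "isakmp", (("10.1.10.0/24", "10.1.1.0/24"),), "qythcie", "202.100.1.1")

SCENARIOS = {
    "Branch1 -> hub":          negotiate(BRANCH1, "202.100.1.1", "10.1.1.0/24", "10.1.10.0/24", HUB),
    "Branch2 -> hub":          negotiate(BRANCH2, "202.100.2.1", "10.1.2.0/24", "10.1.10.0/24", HUB),
    "hub -> Branch1":          negotiate(HUB, "202.100.10.1", "10.1.10.0/24", "10.1.1.0/24", BRANCH1),
    "Branch1 -> Branch2":      negotiate(BRANCH1, "202.100.1.1", "10.1.1.0/24", "10.1.2.0/24", BRANCH2),
    "new subnet -> hub":       negotiate(NEW_BRANCH, "203.0.113.9", "10.1.3.0/24", "10.1.10.0/24", HUB),
    "other key -> hub":        negotiate(UNKNOWN_KEY, "203.0.113.9", "10.1.2.0/24", "10.1.10.0/24", HUB),
    "moved hub -> Branch1":    negotiate(HUB_MOVED, "203.0.113.9", "10.1.10.0/24", "10.1.1.0/24", BRANCH1),
}

if __name__ == "__main__":
    for name, outcome in SCENARIOS.items():
        print(f"{name:24s} {outcome}")
```

The "hub -> Branch1" case is the slide's note in code form: the template side never starts IKE, so a ping from Center-Trust cannot bring the tunnel up. The "other key -> hub" case shows what the template does rely on: with no remote-address to check, the pre-shared key is the only gate on who may become a spoke, which is the argument for per-branch keys or certificate authentication when the branch population grows.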
