Firewall Virtual System Comprehensive Lab 1

Published: 2024-08-17

I. Lab objective and topology

Objective: firewall FW1 (the root system) and the virtual systems VFR_A and VRF_B connect, respectively, to the external network, the internal server segment and the internal client segment. The internal server is published to the external network with `nat server` so that external hosts can reach it, and the internal clients must also be able to reach it. The topology figure and interface address plan are not reproduced in this text; from the configuration below, the external segment is 100.1.121.0/24 (upstream gateway 100.1.121.1), the external PC sits in 100.1.15.0/24, the server segment 192.168.13.0/24 hangs off VFR_A and the client segment 192.168.14.0/24 hangs off VRF_B.

II. Basic configuration

1. Interface addresses: the firewall's external interface is .12 (100.1.121.12 on GigabitEthernet1/0/0), the interfaces on the virtual-system side of the two internal segments are both .254, the internal PC1 and the server are both .10 (192.168.14.10 and 192.168.13.10), and the external PC is .105 (100.1.15.105). Configure the interface and host addresses accordingly (the figure is not reproduced here).

2. Create the virtual systems and assign the firewall interfaces as planned. Note the inconsistent naming (VFR_A versus VRF_B), which is kept exactly as configured, and that `assign resource-class r0` is applied only to VFR_A, so VRF_B stays on the default resource class. The `display ip vpn-instance interface` output that follows lists four instances: besides VFR_A, VRF_B and default there is a VFR_B (ID 3) that the configuration above does not create. It holds only Virtual-if3, plays no part in the lab, and is evidently a leftover of the VFR/VRF naming mix-up.

vsys enable
resource-class r0
#
#
vsys name VFR_A 1
 assign interface GigabitEthernet1/0/1
 assign resource-class r0
#
vsys name VRF_B 2
 assign interface GigabitEthernet1/0/2
#

[FW1]dis ip vpn-instance int
 Total VPN-Instances configured      : 4

 VPN-Instance Name and ID : VFR_A, 1
  Interface Number : 2 
  Interface list : GigabitEthernet1/0/1, 
                   Virtual-if1

 VPN-Instance Name and ID : VFR_B, 3
  Interface Number : 1 
  Interface list : Virtual-if3

 VPN-Instance Name and ID : VRF_B, 2
  Interface Number : 2 
  Interface list : GigabitEthernet1/0/2, 
                   Virtual-if2

 VPN-Instance Name and ID : default, 21
  Interface Number : 1 
  Interface list : GigabitEthernet0/0/0

3. Zone membership of the firewall interfaces. In the root system, GigabitEthernet0/0/0 and Virtual-if0 are in trust and GigabitEthernet1/0/0 (external) is in untrust; in VFR_A, Virtual-if1 is in untrust and GigabitEthernet1/0/1 (server segment) is in dmz; in VRF_B, GigabitEthernet1/0/2 (client segment) is in trust and Virtual-if2 is in untrust. Virtual-if0 is the root system's end of the link to every virtual system and Virtual-ifN is the virtual system's end, so a packet crossing between the root system and a vsys leaves one system and enters the other, and is policy-checked in both:
[FW1]dis zone
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (2):
    GigabitEthernet0/0/0
    Virtual-if0
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/0
#
dmz
 priority is 50
 interface of the zone is (0):
#
vpn-instance VFR_A local
 priority is 100
 interface of the zone is (0):
#
vpn-instance VFR_A trust
 priority is 85
 interface of the zone is (0):
#
vpn-instance VFR_A untrust
 priority is 5
 interface of the zone is (1):
    Virtual-if1
#
vpn-instance VFR_A dmz
 priority is 50
 interface of the zone is (1):
    GigabitEthernet1/0/1
#
vpn-instance VRF_B local
 priority is 100
 interface of the zone is (0):
#
vpn-instance VRF_B trust
 priority is 85
 interface of the zone is (1):
    GigabitEthernet1/0/2
#
vpn-instance VRF_B untrust
 priority is 5
 interface of the zone is (1):
    Virtual-if2
#
vpn-instance VRF_B dmz
 priority is 50
 interface of the zone is (0):
#
vpn-instance VFR_B local
 priority is 100
 interface of the zone is (0):
#
vpn-instance VFR_B trust
 priority is 85
 interface of the zone is (0):
#
vpn-instance VFR_B untrust
 priority is 5
 interface of the zone is (0):
#
vpn-instance VFR_B dmz
 priority is 50
 interface of the zone is (0):
#

III. Detailed configuration

1. Routing

In the root system, configure a default route to the upstream gateway 100.1.121.1 for external traffic, and point the two internal segments at their virtual systems: a static route whose next hop is `vpn-instance VFR_A` hands packets for 192.168.13.0/24 to VFR_A through Virtual-if0, and likewise 192.168.14.0/24 goes to VRF_B. This is what lets the external network reach the server and the internal client reach the server; the default route is meant to let the internal network reach the external network as well, although no source NAT for the 192.168.x.0/24 segments is shown on this page, so that part of the objective is not verified here.

#
ip route-static 0.0.0.0 0.0.0.0 100.1.121.1
ip route-static 192.168.13.0 255.255.255.0 vpn-instance VFR_A
ip route-static 192.168.14.0 255.255.255.0 vpn-instance VRF_B
#

In each virtual system (enter it with `switch vsys VFR_A`, then repeat in VRF_B), add a default route whose next hop is `public`, i.e. the root system:

#
ip route-static 0.0.0.0 0.0.0.0 public
#

2. Security policy

Root system. A packet from the external PC to the server enters the root system on GigabitEthernet1/0/0 (untrust) and leaves it through Virtual-if0 (trust) toward VFR_A, so the root system needs an untrust-to-trust permit. Because the `nat server` translation is applied before the security policy is matched, the destination address in the rule is the server's real address range 192.168.13.0/24, not the global address 100.1.121.100:

[FW1-policy-security]dis th
#
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name INT_TO_SER
  source-zone untrust
  destination-zone trust
  source-address 100.1.15.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
#

Virtual system VFR_A (server side). The same packet then enters VFR_A on Virtual-if1 (untrust) and exits on GigabitEthernet1/0/1 (dmz), so VFR_A needs its own untrust-to-dmz permit (INT_TO_SER below); the first rule, OUT_TO_DMZ, permits the internal clients in 192.168.14.0/24, which reach VFR_A through the root system in the same way. The policy of VRF_B, which must permit its clients from GigabitEthernet1/0/2 (trust) to Virtual-if2 (untrust), is not shown on this page:

security-policy
 rule name OUT_TO_DMZ
  source-zone untrust
  destination-zone dmz
  source-address 192.168.14.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
 rule name INT_TO_SER
  source-zone untrust
  destination-zone dmz
  source-address 100.1.15.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
#

3. nat server

nat server 1 global 100.1.121.100 inside 192.168.13.10 no-reverse

`no-reverse` creates only the forward server-map entry: connections initiated from outside to 100.1.121.100 are translated to 192.168.13.10, but connections the server opens itself are not given the global address as their source (a separate source NAT policy would be needed for that).
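The following Python script is an added example, not part of the original post and not a Huawei tool. It models the processing order this lab relies on: `nat server` translation in the root system, then route lookup, then a security-policy check in every system a packet traverses, with Virtual-if0 as the root end and Virtual-ifN as the vsys end of each hand-off. It parses a copy of the page's `display zone` output (cut down to the zones that hold interfaces), encodes the routes, policies and NAT mapping above, and walks the two flows verified later on the page plus a denied one. The VRF_B rule named ASSUMED_TRUST_TO_UNTRUST is a placeholder, because the page does not show VRF_B's policy; the root system's trust-to-trust leg for the internal client has no matching rule on the page, so the script reports that leg as unmatched and leaves it to an `intrazone_default_permit` flag that you should set according to your platform's intra-zone default.

```python
import ipaddress

# Copy of the page's `display zone` output, cut down to the zones that hold
# interfaces (empty zones and priority lines omitted).
DISPLAY_ZONE = """\
trust
 interface of the zone is (2):
    GigabitEthernet0/0/0
    Virtual-if0
#
untrust
 interface of the zone is (1):
    GigabitEthernet1/0/0
#
vpn-instance VFR_A untrust
 interface of the zone is (1):
    Virtual-if1
#
vpn-instance VFR_A dmz
 interface of the zone is (1):
    GigabitEthernet1/0/1
#
vpn-instance VRF_B trust
 interface of the zone is (1):
    GigabitEthernet1/0/2
#
vpn-instance VRF_B untrust
 interface of the zone is (1):
    Virtual-if2
#
"""

def parse_display_zone(text):
    """Return {system: {interface: zone}}; root zones carry no vpn-instance prefix."""
    zones, system, zone = {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):                 # zone header line
            parts = line.split()
            system, zone = (parts[1], parts[2]) if parts[0] == "vpn-instance" else ("root", parts[0])
        elif line.startswith("    "):                # interface line (4-space indent)
            zones.setdefault(system, {})[line.strip()] = zone
    return zones

ZONES = parse_display_zone(DISPLAY_ZONE)

# Root side of every vsys link is Virtual-if0; each vsys uses its own Virtual-ifN.
VIRTUAL_IF = {"VFR_A": "Virtual-if1", "VRF_B": "Virtual-if2"}

# Static routes from the page. Next hops: ("iface", egress interface) for connected
# and external destinations, ("vsys", name) for `vpn-instance <name>`, ("public", None)
# for the vsys default route to the root system.
ROUTES = {
    "root": [("0.0.0.0/0", ("iface", "GigabitEthernet1/0/0")),      # via 100.1.121.1
             ("192.168.13.0/24", ("vsys", "VFR_A")),
             ("192.168.14.0/24", ("vsys", "VRF_B"))],
    "VFR_A": [("192.168.13.0/24", ("iface", "GigabitEthernet1/0/1")),
              ("0.0.0.0/0", ("public", None))],
    "VRF_B": [("192.168.14.0/24", ("iface", "GigabitEthernet1/0/2")),
              ("0.0.0.0/0", ("public", None))],
}

# Security policies from the page: (name, source zone, destination zone,
# source net, destination net); None means "any".
POLICIES = {
    "root": [("LOCAL_TO_ANY", "local", None, None, None),
             ("INT_TO_SER", "untrust", "trust", "100.1.15.0/24", "192.168.13.0/24")],
    "VFR_A": [("OUT_TO_DMZ", "untrust", "dmz", "192.168.14.0/24", "192.168.13.0/24"),
              ("INT_TO_SER", "untrust", "dmz", "100.1.15.0/24", "192.168.13.0/24"),
              ("LOCAL_TO_ANY", "local", None, None, None)],
    # Not on the page: a hypothetical placeholder for VRF_B's trust->untrust permit.
    "VRF_B": [("ASSUMED_TRUST_TO_UNTRUST", "trust", "untrust", "192.168.14.0/24", None)],
}

# `nat server 1 global 100.1.121.100 inside 192.168.13.10 no-reverse`
NAT_SERVER = {"100.1.121.100": "192.168.13.10"}

def lookup_route(system, dst):
    """Longest-prefix match in one system's table."""
    best = None
    for prefix, nexthop in ROUTES[system]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    if best is None:
        raise LookupError(f"{system}: no route to {dst}")
    return best[1]

def match_rule(system, in_zone, out_zone, src, dst):
    """Name of the first rule that matches, or None (the default policy denies)."""
    for name, szone, dzone, snet, dnet in POLICIES.get(system, []):
        if szone not in (None, in_zone) or dzone not in (None, out_zone):
            continue
        if snet is not None and src not in ipaddress.ip_network(snet):
            continue
        if dnet is not None and dst not in ipaddress.ip_network(dnet):
            continue
        return name
    return None

def check_flow(src, dst, ingress_iface, system="root"):
    """Walk a packet through the root and virtual systems; return one
    (system, ingress zone, egress zone, matched rule or None) per leg.
    Every leg is reported even after a deny, so all gaps show at once."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    legs = []
    for _ in range(8):                               # hand-offs are bounded; no loops expected
        if system == "root":                         # nat server: destination NAT before route/policy
            dst = ipaddress.ip_address(NAT_SERVER.get(str(dst), str(dst)))
        kind, target = lookup_route(system, dst)
        egress = {"iface": target, "vsys": "Virtual-if0", "public": VIRTUAL_IF.get(system)}[kind]
        in_zone, out_zone = ZONES[system][ingress_iface], ZONES[system][egress]
        legs.append((system, in_zone, out_zone, match_rule(system, in_zone, out_zone, src, dst)))
        if kind == "iface":
            break
        system, ingress_iface = (target, VIRTUAL_IF[target]) if kind == "vsys" else ("root", "Virtual-if0")
    return legs

def permitted(legs, intrazone_default_permit=False):
    """True if every leg matched a rule; unmatched intra-zone legs pass only with the flag."""
    return all(rule is not None or (intrazone_default_permit and zin == zout)
               for _, zin, zout, rule in legs)

def outbound_source(inside_addr, no_reverse=True):
    """With no-reverse a connection the server opens keeps its inside address;
    without it the reverse server-map would rewrite the source to the global address."""
    inside_to_global = {v: k for k, v in NAT_SERVER.items()}
    return inside_addr if no_reverse else inside_to_global.get(inside_addr, inside_addr)

if __name__ == "__main__":
    flows = [("external PC -> nat server", ("100.1.15.105", "100.1.121.100", "GigabitEthernet1/0/0", "root")),
             ("internal PC -> server", ("192.168.14.10", "192.168.13.10", "GigabitEthernet1/0/2", "VRF_B")),
             ("other external host -> nat server", ("100.1.16.5", "100.1.121.100", "GigabitEthernet1/0/0", "root"))]
    for label, flow in flows:
        legs = check_flow(*flow)
        print(label, "permitted" if permitted(legs) else "DENIED/unmatched", legs)
```

Run it as a script to print each flow's legs. The walker deliberately keeps going after a leg without a matching rule, so a gap in the root system and one in a virtual system show up in the same run; to adapt it, paste your own `display zone` output into DISPLAY_ZONE and replace the placeholder with VRF_B's real rule.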

IV. Verification

Internal PC to the server. The hops through the firewall do not answer (shown as *), but the server replies at hop 3, which confirms the VRF_B to root to VFR_A path:

PC>tracert 192.168.13.10

traceroute to 192.168.13.10, 8 hops max
(ICMP), press Ctrl+C to stop
 1    *  *  *
 2    *  *  *
 3  192.168.13.10   <1 ms  <1 ms  16 ms

External PC to the server. Hop 1 is the external router 100.1.15.1, hop 2 is the firewall's external interface 100.1.121.12, hop 3 (the virtual system) does not answer, and hop 4 is the server, which appears as the global address 100.1.121.100 because its reply is translated back by `nat server`; the real address 192.168.13.10 is never visible from outside:

PC>tracert 100.1.121.100

traceroute to 100.1.121.100, 8 hops max
(ICMP), press Ctrl+C to stop
 1  100.1.15.1   32 ms  47 ms  46 ms
 2  100.1.121.12   63 ms  62 ms  63 ms
 3    *  *  *
 4  100.1.121.100   78 ms  63 ms  62 ms
