1. Network security case 2
1) Sites 1 and 2 can access the Internet; ISP1 is the primary link and ISP2 the backup.
2) Site 1 hosts web and FTP servers. The FTP server serves only the internal network; the web server is published to the Internet on its own fixed public IP, 100.1.2.3.
3) Headquarters has purchased a fixed egress IP from ISP1; company users may log in through that IP to reach the internal network and access the internal web/FTP servers.
4) A secure VPN tunnel is required between site 1 and site 2 for inter-site communication.
![Figure 1 - Chapter 11 Comprehensive network security case 2 - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片1-1024x532.png)
2. Public network configuration
1) R1
#Configure BGP
bgp 100
peer 200.100.0.2 as-number 200
network 100.1.1.0 255.255.255.0
network 100.1.20.0 255.255.255.0
network 100.100.1.0 255.255.255.252
network 100.100.2.0 255.255.255.252
2) R2
#Configure BGP
bgp 200
peer 200.100.0.1 as-number 100
network 200.1.1.0 255.255.255.0
network 200.1.2.0 255.255.255.0
network 200.99.2.0 255.255.255.0
network 200.200.1.0 255.255.255.252
network 200.200.2.0 255.255.255.252
3. Internal network configuration
#FW1
#Address configuration
interface GigabitEthernet1/0/3
ip address 172.17.1.254 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/4
ip address 172.17.2.254 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/0
ip address 100.100.2.2 255.255.255.252
service-manage all permit
interface GigabitEthernet1/0/1
ip address 200.200.2.2 255.255.255.252
service-manage all permit
#Configure security zones
firewall zone trust
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
firewall zone untrust
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#Configure security policy
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
action permit
#Configure NAT policy
nat-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
action source-nat easy-ip
#Configure routes (primary/backup; the ISP2 default route has the higher preference value, so it is used only when the ISP1 route is withdrawn)
ip route-static 0.0.0.0 0.0.0.0 100.100.2.1
ip route-static 0.0.0.0 0.0.0.0 200.200.2.1 preference 70
#FW2
#Address configuration
interface GigabitEthernet1/0/1
ip address 100.100.1.2 255.255.255.252
service-manage all permit
interface GigabitEthernet1/0/2
ip address 200.200.1.2 255.255.255.252
service-manage http permit
interface GigabitEthernet1/0/0
ip address 172.16.1.254 255.255.255.0
service-manage all permit
#Configure security zones
firewall zone trust
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#Configure security policy
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 172.16.1.0 mask 255.255.255.0
action permit
#Configure NAT policy
nat-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 172.16.1.0 mask 255.255.255.0
action source-nat easy-ip
#Configure routes (primary/backup)
ip route-static 0.0.0.0 0.0.0.0 100.100.1.1
ip route-static 0.0.0.0 0.0.0.0 200.200.1.1 preference 70
4. Configure public-network client access to the private web server
#R1 (host route for the web server's public address, pointing at FW1)
ip route-static 100.1.2.3 32 100.100.2.2
#FW1
#Security policy configuration (the policy matches the post-NAT private address of the web server)
security-policy
rule name nat_server_web
source-zone untrust
destination-zone trust
destination-address 172.17.2.3 mask 255.255.255.255
action permit
#Configure NAT server: only tcp/80 of public 100.1.2.3 is mapped to the web server
nat server web_01 protocol tcp global 100.1.2.3 80 inside 172.17.2.3 80 no-reverse unr-route
5. Configure SSL VPN
#Create the SSL VPN virtual gateway
v-gateway sslvpn interface GigabitEthernet 1/0/0 port 20443 private www.abc.com
![Figure 2 - Chapter 11 Comprehensive network security case 2 - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片2-1024x519.png)
![Figure 3 - Chapter 11 Comprehensive network security case 2 - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片3-1024x492.png)
![Figure 4 - Chapter 11 Comprehensive network security case 2 - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片4-1024x534.png)
#Disable interface-level service management; access to the gateway is then governed by the security policy below
[FW1-GigabitEthernet1/0/0]undo service-manage enable
security-policy
rule name ssl_vpn
source-zone untrust
destination-zone local
destination-address 100.100.2.2 mask 255.255.255.255
action permit
rule name ftp_server
source-zone untrust
destination-zone trust
destination-address 172.17.2.5 mask 255.255.255.255
action permit
![Figure 5 - Chapter 11 Comprehensive network security case 2 - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片5.png)
![Figure 6 - Chapter 11 Comprehensive network security case 2 - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片6.png)
6. Configure IPsec
#FW1 - IKE (allow IKE negotiation to and from the local zone)
security-policy
rule name IKE_IN
source-zone untrust
destination-zone local
destination-address 100.100.2.2 mask 255.255.255.255
action permit
rule name IKE_OUT
source-zone local
destination-zone untrust
source-address 100.100.2.2 mask 255.255.255.255
action permit
#FW2 - IKE
security-policy
rule name IKE_IN
source-zone untrust
destination-zone local
source-address 100.100.2.2 mask 255.255.255.255
action permit
rule name IKE_OUT
source-zone local
destination-zone untrust
destination-address 100.100.2.2 mask 255.255.255.255
action permit
#IPsec (allow the decrypted inter-site traffic in both directions)
#FW1 - IPsec
security-policy
rule name ipsec_flow_in
source-zone untrust
destination-zone trust
source-address 172.16.0.0 mask 255.255.0.0
destination-address 172.17.0.0 mask 255.255.0.0
action permit
rule name ipsec_flow_out
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action permit
#FW2 - IPsec
security-policy
rule name ipsec_flow_in
source-zone untrust
destination-zone trust
source-address 172.17.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action permit
rule name ipsec_flow_out
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
destination-address 172.17.0.0 mask 255.255.0.0
action permit
#Interesting traffic (IPsec ACL, wildcard masks)
#FW1
acl number 3001
rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#FW2
acl number 3001
rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
#Exclude the inter-site traffic from source NAT (otherwise it would be translated and no longer match ACL 3001)
#FW1
nat-policy
rule name no-nat_ipsec
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
#Move the rule to the top so it is matched before the easy-ip rule
rule move no-nat_ipsec top
#FW2
nat-policy
rule name no-nat_ipsec
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
destination-address 172.17.0.0 mask 255.255.0.0
action no-nat
#Move the rule to the top so it is matched before the easy-ip rule
rule move no-nat_ipsec top
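To make the first-match behaviour behind `rule move no-nat_ipsec top` concrete, here is an added Python model (not from the original page or from Huawei) of FW1's nat-policy and ACL 3001. It assumes, as the page implies, that source NAT is evaluated before IPsec encapsulation, so a flow that still hits `t_2_un` would be translated to the egress address and no longer match the interesting-traffic ACL; the host addresses used are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of FW1's nat-policy in the order the page enters it:
# t_2_un (easy-ip) was created first, no-nat_ipsec second. The list is
# evaluated top-down and the first matching rule wins.
FW1_NAT_POLICY = [
    {"name": "t_2_un", "src": "172.17.0.0/16", "dst": None, "action": "source-nat easy-ip"},
    {"name": "no-nat_ipsec", "src": "172.17.0.0/16", "dst": "172.16.0.0/16", "action": "no-nat"},
]

# FW1's interesting-traffic ACL 3001 with Huawei wildcard masks (a 1 bit means "don't care").
ACL_3001 = {"src": ("172.17.0.0", "0.0.255.255"), "dst": ("172.16.0.0", "0.0.255.255")}


def in_wildcard(addr, base, wildcard):
    """True if addr matches base under an ACL wildcard mask."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(addr)) & care) == (int(ip_address(base)) & care)


def acl_match(acl, src, dst):
    return in_wildcard(src, *acl["src"]) and in_wildcard(dst, *acl["dst"])


def first_match(policy, src, dst):
    """Return the first nat-policy rule whose source/destination cover the flow."""
    for rule in policy:
        src_ok = ip_address(src) in ip_network(rule["src"])
        dst_ok = rule["dst"] is None or ip_address(dst) in ip_network(rule["dst"])
        if src_ok and dst_ok:
            return rule
    return None


def move_top(policy, name):
    """Model `rule move <name> top`: return a new list with that rule first."""
    moved = next(r for r in policy if r["name"] == name)
    return [moved] + [r for r in policy if r["name"] != name]


def ipsec_will_encrypt(policy, src, dst):
    """A flow enters the tunnel only if NAT leaves it alone AND ACL 3001 matches."""
    rule = first_match(policy, src, dst)
    if rule is None or rule["action"] != "no-nat":
        return False  # easy-ip would rewrite the source to 100.100.2.2; ACL 3001 no longer matches
    return acl_match(ACL_3001, src, dst)


if __name__ == "__main__":
    flow = ("172.17.1.10", "172.16.1.10")  # constructed site 1 -> site 2 hosts
    print("before move:", ipsec_will_encrypt(FW1_NAT_POLICY, *flow))  # False
    print("after move:", ipsec_will_encrypt(move_top(FW1_NAT_POLICY, "no-nat_ipsec"), *flow))  # True
```

Internet-bound traffic from site 1 still hits `t_2_un` after the move, so the reorder only carves out the tunnel traffic.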
#FW1 IPsec configuration
#Configure IKE proposal
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#Configure IKE peer (no remote-address: FW1 accepts the initiator via the policy template)
ike peer branch
undo version 2
pre-shared-key huawei@123
exchange-mode main
ike-proposal 5
#Configure IPsec proposal
ipsec proposal pps1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#Configure IPsec policy template
ipsec policy-template branch_tem 10
security acl 3001
ike-peer branch
proposal pps1
#Configure IPsec policy that references the template
ipsec policy pl01 5 isakmp template branch_tem
#Apply the IPsec policy on the ISP1-facing interface
interface GigabitEthernet1/0/0
ipsec policy pl01
#FW2 IPsec configuration
#Configure IKE proposal
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#Configure IKE peer (FW2 initiates, so it names FW1's address)
ike peer fw1
undo version 2
pre-shared-key huawei@123
ike-proposal 5
exchange-mode main
remote-address 100.100.2.2
#Configure IPsec proposal
ipsec proposal pps1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#Configure IPsec policy (ISAKMP mode; FW2 uses a regular policy rather than a template)
ipsec policy pl01 5 isakmp
security acl 3001
ike-peer fw1
proposal pps1
#Apply the IPsec policy on the ISP1-facing interface
interface GigabitEthernet1/0/1
ipsec policy pl01