Huawei eNSP lab: configuring USG firewalls for network connectivity
This lab simulates communication between a headquarters firewall and a branch firewall. It covers end-to-end reachability across the network and the configuration on the firewalls themselves, mainly packet filtering (security policy) and routing, so that traffic flows as intended.
Procedure
1. Build the topology: three firewalls and two routers
2. Configure the interface addresses on all devices

    [R1]int g0/0/0
    [R1-GigabitEthernet0/0/0]ip add 10.0.10.2 24
    [R1-GigabitEthernet0/0/0]int s3/0/0
    [R1-Serial3/0/0]ip add 10.0.12.1 24
    [R1-Serial3/0/0]int loop 0
    [R1-LoopBack0]ip add 10.0.1.1 24

    [R2]int g0/0/0
    [R2-GigabitEthernet0/0/0]ip add 10.0.20.1 24
    [R2-GigabitEthernet0/0/0]int s3/0/0
    [R2-Serial3/0/0]ip add 10.0.12.2 24
    [R2-Serial3/0/0]int s4/0/0
    [R2-Serial4/0/0]ip add 10.0.23.2 24
    [R2-Serial4/0/0]int loop 0
    [R2-LoopBack0]ip add 10.0.2.2 24

    [R3]int s4/0/0
    [R3-Serial4/0/0]ip add 10.0.23.3 24
    [R3-Serial4/0/0]
    Aug 14 2017 15:00:53-08:00 R3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol PPP IPCP on the interface Serial4/0/0 has entered the UP state.
    [R3-Serial4/0/0]int loop 0
    [R3-LoopBack0]ip add 10.0.3.3 24
3. Check the current network connectivity (the pings time out at this point)

    [FW1-policy-security-rule-policy_sec_2]ping 10.0.20.2
      PING 10.0.20.2: 56 data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out

    [FW1]ping 10.0.12.1
      PING 10.0.12.1: 56 data bytes, press CTRL_C to break
        Request time out
        Request time out
        Request time out
        Request time out
        Request time out
4. Configure the firewall's packet-filtering behaviour (security policy)

    security-policy
     rule name policy_sec_1
      source-zone trust
      destination-zone untrust
      action permit
     rule name policy_sec_2
      source-zone local
      source-zone untrust
      destination-zone local
      destination-zone untrust
      action permit
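The following is an added example, not part of the original lab and not Huawei code. It models the matching semantics of the security policy above in plain Python (rules evaluated top-down, first match wins, implicit deny when nothing matches) so that the flows pinged in steps 3 and 7 can be checked against the rule set before the policy is pushed to the device. Zone names and rule names are taken from the page; the flow labels are constructed, and the example assumes the firewall's uplink interface has been placed in the untrust zone, which the page does not show.

```python
"""Zone-based security-policy matcher for the rules configured in step 4."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    source_zones: set
    destination_zones: set
    action: str  # "permit" or "deny"

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        # A rule with several source-zone / destination-zone lines matches
        # any combination of them, exactly as the CLI config expands it.
        return src_zone in self.source_zones and dst_zone in self.destination_zones


# The two rules exactly as entered on the firewall in step 4.
POLICY = [
    Rule("policy_sec_1", {"trust"}, {"untrust"}, "permit"),
    Rule("policy_sec_2", {"local", "untrust"}, {"local", "untrust"}, "permit"),
]


def evaluate(policy, src_zone, dst_zone):
    """Return (action, rule_name) for a flow between two zones.

    Rules are tried in order and the first match decides; a flow that matches
    no rule hits the implicit default policy, which is deny.
    """
    for rule in policy:
        if rule.matches(src_zone, dst_zone):
            return rule.action, rule.name
    return "deny", "default"


def explain_flows(policy):
    # Constructed flow list: the pings issued from the firewall CLI in the lab
    # originate in the local zone, plus the through-traffic directions.
    flows = {
        "firewall itself -> remote network (ping from the CLI)": ("local", "untrust"),
        "inside host -> remote network": ("trust", "untrust"),
        "remote network -> inside host": ("untrust", "trust"),
        "remote network -> firewall itself": ("untrust", "local"),
    }
    return {label: evaluate(policy, s, d) for label, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, (action, rule) in explain_flows(POLICY).items():
        print(f"{label:55s} {action:6s} ({rule})")
```

Two things the model makes visible: the ping issued from the firewall's own CLI is a local-zone flow, so it needs policy_sec_2, not policy_sec_1; and because policy_sec_2 lists both zones as source and as destination, it also permits untrust to local, i.e. hosts on the outside may reach the firewall's own addresses. If that is not wanted, split it into two rules (local to untrust, and untrust to local restricted to the services actually required).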
5. Configure OSPF to provide connectivity: first R1 through R3, then FW1 and FW2

    [R1]ospf 1
    [R1-ospf-1]area 0.0.0.0
    [R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
    [R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255

    [R2]ospf 1
    [R2-ospf-1]area 0.0.0.0
    [R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
    [R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
    [R2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255

    [R3]ospf 1
    [R3-ospf-1]area 0.0.0.0
    [R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255

    [FW1]ospf 1
    [FW1-ospf-1]area 0.0.0.0
    [FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255

    [FW2]ospf 1
    [FW2-ospf-1]area 0.0.0.0
    [FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
6. Check each device's routing table, and enable ping on the firewall interface

    [FW1]dis ip rou
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 7        Routes : 7

    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

          10.0.10.0/24  Direct  0    0           D   10.0.10.1       GigabitEthernet1/0/0
          10.0.10.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
          10.0.12.0/24  OSPF    10   49          D   10.0.10.2       GigabitEthernet1/0/0
          10.0.20.0/24  OSPF    10   50          D   10.0.10.2       GigabitEthernet1/0/0
          10.0.23.0/24  OSPF    10   97          D   10.0.10.2       GigabitEthernet1/0/0
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

Enable ping on the interface:

    service-manager ping enable
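As an added example serving steps 5 and 6 (not part of the original lab, and not Huawei code), the script below parses the `dis ip rou` output captured on FW1 above, performs the same longest-prefix lookup the forwarding table performs, and reports which OSPF prefixes from the step 5 network statements are present or missing. The routing-table text is copied from the page; the list of expected prefixes and the helper names are assumptions made for this example.

```python
"""Parse a VRP 'display ip routing-table' dump and verify the routes OSPF should have produced."""
import ipaddress
import re

# Output of 'dis ip rou' on FW1 as shown in step 6 of the lab.
FW1_ROUTING_TABLE = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.0.10.0/24  Direct  0    0           D   10.0.10.1       GigabitEthernet1/0/0
      10.0.10.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
      10.0.12.0/24  OSPF    10   49          D   10.0.10.2       GigabitEthernet1/0/0
      10.0.20.0/24  OSPF    10   50          D   10.0.10.2       GigabitEthernet1/0/0
      10.0.23.0/24  OSPF    10   97          D   10.0.10.2       GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
"""

# One route line: prefix, protocol, preference, cost, flags, next hop, interface.
ROUTE_RE = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<flags>\S+)\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)\s*$"
)

# Prefixes covered by the OSPF network statements in step 5 that FW1 does not
# own itself (constructed from the page's configuration, not from the device).
EXPECTED_OSPF_PREFIXES = ["10.0.12.0/24", "10.0.20.0/24", "10.0.23.0/24"]


def parse_routing_table(text):
    """Return a list of route dicts; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        route = m.groupdict()
        route["network"] = ipaddress.ip_network(route["dest"], strict=False)
        route["pre"] = int(route["pre"])
        route["cost"] = int(route["cost"])
        routes.append(route)
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the route the FIB would use for this destination, or None."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


def missing_ospf_routes(routes, expected):
    """Expected prefixes that OSPF has not installed; empty means the adjacency converged."""
    learned = {str(r["network"]) for r in routes if r["proto"] == "OSPF"}
    return sorted(set(expected) - learned)


if __name__ == "__main__":
    table = parse_routing_table(FW1_ROUTING_TABLE)
    chosen = lookup(table, "10.0.20.2")
    print("10.0.20.2 via", chosen["nexthop"], "on", chosen["iface"], "cost", chosen["cost"])
    print("missing OSPF routes:", missing_ospf_routes(table, EXPECTED_OSPF_PREFIXES))
```

Running the check against the captured table shows all three transit prefixes installed via 10.0.10.2, which is why the ping in step 7 succeeds. It also shows that the router loopbacks (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24) are absent: the network statements in step 5 never cover them, so they are not advertised, and a `lookup` for any of those addresses returns None.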
7. Test network connectivity

    [FW1]ping 10.0.20.2
      PING 10.0.20.2: 56 data bytes, press CTRL_C to break
        Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=253 time=23 ms
        Reply from 10.0.20.2: bytes=56 Sequence=2 ttl=253 time=21 ms
        Reply from 10.0.20.2: bytes=56 Sequence=3 ttl=253 time=15 ms
        Reply from 10.0.20.2: bytes=56 Sequence=4 ttl=253 time=21 ms
        Reply from 10.0.20.2: bytes=56 Sequence=5 ttl=253 time=20 ms

      --- 10.0.20.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 15/20/23 ms