关注我们
安全产品那些事儿-H3C F1060防火墙透明模式典型组网配置案例1
组网说明:
本案例采用H3C HCL模拟器的F1060防火墙来模拟防火墙的透明模式典型组网配置1。为了实现PC之间相互PING通,因此需要在SW1、R1之间通过路由指向来实现路由可达。F1060处在R1、SW1之间,所以将F1060配置为透明模式,采用trunk的方式为R1、SW1透传业务。
配置思路:
1、按照网络拓扑图正确配置IP地址
2、R1与SW1之间运行ospf路由协议
3、将F1060防火墙配置为透明模式,采用trunk的方式为R1、SW1透传业务。
4、F1060防火墙上涉及到的物理接口或虚接口需要加入安全域并放通相应的安全策略。
配置过程:
SW1:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname SW1
[SW1]vlan 100
[SW1-vlan100]quit
[SW1]int vlan 100
[SW1-Vlan-interface100]ip address 172.16.1.1 24
[SW1-Vlan-interface100]quit
[SW1]int gi 1/0/1
[SW1-GigabitEthernet1/0/1]port link-type access
[SW1-GigabitEthernet1/0/1]port access vlan 100
[SW1-GigabitEthernet1/0/1]quit
[SW1]vlan 10
[SW1-vlan10]quit
[SW1]int vlan 10
[SW1-Vlan-interface10]ip address 10.0.0.1 30
[SW1-Vlan-interface10]quit
[SW1]int gi 1/0/2
[SW1-GigabitEthernet1/0/2]des <connect to FW1>
[SW1-GigabitEthernet1/0/2]port link-type trunk
[SW1-GigabitEthernet1/0/2]undo port trunk permit vlan 1
[SW1-GigabitEthernet1/0/2]port trunk permit vlan 10
[SW1-GigabitEthernet1/0/2]quit
[SW1]int loopback 0
[SW1-LoopBack0]ip address 1.1.1.1 32
[SW1-LoopBack0]quit
[SW1]ospf 1 router-id 1.1.1.1
[SW1-ospf-1]area 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 10.0.0.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[SW1-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[SW1-ospf-1-area-0.0.0.0]quit
[SW1-ospf-1]quit
[SW1]
R1:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname R1
[R1]int loopback 0
[R1-LoopBack0]ip address 2.2.2.2 32
[R1-LoopBack0]quit
[R1]int gi 0/1
[R1-GigabitEthernet0/1]ip address 192.168.1.1 24
[R1-GigabitEthernet0/1]quit
[R1]vlan 10
[R1-vlan10]quit
[R1]int vlan 10
[R1-Vlan-interface10]ip address 10.0.0.2 30
[R1-Vlan-interface10]quit
[R1]int gi 0/0
[R1-GigabitEthernet0/0]port link-mode bridge
[R1-GigabitEthernet0/0]port link-type trunk
[R1-GigabitEthernet0/0]undo port trunk permit vlan 1
[R1-GigabitEthernet0/0]port trunk permit vlan 10
[R1-GigabitEthernet0/0]quit
[R1]ospf 1 router-id 2.2.2.2
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.0.0.2 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 2.2.2.2 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]quit
FW1 透明模式配置关键点:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname FW1
[FW1]vlan 10
[FW1-vlan10]quit
[FW1]int range gi 1/0/2 to gi 1/0/3
[FW1-if-range]port link-mode bridge //将防火墙接口模式修改为桥模式(二层模式)
[FW1-if-range]port link-type trunk //开启trunk
[FW1-if-range]undo port trunk permit vlan 1 //不允许vlan 1通过
[FW1-if-range]port trunk permit vlan 10 //允许vlan 10通过
[FW1-if-range]quit
[FW1]security-zone name Trust //进入trust安全域
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/3 vlan 10 //将接口和vlan加入安全域
[FW1-security-zone-Trust]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/2 vlan 10
[FW1-security-zone-Untrust]quit
配置ACL,并在域间策略放通。
[FW1]acl basic 2002
[FW1-acl-ipv4-basic-2002]rule 0 permit source any
[FW1-acl-ipv4-basic-2002]quit
[FW1]
[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2002
[FW1-zone-pair-security-Trust-Untrust]quit
[FW1]
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2002
[FW1-zone-pair-security-Untrust-Trust]quit
[FW1]
[FW1]zone-pair security source trust destination local
[FW1-zone-pair-security-Trust-Local]packet-filter 2002
[FW1-zone-pair-security-Trust-Local]quit
[FW1]
[FW1]zone-pair security source local destination trust
[FW1-zone-pair-security-Local-Trust]packet-filter 2002
[FW1-zone-pair-security-Local-Trust]quit
[FW1]
[FW1]zone-pair security source untrust destination local
[FW1-zone-pair-security-Untrust-Local]packet-filter 2002
[FW1-zone-pair-security-Untrust-Local]quit
[FW1]
[FW1]zone-pair security source local destination untrust
[FW1-zone-pair-security-Local-Untrust]packet-filter 2002
[FW1-zone-pair-security-Local-Untrust]quit
[FW1]
[FW1]zone-pair security source trust destination trust
[FW1-zone-pair-security-Trust-Trust]packet-filter 2002
[FW1-zone-pair-security-Trust-Trust]quit
[FW1]
[FW1]zone-pair security source untrust destination untrust
[FW1-zone-pair-security-Untrust-Untrust]packet-filter 2002
[FW1-zone-pair-security-Untrust-Untrust]quit
测试:
所有PC都填写IP地址:
PC之间可以相互PING通:
分别查看SW1、R1的OSPF邻居信息:
分别查看SW1、R1的路由表:
查看FW1的zone-pair:
至此,F1060防火墙透明模式典型组网配置案例1已完成!
原文始发于微信公众号(NCVT CSTA):安全产品那些事儿-H3C F1060防火墙透明模式典型组网配置案例1
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论