I. Lab objective and topology
Lab objective: the firewall FW1 and its virtual firewalls VFR_A and VRF_B connect to the external network, the internal server side and the internal client side respectively. The internal server is published to the external network with nat server, so that external hosts can reach the server while internal hosts can reach it as well. The topology and the interface addressing plan are as follows:

II. Basic configuration
1. Interface addresses: the firewall's external interface is .12, the internal interfaces on the virtual-firewall side are all .254, the internal PC1 and the server are both .10, and the external PC is .105. Configure the interface and host addresses as shown in the figure.
2. Create the virtual systems and assign the firewall interfaces as planned:
vsys enable
resource-class r0
vsys name VFR_A 1
assign interface GigabitEthernet1/0/1
assign resource-class r0
vsys name VRF_B 2
assign interface GigabitEthernet1/0/2
[FW1]dis ip vpn-instance int
Total VPN-Instances configured : 4
VPN-Instance Name and ID : VFR_A, 1
  Interface Number : 2
  Interface list : GigabitEthernet1/0/1, Virtual-if1
VPN-Instance Name and ID : VFR_B, 3
  Interface Number : 1
  Interface list : Virtual-if3
VPN-Instance Name and ID : VRF_B, 2
  Interface Number : 2
  Interface list : GigabitEthernet1/0/2, Virtual-if2
VPN-Instance Name and ID : default, 21
  Interface Number : 1
  Interface list : GigabitEthernet0/0/0

3. Zone plan for the firewall interfaces:
[FW1]dis zone
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (2):
    GigabitEthernet0/0/0
    Virtual-if0
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/0
#
dmz
 priority is 50
 interface of the zone is (0):
#
vpn-instance VFR_A local
 priority is 100
 interface of the zone is (0):
#
vpn-instance VFR_A trust
 priority is 85
 interface of the zone is (0):
#
vpn-instance VFR_A untrust
 priority is 5
 interface of the zone is (1):
    Virtual-if1
#
vpn-instance VFR_A dmz
 priority is 50
 interface of the zone is (1):
    GigabitEthernet1/0/1
#
vpn-instance VRF_B local
 priority is 100
 interface of the zone is (0):
#
vpn-instance VRF_B trust
 priority is 85
 interface of the zone is (1):
    GigabitEthernet1/0/2
#
vpn-instance VRF_B untrust
 priority is 5
 interface of the zone is (1):
    Virtual-if2
#
vpn-instance VRF_B dmz
 priority is 50
 interface of the zone is (0):
#
vpn-instance VFR_B local
 priority is 100
 interface of the zone is (0):
#
vpn-instance VFR_B trust
 priority is 85
 interface of the zone is (0):
#
vpn-instance VFR_B untrust
 priority is 5
 interface of the zone is (0):
#
vpn-instance VFR_B dmz
 priority is 50
 interface of the zone is (0):
#

III. Detailed configuration
1. Route configuration: on the root system, configure routes so that the external network can reach the internal server, the internal client can reach the internal server, and the internal network can reach the external network:
#
ip route-static 0.0.0.0 0.0.0.0 100.1.121.1
ip route-static 192.168.13.0 255.255.255.0 vpn-instance VFR_A
ip route-static 192.168.14.0 255.255.255.0 vpn-instance VRF_B
#
In both virtual systems, configure a route so they can reach the root system:
#
ip route-static 0.0.0.0 0.0.0.0 public
#
2. Security policy configuration
Root system:
[FW1-policy-security]dis th
#
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name INT_TO_SER
  source-zone untrust
  destination-zone trust
  source-address 100.1.15.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
#
Virtual system on the server side (VFR_A):
security-policy
 rule name OUT_TO_DMZ
  source-zone untrust
  destination-zone dmz
  source-address 192.168.14.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
 rule name INT_TO_SER
  source-zone untrust
  destination-zone dmz
  source-address 100.1.15.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
#
3. nat server configuration
nat server 1 global 100.1.121.100 inside 192.168.13.10 no-reverse

IV. Verification
Internal PC accessing the server:
PC>tracert 192.168.13.10
traceroute to 192.168.13.10, 8 hops max (ICMP), press Ctrl+C to stop
 1   *   *   *
 2   *   *   *
 3   192.168.13.10   <1 ms   <1 ms   16 ms
External PC accessing the server:
PC>tracert 100.1.121.100
traceroute to 100.1.121.100, 8 hops max (ICMP), press Ctrl+C to stop
 1   100.1.15.1   32 ms   47 ms   46 ms
 2   100.1.121.12   63 ms   62 ms   63 ms
 3   *   *   *
 4   100.1.121.100   78 ms   63 ms   62 ms
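An added example, not part of the lab's own configuration: a small Python model of the nat server mapping and the security policies from sections III.2 and III.3, used to check which instance permits each flow and that the client network stays unreachable from outside. Zone membership is derived from the dis zone output and the routes, and the host addresses (.10, .105) follow the addressing plan. The VRF_B policy and the root system's handling of traffic between the two virtual systems are not shown on the page, so check_flow takes the list of instances to evaluate instead of assuming them.

```python
import ipaddress

# nat server 1 global 100.1.121.100 inside 192.168.13.10 no-reverse
NAT_SERVER = {"100.1.121.100": "192.168.13.10"}

# Zone an address falls in, per instance, derived from "dis zone" and the
# routes: first match wins, the last entry stands for the default route.
ZONE_TABLE = {
    "root":  [("192.168.13.0/24", "trust"), ("192.168.14.0/24", "trust"),
              ("0.0.0.0/0", "untrust")],
    "VFR_A": [("192.168.13.0/24", "dmz"), ("0.0.0.0/0", "untrust")],
}
# (rule name, source-zone, destination-zone, source-address,
#  destination-address); None means the rule does not restrict that field.
POLICIES = {
    "root": [
        ("LOCAL_TO_ANY", "local", None, None, None),
        ("INT_TO_SER", "untrust", "trust", "100.1.15.0/24", "192.168.13.0/24"),
    ],
    "VFR_A": [
        ("OUT_TO_DMZ", "untrust", "dmz", "192.168.14.0/24", "192.168.13.0/24"),
        ("INT_TO_SER", "untrust", "dmz", "100.1.15.0/24", "192.168.13.0/24"),
        ("LOCAL_TO_ANY", "local", None, None, None),
    ],
}

def zone_of(instance, ip):
    addr = ipaddress.ip_address(ip)
    return next(z for net, z in ZONE_TABLE[instance]
                if addr in ipaddress.ip_network(net))

def _matches(ip, net):
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def match_policy(instance, src, dst):
    """Name of the first permitting rule in this instance, else the implicit deny."""
    sz, dz = zone_of(instance, src), zone_of(instance, dst)
    for name, rsz, rdz, rsn, rdn in POLICIES[instance]:
        if rsz == sz and rdz in (None, dz) and _matches(src, rsn) and _matches(dst, rdn):
            return name
    return "default-deny"

def check_flow(src, dst, instances):
    """Apply the nat server translation first (destination NAT happens before
    the policy lookup), then evaluate each instance on the path in order."""
    real_dst = NAT_SERVER.get(dst, dst)
    verdicts = {}
    for inst in instances:
        verdicts[inst] = match_policy(inst, src, real_dst)
        if verdicts[inst] == "default-deny":
            break
    return real_dst, verdicts
```

Evaluating the external PC against 192.168.14.10 shows the value of the explicit rules: no rule in the root system covers the client network, so the flow ends at the implicit deny.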