Firewall virtual system comprehensive lab 1

I. Lab objective and topology

Lab objective: firewall FW1 and its virtual firewalls VFR_A and VRF_B connect to the external network, the internal server side and the internal client side respectively. The internal server is announced to the external network with nat server so that external hosts can reach it, while the internal network can reach the server as well. The network topology and the interface address plan are as follows:

II. Basic configuration

1. Interface addresses: the firewall's external interface ends in .12, the interfaces on the virtual-firewall (internal) side both end in .254, internal PC1 and the server both end in .10, and the external PC ends in .105. Configure the interface and endpoint addresses accordingly, as shown in the figure.

2. Create the virtual systems and assign the firewall interfaces as planned:

vsys enable
resource-class r0
vsys name VFR_A 1
 assign interface GigabitEthernet1/0/1
 assign resource-class r0
vsys name VRF_B 2
 assign interface GigabitEthernet1/0/2

[FW1]dis ip vpn-instance int
Total VPN-Instances configured : 4

VPN-Instance Name and ID : VFR_A, 1
  Interface Number : 2
  Interface list : GigabitEthernet1/0/1,
                   Virtual-if1

VPN-Instance Name and ID : VFR_B, 3
  Interface Number : 1
  Interface list : Virtual-if3

VPN-Instance Name and ID : VRF_B, 2
  Interface Number : 2
  Interface list : GigabitEthernet1/0/2,
                   Virtual-if2

VPN-Instance Name and ID : default, 21
  Interface Number : 1
  Interface list : GigabitEthernet0/0/0

Note that the listing contains a third virtual system, VFR_B (ID 3), which holds only Virtual-if3 and is not used anywhere below; an unused vsys like this is best deleted so that it does not linger on the device as a forgotten, unconfigured system.

3. Zone assignment of the firewall interfaces:

[FW1]dis zone
local
  priority is 100
  interface of the zone is (0):
trust
  priority is 85
  interface of the zone is (2):
    GigabitEthernet0/0/0
    Virtual-if0
untrust
  priority is 5
  interface of the zone is (1):
    GigabitEthernet1/0/0
dmz
  priority is 50
  interface of the zone is (0):
vpn-instance VFR_A local
  priority is 100
  interface of the zone is (0):
vpn-instance VFR_A trust
  priority is 85
  interface of the zone is (0):
vpn-instance VFR_A untrust
  priority is 5
  interface of the zone is (1):
    Virtual-if1
vpn-instance VFR_A dmz
  priority is 50
  interface of the zone is (1):
    GigabitEthernet1/0/1
vpn-instance VRF_B local
  priority is 100
  interface of the zone is (0):
vpn-instance VRF_B trust
  priority is 85
  interface of the zone is (1):
    GigabitEthernet1/0/2
vpn-instance VRF_B untrust
  priority is 5
  interface of the zone is (1):
    Virtual-if2
vpn-instance VRF_B dmz
  priority is 50
  interface of the zone is (0):
vpn-instance VFR_B local
  priority is 100
  interface of the zone is (0):
vpn-instance VFR_B trust
  priority is 85
  interface of the zone is (0):
vpn-instance VFR_B untrust
  priority is 5
  interface of the zone is (0):
vpn-instance VFR_B dmz
  priority is 50
  interface of the zone is (0):

III. Detailed configuration

1. Routing configuration:

On the root system, configure routes so that the external network can reach the internal server, the internal client can reach the internal server, and the internal network can reach the external network:

ip route-static 0.0.0.0 0.0.0.0 100.1.121.1
ip route-static 192.168.13.0 255.255.255.0 vpn-instance VFR_A
ip route-static 192.168.14.0 255.255.255.0 vpn-instance VRF_B

On each of the two virtual systems, configure a default route so that it can reach the root system:

ip route-static 0.0.0.0 0.0.0.0 public

2. Security policy configuration

Root system:

[FW1-policy-security]dis th
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name INT_TO_SER
  source-zone untrust
  destination-zone trust
  source-address 100.1.15.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit

Virtual system connected to the server side (VFR_A):

security-policy
 rule name OUT_TO_DMZ
  source-zone untrust
  destination-zone dmz
  source-address 192.168.14.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
 rule name INT_TO_SER
  source-zone untrust
  destination-zone dmz
  source-address 100.1.15.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
 rule name LOCAL_TO_ANY
  source-zone local
  action permit

3. nat server configuration

nat server 1 global 100.1.121.100 inside 192.168.13.10 no-reverse

The no-reverse keyword limits the mapping to inbound destination translation: connections that the server itself initiates are not given the global address 100.1.121.100 as their source.
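To see how the root-system rule INT_TO_SER, the VFR_A rules and the nat server mapping work together on the external-client path, the following added example walks a flow through the root system and then through VFR_A, applying destination NAT and first-match security policy at each hop. It is not code from the original post or from Huawei: the zone membership, rules and nat server mapping are transcribed from the page; the route table, the Virtual-if pairing between root and vsys, and the evaluation order (destination NAT before policy lookup, first matching rule wins, implicit deny when nothing matches) are a simplified model and are assumptions of this example. The page does not show VRF_B's policy, so only the external path is walked. The second function shows why the root rule must name the server's private network rather than the global address.

```python
"""Walk a flow through root -> VFR_A with nat server and first-match policy.

Added example (not the post's or Huawei's code). Zones, rules and the nat
server mapping are transcribed from the lab; ROUTES, the Virtual-if pairing
and the evaluation order are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# vsys -> zone -> interfaces, from "display zone" (the empty VFR_B is omitted)
ZONES = {
    "public": {"trust": ["GigabitEthernet0/0/0", "Virtual-if0"],
               "untrust": ["GigabitEthernet1/0/0"], "dmz": []},
    "VFR_A": {"trust": [], "untrust": ["Virtual-if1"], "dmz": ["GigabitEthernet1/0/1"]},
    "VRF_B": {"trust": ["GigabitEthernet1/0/2"], "untrust": ["Virtual-if2"], "dmz": []},
}


@dataclass
class Rule:
    name: str
    src_zone: Optional[str] = None   # None means "any"
    dst_zone: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    action: str = "permit"

    def matches(self, sz, dz, src, dst):
        return (self.src_zone in (None, sz) and self.dst_zone in (None, dz)
                and (self.src_net is None or ip_address(src) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(dst) in ip_network(self.dst_net)))


# Security policies exactly as shown on the page, in rule order
POLICIES = {
    "public": [Rule("LOCAL_TO_ANY", src_zone="local"),
               Rule("INT_TO_SER", "untrust", "trust", "100.1.15.0/24", "192.168.13.0/24")],
    "VFR_A": [Rule("OUT_TO_DMZ", "untrust", "dmz", "192.168.14.0/24", "192.168.13.0/24"),
              Rule("INT_TO_SER", "untrust", "dmz", "100.1.15.0/24", "192.168.13.0/24"),
              Rule("LOCAL_TO_ANY", src_zone="local")],
}
# nat server 1 global 100.1.121.100 inside 192.168.13.10 (root system)
NAT_SERVER = {"100.1.121.100": "192.168.13.10"}
# (prefix, egress interface, next hop inside the box or None) - constructed
ROUTES = {
    "public": [("192.168.13.0/24", "Virtual-if0", ("VFR_A", "Virtual-if1")),
               ("192.168.14.0/24", "Virtual-if0", ("VRF_B", "Virtual-if2")),
               ("0.0.0.0/0", "GigabitEthernet1/0/0", None)],
    "VFR_A": [("192.168.13.0/24", "GigabitEthernet1/0/1", None),
              ("0.0.0.0/0", "Virtual-if1", ("public", "Virtual-if0"))],
}


def zone_of(vsys, iface):
    for zone, ifaces in ZONES[vsys].items():
        if iface in ifaces:
            return zone
    raise KeyError(f"{iface} is not in any zone of {vsys}")


def lookup_route(vsys, dst):
    """Longest-prefix match over the constructed route table."""
    cands = [r for r in ROUTES[vsys] if ip_address(dst) in ip_network(r[0])]
    return max(cands, key=lambda r: ip_network(r[0]).prefixlen)


def evaluate(rules, sz, dz, src, dst):
    for rule in rules:
        if rule.matches(sz, dz, src, dst):
            return rule.action, rule.name
    return "deny", "<default>"   # nothing matched: implicit deny


def walk(src, dst, policies=POLICIES, vsys="public", ingress="GigabitEthernet1/0/0"):
    """Return the final verdict and a per-hop trace (vsys, src zone, dst zone, rule, action)."""
    trace = []
    while True:
        if vsys == "public":
            dst = NAT_SERVER.get(dst, dst)   # destination NAT runs before the policy lookup
        _, egress, nxt = lookup_route(vsys, dst)
        sz, dz = zone_of(vsys, ingress), zone_of(vsys, egress)
        action, name = evaluate(policies[vsys], sz, dz, src, dst)
        trace.append((vsys, sz, dz, name, action))
        if action != "permit" or nxt is None:
            return action, trace
        vsys, ingress = nxt


def external_client_to_server():
    """External PC 100.1.15.10 (constructed address) reaching the published server."""
    return walk("100.1.15.10", "100.1.121.100")


def policy_written_against_public_address():
    """Same flow, but the root rule names the global (pre-NAT) address: it never matches."""
    wrong = dict(POLICIES)
    wrong["public"] = [Rule("INT_TO_SER_BAD", "untrust", "trust",
                            "100.1.15.0/24", "100.1.121.100/32")]
    return walk("100.1.15.10", "100.1.121.100", policies=wrong)


if __name__ == "__main__":
    for fn in (external_client_to_server, policy_written_against_public_address):
        action, trace = fn()
        print(fn.__name__, "->", action)
        for hop in trace:
            print("   ", hop)
```

Running it shows the external flow being permitted by INT_TO_SER first in the root system (untrust to trust) and then by INT_TO_SER in VFR_A (untrust to dmz), which is why the same rule name appears in both policy sets. The second walk is denied at the root hop because the packet already carries the inside address 192.168.13.10 when the policy is consulted; a root rule that names 100.1.121.100 can never match it.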

IV. Verification

Internal PC reaching the server:

PC>tracert 192.168.13.10
traceroute to 192.168.13.10, 8 hops max
(ICMP), press Ctrl+C to stop
 1 * * *
 2 * * *
 3 192.168.13.10 <1 ms <1 ms 16 ms

External PC reaching the server:

PC>tracert 100.1.121.100
traceroute to 100.1.121.100, 8 hops max
(ICMP), press Ctrl+C to stop
 1 100.1.15.1 32 ms 47 ms 46 ms
 2 100.1.121.12 63 ms 62 ms 63 ms
 3 * * *
 4 100.1.121.100 78 ms 63 ms 62 ms
