华为USG防火墙区域配置-阿里云开发者社区

学习目的

掌握防火墙安全区域的配置方法
掌握对安全区域的参数配置
掌握在区域之间进行包过滤的方法

拓扑图

场景

你是公司网络管理员。公司总部的网络分成了三个区域，包括内部区域（Trust）外部区域（Untrust）和服务器区域（DMZ）。现在设计通过防火墙来实现对数据的控制。在交换机上将G0/0/1与G0/0/21接口定义到vlan11，将G0/0/2与G0/0/22接口定义到vlan12，将G0/0/3与G0/0/23接口定义到vlan13.分别规划了三个网段。

现在满足一下要求：

“Trust”区域的用户可以访问“Untrust”的用户；

“Trust”和“Untrust”区域的用户可以访问“DMZ”区域的用户；

“Untrust”区域用户不能直接访问“Trust”区域用户；

“DMZ”区域用户不能直接访问“Trust”和“Untrust”区域的用户。

学习任务

步骤一.基本配置与IP编址

首先给三个路由器配置地址信息

[Huawei]sysname R1

[R1]interface g0/0/1

[R1-GigabitEthernet0/0/1]ip add 10.0.10.124

[R1-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/1

[R1-GigabitEthernet0/0/1]interfaceloopback0

[R1-LoopBack0]ip add 10.0.1.1 24

[R1-LoopBack0]q

[Huawei]sysname R2

[R2]interface g0/0/1

[R2-GigabitEthernet0/0/1]ip add 10.0.20.224

[R2-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/2

[R2-GigabitEthernet0/0/1]interfaceloopback0

[R2-LoopBack0]ip add 10.0.2.2 24

[R2-LoopBack0]q

[Huawei]sysname R3

[R3]interface g0/0/1

[R3-GigabitEthernet0/0/1]ip add 10.0.30.324

[R3-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/3

[R3-GigabitEthernet0/0/1]interfaceloopback0

[R3-LoopBack0]ip add 10.0.3.3 24

[R3-LoopBack0]q

给防火墙配置地址，G0/0/1IP地址：10.0.20.254/24.作为Inside区域的网关。

[SRG]sysname FW

08:34:20 2014/07/05

[FW]interface g0/0/1

08:35:50 2014/07/05

[FW-GigabitEthernet0/0/1]ip add 10.0.20.25424

08:36:01 2014/07/05

[FW-GigabitEthernet0/0/1]description thisport connect to S1-G0/0/22

08:38:06 2014/07/05

[FW-GigabitEthernet0/0/1]interface g0/0/0

08:39:08 2014/07/05

[FW-GigabitEthernet0/0/0]ip add 10.0.10.25424

08:39:27 2014/07/05

Info: The DHCP server configuration on thisinterface will be deleted.

[FW-GigabitEthernet0/0/0]desc tihis portconnect to S1-G0/0/21

08:40:02 2014/07/05

[FW-GigabitEthernet0/0/0]interface G0/0/2

08:40:15 2014/07/05

[FW-GigabitEthernet0/0/2]ip add 10.0.30.25424

08:40:30 2014/07/05

[FW-GigabitEthernet0/0/2]desc this portconnect to S1-G0/0/23

08:41:05 2014/07/05

[FW-GigabitEthernet0/0/2]q

08:41:07 2014/07/05

在交换机上需要按照需求定义vlan。

[Huawei]sysname S1

[S1]vlan batch 11 to 13

Info: This operation may take a fewseconds. Please wait for a moment...done.

[S1]interface g0/0/1

[S1-GigabitEthernet0/0/1]port link-typeaccess

[S1-GigabitEthernet0/0/1]port default vlan11

[S1-GigabitEthernet0/0/1]interface g0/0/2

[S1-GigabitEthernet0/0/2]port link-typeaccess

[S1-GigabitEthernet0/0/2]port default vlan12

[S1]interface g0/0/3

[S1-GigabitEthernet0/0/3]port link-typeaccess

[S1-GigabitEthernet0/0/3]port default vlan13

[S1-GigabitEthernet0/0/3]interface g0/0/21

[S1-GigabitEthernet0/0/21]port link-typeaccess

[S1-GigabitEthernet0/0/21]port default vlan11

[S1-GigabitEthernet0/0/21]interface g0/0/22

[S1-GigabitEthernet0/0/22]port link-typeaccess

[S1-GigabitEthernet0/0/22]port default vlan12

[S1-GigabitEthernet0/0/22]interface g0/0/23

[S1-GigabitEthernet0/0/23]port link-typeaccess

[S1-GigabitEthernet0/0/23]port default vlan13

步骤二.将接口配置到安全区域

防火墙上默认有四个区域，分别是“local”、“trust”“untrust”、“dmz”。

试验中我们用到“trust”“untrust”、“dmz”三个区域。G0/0/0加入untrust区域，G0/0/2加入DMZ区域，G0/0/1加入trust区域。

[FW]firewall zone trust

09:09:15 2014/07/05

[FW-zone-trust]dis this

09:09:19 2014/07/05

firewall zone trust

setpriority 85

addinterface GigabitEthernet0/0/0

return

[FW-zone-trust]undo add inter

[FW-zone-trust]undo add interface g0/0/0

09:09:35 2014/07/05

[FW-zone-trust]add interface g0/0/1

09:10:01 2014/07/05

[FW]firewall zone untrust

09:11:24 2014/07/05

[FW-zone-untrust]add interface g0/0/0

09:11:36 2014/07/05

[FW-zone-untrust]q

[FW]firewall zone dmz

09:12:07 2014/07/05

[FW-zone-dmz]add interface g0/0/2

09:12:16 2014/07/05

[FW-zone-dmz]q

默认情况下，防火请并不允许除local区域外的其他区域之间的通信。为了方便于验证配置的正确性，我们首先将防火墙区域之间的默认规则配置为允许所有区域之间通讯。配置完成后在FW设备上测试相同区域的连通性。

[FW]firewall packet-filter default permitall

09:17:33 2014/07/05

Warning:Setting the default packetfiltering to permit poses security risks. You

are advised to configure the securitypolicy based on the actual data flows. Are

you sure you want to continue?[Y/N]y

[FW]ping -c 1 10.0.10.1

09:18:04 2014/07/05

PING 10.0.10.1: 56 data bytes,press CTRL_C to break

Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=180 ms

---10.0.10.1 ping statistics ---

1packet(s) transmitted

1packet(s) received

0.00% packet loss

round-trip min/avg/max = 180/180/180 ms

[FW]ping -c 1 10.0.20.2

09:18:11 2014/07/05

PING 10.0.20.2: 56 data bytes,press CTRL_C to break

Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=120 ms

---10.0.20.2 ping statistics ---

1packet(s) transmitted

1 packet(s) received

0.00% packet loss

round-trip min/avg/max = 120/120/120 ms

[FW]ping -c 1 10.0.30.3

09:18:16 2014/07/05

PING 10.0.30.3: 56 data bytes,press CTRL_C to break

Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=110 ms

---10.0.30.3 ping statistics ---

1packet(s) transmitted

1packet(s) received

0.00% packet loss

round-tripmin/avg/max = 110/110/110 ms

在R1、R2、R3上配置缺省路由，在FW上配置明确的静态路由。实现三个loopback0接口连接的网段之间的互通。

[R1]ip route-static 0.0.0.0 0.0.0.010.0.10.254

[R2]ip route-static 0.0.0.0 0.0.0.010.0.20.254

[R3]ip route-static 0.0.0.0 0.0.0.010.0.30.254

[FW]ip route-static 10.0.1.0 24 10.0.10.1

09:24:57 2014/07/05

[FW]ip route-static 10.0.2.0 24 10.0.20.2

09:25:14 2014/07/05

[FW]ip route-static 10.0.3.0 24 10.0.30.3

09:25:29 2014/07/05

[FW]

配置完成后，测试个路由器loopback0接口的网段之间的通讯情况。

[R1]ping -a 10.0.1.1 10.0.2.2

PING 10.0.2.2: 56 data bytes,press CTRL_C to break

Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=254 time=110 ms

Reply from 10.0.2.2: bytes=56 Sequence=2 ttl=254 time=60 ms

Reply from 10.0.2.2: bytes=56 Sequence=3 ttl=254 time=100 ms

Reply from 10.0.2.2: bytes=56 Sequence=4 ttl=254 time=90 ms

Reply from 10.0.2.2: bytes=56 Sequence=5 ttl=254 time=50 ms

---10.0.2.2 ping statistics ---

5packet(s) transmitted

5packet(s) received

0.00% packet loss

round-tripmin/avg/max = 50/82/110 ms

[R1]ping -a 10.0.1.1 10.0.3.3

PING 10.0.3.3: 56 data bytes,press CTRL_C to break

Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=90 ms

Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=40 ms

Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=70 ms

Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=50 ms

Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=60 ms

---10.0.3.3 ping statistics ---

5packet(s) transmitted

5packet(s) received

0.00% packet loss

round-tripmin/avg/max = 40/62/90 ms

步骤四.配置区域安全策略

配置区域之间的策略，首先将防火墙的区域间默认过滤策略配置为拒绝所有通信，然后配置仅允许Trust区域访问其他区域，不允许其他区域之间访问。

[FW]firewall packet-filter default deny all

[FW]firewall packet-filter default permitinterzone trust untrust direction outbound

09:41:35 2014/07/05

Warning:Setting the default packetfiltering to permit poses security risks. You

are advised to configure the securitypolicy based on the actual data flows. Are

you sure you want to continue?[Y/N]y

[FW]firewall packet-filter default permitinterzone trust dmz direction outbound

Warning:Setting the default packet filteringto permit poses security risks. You

are advised to configure the securitypolicy based on the actual data flows. Are

you sure you want to continue?[Y/N]y

[FW]firewall session link-state check

09:43:20 2014/07/05

配置完成后，测试区域之间的连通性。

Untrust区域到Trust区域

<R1>ping -a 10.0.1.1 10.0.2.2

PING 10.0.2.2: 56 data bytes,press CTRL_C to break

Request time out

---10.0.2.2 ping statistics ---

5packet(s) transmitted

0packet(s) received

100.00% packetloss

Untrust区域到DMZ区域

<R1>ping -a 10.0.1.1 10.0.3.3

PING 10.0.3.3: 56 data bytes,press CTRL_C to break

Request time out

---10.0.3.3 ping statistics ---

5packet(s) transmitted

0packet(s) received

100.00% packetloss

Trust区域到Untrust区域

<R2>ping -a 10.0.2.2 10.0.1.1

PING 10.0.1.1: 56 data bytes,press CTRL_C to break

Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=100 ms

Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=70 ms

Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms

Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=80 ms

Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=90 ms

---10.0.1.1 ping statistics ---

5packet(s) transmitted

5packet(s) received

0.00% packet loss

round-trip min/avg/max = 70/88/100 ms

Trust区域到DMZ区域

<R2>ping -a 10.0.2.2 10.0.3.3

PING 10.0.3.3: 56 data bytes,press CTRL_C to break

Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=70 ms

Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=254 time=110 ms

Reply from 10.0.3.3: bytes=56 Sequence=3 ttl=254 time=50 ms

Reply from 10.0.3.3: bytes=56 Sequence=4 ttl=254 time=40 ms

Reply from 10.0.3.3: bytes=56 Sequence=5 ttl=254 time=60 ms

---10.0.3.3 ping statistics ---

5packet(s) transmitted

5packet(s) received

0.00% packet loss

round-trip min/avg/max = 40/66/110 ms

DMZ区域到Untrust区域

<R3>ping -a 10.0.3.3 10.0.1.1

PING 10.0.1.1: 56 data bytes,press CTRL_C to break

Request time out

---10.0.1.1 ping statistics ---

5packet(s) transmitted

0packet(s) received

100.00% packet loss

DMZ区域到Trust区域

<R3>ping -a 10.0.3.3 10.0.2.2

PING 10.0.2.2: 56 data bytes,press CTRL_C to break

Request time out

---10.0.2.2 ping statistics ---

5packet(s) transmitted

0packet(s) received

100.00% packet loss

步骤五.配置允许Untrust区域访问DMZ区域的特定服务器

DMZ区域有一台服务器，IP地址为10.0.3.3。需要对Untrust区域开放Telnet服务，同时为了测试网络，需要开放ICMP ping测试功能。

[FW]policy interzone dmz untrust inbound

09:54:29 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound]policy1

09:54:39 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-1]policyservice service-set icmp

09:54:58 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-1]policydestination 10.0.3.3 0

09:55:19 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-1]actionpermit

09:55:29 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-1]q

09:55:30 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound]policy2

09:55:38 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-2]policyservice service-set telnet

09:55:55 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-2]policydestination 10.0.3.3 0

09:56:05 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-2]actionpermit

09:56:25 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-2]q

09:56:27 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound]policy3

09:56:30 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-3]actiondeny

09:56:37 2014/07/05

[FW-policy-interzone-dmz-untrust-inbound-3]

为了能进行telnet测试，在R3上开启telnet功能。

[R3]user-interface vty 0 4

[R3-ui-vty0-4]auth

[R3-ui-vty0-4]authentication-mode pass

[R3-ui-vty0-4]authentication-mode password

Please configure the login password(maximum length 16):16

[R3-ui-vty0-4]set auth

[R3-ui-vty0-4]set authentication pass

[R3-ui-vty0-4]set authentication password ?

cipher Set the password withcipher text

[R3-ui-vty0-4]set authentication passwordcp

[R3-ui-vty0-4]set authentication passwordci

[R3-ui-vty0-4]set authentication passwordcipher huawei

[R3-ui-vty0-4]user pri

[R3-ui-vty0-4]user privilege lev

[R3-ui-vty0-4]user privilege level 3

[R3-ui-vty0-4]

测试网络连通性

<R1>ping -c 1 10.0.3.3

PING 10.0.3.3: 56 data bytes,press CTRL_C to break

Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=60 ms

---10.0.3.3 ping statistics ---

1packet(s) transmitted

1packet(s) received

0.00% packet loss

round-trip min/avg/max = 60/60/60 ms

<R1>ping -c 1 -a 10.0.1.1 10.0.3.3

PING10.0.3.3: 56 data bytes, press CTRL_C tobreak

Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=254 time=70 ms

---10.0.3.3 ping statistics ---

1packet(s) transmitted

1packet(s) received

0.00% packet loss

round-trip min/avg/max = 70/70/70 ms

<R1>ping 10.0.30.3

PING 10.0.30.3: 56 data bytes,press CTRL_C to break

Request time out

---10.0.30.3 ping statistics ---

5packet(s) transmitted

0packet(s) received

100.00% packetloss

<R1>telnet10.0.3.3

Press CTRL_] to quit telnet mode

Trying 10.0.3.3 ...

Connected to 10.0.3.3 ...

Loginauthentication

Password:

<R3>

如测试结果，显示区域之间的过滤情况。除了特定放行的数据流外，其它数据流被过滤掉了。

本文转自 zhuxtqw 51CTO博客，原文链接：http://blog.51cto.com/1054054/1434997，如需转载请自行联系原作者

华为USG防火墙区域配置

热门文章

最新文章

相关电子书