I. Topology
xx stands for the last two digits of your student ID.
Firewall model: USG6000V
Router model: AR2220
Topology file download:
https://wwk.lanzouq.com/iKAl51yzn10f
II. Configuration procedure
1. Configure interface IP addresses, security zones and the security policy
(1) Configure the IP address, gateway and mask on PC1, PC2 and PC3.
(2) Configure IP addresses on the router interfaces.
<Huawei>system-view
[Huawei]interface GigabitEthernet 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 1.1.3.2 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 1.1.5.2 24
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2]ip address 1.1.7.2 24
[Huawei-GigabitEthernet0/0/2]quit
(3) Basic configuration on FW1
On first login the firewall forces a password change. The factory default is
Username: admin
Password: Admin@123
Class requirement: in all hands-on labs, change the password to Huawei@123.
Change the password on FW1, FW2 and FW3 in the same way. (Admin@123 is the published factory default, which is exactly why the device refuses to run with it; Huawei@123 is a shared classroom password and is only acceptable on isolated lab equipment.)
<USG6000V1>system-view
[USG6000V1]sysname FW1
[FW1]user-interface console 0
# Lab convenience only: never time out the console session
[FW1-ui-console0]idle-timeout 0
[FW1-ui-console0]quit
[FW1]interface GigabitEthernet 1/0/1
# xx is the last two digits of your student ID
[FW1-GigabitEthernet1/0/1]ip address 1.1.3.1xx 24
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.1.1.1 24
[FW1-GigabitEthernet1/0/3]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/3
[FW1-zone-trust]quit
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]quit
[FW1]security-policy
# Lab shortcut: permits every inter-zone flow. Any packet the IPSec ACL does not match is then forwarded in cleartext, so do not carry this into a production policy.
[FW1-policy-security]default action permit (press Enter, then answer Y)
[FW1-policy-security]quit
[FW1]ip route-static 0.0.0.0 0 1.1.3.2
(4) Basic configuration on FW2
<USG6000V1>system-view
[USG6000V1]sysname FW2
[FW2]user-interface console 0
[FW2-ui-console0]idle-timeout 0
[FW2-ui-console0]quit
[FW2]interface GigabitEthernet 1/0/1
# xx is the last two digits of your student ID
[FW2-GigabitEthernet1/0/1]ip address 1.1.5.1xx 24
[FW2-GigabitEthernet1/0/1]quit
[FW2]interface GigabitEthernet 1/0/3
[FW2-GigabitEthernet1/0/3]ip address 10.1.2.1 24
[FW2-GigabitEthernet1/0/3]quit
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/3
[FW2-zone-trust]quit
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1
[FW2-zone-untrust]quit
[FW2]security-policy
[FW2-policy-security]default action permit (press Enter, then answer Y)
[FW2-policy-security]quit
[FW2]ip route-static 0.0.0.0 0 1.1.5.2
(5) Basic configuration on FW3
<USG6000V1>system-view
[USG6000V1]sysname FW3
[FW3]user-interface console 0
[FW3-ui-console0]idle-timeout 0
[FW3-ui-console0]quit
[FW3]interface GigabitEthernet 1/0/1
# xx is the last two digits of your student ID
[FW3-GigabitEthernet1/0/1]ip address 1.1.7.1xx 24
[FW3-GigabitEthernet1/0/1]quit
[FW3]interface GigabitEthernet 1/0/3
[FW3-GigabitEthernet1/0/3]ip address 10.1.3.1 24
[FW3-GigabitEthernet1/0/3]quit
[FW3]firewall zone trust
[FW3-zone-trust]add interface GigabitEthernet 1/0/3
[FW3-zone-trust]quit
[FW3]firewall zone untrust
[FW3-zone-untrust]add interface GigabitEthernet 1/0/1
[FW3-zone-untrust]quit
[FW3]security-policy
[FW3-policy-security]default action permit (press Enter, then answer Y)
[FW3-policy-security]quit
[FW3]ip route-static 0.0.0.0 0 1.1.7.2
2. IPSec configuration on FW1 (the hub)
(1) Define the traffic to be protected with an advanced ACL. FW1 relays traffic between the two spokes, so its ACL must also cover the 10.1.2.0/24 <-> 10.1.3.0/24 flows, not only hub-to-spoke.
[FW1] acl 3000
[FW1-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW1-acl-adv-3000] rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[FW1-acl-adv-3000] rule 15 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
[FW1-acl-adv-3000] rule 20 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
(2) Configure the IKE proposal. Only the view is entered here, so the platform defaults for encryption, authentication, DH group and lifetime apply; outside a lab, set each of them explicitly.
[FW1] ike proposal 10
(3) Configure the IPSec proposal (again the defaults are left in place).
[FW1] ipsec proposal tran1
(4) Configure the IKE peer. undo version 2 pins the peer to IKEv1. No remote-address is set on the hub, because the policy template in the next step accepts negotiation from any peer address.
[FW1] ike peer b+c
[FW1-ike-peer-b+c] undo version 2
[FW1-ike-peer-b+c] ike-proposal 10
[FW1-ike-peer-b+c] pre-shared-key Test!1234
(5) Configure the IPSec policy template. A template has no fixed remote peer, so FW1 can only respond to negotiations, never initiate them; and since any address is accepted, the pre-shared key Test!1234, which both spokes share, is the only thing that authenticates a spoke to the hub.
[FW1] ipsec policy-template map_temp 1
[FW1-ipsec-policy-templet-map_temp-1] security acl 3000
[FW1-ipsec-policy-templet-map_temp-1] proposal tran1
[FW1-ipsec-policy-templet-map_temp-1] ike-peer b+c
(6) Bind the template to an IPSec policy
[FW1] ipsec policy map1 20 isakmp template map_temp
(7) Apply the IPSec policy to the outside interface
[FW1] interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1] ipsec policy map1
(8) Configure traffic-steering routes so the protected subnets leave through the interface that carries the IPSec policy
[FW1] ip route-static 10.1.2.0 24 GigabitEthernet 1/0/1
[FW1] ip route-static 10.1.3.0 24 GigabitEthernet 1/0/1
3. IPSec configuration on FW2 (spoke)
(1) Define the traffic to be protected with an advanced ACL (the mirror image of FW1's rules 5 and 20).
[FW2]acl 3000
[FW2-acl-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2-acl-adv-3000] rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
(2) Configure the IKE proposal.
[FW2] ike proposal 10
(3) Configure the IPSec proposal
[FW2] ipsec proposal tran1
(4) Configure the IKE peer. The spoke names the hub's address explicitly, which is what allows it to initiate.
[FW2] ike peer a
[FW2-ike-peer-a] undo version 2
[FW2-ike-peer-a] ike-proposal 10
# xx is the last two digits of your student ID
[FW2-ike-peer-a] remote-address 1.1.3.1xx
[FW2-ike-peer-a] pre-shared-key Test!1234
(5) Configure the IPSec policy
[FW2] ipsec policy map1 10 isakmp
[FW2-ipsec-policy-isakmp-map1-10] security acl 3000
[FW2-ipsec-policy-isakmp-map1-10] proposal tran1
[FW2-ipsec-policy-isakmp-map1-10] ike-peer a
(6) Apply the IPSec policy to the outside interface
[FW2] interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1] ipsec policy map1
(7) Configure traffic-steering routes
[FW2] ip route-static 10.1.1.0 24 GigabitEthernet 1/0/1
[FW2] ip route-static 10.1.3.0 24 GigabitEthernet 1/0/1
4. IPSec configuration on FW3 (spoke)
(1) Define the traffic to be protected with an advanced ACL (the mirror image of FW1's rules 15 and 10).
[FW3] acl 3000
[FW3-acl-adv-3000] rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW3-acl-adv-3000] rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
(2) Configure the IKE proposal.
[FW3] ike proposal 10
(3) Configure the IPSec proposal
[FW3] ipsec proposal tran1
(4) Configure the IKE peer
[FW3] ike peer a
[FW3-ike-peer-a] undo version 2
[FW3-ike-peer-a] ike-proposal 10
# xx is the last two digits of your student ID
[FW3-ike-peer-a] remote-address 1.1.3.1xx
[FW3-ike-peer-a] pre-shared-key Test!1234
(5) Configure the IPSec policy
[FW3] ipsec policy map1 10 isakmp
[FW3-ipsec-policy-isakmp-map1-10] security acl 3000
[FW3-ipsec-policy-isakmp-map1-10] proposal tran1
[FW3-ipsec-policy-isakmp-map1-10] ike-peer a
(6) Apply the IPSec policy to the outside interface
[FW3] interface GigabitEthernet 1/0/1
[FW3-GigabitEthernet1/0/1] ipsec policy map1
(7) Configure traffic-steering routes
[FW3] ip route-static 10.1.1.0 24 GigabitEthernet 1/0/1
[FW3] ip route-static 10.1.2.0 24 GigabitEthernet 1/0/1
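Before testing, it is worth checking that the three ACLs mirror each other: a spoke rule whose reversed flow is absent from the hub's ACL fails phase-2 negotiation for that flow, and any flow outside the ACL is forwarded in cleartext under default action permit. The following Python script is an added example, not part of the original lab or of Huawei's tooling. It parses rule lines in the form used above; ACL_RULES is constructed from the FW1/FW2/FW3 configs in sections 2 to 4, and the names ACL_RULES, audit() and classify() are this example's own.

```python
"""Mirror-check the IPSec 'security acl' flows of a hub-and-spoke design."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed input: the ACL 3000 rule lines from the FW1/FW2/FW3 configs above,
# keyed by device name. In practice you would paste the rules from each device.
ACL_RULES: Dict[str, List[str]] = {
    "FW1": [
        "rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255",
        "rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255",
        "rule 15 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.3.0 0.0.0.255",
        "rule 20 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255",
    ],
    "FW2": [
        "rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255",
        "rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255",
    ],
    "FW3": [
        "rule 5 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.1.0 0.0.0.255",
        "rule 10 permit ip source 10.1.3.0 0.0.0.255 destination 10.1.2.0 0.0.0.255",
    ],
}

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)$"
)

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """VRP wildcard masks: a 0 bit must match, a 1 bit is 'don't care'.
    Inverting the wildcard gives the netmask; a non-contiguous mask raises."""
    mask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_acl(lines: List[str]) -> Dict[int, Flow]:
    """Map rule id -> (source network, destination network)."""
    flows: Dict[int, Flow] = {}
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rid, src, src_wc, dst, dst_wc = m.groups()
        flows[int(rid)] = (wildcard_to_network(src, src_wc),
                           wildcard_to_network(dst, dst_wc))
    return flows


def missing_mirrors(local: Dict[int, Flow], remote: Dict) -> List[int]:
    """Rule ids in `local` whose reversed flow (dst -> src) has no exact
    counterpart among `remote`'s flows. The two ends then disagree on the
    proxy IDs and phase 2 fails for that flow."""
    remote_flows = set(remote.values())
    return [rid for rid, (s, d) in local.items() if (d, s) not in remote_flows]


def classify(acl: Dict[int, Flow], src: str, dst: str) -> str:
    """What the firewall does with a packet from src to dst: the first matching
    ACL rule sends it into the tunnel; no match means it is forwarded in
    cleartext, because the security policy here is 'default action permit'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rid in sorted(acl):
        src_net, dst_net = acl[rid]
        if s in src_net and d in dst_net:
            return f"ipsec(rule {rid})"
    return "cleartext"


def audit(rules: Dict[str, List[str]], hub: str) -> Dict[str, List[int]]:
    """Check every spoke against the hub, then the hub against all spokes.
    An empty list for every key means the ACLs are consistent."""
    acls = {name: parse_acl(lines) for name, lines in rules.items()}
    report: Dict[str, List[int]] = {}
    spoke_flows: Dict[Tuple[str, int], Flow] = {}
    for name, acl in acls.items():
        if name == hub:
            continue
        report[f"{name}->{hub}"] = missing_mirrors(acl, acls[hub])
        spoke_flows.update({(name, rid): flow for rid, flow in acl.items()})
    report[f"{hub}->spokes"] = missing_mirrors(acls[hub], spoke_flows)
    return report


if __name__ == "__main__":
    print(audit(ACL_RULES, hub="FW1"))
    fw1 = parse_acl(ACL_RULES["FW1"])
    print(classify(fw1, "10.1.2.10", "10.1.3.10"))  # spoke-to-spoke, relayed by the hub
    print(classify(fw1, "10.1.1.10", "8.8.8.8"))    # outside the ACL: leaves in cleartext
```

The second classify() call is the check a practitioner cares about most: with default action permit, a flow that misses the ACL is not dropped, it simply leaves the firewall unencrypted. Narrowing one spoke rule (for example to a /32 destination) makes the audit report the unmatched rule on both the spoke and the hub.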
III. Verifying the result
PC2 and PC3 can initiate access to PC1, and only FW2 (in front of PC2) and FW3 (in front of PC3) can trigger IPSec SA negotiation: the hub FW1 uses a policy template with no remote-address, so it can only answer negotiations, never start them. Once a spoke's SA is up, PC1 can reach that spoke's PC. After both PC2 and PC3 have reached PC1 (that is, both spoke tunnels exist), PC2 and PC3 can reach each other, with FW1 decrypting the packet from one tunnel and re-encrypting it into the other. Confirm the state on each firewall with display ike sa and display ipsec sa; a ping from PC1 before any spoke has initiated should fail, which is the expected behaviour of the template side.