Basic firewall configuration: SSH & ASPF & NAT

I. Introduction to firewalls

  • Firewall: forwards according to policy
  • Router: forwards according to the destination address

Firewall characteristics:
1. Logically isolates areas (zones)
2. Protects both itself and the internal network
3. Resists and defends against attacks

Firewall types:
1. Packet-filtering firewall
2. Proxy firewall
3. Stateful inspection (the mainstream type)

Firewall deployment modes:

1. Layer 2 (transparent firewall)
Characteristic: does not change the existing network
2. Layer 3 (routed firewall)
Requires fairly large changes to the existing network, but offers the most features
3. One-armed (off-path) --- the least impact on the existing network

==========================================================================================================================================================================

Zones:

trust --- trusted zone

untrust --- untrusted zone

dmz --- demilitarized zone

local --- the firewall itself

local
 priority is 100 ----- local has priority 100
#
trust
 priority is 85 ---- trusted zone
 interface of the zone is (1):
    GigabitEthernet0/0/0 --------- G0/0/0 is the default management interface
#
untrust ----- untrusted zone
 priority is 5
 interface of the zone is (0):
#
dmz --- demilitarized zone
 priority is 50
 interface of the zone is (0):
#

How is a zone delimited?
Once a firewall interface has been assigned to a zone, everything reachable behind that interface belongs to that zone.

By itself the security level does not decide anything; it is just a label (but it must be configured).
A custom zone with its own security level:

<USG6000V1>display zone  
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (1):
    GigabitEthernet0/0/0
#
untrust
 priority is 5
 interface of the zone is (0):
#
dmz
 priority is 50
 interface of the zone is (0):
#
HCNA
 priority is 15
 interface of the zone is (0):
#
<USG6000V1>

Direction: traffic from a higher security level to a lower one is outbound; traffic from a lower level to a higher one is inbound.

==========================================================================================================================================================================

II. Connecting to the firewall (console, web, Telnet, SSH)

Console cable connection
Default username admin, password Admin@123

Web access
Through the default management interface G0/0/0
https://X.X.X.X:8443 (default port)

Step 1: configure the address and enable the HTTPS service

interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
 service-manage https permit

Step 2: add the interface to a zone

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0

Step 3: create the account under AAA

manager-user admin
  password cipher Admin@123
  service-type web terminal
  level 15

==========================================================================================================================================================================
Telnet access

Option 1: user-interface with a password

Option 2: AAA authentication (username + password)
Configuration:

- Step 1: IP address, enable the Telnet service, add the interface to a zone

- Step 2: configure the user-interface

user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet (or all) ---- the default is ssh

- Step 3: create the AAA user

manager-user vtyadmin
  password cipher Huawei@123
  service-type telnet
  level 15

- Step 4: test: log in with the username and password, change the password when prompted, then log in again with the new password!

=========================================================================================================================================================================

2020/2/11 hahahahahahaha

==========================================================================================================================================================================

I. Firewall stateful inspection

Stateful inspection is enabled by default:

firewall session link-state check

To disable it:

undo firewall session link-state check

Verification:

<FW1>display firewall session table --- brief session information
 Current Total Sessions : 1
 icmp  VPN: public --> public  192.168.1.1:52651 --> 202.100.1.1:2048


<FW1>display firewall session table verbose --- detailed information
 Current Total Sessions : 1
 icmp  VPN: public --> public  ID: c487f2e8be9d590174d58d10fff
 Zone: trust --> untrust  TTL: 00:00:20  Left: 00:00:14
 Interface: GigabitEthernet1/0/1  NextHop: 202.100.1.1  MAC: 00e0-fce9-69ad
 <--packets: 4 bytes: 336 --> packets: 5 bytes: 420
 192.168.1.1:52651 --> 202.100.1.1:2048 PolicyName: A

Clear command:

<FW1>reset firewall  session  table 
Warning:Reseting session table will affect the system's normal service.
Continue? [Y/N]:Y

II. ASPF (FTP)

FTP
21 --- control connection
20 --- data connection

Two modes:
passive mode
active mode

Configuration:
in the system view

firewall detect ftp --- enabled by default

Enable it precisely for one zone pair:

firewall interzone trust untrust
 detect ftp

Verification:

[FW1]display firewall  server-map  
 Current Total Server-map : 1
 Type: ASPF,  202.100.1.100 -> 192.168.1.100:2119,  Zone:---
 Protocol: tcp(Appro: ftp-data),  Left-Time:00:00:06
 Vpn: public -> public

<FW1>display firewall  session table  
 Current Total Sessions : 2
 ftp-data  VPN: public --> public  202.100.1.100:20 --> 192.168.1.100:2119
 ftp  VPN: public --> public  192.168.1.100:2118 +-> 202.100.1.100:21


<FW1>display firewall  session table   verbose 
 Current Total Sessions : 3
 ftp-data  VPN: public --> public  ID: c487f2e8be9b4b08cf658d11e7c
 Zone: untrust --> trust  TTL: 00:00:10  Left: 00:00:06
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.100  MAC: 5489-984d-4ece
 <--packets: 3 bytes: 124 --> packets: 5 bytes: 398
 202.100.1.100:20 --> 192.168.1.100:2121 PolicyName: A

 ftp  VPN: public --> public  ID: c487f2e8be9b3d0eecf58d11e7c
 Zone: trust --> untrust  TTL: 00:20:00  Left: 00:19:59
 Interface: GigabitEthernet1/0/1  NextHop: 202.100.1.100  MAC: 5489-98dc-6fd0
 <--packets: 9 bytes: 659 --> packets: 10 bytes: 465
 192.168.1.100:2120 +-> 202.100.1.100:21 PolicyName: A

 ftp  VPN: public --> public  ID: c487f2e8be9b210f69158d11e64
 Zone: trust --> untrust  TTL: 00:20:00  Left: 00:19:55
 Interface: GigabitEthernet1/0/1  NextHop: 202.100.1.100  MAC: 5489-98dc-6fd0
 <--packets: 11 bytes: 753 --> packets: 12 bytes: 551
 192.168.1.100:2118 +-> 202.100.1.100:21 PolicyName: A

If the FTP server changes its default port (21):

Configure a port mapping on the firewall

Step 1: match the server address

acl number 2000
 rule 5 permit source 202.100.1.100 0

Step 2: create the port mapping

port-mapping FTP port 2121 acl 2000 --- application FTP, mapped port 2121, applied to the FTP server matched by ACL 2000

Verification:

[FW1]display  port-mapping  
 Port-mapping total numbers: 1
  APPLICATION                      ID    PORT  ACL  
 -----------------------------------------------------
  FTP                              5     2121  2000 

III. Source NAT

NAPT ---- translates both the IP address and the port
Configuration routine: three steps

Step 1: configure the address pool

nat address-group address1 --- the pool name
 mode pat ------ the default
 section 1.1.1.1 1.1.1.10 --- the address range of the pool

Step 2: write a NAT policy that references the address pool

nat-policy
 rule name trust_untrust --- give the rule a name
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  action nat address-group address1 --- reference the address pool

Step 3: write the black-hole routes

ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 1.1.1.4 255.255.255.255 NULL0
ip route-static 1.1.1.5 255.255.255.255 NULL0

Verification:

[FW1]display firewall session table  
 Current Total Sessions : 1
 icmp  VPN: public --> public  192.168.1.1:54187[1.1.1.5:2049] --> 202.100.1.1:2048
[FW1]display firewall session table   verbose 
 Current Total Sessions : 1
 icmp  VPN: public --> public  ID: c487f2e8be93140d77b58d129ef
 Zone: trust --> untrust  TTL: 00:00:20  Left: 00:00:12
 Interface: GigabitEthernet1/0/1  NextHop: 202.100.1.1  MAC: 00e0-fce9-69ad
 <--packets: 5 bytes: 420 --> packets: 5 bytes: 420
 192.168.1.1:54187[1.1.1.5:2049] --> 202.100.1.1:2048 PolicyName: A

==========================================================================================================================================================================

Source NAT:

1. NAPT No-PAT ------ in practice a one-to-one translation

2. NAPT ---- translates both the IP address and the port

3. Easy-IP

I. NAT Server
Purpose: translate the destination address.
Syntax:

nat server nat_ftp protocol tcp global 202.100.1.200 ftp inside 192.168.1.1 ftp
- nat_ftp: name
- tcp: protocol
- 202.100.1.200: translated (global) address, ftp: service/port
- 192.168.1.1: inside address, ftp: service/port

Configuration routine:
Basic configuration: IP addresses, zones, security policy

Step 1: write the NAT server

nat server nat_ftp 0 protocol tcp global 202.100.1.200 ftp inside 192.168.1.1 ftp

Step 2: write the black-hole route

ip route-static 202.100.1.200 255.255.255.255 NULL0

Step 3: verification

<FW1>display nat server  
Server in private network information:
  Total   1 NAT server(s)
 server name   : nat_ftp                
 id            : 0                      zone          : ---                    
 global-start-addr : 202.100.1.200      global-end-addr   : 202.100.1.200      
 inside-start-addr : 192.168.1.1        inside-end-addr   : 192.168.1.1        
 global-start-port : 21(ftp)            global-end-port   : 21                 
 inside-start-port : 21(ftp)            inside-end-port   : 21                 
 globalvpn     : public                 insidevpn     : public                 
 vsys          : public                 protocol      : tcp                    
 vrrp          : ---                    no-revers     : 0                      
 interface     : ---                    vrrp-bind-interface: ---                    
 description   : ---                    

Step 4: test and observe

<FW1>display firewall server-map  
 Current Total Server-map : 2
 Type: Nat Server,  ANY -> 202.100.1.200:21[192.168.1.1:21],  Zone:---,  protocol:tcp
 Vpn: public -> public

 Type: Nat Server Reverse,  192.168.1.1[202.100.1.200] -> ANY,  Zone:---,  protocol:tcp
 Vpn: public -> public,  counter: 1


<FW1>display firewall session table  
 Current Total Sessions : 3
 ftp  VPN: public --> public  202.100.1.1:49854 +-> 202.100.1.200:21[192.168.1.1:21]


<FW1>display firewall session table  verbose 
 Current Total Sessions : 3
 ftp  VPN: public --> public  ID: c487f8328ffa14015b458d3bacb
 Zone: untrust --> trust  TTL: 00:20:00  Left: 00:19:52
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.1  MAC: 00e0-fce1-5d51
 <--packets: 6 bytes: 358 --> packets: 9 bytes: 397
 202.100.1.1:49854 +-> 202.100.1.200:21[192.168.1.1:21] PolicyName: B

II. Bidirectional NAT

Configuration routine

Step 1: NAT Server
1. NAT
nat server policy_ftp 0 protocol tcp global 202.100.1.100 ftp inside 192.168.1.1 ftp --- translates the destination address so that traffic reaches the server

2. Black-hole route
ip route-static 202.100.1.100 255.255.255.255 NULL0


Step 2: configure source NAT ----- translates the source address so that the server's return traffic comes back through the firewall
1. Address pool
nat address-group address1 0
 mode pat
 section 0 202.100.1.200 202.100.1.200 --- not in the same subnet as the server


2. Configure the NAT policy
nat-policy
 rule name policy_nat
  source-zone dmz
  destination-zone dmz
  destination-address 192.168.1.1 32
  service ftp
  action nat address-group address1


Step 3: test
[FW1]display firewall server-map  
 Current Total Server-map : 3
 Type: ASPF,  192.168.1.1[202.100.1.100] -> 202.100.1.200:2050[192.168.1.100:2064],  Zone:---
 Protocol: tcp(Appro: ftp-data),  Left-Time:00:00:03
 Vpn: public -> public

 Type: Nat Server,  ANY -> 202.100.1.100:21[192.168.1.1:21],  Zone:---,  protocol:tcp
 Vpn: public -> public

 Type: Nat Server Reverse,  192.168.1.1[202.100.1.100] -> ANY,  Zone:---,  protocol:tcp
 Vpn: public -> public,  counter: 1


[FW1]display firewall session table  
 Current Total Sessions : 3
 ftp  VPN: public --> public  192.168.1.100:2061[202.100.1.200:2051] +-> 202.100.1.100:21[192.168.1.1:21]
 ftp-data  VPN: public --> public  192.168.1.1:20[202.100.1.100:20] --> 202.100.1.200:2050[192.168.1.100:2064]
 ftp  VPN: public --> public  192.168.1.100:2063[202.100.1.200:2052] +-> 202.100.1.100:21[192.168.1.1:21]

[FW1]display firewall session table   verbose 
 Current Total Sessions : 3
 ftp  VPN: public --> public  ID: c487fdf0534b450425458d3c1eb
 Zone: dmz --> dmz  TTL: 00:00:10  Left: 00:00:00
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.1  MAC: 00e0-fc6d-7760
 <--packets: 39 bytes: 1,835 --> packets: 39 bytes: 1,666
 192.168.1.100:2061[202.100.1.200:2051] +-> 202.100.1.100:21[192.168.1.1:21] PolicyName: ---

 ftp-data  VPN: public --> public  ID: c487fdf0534b750738358d3c2d9
 Zone: dmz --> dmz  TTL: 00:00:10  Left: 00:00:03
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.100  MAC: 5489-986e-1520
 <--packets: 3 bytes: 124 --> packets: 5 bytes: 598
 192.168.1.1:20[202.100.1.100:20] --> 202.100.1.200:2050[192.168.1.100:2064] PolicyName: ---

 ftp  VPN: public --> public  ID: c487fdf0534b650e06758d3c2d8
 Zone: dmz --> dmz  TTL: 00:20:00  Left: 00:19:56
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.1  MAC: 00e0-fc6d-7760
 <--packets: 9 bytes: 590 --> packets: 10 bytes: 475
 192.168.1.100:2063[202.100.1.200:2052] +-> 202.100.1.100:21[192.168.1.1:21] PolicyName: ---
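The session-table checks in the stateful inspection, source NAT, NAT Server and bidirectional NAT sections all rely on reading the bracketed [ip:port] entries by eye. The following Python parser is an added example (not part of these notes or of any Huawei tool) that parses the one-line form of "display firewall session table" and classifies each session by which side the firewall rewrote; the sample text is assembled from session lines shown in these notes.

```python
import re
from dataclasses import dataclass
from typing import Optional
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One session line: "<proto>  VPN: a --> b  src[:xlat] (--> | +->) dst[:xlat]",
# where a bracketed [ip:port] is the address the firewall substituted on that side.
_LINE = re.compile(
    rf"^\s*(?P<proto>[\w-]+)\s+VPN:\s*\S+\s*-->\s*\S+\s+"
    rf"(?P<sip>{_IP}):(?P<sport>\d+)(?:\[(?P<tsip>{_IP}):(?P<tsport>\d+)\])?"
    rf"\s+(?:-->|\+->)\s+"
    rf"(?P<dip>{_IP}):(?P<dport>\d+)(?:\[(?P<tdip>{_IP}):(?P<tdport>\d+)\])?"
)

@dataclass
class Session:
    proto: str
    src: tuple
    dst: tuple
    translated_src: Optional[tuple]  # set when source NAT (NAPT) rewrote the source
    translated_dst: Optional[tuple]  # set when NAT Server rewrote the destination

def _ep(g, ip_key, port_key):
    return (g[ip_key], int(g[port_key])) if g[ip_key] else None

def parse_session_table(text):
    """Return one Session per matching line; the 'Current Total Sessions' header is skipped."""
    sessions = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            g = m.groupdict()
            sessions.append(Session(g["proto"], _ep(g, "sip", "sport"), _ep(g, "dip", "dport"),
                                    _ep(g, "tsip", "tsport"), _ep(g, "tdip", "tdport")))
    return sessions

def nat_kind(s):
    """Which NAT the firewall applied, read from the bracketed addresses."""
    return {(False, False): "none", (True, False): "source NAT",
            (False, True): "NAT Server", (True, True): "bidirectional NAT"}[
        (s.translated_src is not None, s.translated_dst is not None)]

# Sample output assembled from the session lines shown in these notes.
SAMPLE = """\
 Current Total Sessions : 4
 icmp  VPN: public --> public  192.168.1.1:52651 --> 202.100.1.1:2048
 icmp  VPN: public --> public  192.168.1.1:54187[1.1.1.5:2049] --> 202.100.1.1:2048
 ftp  VPN: public --> public  202.100.1.1:49854 +-> 202.100.1.200:21[192.168.1.1:21]
 ftp-data  VPN: public --> public  192.168.1.1:20[202.100.1.100:20] --> 202.100.1.200:2050[192.168.1.100:2064]
"""
```

Calling parse_session_table(SAMPLE) and nat_kind() on each result labels the four sessions none, source NAT, NAT Server and bidirectional NAT respectively, which is exactly what the four verification sections above show by hand.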

III. ......

GRE ...... configuration routine:

Step 1: basic configuration (IP addresses, routes, zones)

Step 2: configure the Tunnel interface

interface Tunnel1
 ip address 10.1.1.1 255.255.255.0 --- any virtual IP address will do
 tunnel-protocol gre --- tunnel mode GRE
 source 202.100.1.10 ------ the source and destination addresses must be reachable from each other
 destination 203.100.1.10

Step 3: add the Tunnel interface to a zone (never forget this)

Step 4: steer traffic into Tunnel1

ip route-static 172.16.1.0 255.255.255.0 Tunnel1

Step 5: test, then permit the traffic precisely

FW1:
security-policy
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  service icmp
  action permit
 rule name untrust_local
  source-zone untrust
  destination-zone local
  action permit
 rule name untrust_trust
  source-zone untrust
  destination-zone trust
  action permit

FW2:
security-policy
 rule name untrust_trust
  source-zone untrust
  destination-zone trust
  action permit
 rule name untrust_local
  source-zone untrust
  destination-zone local
  action permit
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  action permit

Step 6: verification

[FW1]display firewall session table  
 Current Total Sessions : 3
 icmp  VPN: public --> public  172.16.1.1:53419 --> 192.168.1.1:2048
 icmp  VPN: public --> public  192.168.1.1:54187 --> 172.16.1.1:2048
 gre  VPN: public --> public  203.100.1.10:0 --> 202.100.1.10:0

==========================================================================================================================================================================

SSH login

==========================================================================================================================================================================

Configuration routine:
Step 1:
Basic configuration

1. Address reachability
2. Add the interface to a zone
3. Enable the SSH service on the interface

interface GigabitEthernet0/0/0
 service-manage ssh permit ---- enabled by default on the management interface

Step 2:

Enable the SSH server
stelnet server enable

Step 3:

Set up the VTY lines
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh

Step 4: create the AAA user

manager-user sshadmin
  password cipher Huawei@123
  service-type ssh
  level 3

Step 5: test

SecureCRT, PuTTY

II. Basic configuration

Step 1: basic configuration (IP addresses)
Step 2: interfaces must be added to zones

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0

Verification:

[FW1]display zone 
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (2):
    GigabitEthernet0/0/0
    GigabitEthernet1/0/0
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/1
#
dmz
 priority is 50
 interface of the zone is (0):
#

Step 3: if you need to ping the firewall's directly connected interface address
Enable the ping service on the interface (this works within the same zone)

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.10 255.255.255.0
 service-manage ping permit

To ping the directly connected router's interface address from the firewall (different zones: local to any other zone),
a security policy must permit it:

default action permit ---- permit everything

Step 4: test (keep routing in mind)

III. Security policy

Security policy rules are evaluated from 1 to N; if none matches, the default rule 0 applies (deny all)
Configuration:
Example:

security-policy
 rule name local_any ---- a rule must have a name; this is the coarse policy
  source-zone local
  service icmp
  action permit
 rule name trust_untrust ----- the detailed policy
  source-zone trust
  destination-zone untrust
  source-address address-set trust_ip
  destination-address address-set untrust_ip
  service icmp
  action permit
 rule name untrust_trust ---- rule 3
  source-zone untrust
  destination-zone trust
  action permit

Verification:

<FW1>display security-policy all
Total:4
RULE ID RULE NAME                      STATE      ACTION       HITTED
-------------------------------------------------------------------------------
3       local_any                      enable     permit       8
4       trust_untrust                  enable     permit       2
5       untrust_trust                  enable     permit       1
...........
0       default                        enable     deny         67
-------------------------------------------------------------------------------
<FW1>

The rule order (rule ID) can be adjusted:

rule move trust_untrust before local_any 
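Added example (not from these notes): a small Python model of the first-match evaluation described above (rules 1 to N, then the default rule 0 deny), the outbound/inbound direction derived from the zone priorities shown by "display zone" earlier, and the "rule move ... before ..." reordering. The page does not define the address-sets trust_ip and untrust_ip, so their contents are assumed here.

```python
import ipaddress
from dataclasses import dataclass
# Zone priorities as shown by "display zone" in these notes.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

def direction(src_zone, dst_zone):
    """Higher-priority zone to lower-priority zone is outbound; the reverse is inbound."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"

@dataclass
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    source_zone: str = None           # None models a match condition left out, i.e. any
    destination_zone: str = None
    source_address: str = None        # CIDR standing in for the address-set
    destination_address: str = None
    service: str = None

    def matches(self, pkt):
        def in_net(ip, net):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (self.source_zone in (None, pkt["src_zone"])
                and self.destination_zone in (None, pkt["dst_zone"])
                and in_net(pkt["src_ip"], self.source_address)
                and in_net(pkt["dst_ip"], self.destination_address)
                and self.service in (None, pkt["service"]))

def evaluate(policy, pkt):
    """First matching rule wins; rule 0 'default' denies whatever no rule matched."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.name, rule.action
    return "default", "deny"

def rule_move(policy, name, before):
    """Model of 'rule move <name> before <other>': reorder only, no rule is changed."""
    moving = next(r for r in policy if r.name == name)
    policy.remove(moving)
    policy.insert(next(i for i, r in enumerate(policy) if r.name == before), moving)

def pkt(src_zone, dst_zone, src_ip, dst_ip, service):
    return dict(src_zone=src_zone, dst_zone=dst_zone, src_ip=src_ip, dst_ip=dst_ip, service=service)

# The three rules from the notes. The address-sets trust_ip and untrust_ip are not
# defined on the page, so 192.168.1.0/24 and 202.100.1.0/24 are assumed here.
POLICY = [
    Rule("local_any", "permit", source_zone="local", service="icmp"),
    Rule("trust_untrust", "permit", "trust", "untrust", "192.168.1.0/24", "202.100.1.0/24", "icmp"),
    Rule("untrust_trust", "permit", "untrust", "trust"),
]
```

With these rules a trust-to-untrust ICMP packet from 192.168.1.1 hits trust_untrust, the same packet with service ssh falls through to the default deny, and rule_move(POLICY, "trust_untrust", "local_any") reproduces the reordering done by the command above.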

==========================================================================================================================================================================
Adding a little on the last day............ hoping school starts again soon
2020/2/29, a day that comes once every four years

==========================================================================================================================================================================

zone-pair security source Local destination Trust
packet-filter 3100
#
zone-pair security source Local destination Untrust
packet-filter 3100
#
zone-pair security source Trust destination Local
packet-filter 3100
#
zone-pair security source Trust destination Untrust
packet-filter 3100
#
zone-pair security source Untrust destination Local
packet-filter 3100
#
zone-pair security source Untrust destination Trust
packet-filter 3100

acl advanced 3100
rule 0 permit ip

The firewall denies all traffic by default; this set of commands opens the firewall completely. Use with caution!!!

Reposted from blog.csdn.net/weixin_43788290/article/details/104600292