Firewall NAT experiment in eNSP

1. The topology diagram is as follows:

(Topology diagram: image not included)

2. Requirements

1. Client 1 in the trust zone can access Server 1 in the dmz zone through port 80.
2. Client 1 in the trust zone can access Server 2 in the untrust zone.
3. Client 2 in the untrust zone can access Server 1 in the dmz zone through port 8080.
Note: In this experiment, the trust zone and the dmz zone simulate the internal network, the untrust zone simulates the external network, and the firewall is the device that connects the internal network to the external network.

3. Analysis

1. To meet requirement 1, a security policy that permits traffic from the trust zone to the dmz zone is needed.
2. To let Client 1 access Server 2, a security policy that permits traffic from the trust zone to the untrust zone is needed, and NAT must be configured on the firewall; easy-ip is used here.
3. To let Client 2 access Server 1 in the dmz, a security policy that permits traffic from the untrust zone to the dmz zone is needed, and a NAT server must be configured on the firewall to map port 8080 of the external-network interface to port 80 of Server 1.
4. This experiment is configured mainly on the firewall; router AR1 only needs the corresponding IP addresses.

4. Configuration

Firewall configuration:

//assign addresses to the three firewall interfaces
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 192.168.0.1 24
[USG6000V1-GigabitEthernet1/0/0]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 192.168.1.1 24
[USG6000V1-GigabitEthernet1/0/1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip add 12.0.0.1 24
[USG6000V1-GigabitEthernet1/0/2]quit
//add each interface to its security zone
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add int g1/0/0
[USG6000V1-zone-trust]firewall zone dmz
[USG6000V1-zone-dmz]add int g1/0/1
[USG6000V1-zone-dmz]firewall zone untrust
[USG6000V1-zone-untrust]add int g1/0/2
[USG6000V1-zone-untrust]quit
//create security policies that permit the required inter-zone traffic (everything else hits the default deny)
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust2dmz  //permit traffic from the trust zone to the dmz zone
[USG6000V1-policy-security-rule-trust2dmz]source-zone trust
[USG6000V1-policy-security-rule-trust2dmz]destination-zone dmz
[USG6000V1-policy-security-rule-trust2dmz]action permit
[USG6000V1-policy-security-rule-trust2dmz]quit
[USG6000V1-policy-security]rule name trust2untrust   //permit traffic from the trust zone to the untrust zone
[USG6000V1-policy-security-rule-trust2untrust]source-zone trust
[USG6000V1-policy-security-rule-trust2untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust2untrust]action permit
[USG6000V1-policy-security-rule-trust2untrust]quit
[USG6000V1-policy-security]rule name untrust2dmz   //permit traffic from the untrust zone to the dmz zone
[USG6000V1-policy-security-rule-untrust2dmz]source-zone untrust
[USG6000V1-policy-security-rule-untrust2dmz]destination-zone dmz
[USG6000V1-policy-security-rule-untrust2dmz]action permit
[USG6000V1-policy-security-rule-untrust2dmz]quit
[USG6000V1-policy-security]quit
//configure source NAT (easy-ip uses the address of the outbound interface g1/0/2)
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name waiwang
[USG6000V1-policy-nat-rule-waiwang]source-zone trust
[USG6000V1-policy-nat-rule-waiwang]destination-zone untrust
[USG6000V1-policy-nat-rule-waiwang]action source-nat easy-ip
[USG6000V1-policy-nat-rule-waiwang]quit
[USG6000V1-policy-nat]quit
//configure the NAT server (port mapping): 12.0.0.1:8080 on the outside maps to 192.168.1.2:80 on Server 1;
//no-reverse means the mapping is only used for inbound connections, Server 1 cannot initiate outbound traffic with 12.0.0.1
[USG6000V1]nat server nat_server protocol tcp global 12.0.0.1 8080 inside 192.168.1.2 80 no-reverse
//default route, next hop is the public-network router
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 12.0.0.2
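To check that the zones, security policies and NAT rules above really satisfy the three requirements (and deny everything else), the following Python script models the firewall's decision pipeline for the first packet of a flow. It is an added example, not part of the original post and not Huawei's software: it assumes the USG ordering in which the NAT server (destination NAT) is applied before the security-policy lookup and easy-ip source NAT is applied after a permit, derives each zone from the subnet configured on its interface, sends anything not in a connected subnet out the default route into untrust, and uses constructed external addresses (203.0.113.x) for Server 2 and Client 2, whose real addresses the post does not give. The firewall's own "local" zone is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone membership by connected subnet, taken from the interface configuration.
ZONE_NETWORKS = {
    "trust":   ip_network("192.168.0.0/24"),   # g1/0/0
    "dmz":     ip_network("192.168.1.0/24"),   # g1/0/1
    "untrust": ip_network("12.0.0.0/24"),      # g1/0/2
}
DEFAULT_ROUTE_ZONE = "untrust"   # ip route-static 0.0.0.0 0.0.0.0 12.0.0.2 leaves via g1/0/2
EASY_IP_ADDRESS = "12.0.0.1"     # easy-ip translates to the outbound interface address

# Security policy: (rule name, source zone, destination zone, action); implicit deny at the end.
SECURITY_POLICY = [
    ("trust2dmz",     "trust",   "dmz",     "permit"),
    ("trust2untrust", "trust",   "untrust", "permit"),
    ("untrust2dmz",   "untrust", "dmz",     "permit"),
]
# NAT policy: (rule name, source zone, destination zone, mode)
NAT_POLICY = [("waiwang", "trust", "untrust", "easy-ip")]
# NAT server: (name, protocol, global ip, global port, inside ip, inside port)
NAT_SERVER = [("nat_server", "tcp", "12.0.0.1", 8080, "192.168.1.2", 80)]


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Zone of an address: its connected subnet, otherwise the default route's zone."""
    addr = ip_address(ip)
    for zone, net in ZONE_NETWORKS.items():
        if addr in net:
            return zone
    return DEFAULT_ROUTE_ZONE


def evaluate(flow: Flow) -> dict:
    """Decision for the first packet of a flow: DNAT -> zones -> security policy -> SNAT."""
    dst, dport, dnat_rule = flow.dst, flow.dport, None
    # Step 1: NAT server (destination NAT) runs before the policy lookup, which is
    # why the security policy for requirement 3 names destination-zone dmz, not untrust.
    for name, proto, gip, gport, iip, iport in NAT_SERVER:
        if proto == flow.proto and gip == flow.dst and gport == flow.dport:
            dst, dport, dnat_rule = iip, iport, name
            break
    src_zone, dst_zone = zone_of(flow.src), zone_of(dst)
    # Step 2: security policy, first match wins; no match means the default deny.
    action, rule = "deny", "default"
    for name, sz, dz, act in SECURITY_POLICY:
        if sz == src_zone and dz == dst_zone:
            action, rule = act, name
            break
    # Step 3: source NAT is only applied to permitted traffic and does not affect the policy match.
    src, snat_rule = flow.src, None
    if action == "permit":
        for name, sz, dz, mode in NAT_POLICY:
            if sz == src_zone and dz == dst_zone and mode == "easy-ip":
                src, snat_rule = EASY_IP_ADDRESS, name
                break
    return {
        "action": action, "rule": rule,
        "src_zone": src_zone, "dst_zone": dst_zone,
        "src_after": src, "dst_after": dst, "dport_after": dport,
        "dnat_rule": dnat_rule, "snat_rule": snat_rule,
    }


if __name__ == "__main__":
    # Constructed flows: the three requirements plus two that must be denied.
    for label, flow in [
        ("req1 client1 -> server1:80",      Flow("tcp", "192.168.0.2",  "192.168.1.2", 80)),
        ("req2 client1 -> server2:80",      Flow("tcp", "192.168.0.2",  "203.0.113.10", 80)),
        ("req3 client2 -> 12.0.0.1:8080",   Flow("tcp", "203.0.113.20", "12.0.0.1", 8080)),
        ("deny client2 -> client1:80",      Flow("tcp", "203.0.113.20", "192.168.0.2", 80)),
        ("deny server1 -> outside:443",     Flow("tcp", "192.168.1.2",  "203.0.113.20", 443)),
    ]:
        print(label, evaluate(flow))
```

The two denied flows show what the zone model buys you: there is no untrust-to-trust rule, so an outside host cannot reach Client 1, and there is no dmz-to-untrust rule (and the NAT server is `no-reverse`), so a compromised Server 1 could not open connections outward through this configuration.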

5. Verification

1. Client 1 accesses Server 1
(screenshot not included)
2. Client 1 in the trust zone accesses Server 2 in the external network
(screenshot not included)
3. Client 2 in the external network accesses Server 1 in the dmz zone
(screenshot not included)

6. Summary

This experiment is mainly about operating the firewall, and it can be regarded as my first time configuring a firewall. I feel that the difference from routers and switches is that the firewall has security zones and security policies: the firewall's ports must be added to security zones, and the corresponding security policies must be permitted to achieve access between different zones. At the same time, I feel that having learned to configure routers and switches is helpful for configuring firewalls.

Origin blog.csdn.net/qq_44933518/article/details/109756315