USG6000V firewall configuration explained in detail, with a hands-on experiment (a must-read for beginners!!!)

Learning experience :

In the past two days, I followed the teacher to learn firewall configuration for network security defense. During the process I ran into many problems, such as accessing https://ip:8443 but not being offered a way to continue to the login interface, or being unable to ping the firewall test port. I hope the following write-up helps everyone!

To save everyone's time, I list the experiment and the specific problems separately, so you can look up whichever you need! (Beginners are advised to follow the whole experiment!)

Table of contents

Learning experience
Experiment
  Experimental topology
  Experimental requirements
  Experimental procedure
    1. Configure the cloud
    2. Configure the IP address of the firewall's GE0/0/0 port, enable the https and ping services, and ping-test the port
    3. Configure the IP addresses of the interfaces in the trust, untrust and dmz zones
    4. Log in to the firewall web UI and configure the interface IP addresses, security policies, interface aggregation and static routes to meet the experimental requirements
  Configuration complete and tested
Problems encountered in the experiment
  1. Accessing https://ip:8443 reports that a secure connection could not be established
  2. Unable to ping the firewall test port from the local cmd window

Experiment

Experimental topology:

The firewall used in this experiment is the USG6000V. I put the download link for the .vdi file you need below; pick it up yourself.

Link: https://pan.baidu.com/s/16nq6skHAiLx9hp-o4SCKXg
Extraction code: pkth

Experimental requirements:

1. Divide the network into trust, untrust and dmz zones

2. Achieve mutual access between the zones

Experimental procedure

1. Configure the cloud

// Be careful not to bind it to the physical (public) network card; create a virtual loopback adapter yourself, or bind it to VMnet1 / VMnet8

2. Configure the IP address of the firewall's GE0/0/0 port, enable the https and ping services, and ping-test the port.

Configuration command:

interface GigabitEthernet 0/0/0 //Enter the G0/0/0 interface
ip address 192.168.1.11 24 //Pick an address in the network segment bound to the virtual network card in the previous step; the mask (here /24) is required
service-manage enable
service-manage all permit //Allow access to all management services on this interface

3. Configure the IP addresses of the interfaces in the trust, untrust and dmz zones

Because in eNSP the layer-3 switch cannot be given an IP address on a physical port after undo portswitch, VLANIF interfaces are configured to act as virtual gateways instead. Entering addresses directly on the PCs needs no explanation, so I will mainly walk through the configuration on the switches and the firewall:

The configuration follows the topology diagram above; if you are not familiar with it, keep the diagram next to you while you follow along.

LSW6:

[Huawei]vlan batch 2 3 //Create vlan2 and vlan3
[Huawei]interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2 //Add G0/0/2 to vlan2
[Huawei-GigabitEthernet0/0/2]quit
[Huawei]interface Vlanif 2 //Configure Vlanif 2 as the virtual gateway of vlan2
[Huawei-Vlanif2]ip address 10.1.1.1 24

//As for the PC configuration, I won't say much. Once it is done, ping the Vlanif 2 IP address from the PC to test it.

The next step is to put the G0/0/1 port into vlan 3 and configure Vlanif 3, which is done the same way as Vlanif 2 (note that Vlanif 3 serves a different network segment, so don't mix them up!)

AR2:

Because AR2 is a router, you can enter the interface directly and configure the IP address. It is not difficult, so I won't explain it much. For the convenience of later tests, hang a server behind the router or create a loopback interface on it.

LSW4:

[Huawei]vlan batch 100 200
[Huawei]interface GigabitEthernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 100
[Huawei]interface GigabitEthernet 0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 200
[Huawei]interface GigabitEthernet 0/0/1 //Uplinks to the firewall, one trunk per VLAN
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[Huawei]interface GigabitEthernet 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type trunk
[Huawei-GigabitEthernet0/0/3]port trunk allow-pass vlan 200

//The experiment asks for link aggregation of the two uplinks. You can skip it without affecting the rest of the experiment; if you do it, the firewall will need a matching Eth-Trunk later.
//Member ports are expected to be at their default configuration when they join an Eth-Trunk, so create the Eth-Trunk first, put the trunk/VLAN settings on it, and only then add the members (remove the per-port trunk settings above first with undo port trunk allow-pass vlan and undo port link-type).
[Huawei]interface Eth-Trunk 1
[Huawei-Eth-Trunk1]port link-type trunk
[Huawei-Eth-Trunk1]port trunk allow-pass vlan 100 200
[Huawei-Eth-Trunk1]trunkport GigabitEthernet 0/0/1
[Huawei-Eth-Trunk1]trunkport GigabitEthernet 0/0/3

//The servers' IP addresses are configured later, so I won't go into them here; assign them in the segment that matches the topology diagram

Note: the gateways for vlan 100 and vlan 200 will be configured on the firewall, so there are no VLANIF virtual gateways on LSW4. Please pay attention to this.

4. Log in to the firewall web UI and configure the interface IP addresses, security policies, interface aggregation and static routes to meet the experimental requirements.

With the above configuration done, we come to the real subject of this experiment: the firewall configuration. Without further ado, let's look at the process directly!

  • After logging in at https://ip:8443, first configure the IP address of each firewall interface

 //Scroll to the right of the interface list, where there is an edit button; open it and set the zone and IP address of each interface according to the topology diagram

  • Configure security policies to implement mutual access between the zones.

//Write the policies by network segment: the trust segment, the dmz segment and the untrust segment. If you want to run ping tests of the services later, remember to permit ICMP, and note the hit count column (here it is 0; when we run the ping tests later the hit count increases, which shows that the policy configured on our firewall has taken effect)

  • The policy configuration is complete, but routing still has to be configured on the switches, the router and the firewall (do not dare forget this step!)
  • Here we mainly show how to configure static routes on the firewall. I won't explain the switches and router again; I believe that part will not be a problem for readers here.

  • Next, click Add and add the routes we need. //Think of the firewall as a router here: configuring its static routes is the same as configuring them on a router

 //For the demonstration I wrote two routes, which is enough for access from trust to untrust

  • After the trust-zone routing, the untrust-zone routing and the firewall routing are configured, we can run a simple test, as shown in the following figure:

The PC is the terminal in the trust zone, and 100.1.1.1 is the loopback IP in the untrust zone.

Let's check whether the firewall policy was hit, as shown in the following figure:

  • Because we did interface aggregation on LSW4 earlier, we also need to do it on the firewall

1. Configure interface aggregation

Steps: New -> set Interface Type to Aggregation, then add the interfaces to be aggregated as binding (member) interfaces.

 2. Configure the vlanif100 and vlanif200 virtual gateways.

  • Here it is best to run service-manage all permit once on each firewall interface to make sure service access is enabled
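As an added example (not part of the original post and not the author's configuration), here is the CLI equivalent of the web UI steps above on the USG6000V, so the whole firewall side of the experiment can be reproduced and checked from the console instead of clicked through. Only what the post states is taken as given: GE0/0/0 at 192.168.1.11, Vlanif 2 at 10.1.1.1/24 on LSW6, vlanif100/vlanif200 and Eth-Trunk 1 toward LSW4, and the loopback 100.1.1.1 on AR2. Everything else is an assumption made for illustration: the firewall interface numbers, the transit segments 10.1.3.0/24 (to LSW6 Vlanif 3) and 10.1.4.0/24 (to AR2), the DMZ segments 172.16.100.0/24 and 172.16.200.0/24, and the command syntax, which is written from memory of USG6000V V500 and should be checked against your version. It also narrows the post's service-manage all permit to the two services the experiment actually needs, because all permit additionally exposes telnet, ssh, snmp and netconf on that interface.

```text
# USG6000V console configuration, added example (not from the post).
# Addresses marked "assumed" are constructed for illustration.
system-view
sysname FW1

# Step 2: management port. Permit only https (web UI) and ping (reachability test).
interface GigabitEthernet0/0/0
 ip address 192.168.1.11 255.255.255.0
 service-manage enable
 service-manage https permit
 service-manage ping permit
 quit

# Trust side: routed link to LSW6 Vlanif 3 (transit segment 10.1.3.0/24 assumed)
interface GigabitEthernet1/0/1
 ip address 10.1.3.2 255.255.255.0
 quit

# Untrust side: link to AR2, which holds the loopback 100.1.1.1 (10.1.4.0/24 assumed)
interface GigabitEthernet1/0/2
 ip address 10.1.4.2 255.255.255.0
 quit

# DMZ side: Eth-Trunk 1 toward LSW4 carrying vlan 100 and 200 (member ports assumed)
vlan batch 100 200
interface Eth-Trunk1
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 100 200
 quit
interface GigabitEthernet1/0/3
 eth-trunk 1
 quit
interface GigabitEthernet1/0/4
 eth-trunk 1
 quit
interface Vlanif100
 ip address 172.16.100.1 255.255.255.0
 quit
interface Vlanif200
 ip address 172.16.200.1 255.255.255.0
 quit

# Zone membership (the "zone" column of the interface edit dialog)
firewall zone trust
 add interface GigabitEthernet1/0/1
 quit
firewall zone untrust
 add interface GigabitEthernet1/0/2
 quit
firewall zone dmz
 add interface Vlanif100
 add interface Vlanif200
 quit

# Step 4 policies: one rule per tested direction, scoped to the segments and to ICMP only
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  destination-address 100.1.1.1 32
  service icmp
  action permit
 rule name dmz_to_trust
  source-zone dmz
  destination-zone trust
  source-address 172.16.100.0 24
  source-address 172.16.200.0 24
  destination-address 10.1.1.0 24
  service icmp
  action permit
 rule name untrust_to_dmz
  source-zone untrust
  destination-zone dmz
  destination-address 172.16.100.0 24
  destination-address 172.16.200.0 24
  service icmp
  action permit
 quit

# The "two routes" for trust -> untrust; the DMZ segments are directly connected
ip route-static 10.1.1.0 255.255.255.0 10.1.3.1
ip route-static 100.1.1.1 255.255.255.255 10.1.4.1

# Checks: routes installed, and the HITS counter of each rule rising after the ping tests
display ip routing-table
display security-policy rule all
```

For the tests to succeed the other devices need return routes, which the post leaves to the reader: under these assumptions LSW6 needs ip route-static 0.0.0.0 0.0.0.0 10.1.3.2 (with Vlanif 3 at 10.1.3.1), and AR2 needs routes to 10.1.1.0/24, 172.16.100.0/24 and 172.16.200.0/24 via 10.1.4.2. The implicit default on the USG is to deny inter-zone traffic that matches no rule, so scoping each rule to specific segments and to the ICMP service, rather than permitting any-to-any, keeps the experiment reproducible and leaves the firewall in a state that is still meaningful once real services are added.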

The configuration is complete and tested

  • trust->untrust
  • dmz->trust
  • untrust->dmz

Problems encountered in the experiment

1. Accessing https://ip:8443 reports that a secure connection could not be established

  • The specific error message is shown in the figure below:

  • The key point is that there is no link to continue to the site, whereas when watching the teacher's operation there was a prompt to accept the security warning and continue. So I switched to the Google and Microsoft browsers and tried them one by one, but it didn't work. There are many opinions on the Internet: turn off the firewall, the VirtualBox version does not match, the https access permission is not enabled, and so on. I did all of it again, but it still didn't work. So I decided to capture packets and see what went wrong.
  • The packet capture is shown in the figure below:

  • At this point, visit myssl.com to check the TLS versions supported by the current browser:

 Click Tools, then International Client Detection, and you can see the TLS versions the current browser supports. The Firefox browser I use is shown in the figure below:

 Solution: I believe readers here will already see it: the Firefox browser does not support TLS 1.1, so we cannot establish the TLS connection. I therefore switched to the IE browser (any browser that supports TLS 1.1 will do), visited https://ip:8443 again, and this time the firewall's management interface appeared, as shown in the following figure:

Next, log in with the default username admin and password Admin@123.

2. Unable to ping the firewall test port in the local cmd window

The specific problem is as follows:

After completing the cloud configuration and successfully setting the IP address of the firewall test port, it still cannot be pinged, as shown in the figure below

We should run this ping test early, because being able to ping this IP address is the prerequisite for logging in to the management page through it, and testing early avoids rework later. However, it still cannot be pinged, as shown in the following figure:

 Solution:

Enter the G0/0/0 port of the firewall and enable the ping service

Use the commands:

interface GigabitEthernet 0/0/0
service-manage enable
service-manage all permit //Allow access to all management services on this interface

Now test again: the ping succeeds and the management interface can be logged in to.


Tips: The author had configured the cloud, the IP address, the https and ping services, and allowed all the eNSP traffic through the firewall, but still could not ping (if you can ping but cannot log in, see the solution to the first problem above!). Here I changed the network card configuration of the cloud and then changed the port type to GE (if it was originally GE, change it to Ethernet), and the test passed again, which is very confusing. In another case I had connected the G0/0/0 port somewhere else instead of to the cloud, so local traffic could not reach this interface and the ping failed; reconnecting G0/0/0 to the cloud made it pingable. Due to my limited ability I cannot explain the reason in detail for now. If you are in a similar situation to the author, try this, and it may solve your problem.

The above is what I wanted to share with you. I don't know whether it helps; if anything is inaccurate, you are welcome to discuss it and correct me!

Writer: Darkfive


Origin blog.csdn.net/m0_65463546/article/details/129483257