Web page login configuration
Topology
Cloud1 configuration: bind the Cloud device to a host network adapter (I chose the WLAN adapter) so that the firewall's management interface is reachable from the host.
<USG6000V1>sys                                              # enter system view
[USG6000V1]sysname NGFW                                     # set the device name
[NGFW]dis ip int brief                                      # show each interface with its IP address and status
[NGFW]int g0/0/0                                            # enter interface GE0/0/0 (the management interface)
[NGFW-GigabitEthernet0/0/0]ip add 172.89.209.137 24         # assign the interface IP address
[NGFW-GigabitEthernet0/0/0]service-manage all permit       # allow every management service (ping, http, https, ssh, ...) on this interface
[NGFW-GigabitEthernet0/0/0]dis ip int brief
On the host, verify connectivity with ping 172.89.209.137.
Then open the firewall's web UI in a browser (the USG6000V listens on HTTPS port 8443 by default) and log in; the requirement is met.
Note that service-manage all permit opens every management service on GE0/0/0. That is fine in an eNSP lab, but on a real device permit only what you need (for example service-manage https permit and service-manage ping permit) and keep the management interface on an isolated management network.
IP address-based forwarding policy
Extended topology:
Step 1: Configure the IP addresses of each interface of the firewall
[USG6000V1-GigabitEthernet1/0/1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.5.1 24
[USG6000V1-GigabitEthernet1/0/0]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 1.1.1.1 24
[USG6000V1-GigabitEthernet1/0/1]q
Step 2: Add the GE 1/0/0 interface of the firewall to the Trust zone
[USG6000V1]firewall zone trust                              # enter the trust zone
[USG6000V1-zone-trust]add int g1/0/0
[USG6000V1-zone-trust]q
Step 3: Add the GE 1/0/1 interface of the firewall to the Untrust zone
[USG6000V1]firewall zone untrust                            # enter the untrust zone
[USG6000V1-zone-untrust]add int g1/0/1
[USG6000V1-zone-untrust]q
Configure the ip_deny address set
[USG6000V1]ip address-set ip_deny type object
Add the IP addresses that must not pass through the firewall to the ip_deny address set (the trailing 0 is the wildcard mask, so each entry is a single host)
[USG6000V1-object-address-set-ip_deny]address 192.168.5.2 0
[USG6000V1-object-address-set-ip_deny]address 192.168.5.3 0
[USG6000V1-object-address-set-ip_deny]address 192.168.5.6 0
[USG6000V1-object-address-set-ip_deny]q
Create a policy that denies forwarding for the addresses in ip_deny
[USG6000V1]security-policy                                  # security policy view
[USG6000V1-policy-security]rule name policy_deny
[USG6000V1-policy-security-rule-policy_deny]source-address address-set ip_deny
[USG6000V1-policy-security-rule-policy_deny]action deny
[USG6000V1-policy-security-rule-policy_deny]q
Create a forwarding policy that permits the rest of the 192.168.5.0/24 segment through the firewall. Security policies are matched top-down, first match wins, and anything unmatched hits the default policy (deny), so the deny rule must be created before this permit rule; if the permit rule came first it would also match the ip_deny hosts and the deny rule would never be hit.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_permit
[USG6000V1-policy-security-rule-policy_permit]source-address 192.168.5.0 24
[USG6000V1-policy-security-rule-policy_permit]action permit
[USG6000V1-policy-security-rule-policy_permit]q
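The following is an added example, not configuration from the page: a small Python model of how the USG evaluates the two rules above (policy_deny with the ip_deny address set, then the permit rule for 192.168.5.0/24). It converts the address-set wildcard notation into networks, walks the rule list first-match with a default deny, and reports rules that are shadowed by an earlier rule, which is what happens if the permit rule is created before the deny rule. The rule names and the test addresses are taken from the page; the default-policy name "default" is an assumption for illustration.

```python
"""First-match security-policy evaluation modelled on the USG rules above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Translate an address-set entry 'address <ip> <wildcard>' into a network.
    The wildcard is an inverse mask; '0' means 0.0.0.0, i.e. exactly one host."""
    bits = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    ones = bits.bit_length()
    if bits != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - ones), strict=False)


@dataclass
class Rule:
    name: str
    action: str                                      # "permit" or "deny"
    sources: Optional[List[ipaddress.IPv4Network]]   # None means any source


def evaluate(rules: List[Rule], src_ip: str) -> Tuple[str, str]:
    """Return (rule name, action) of the first rule whose source matches.
    Unmatched traffic falls through to the default policy, which denies (name assumed)."""
    ip = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        if rule.sources is None or any(ip in net for net in rule.sources):
            return rule.name, rule.action
    return "default", "deny"


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because each of their source networks
    is already covered by some earlier rule (the classic ordering mistake)."""
    result = []
    for i, rule in enumerate(rules):
        earlier = [n for r in rules[:i] for n in (r.sources or [ANY])]
        nets = rule.sources or [ANY]
        if earlier and all(any(net.subnet_of(e) for e in earlier) for net in nets):
            result.append(rule.name)
    return result


# The rules from the page, in the order the page creates them (deny first).
IP_DENY = [wildcard_to_network(h, "0") for h in ("192.168.5.2", "192.168.5.3", "192.168.5.6")]
POLICY_DENY = Rule("policy_deny", "deny", IP_DENY)
POLICY_PERMIT = Rule("policy_permit", "permit", [ipaddress.IPv4Network("192.168.5.0/24")])
PAGE_ORDER = [POLICY_DENY, POLICY_PERMIT]
WRONG_ORDER = [POLICY_PERMIT, POLICY_DENY]   # permit created first: the deny rule is shadowed

if __name__ == "__main__":
    for src in ("192.168.5.2", "192.168.5.10", "10.0.0.1"):
        print(src, "page order ->", evaluate(PAGE_ORDER, src),
              " wrong order ->", evaluate(WRONG_ORDER, src))
    print("shadowed rules in wrong order:", shadowed(WRONG_ORDER))
```

Running it shows 192.168.5.2 denied and 192.168.5.10 permitted in the page's order, while in the reversed order 192.168.5.2 is permitted and policy_deny is reported as shadowed; 10.0.0.1 is denied by the default policy either way.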
Dual-device hot standby (HRP) experiment
Firewall 1
Configuration steps (CLI)
① Configure the uplink and downlink service interfaces of USG6330-1: assign each interface an IP address and add it to the corresponding security zone.
<USG6000V1>sys
[USG6000V1]int G1/0/1
[USG6000V1-GigabitEthernet1/0/1] ip add 10.1.2.1 255.255.255.0
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]int G1/0/4
[USG6000V1-GigabitEthernet1/0/4] ip add 40.1.1.1 255.255.255.0
[USG6000V1-GigabitEthernet1/0/4]q
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust]add interface G1/0/1
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface G1/0/4
[USG6000V1-zone-untrust]q
② Configure VRRP backup group 1 on interface G1/0/4 and add it to the VGMP management group with Active status
[USG6000V1]int G1/0/4
[USG6000V1-GigabitEthernet1/0/4]vrrp vrid 1 virtual-ip 2.2.2.1 255.255.255.0 active
[USG6000V1-GigabitEthernet1/0/4]q
③ Configure VRRP backup group 2 on interface GigabitEthernet 1/0/1 and add it to the VGMP management group with Active status
[USG6000V1]int G1/0/1
[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.2.3 24 active
[USG6000V1-GigabitEthernet1/0/1]q
④ Configure the heartbeat link of USG6330-1: assign an IP address to GigabitEthernet1/0/3.
[USG6000V1]int G1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip address 30.1.1.1 255.255.255.0
[USG6000V1-GigabitEthernet1/0/3]q
⑤ Add GigabitEthernet1/0/3 to the DMZ zone.
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface G1/0/3
[USG6000V1-zone-dmz]q
Specify G1/0/3 as the heartbeat interface, with the peer's heartbeat address as the remote end
[USG6000V1]hrp interface G1/0/3 remote 30.1.1.2
⑥ Configure the inter-zone forwarding policy between the Trust zone and the Untrust zone. As written, the rule has no destination-zone, so it permits traffic from trust to every zone; add destination-zone untrust to restrict it to the Trust-to-Untrust direction the heading describes.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_sec
[USG6000V1-policy-security-rule-policy_sec]source-zone trust
[USG6000V1-policy-security-rule-policy_sec]action permit
[USG6000V1-policy-security-rule-policy_sec]q
[USG6000V1-policy-security]q
⑦ Enable HRP (the same command is needed on both firewalls before configuration and session backup starts)
[USG6000V1]hrp enable
Firewall 2 is configured with the same steps; only its interface IP addresses, the remote heartbeat address, and the VRRP role (standby instead of active) change.
Firewall Layer 2 and Layer 3 communication
Experimental requirements:
1. The 6 PCs communicate with each other
- The firewall uses Layer 3 Vlanif interfaces for inter-VLAN communication
- PC5 and PC6 communicate with each other via router-on-a-stick (sub-interfaces on GE1/0/0)
- The firewall defines 6 new zones and applies them
Experimental configuration:
On the firewall:
Step 1: Implement Layer 2 communication (interfaces GE1/0/1 to GE1/0/4 as switch ports)
Firewall configuration
1. Create vlan
vlan batch 10 20 30 40
2. The interface allows VLAN communication
interface GigabitEthernet1/0/1
portswitch
undo shutdown
port link-type access
port default vlan 40
#
interface GigabitEthernet1/0/2
portswitch
undo shutdown
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/3
portswitch
undo shutdown
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/4
portswitch
undo shutdown
port link-type access
port default vlan 20
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.40.1 255.255.255.0
#
Step 2. Implement Layer 3 communication (router-on-a-stick)
1. Create the dot1q sub-interfaces on GE1/0/0
interface GigabitEthernet1/0/0.1
vlan-type dot1q 60
ip address 192.168.60.1 255.255.255.0
#
interface GigabitEthernet1/0/0.2
vlan-type dot1q 55
ip address 192.168.55.1 255.255.255.0
#
Step 3. Add the interfaces to a zone (note that it is the Layer 3 interfaces, the Vlanifs and sub-interfaces, that are added, not the switch ports; an interface that belongs to no zone does not forward traffic on the USG). The configuration below puts all six Layer 3 interfaces into trust, so no inter-zone policy is needed for them to talk; with one zone per interface you would also have to write the inter-zone security policies.
firewall zone trust
add interface Vlanif10
add interface Vlanif20
add interface Vlanif30
add interface Vlanif40
add interface GigabitEthernet1/0/0.1
add interface GigabitEthernet1/0/0.2
#
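The following is an added example and not part of the page's configuration: a Python script that parses the firewall configuration above (reproduced as a constructed sample string), builds the port-to-VLAN, Vlanif, sub-interface and zone tables, and audits the points Step 3 warns about, namely a Layer 3 interface that is not in any zone, an access VLAN without a Vlanif gateway, and a Vlanif or access port referring to a VLAN that was never created. The finding messages and the broken variant (Vlanif30 left out of the trust zone) are my own.

```python
"""Parse and audit the USG VLAN / sub-interface / zone configuration above (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample input: the firewall configuration from this section.
SAMPLE_CONFIG = (
    "vlan batch 10 20 30 40\n#\n"
    + "".join(
        f"interface GigabitEthernet1/0/{port}\n portswitch\n undo shutdown\n"
        f" port link-type access\n port default vlan {vlan}\n#\n"
        for port, vlan in ((1, 40), (2, 30), (3, 10), (4, 20))
    )
    + "".join(f"interface Vlanif{v}\n ip address 192.168.{v}.1 255.255.255.0\n#\n"
              for v in (10, 20, 30, 40))
    + "interface GigabitEthernet1/0/0.1\n vlan-type dot1q 60\n ip address 192.168.60.1 255.255.255.0\n#\n"
    + "interface GigabitEthernet1/0/0.2\n vlan-type dot1q 55\n ip address 192.168.55.1 255.255.255.0\n#\n"
    + "firewall zone trust\n"
    + "".join(f" add interface {i}\n" for i in ("Vlanif10", "Vlanif20", "Vlanif30", "Vlanif40",
                                                  "GigabitEthernet1/0/0.1", "GigabitEthernet1/0/0.2"))
    + "#\n"
)

Iface = Dict[str, object]


def parse_config(text: str) -> Tuple[Dict[str, Iface], Dict[str, List[str]], Set[int]]:
    """Return (interfaces, zone -> member interfaces, created VLAN ids)."""
    ifaces: Dict[str, Iface] = {}
    zones: Dict[str, List[str]] = defaultdict(list)
    vlans: Set[int] = set()
    iface = zone = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":            # '#' ends a configuration block
            iface = zone = None
            continue
        if line.startswith("vlan batch "):
            vlans.update(int(v) for v in line.split()[2:])
        elif (m := re.fullmatch(r"interface (\S+)", line)):
            iface, zone = m.group(1), None
            ifaces[iface] = {"l2": False, "vlan": None, "dot1q": None, "ip": None}
        elif (m := re.fullmatch(r"firewall zone (\S+)", line)):
            zone, iface = m.group(1), None
            zones.setdefault(zone, [])
        elif iface is not None:
            d = ifaces[iface]
            if line == "portswitch":           # interface switched to Layer 2 mode
                d["l2"] = True
            elif (m := re.fullmatch(r"port default vlan (\d+)", line)):
                d["vlan"] = int(m.group(1))
            elif (m := re.fullmatch(r"vlan-type dot1q (\d+)", line)):
                d["dot1q"] = int(m.group(1))
            elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
                d["ip"] = f"{m.group(1)} {m.group(2)}"
        elif zone is not None and (m := re.fullmatch(r"add interface (\S+)", line)):
            zones[zone].append(m.group(1))
    return ifaces, dict(zones), vlans


def audit(ifaces: Dict[str, Iface], zones: Dict[str, List[str]], vlans: Set[int]) -> List[str]:
    """Findings a practitioner wants flagged before trusting the config."""
    findings = []
    zoned = {i for members in zones.values() for i in members}
    for name, d in ifaces.items():
        if d["ip"] and name not in zoned:
            findings.append(f"{name} has an IP address but is in no security zone; the USG will not forward its traffic")
        if d["l2"] and d["vlan"] is not None:
            if f"Vlanif{d['vlan']}" not in ifaces:
                findings.append(f"{name} is an access port in VLAN {d['vlan']} but no Vlanif{d['vlan']} exists; hosts there have no gateway")
            if d["vlan"] not in vlans:
                findings.append(f"{name} uses VLAN {d['vlan']}, which was never created with 'vlan batch'")
        m = re.fullmatch(r"Vlanif(\d+)", name)
        if m and int(m.group(1)) not in vlans:
            findings.append(f"{name} exists but VLAN {m.group(1)} was never created")
    return findings


# A broken variant to show the check firing: Vlanif30 left out of the trust zone.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(" add interface Vlanif30\n", "")

if __name__ == "__main__":
    print("page config findings:", audit(*parse_config(SAMPLE_CONFIG)))
    print("broken config findings:", audit(*parse_config(BROKEN_CONFIG)))
```

The page's configuration audits clean; the broken variant reports Vlanif30 as a Layer 3 interface with no zone, which is exactly the silent failure mode of forgetting one add interface line: the VLAN 30 hosts get a gateway address that answers nothing.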
Switch configuration
1. Create the VLANs and set the uplink to the firewall as a trunk carrying them
vlan batch 55 60
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 55 60
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 55
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 60
Test Results