eNSP Firewall Security Zone Lab

==============================================================================================
2020/2/18 三葉草

Lab topology:
(topology diagram not reproduced in the page text; inferred from the commands below: R1 at 10.1.1.1 with loopback 100.1.1.1 sits behind firewall interface GigabitEthernet1/0/1 in untrust, R2 at 10.1.2.1 with loopback 100.2.2.2 behind GigabitEthernet1/0/2 in trust, and R3 with loopback 100.3.3.3 behind GigabitEthernet1/0/3 in the DMZ; the firewall uses the .254 address on each /24, and each router reaches its firewall interface through its own VLAN on switch sw1)
Lab requirements:
1. The firewall can reach the trust zone
2. The trust zone can reach the firewall
3. Every address in the trust zone can reach the untrust zone
4. The untrust zone can reach only the loopback interface in the DMZ zone

Lab steps

1. Configure the IP addresses as shown in the diagram

2. Create the VLANs

[sw1]vlan batch 10 20 30

3. Set the switch ports to access mode and assign them to their VLANs (each router port is paired with the port facing the corresponding firewall interface in its own VLAN, so the three segments stay isolated from each other on sw1)

[sw1]int g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type access 
[sw1-GigabitEthernet0/0/1]port default vlan 10
[sw1-GigabitEthernet0/0/1]int g0/0/11
[sw1-GigabitEthernet0/0/11]port link-type access 
[sw1-GigabitEthernet0/0/11]port default vlan 10
[sw1-GigabitEthernet0/0/11]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access 
[sw1-GigabitEthernet0/0/2]port default vlan 20
[sw1-GigabitEthernet0/0/2]int g0/0/12
[sw1-GigabitEthernet0/0/12]port link-type access
[sw1-GigabitEthernet0/0/12]port default vlan 20
[sw1-GigabitEthernet0/0/12]int g0/0/3
[sw1-GigabitEthernet0/0/3]port link-type access 
[sw1-GigabitEthernet0/0/3]port default vlan 30
[sw1-GigabitEthernet0/0/3]int g0/0/13
[sw1-GigabitEthernet0/0/13]port link-type access
[sw1-GigabitEthernet0/0/13]port default vlan 30

4. Configure static routes (each router uses the firewall as its default gateway; the firewall needs routes to the three loopback networks, since only the directly connected /24s are known to it)

[r1]ip route-static 0.0.0.0 0 10.1.1.254
[r2]ip route-static 0.0.0.0 0 10.1.2.254
[r3]ip route-static 0.0.0.0 0 10.1.3.254
[USG6000V1]ip route-static 100.1.1.0 255.255.255.0 10.1.1.1
[USG6000V1]ip route-static 100.2.2.0 255.255.255.0 10.1.2.1
[USG6000V1]ip route-static 100.3.3.0 255.255.255.0 10.1.3.1

5. Assign the interfaces to their security zones

[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet1/0/2
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet1/0/1
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet1/0/3

6. The firewall can reach the trust zone

Traffic generated by the firewall itself belongs to the local zone, so a local-to-trust security-policy rule is needed. A ping issued without a source address is sent from the egress interface (10.1.2.254), which is why the 10.1.2.0/24 source-address condition matches. The echo replies come back on the session created by the first packet, so no trust-to-local rule is required for this direction.

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 1
[USG6000V1-policy-security-rule-1]source-zone local
[USG6000V1-policy-security-rule-1]destination-zone trust
[USG6000V1-policy-security-rule-1]source-address 10.1.2.0 24
[USG6000V1-policy-security-rule-1]action permit
[USG6000V1]ping 10.1.2.1
PING 10.1.2.1: 56  data bytes, press CTRL_C to break
Reply from 10.1.2.1: bytes=56 Sequence=1 ttl=255 time=42 ms
Reply from 10.1.2.1: bytes=56 Sequence=2 ttl=255 time=38 ms
Reply from 10.1.2.1: bytes=56 Sequence=3 ttl=255 time=28 ms
Reply from 10.1.2.1: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 10.1.2.1: bytes=56 Sequence=5 ttl=255 time=34 ms

7. The trust zone can reach the firewall

Pinging the firewall's own interface address is management-plane access to the local zone rather than transit traffic. On the USG this is controlled per interface with service-manage, which is not enabled on data interfaces by default, so enable ping on the trust-facing interface only:

[USG6000V1]interface GigabitEthernet1/0/2
[USG6000V1-GigabitEthernet1/0/2]service-manage ping permit
<r2>ping 10.1.2.254
PING 10.1.2.254: 56  data bytes, press CTRL_C to break
Reply from 10.1.2.254: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 10.1.2.254: bytes=56 Sequence=2 ttl=255 time=30 ms
Reply from 10.1.2.254: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.1.2.254: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 10.1.2.254: bytes=56 Sequence=5 ttl=255 time=30 ms

8. Every address in the trust zone can reach the untrust zone

Rule 2 lists both trust-side networks explicitly (the R2 physical segment and its loopback). Omitting source-address would also satisfy the requirement, but enumerating the networks keeps the rule from matching anything that later lands in the trust zone by accident. The rule is verified from both source addresses with ping -a.

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 2
[USG6000V1-policy-security-rule-2]source-zone trust
[USG6000V1-policy-security-rule-2]destination-zone untrust
[USG6000V1-policy-security-rule-2]source-address 10.1.2.0 24
[USG6000V1-policy-security-rule-2]source-address 100.2.2.0 24
[USG6000V1-policy-security-rule-2]action permit
<r2>ping -a 10.1.2.1 10.1.1.1
PING 10.1.1.1: 56  data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=90 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=254 time=90 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=254 time=80 ms
<r2>ping -a 100.2.2.2 10.1.1.1
PING 10.1.1.1: 56  data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=90 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=90 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=254 time=80 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=254 time=80 ms

9. The untrust zone can reach only the loopback interface in the DMZ zone

Rule 3 narrows the match on both destination address (only 100.3.3.0/24) and service (only ICMP), and the firewall's default action denies everything else between zones, so the DMZ router's physical address stays unreachable from untrust. Note that the service condition is tighter than the requirement as worded: any other protocol to the loopback, for example SSH, is also denied, and would need its own service entry if it were wanted.

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 3
[USG6000V1-policy-security-rule-3]source-zone untrust
[USG6000V1-policy-security-rule-3]destination-zone dmz
[USG6000V1-policy-security-rule-3]destination-address 100.3.3.0 24
[USG6000V1-policy-security-rule-3]service icmp
[USG6000V1-policy-security-rule-3]action permit
<r1>ping -a 100.1.1.1 100.3.3.3
PING 100.3.3.3: 56  data bytes, press CTRL_C to break
Request time out
Reply from 100.3.3.3: bytes=56 Sequence=2 ttl=254 time=270 ms
Reply from 100.3.3.3: bytes=56 Sequence=3 ttl=254 time=60 ms
Reply from 100.3.3.3: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 100.3.3.3: bytes=56 Sequence=5 ttl=254 time=80 ms
<r1>ping -a 100.1.1.1 10.1.3.3
PING 10.1.3.3: 56  data bytes, press CTRL_C to break
Request time out
Request time out
Request time out

The single timeout at the start of the first ping is the usual eNSP behaviour while ARP resolves on the path and is not a policy effect; the later replies with ttl=254 show one hop (the firewall) in between. The second ping timing out is the expected result, but a timeout only proves the packet did not get through, not why: confirm it was the policy that dropped it by checking that no session exists for the flow (display firewall session table) and that rule 3's hit count did not increase, rather than relying on the ping alone.
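To check the whole rule set against the four requirements before typing it into the firewall, the following is an added example (not code from the original post or from Huawei): a small model of the USG's zone-based policy evaluation loaded with this lab's interfaces, routes, service-manage setting and three rules. The zone mapping, routes and rules are copied from steps 4 to 9; the assumptions are that 10.1.3.3 is an address on the DMZ segment, that evaluation is first match wins with a default deny, that a reply is permitted whenever the request created a session, and that service-manage admits the listed services to the interface's own address without consulting the security policy. The function names (evaluate, run_lab_checks) are the example's own.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Step 5: interface -> zone.
ZONE_OF_INTERFACE = {
    "GigabitEthernet1/0/1": "untrust",
    "GigabitEthernet1/0/2": "trust",
    "GigabitEthernet1/0/3": "dmz",
}
# The firewall's own addresses (zone "local") and the interface each sits on.
LOCAL_ADDRESSES: Dict[IPv4Address, str] = {
    ip_address("10.1.1.254"): "GigabitEthernet1/0/1",
    ip_address("10.1.2.254"): "GigabitEthernet1/0/2",
    ip_address("10.1.3.254"): "GigabitEthernet1/0/3",
}
# Connected networks plus the step 4 static routes, as (prefix, egress interface).
ROUTES: List[Tuple[IPv4Network, str]] = [
    (ip_network("10.1.1.0/24"), "GigabitEthernet1/0/1"),
    (ip_network("10.1.2.0/24"), "GigabitEthernet1/0/2"),
    (ip_network("10.1.3.0/24"), "GigabitEthernet1/0/3"),
    (ip_network("100.1.1.0/24"), "GigabitEthernet1/0/1"),
    (ip_network("100.2.2.0/24"), "GigabitEthernet1/0/2"),
    (ip_network("100.3.3.0/24"), "GigabitEthernet1/0/3"),
]
# Step 7: management services admitted per interface (service-manage); assumed to bypass policy.
SERVICE_MANAGE: Dict[str, Set[str]] = {"GigabitEthernet1/0/2": {"icmp"}}


@dataclass
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    source_address: List[IPv4Network] = field(default_factory=list)       # empty = any
    destination_address: List[IPv4Network] = field(default_factory=list)  # empty = any
    service: Optional[str] = None                                          # None = any
    action: str = "permit"

    def matches(self, src, dst, src_zone, dst_zone, service) -> bool:
        if (src_zone, dst_zone) != (self.source_zone, self.destination_zone):
            return False
        if self.source_address and not any(src in n for n in self.source_address):
            return False
        if self.destination_address and not any(dst in n for n in self.destination_address):
            return False
        return self.service is None or self.service == service


def interface_for(addr: IPv4Address) -> Optional[str]:
    """Longest-prefix match over ROUTES; None means no route, so the packet is dropped."""
    best = None
    for net, ifname in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def zone_of(addr: IPv4Address) -> Optional[str]:
    if addr in LOCAL_ADDRESSES:
        return "local"
    ifname = interface_for(addr)
    return ZONE_OF_INTERFACE.get(ifname) if ifname else None


Session = Tuple[IPv4Address, IPv4Address, str]


def evaluate(src: str, dst: str, service: str, rules: List[Rule],
             sessions: Optional[Set[Session]] = None) -> str:
    """Verdict for one packet: 'permit: <why>', 'deny: <why>' or 'drop: no route'."""
    sessions = set() if sessions is None else sessions
    s, d = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(s), zone_of(d)
    if src_zone is None or dst_zone is None:
        return "drop: no route"
    if (d, s, service) in sessions:                       # reply on an existing session
        return "permit: session"
    if dst_zone == "local" and service in SERVICE_MANAGE.get(LOCAL_ADDRESSES[d], set()):
        sessions.add((s, d, service))                     # management-plane access
        return "permit: service-manage"
    for rule in rules:                                     # first match wins
        if rule.matches(s, d, src_zone, dst_zone, service):
            if rule.action == "permit":
                sessions.add((s, d, service))
            return f"{rule.action}: rule {rule.name}"
    return "deny: default"                                 # no rule matched


# Steps 6, 8 and 9 of the lab.
LAB_RULES = [
    Rule("1", "local", "trust", source_address=[ip_network("10.1.2.0/24")]),
    Rule("2", "trust", "untrust",
         source_address=[ip_network("10.1.2.0/24"), ip_network("100.2.2.0/24")]),
    Rule("3", "untrust", "dmz",
         destination_address=[ip_network("100.3.3.0/24")], service="icmp"),
]


def run_lab_checks() -> Dict[str, str]:
    """The lab's pings, plus the negative cases a policy review should also cover."""
    results = {
        "fw->trust":           evaluate("10.1.2.254", "10.1.2.1", "icmp", LAB_RULES),
        "trust->fw":           evaluate("10.1.2.1", "10.1.2.254", "icmp", LAB_RULES),
        "trust->untrust":      evaluate("10.1.2.1", "10.1.1.1", "icmp", LAB_RULES),
        "trust-lo->untrust":   evaluate("100.2.2.2", "10.1.1.1", "icmp", LAB_RULES),
        "untrust->dmz-lo":     evaluate("100.1.1.1", "100.3.3.3", "icmp", LAB_RULES),
        "untrust->dmz-phys":   evaluate("100.1.1.1", "10.1.3.3", "icmp", LAB_RULES),
        "untrust->dmz-lo ssh": evaluate("100.1.1.1", "100.3.3.3", "tcp/22", LAB_RULES),
        "untrust->trust":      evaluate("100.1.1.1", "10.1.2.1", "icmp", LAB_RULES),
    }
    # The echo reply from the DMZ loopback only passes because the request built a session.
    sessions: Set[Session] = set()
    evaluate("100.1.1.1", "100.3.3.3", "icmp", LAB_RULES, sessions)
    results["dmz-lo->untrust reply"] = evaluate("100.3.3.3", "100.1.1.1", "icmp", LAB_RULES, sessions)
    results["dmz-lo->untrust cold"] = evaluate("100.3.3.3", "100.1.1.1", "icmp", LAB_RULES)
    return results


if __name__ == "__main__":
    for flow, verdict in run_lab_checks().items():
        print(f"{flow:24} {verdict}")
```

Running it prints one verdict per flow. The two rows worth reading twice are "untrust->dmz-lo ssh", which shows that rule 3's service condition makes the DMZ loopback ICMP-only, and "dmz-lo->untrust cold", which shows that there is no dmz-to-untrust rule at all: the replies in step 9 get through only because of the session the request created, which is the behaviour to keep in mind when a server in the DMZ later needs to initiate connections outward.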


發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章