Firewall NAT + DHCP + ACL + AC/AP

[network topology diagram]


Task requirements:

SwitchA acts as the gateway for the wired terminals and as the DHCP server, assigning IP addresses to both wireless and wired terminals. ACLs on SwitchA restrict what each class of user may reach: client machines may only communicate with the servers in the DMZ, and wireless guests are denied access to the business server and to the employee wired network.

The firewall provides egress NAT, translating between public and private addresses. Security policies control access to the Internet: the client area needs no Internet access but may communicate with the DMZ servers. NAT Server exposes the web server in the DMZ to the public network.

This lab follows an article on the Huawei official website (the author's theoretical background is limited; apologies if some annotations are not quite right).


IP address table:

| Device | Interface | VLAN | IP address |
|---|---|---|---|
| Firewall | G1/0/0 | | 10.107.1.2/24 |
| Firewall | G1/0/1 | | 109.1.1.1/24 |
| Firewall | G1/0/2 | | 10.106.1.1/24 |
| SwitchA | G0/0/1 | 101, 102, 103, 105 | vlanif101: 10.101.1.1/24, vlanif102: 10.102.1.1/24 |
| SwitchA | G0/0/3 | 104 | vlanif104: 10.104.1.1/24 |
| SwitchA | G0/0/5 | 101, 102, 103, 105 | vlanif103: 10.103.1.1/24, vlanif105: 10.105.1.1/24 |
| SwitchA | G0/0/8 | 100 | vlanif100: 10.100.1.1/24 |
| SwitchA | G0/0/11 | 108 | vlanif108: 10.108.1.1/24 |
| SwitchA | G0/0/13 | 107 | vlanif107: 10.107.1.1/24 |
| SwitchB | E0/0/3 | 104 | |
| SwitchB | E0/0/5 | 104 | |
| SwitchC | E0/0/3 | 101, 102, 105 | |
| SwitchC | E0/0/5 | 101, 102, 103, 105 | |
| SwitchC | E0/0/13 | 103 | |
| SwitchD | E0/0/3 | 101, 102, 105 | |
| SwitchD | E0/0/5 | 101, 102, 103, 105 | |
| SwitchD | E0/0/13 | 103 | |
| WEB Server | E0/0/0 | | 10.106.1.2/24 |
| Business Server | E0/0/0 | | 10.108.1.2/24 |
| PC1 | E0/0/1 | 103 | via DHCP |
| PC2 | E0/0/1 | 103 | via DHCP |
| AC | G0/0/3 | 100 | 10.100.1.2/24 |
| AP1 | G0/0/0 | 105 | via DHCP |
| AP2 | G0/0/0 | 105 | via DHCP |

Device interface table:

| Local device | Local interface | Peer device | Peer interface |
|---|---|---|---|
| Firewall FW | GE1/0/0 | SwitchA | GE0/0/13 |
| Firewall FW | GE1/0/1 | Internet | GE0/0/0 |
| SwitchA | GE0/0/1 | SwitchC | E0/0/5 |
| SwitchA | GE0/0/3 | SwitchB | E0/0/5 |
| SwitchA | GE0/0/5 | SwitchD | E0/0/5 |
| SwitchA | GE0/0/8 | AC (controller) | GE0/0/3 |
| SwitchA | GE0/0/13 | Firewall FW | GE1/0/0 |
| SwitchB | E0/0/5 | SwitchA | GE0/0/3 |
| SwitchC | E0/0/5 | SwitchA | GE0/0/1 |
| SwitchC | E0/0/3 | AP1 | GE0/0/0 |
| SwitchD | E0/0/5 | SwitchA | GE0/0/5 |
| SwitchD | E0/0/3 | AP2 | GE0/0/0 |
| AC (controller) | GE0/0/3 | SwitchA | GE0/0/8 |

VLAN plan:

| VLAN | Description |
|---|---|
| VLAN100 | wireless management VLAN |
| VLAN101 | guest wireless service VLAN |
| VLAN102 | employee wireless service VLAN |
| VLAN103 | employee wired VLAN |
| VLAN104 | client area VLAN |
| VLAN105 | VLAN the APs belong to |
| VLAN107 | VLANIF uplink towards the firewall |
| VLAN108 | business area access VLAN |

Configuration approach:

  1. On the firewall, configure the IP addresses, the default route and the security zones; on the switches, create the VLANs and assign ports to them
  2. Configure the DHCP service on SwitchA
  3. Configure the AC so that the APs come online and the wireless terminals obtain IP addresses
  4. Configure NAT on the firewall to translate between public and private addresses
  5. Configure the ACLs on SwitchA and apply them to the interfaces

Firewall basic configuration:

<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sysname FW
[FW]inter g1/0/0
[FW-GigabitEthernet1/0/0]ip add 10.107.1.2 24
[FW-GigabitEthernet1/0/0]inter g1/0/1
[FW-GigabitEthernet1/0/1]ip add 109.1.1.1 24
[FW-GigabitEthernet1/0/1]inter g1/0/2
[FW-GigabitEthernet1/0/2]ip add 10.106.1.1 24
[FW-GigabitEthernet1/0/2]firewall zone trust    #enter the trust zone view
[FW-zone-trust]add inter g1/0/0   #add G1/0/0 to the trust zone
[FW-zone-trust]firewall zone untrust    #enter the untrust zone view
[FW-zone-untrust]add inter g1/0/1   #add G1/0/1 to the untrust zone
[FW-zone-untrust]firewall zone dmz    #enter the DMZ zone view
[FW-zone-dmz]add inter g1/0/2   #add G1/0/2 to the DMZ
[FW-zone-dmz]quit
[FW]ip route-static 10.0.0.0 8 10.107.1.1   #return route for the private networks: 10.0.0.0/8 via next hop 10.107.1.1 (SwitchA)
[FW]ip route-static 0.0.0.0 0 109.1.1.2   #default route towards the Internet
[FW]bfd   #enable BFD globally
[FW-bfd]quit
[FW]bfd 1 bind peer-ip 10.107.1.1 source-ip 10.107.1.2 auto   #bidirectional forwarding detection session with SwitchA
[FW-bfd-session-1]commit    #commit the BFD session configuration

AC basic configuration and VLAN assignment:

<AC6005>system-view
Enter system view, return user view with Ctrl+Z.
[AC6005]vlan batch 100
Info: This operation may take a few seconds. Please wait for a moment...done.
[AC6005]inter vlan 100
[AC6005-Vlanif100]ip add 10.100.1.2 24
[AC6005-Vlanif100]inter g0/0/3
[AC6005-GigabitEthernet0/0/3]port link-type acc
[AC6005-GigabitEthernet0/0/3]port default vlan 100
[AC6005-GigabitEthernet0/0/3]quit
[AC6005]ip route-static 0.0.0.0 0.0.0.0 10.100.1.1    #the AC's default route (next hop SwitchA vlanif100)

SwitchA basic configuration and VLAN assignment:

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname SWA
[SWA]vlan batch 100 to 105 107 108
Info: This operation may take a few seconds. Please wait for a moment...done.
[SWA]inter vlan 100
[SWA-Vlanif100]ip add 10.100.1.1 24
[SWA-Vlanif100]inter vlan 101
[SWA-Vlanif101]ip add 10.101.1.1 24
[SWA-Vlanif101]inter vlan 102
[SWA-Vlanif102]ip add 10.102.1.1 24
[SWA-Vlanif102]inter vlan 103
[SWA-Vlanif103]ip add 10.103.1.1 24
[SWA-Vlanif103]inter vlan 104
[SWA-Vlanif104]ip add 10.104.1.1 24
[SWA-Vlanif104]inter vlan 105
[SWA-Vlanif105]ip add 10.105.1.1 24
[SWA-Vlanif105]inter vlan 107
[SWA-Vlanif107]ip add 10.107.1.1 24
[SWA-Vlanif107]inter vlan 108
[SWA-Vlanif108]ip add 10.108.1.1 24
[SWA-Vlanif108]inter g0/0/1
[SWA-GigabitEthernet0/0/1]port link-type trunk
[SWA-GigabitEthernet0/0/1]port trunk allow vlan 101 to 103 105
[SWA-GigabitEthernet0/0/1]inter g0/0/3
[SWA-GigabitEthernet0/0/3]port link-type acc
[SWA-GigabitEthernet0/0/3]port default vlan 104
[SWA-GigabitEthernet0/0/3]inter g0/0/5
[SWA-GigabitEthernet0/0/5]port link-type trunk
[SWA-GigabitEthernet0/0/5]port trunk allow vlan 101 to 103 105
[SWA-GigabitEthernet0/0/5]inter g0/0/8
[SWA-GigabitEthernet0/0/8]port link-type acc
[SWA-GigabitEthernet0/0/8]port default vlan 100
[SWA-GigabitEthernet0/0/8]inter g0/0/11
[SWA-GigabitEthernet0/0/11]port link-type acc
[SWA-GigabitEthernet0/0/11]port default vlan 108
[SWA-GigabitEthernet0/0/11]inter g0/0/13
[SWA-GigabitEthernet0/0/13]port link-type acc
[SWA-GigabitEthernet0/0/13]port default vlan 107
[SWA-GigabitEthernet0/0/13]quit
[SWA]ip route-static 0.0.0.0 0 10.107.1.2   #default route towards the firewall
[SWA]bfd    #enable BFD globally
[SWA-bfd]quit
[SWA]bfd 1 bind peer-ip 10.107.1.2 source-ip 10.107.1.1 auto    #bidirectional forwarding detection session with the firewall
[SWA-bfd-session-1]commit   #commit the BFD session configuration

SwitchB VLAN assignment:

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname SWB
[SWB]vlan batch 104
Info: This operation may take a few seconds. Please wait for a moment...done.
[SWB]inter e0/0/5
[SWB-Ethernet0/0/5]port link-type acc
[SWB-Ethernet0/0/5]port default vlan 104
[SWB-Ethernet0/0/5]inter e0/0/3
[SWB-Ethernet0/0/3]port link-type acc
[SWB-Ethernet0/0/3]port default vlan 104
[SWB-Ethernet0/0/3]quit

SwitchC VLAN assignment:

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname SWC
[SWC]vlan batch 101 to 103 105
Info: This operation may take a few seconds. Please wait for a moment...done.
[SWC]inter e0/0/3
[SWC-Ethernet0/0/3]port link-type trunk
[SWC-Ethernet0/0/3]port trunk allow vlan 101 102 105
[SWC-Ethernet0/0/3]port trunk pvid vlan 105
[SWC-Ethernet0/0/3]inter e0/0/5
[SWC-Ethernet0/0/5]port link-type trunk
[SWC-Ethernet0/0/5]port trunk allow vlan 101 to 103 105
[SWC-Ethernet0/0/5]inter e0/0/13
[SWC-Ethernet0/0/13]port link-type acc
[SWC-Ethernet0/0/13]port default vlan 103
[SWC-Ethernet0/0/13]quit

SwitchD VLAN assignment:

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname SWD
[SWD]vlan batch 101 to 103 105
Info: This operation may take a few seconds. Please wait for a moment...done.
[SWD]inter e0/0/3
[SWD-Ethernet0/0/3]port link-type trunk
[SWD-Ethernet0/0/3]port trunk allow vlan 101 102 105
[SWD-Ethernet0/0/3]port trunk pvid vlan 105
[SWD-Ethernet0/0/3]inter e0/0/5
[SWD-Ethernet0/0/5]port link-type trunk
[SWD-Ethernet0/0/5]port trunk allow vlan 101 to 103 105
[SWD-Ethernet0/0/5]inter e0/0/13
[SWD-Ethernet0/0/13]port link-type acc
[SWD-Ethernet0/0/13]port default vlan 103
[SWD-Ethernet0/0/13]quit

SwitchA as DHCP server:

[SWA]dhcp enable    #enable DHCP globally
[SWA]inter vlan 103
[SWA-Vlanif103]dhcp select interface    #this VLANIF hands out addresses from its own subnet (interface address pool)
[SWA-Vlanif103]inter vlan 101
[SWA-Vlanif101]dhcp select interface
[SWA-Vlanif101]inter vlan 102
[SWA-Vlanif102]dhcp select interface
[SWA-Vlanif102]inter vlan 105
[SWA-Vlanif105]dhcp select interface
[SWA-Vlanif105]dhcp server option 43 sub-option 2 ip-address 10.100.1.2   #once an AP has obtained an address, option 43 tells it the AC's IP address (sub-option 2 is the ip-address form; sub-option 1 only accepts a hex string)
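What the `dhcp server option 43 sub-option 2 ip-address 10.100.1.2` line actually puts on the wire is a vendor-specific TLV inside DHCP option 43. The following Python encoder/decoder is an added example, not code from the post or from Huawei; it assumes the Huawei AP convention that the type byte of the sub-option equals the sub-option number in the command (1 = hex, 2 = IP address list, 3 = ASCII string), which is the format to reproduce when the DHCP server is not the switch itself. The decoder refuses truncated or malformed sub-options rather than guessing, which is the behaviour an AP's DHCP client should have on untrusted option data.

```python
import ipaddress

DHCP_OPTION_VENDOR_SPECIFIC = 43   # option 43: vendor-specific information
SUB_OPTION_IP = 2                  # "sub-option 2 ip-address" in the switch command (assumed wire type)
SUB_OPTION_ASCII = 3               # "sub-option 3 ascii" (assumed wire type)


def encode_ac_sub_option_ip(ac_addresses):
    """Sub-option 2: type byte, length, then 4 bytes per AC address."""
    value = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    return bytes([SUB_OPTION_IP, len(value)]) + value


def encode_ac_sub_option_ascii(ac_addresses):
    """Sub-option 3: the AC addresses as a comma-separated ASCII string."""
    value = ",".join(ac_addresses).encode("ascii")
    return bytes([SUB_OPTION_ASCII, len(value)]) + value


def wrap_option(code, payload):
    """Wrap a payload as a complete DHCP option: code, length, value."""
    if len(payload) > 255:
        raise ValueError("DHCP option value longer than 255 bytes")
    return bytes([code, len(payload)]) + payload


def parse_ac_addresses(option43_value):
    """Walk the TLVs inside option 43 and return the AC addresses found."""
    found = []
    i = 0
    while i < len(option43_value):
        if i + 2 > len(option43_value):
            raise ValueError("dangling sub-option header")
        sub, length = option43_value[i], option43_value[i + 1]
        value = option43_value[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d truncated" % sub)
        if sub == SUB_OPTION_IP:
            if length % 4:
                raise ValueError("sub-option 2 length must be a multiple of 4")
            found += [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4)]
        elif sub == SUB_OPTION_ASCII:
            # IPv4Address() validates each string, so garbage is rejected, not stored
            found += [str(ipaddress.IPv4Address(s)) for s in value.decode("ascii").split(",")]
        # unknown sub-options are skipped, never interpreted
        i += 2 + length
    return found


def ac_option_bytes(ac_addresses):
    """The complete on-wire option 43 the switch sends for the given ACs."""
    return wrap_option(DHCP_OPTION_VENDOR_SPECIFIC, encode_ac_sub_option_ip(ac_addresses))


if __name__ == "__main__":
    wire = ac_option_bytes(["10.100.1.2"])      # the lab's AC address
    print(wire.hex())                            # option 43, length 6, sub-option 2, length 4, 10.100.1.2
    print(parse_ac_addresses(wire[2:]))          # strip code and length, decode the value
```

The value returned by `parse_ac_addresses` is what the AP will use as its CAPWAP target, so on a network where DHCP is not under your control this is exactly the field a rogue DHCP server would abuse; the `ap auth-mode mac-auth` step on the AC does not protect the AP from that, which is one reason the AP VLAN (105) is kept separate from the user VLANs.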

AC: bringing the APs online (the APs must first obtain an address in VLAN 105):

[AC6005]capwap source interface vlanif100   #use vlanif100 as the CAPWAP source interface (the AC address the APs register with)
[AC6005]wlan    #enter the WLAN view
[AC6005-wlan-view]regulatory-domain-profile name office   #create the regulatory domain profile "office"
[AC6005-wlan-regulate-domain-office]country-code CN   #country code CN for the office profile (CN is the default; set explicitly to be safe)
[AC6005-wlan-regulate-domain-office]quit
[AC6005-wlan-view]ap-group name office    #create the AP group "office" for the office area
[AC6005-wlan-ap-group-office]regulatory-domain-profile office   #bind the office regulatory domain profile
[AC6005-wlan-ap-group-office]quit
[AC6005-wlan-view]ap auth-mode mac-auth   #AP authentication mode: MAC authentication
[AC6005-wlan-view]ap-id 0 ap-mac 00E0-FC4A-5F10
[AC6005-wlan-ap-0]ap-name office    #AP name "office"
[AC6005-wlan-ap-0]ap-group office   #add the AP to the AP group "office"
[AC6005-wlan-ap-0]quit
[AC6005-wlan-view]regulatory-domain-profile name manage
[AC6005-wlan-regulate-domain-manage]country-code CN
[AC6005-wlan-regulate-domain-manage]quit
[AC6005-wlan-view]ap-group name manage
[AC6005-wlan-ap-group-manage]regulatory-domain-profile manage
[AC6005-wlan-ap-group-manage]quit
[AC6005-wlan-view]ap-id 1 ap-mac 00E0-FC6C-6200
[AC6005-wlan-ap-1]ap-name manage
[AC6005-wlan-ap-1]ap-group manage
[AC6005-wlan-ap-1]quit
[AC6005-wlan-view]quit
[AC6005]display ap all    #check that the APs are online

AC: wireless service delivery to the APs:

[AC6005]wlan
[AC6005-wlan-view]security-profile name office    #create the security profile "office"
[AC6005-wlan-sec-prof-office]security wpa2 psk pass-phrase 12345678 aes   #WPA2-PSK with passphrase 12345678 and AES encryption
[AC6005-wlan-sec-prof-office]quit
[AC6005-wlan-view]ssid-profile name office    #create the SSID profile
[AC6005-wlan-ssid-prof-office]ssid office   #the Wi-Fi name is "office"
[AC6005-wlan-ssid-prof-office]quit
[AC6005-wlan-view]vap-profile name office   #create the VAP profile "office"
[AC6005-wlan-vap-prof-office]forward-mode direct-forward    #direct forwarding (the default)
[AC6005-wlan-vap-prof-office]service-vlan vlan-id 101   #service VLAN 101
[AC6005-wlan-vap-prof-office]ssid-profile office    #bind the SSID profile "office"
[AC6005-wlan-vap-prof-office]security-profile office    #bind the security profile "office"
[AC6005-wlan-vap-prof-office]quit
[AC6005-wlan-view]ap-group name office    #enter the AP group "office"
[AC6005-wlan-ap-group-office]vap-profile office wlan 1 radio 0    #bind the VAP profile on radio 0 (2.4 GHz band)
[AC6005-wlan-ap-group-office]vap-profile office wlan 1 radio 1    #bind the VAP profile on radio 1 (5 GHz band)
[AC6005-wlan-ap-group-office]quit

[AC6005-wlan-view]security-profile name manage
[AC6005-wlan-sec-prof-manage]security wpa2 psk pass-phrase 12345678 aes
[AC6005-wlan-sec-prof-manage]quit
[AC6005-wlan-view]ssid-profile name manage
[AC6005-wlan-ssid-prof-manage]ssid manage
[AC6005-wlan-ssid-prof-manage]quit
[AC6005-wlan-view]vap-profile name manage
[AC6005-wlan-vap-prof-manage]forward-mode direct-forward
[AC6005-wlan-vap-prof-manage]service-vlan vlan-id 102    #employee wireless service VLAN 102
[AC6005-wlan-vap-prof-manage]ssid-profile manage
[AC6005-wlan-vap-prof-manage]security-profile manage
[AC6005-wlan-vap-prof-manage]quit
[AC6005-wlan-view]ap-group name manage
[AC6005-wlan-ap-group-manage]vap-profile manage wlan 1 radio 0    #bind the VAP profile "manage" (SSID manage, VLAN 102) on radio 0
[AC6005-wlan-ap-group-manage]vap-profile manage wlan 1 radio 1    #and on radio 1
[AC6005-wlan-ap-group-manage]quit

Firewall inter-zone access policy:

[FW]security-policy   #enter the security-policy view
[FW-policy-security]rule name trust_untrust   #rule for the trust zone to reach the untrust zone (Internet)
[FW-policy-security-rule-trust_untrust]source-zone trust    #source zone trust
[FW-policy-security-rule-trust_untrust]destination-zone untrust   #destination zone untrust
[FW-policy-security-rule-trust_untrust]source-address 10.101.1.0 0.0.0.255
[FW-policy-security-rule-trust_untrust]source-address 10.102.1.0 0.0.0.255
[FW-policy-security-rule-trust_untrust]source-address 10.103.1.0 0.0.0.255
[FW-policy-security-rule-trust_untrust]action permit    #rule action: permit (the client VLAN 104 is not listed, so it gets no Internet access)
[FW-policy-security-rule-trust_untrust]quit

[FW-policy-security]rule name camera_dmz    #rule letting the client machines and the DMZ reach each other
[FW-policy-security-rule-camera_dmz]source-zone dmz
[FW-policy-security-rule-camera_dmz]source-zone trust
[FW-policy-security-rule-camera_dmz]destination-zone dmz
[FW-policy-security-rule-camera_dmz]destination-zone trust
[FW-policy-security-rule-camera_dmz]source-address 10.104.1.0 0.0.0.255   #client subnet
[FW-policy-security-rule-camera_dmz]source-address 10.106.1.0 0.0.0.255   #web server subnet
[FW-policy-security-rule-camera_dmz]destination-address 10.104.1.0 0.0.0.255    #destination: client subnet
[FW-policy-security-rule-camera_dmz]destination-address 10.106.1.0 0.0.0.255    #destination: web server subnet
[FW-policy-security-rule-camera_dmz]action permit
[FW-policy-security-rule-camera_dmz]quit

[FW-policy-security]rule name untrust_dmz   #rule for the untrust zone to reach the DMZ web server (no destination-address or service is given, so it permits any untrust traffic to the whole DMZ zone; only TCP 80 on 10.106.1.2 is actually reachable because that is the sole NAT Server mapping)
[FW-policy-security-rule-untrust_dmz]source-zone untrust
[FW-policy-security-rule-untrust_dmz]destination-zone dmz
[FW-policy-security-rule-untrust_dmz]action permit
[FW-policy-security-rule-untrust_dmz]quit

[FW-policy-security]rule name trust_dmz   #rule for the trust zone to reach the DMZ
[FW-policy-security-rule-trust_dmz]source-zone trust
[FW-policy-security-rule-trust_dmz]destination-zone dmz
[FW-policy-security-rule-trust_dmz]action permit
[FW-policy-security-rule-trust_dmz]quit

Firewall NAT configuration:

[FW]nat address-group 1   #create NAT address group 1
[FW-address-group-1]mode pat    #PAT mode: port address translation, so many private hosts share each public address by port
[FW-address-group-1]route enable    #generate routes for the pool addresses (prevents routing loops)
[FW-address-group-1]section 1 109.1.1.10 109.1.1.15   #the public address range of the pool
[FW-address-group-1]quit
[FW]nat-policy    #enter the NAT policy view
[FW-policy-nat]rule name trust_untrust    #rule trust_untrust: source-translate the listed private subnets when they go to the Internet
[FW-policy-nat-rule-trust_untrust]source-zone trust   #source zone trust
[FW-policy-nat-rule-trust_untrust]destination-zone untrust    #destination zone untrust
[FW-policy-nat-rule-trust_untrust]source-address 10.101.1.0 0.0.0.255   #guest wireless VLAN 101: 10.101.1.0/24
[FW-policy-nat-rule-trust_untrust]source-address 10.102.1.0 0.0.0.255   #employee wireless VLAN 102: 10.102.1.0/24
[FW-policy-nat-rule-trust_untrust]source-address 10.103.1.0 0.0.0.255   #employee wired VLAN 103: 10.103.1.0/24
[FW-policy-nat-rule-trust_untrust]action source-nat address-group 1   #use NAT address group 1
[FW-policy-nat-rule-trust_untrust]quit
[FW-policy-nat]quit
[FW]ip route-static 109.1.1.10 255.255.255.255 NULL0    #black-hole route for each pool address to prevent routing loops
[FW]ip route-static 109.1.1.11 255.255.255.255 NULL0
[FW]ip route-static 109.1.1.12 255.255.255.255 NULL0
[FW]ip route-static 109.1.1.13 255.255.255.255 NULL0
[FW]ip route-static 109.1.1.14 255.255.255.255 NULL0
[FW]ip route-static 109.1.1.15 255.255.255.255 NULL0

[FW]nat server protocol tcp global interface GigabitEthernet 1/0/1 www inside 10.106.1.2 www no-reverse
#NAT Server mapping: TCP port 80 (www) on the firewall's G1/0/1 interface address is mapped to the web server 10.106.1.2:80, so the Internet reaches the web server through the G1/0/1 address; no-reverse means only that inbound mapping exists and traffic the server initiates is not translated to the G1/0/1 address
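To make the two NAT behaviours above concrete, here is an added Python model (not code from the post or from Huawei) of the session logic: source PAT for VLANs 101 to 103 through the pool 109.1.1.10 to 109.1.1.15, and the static NAT Server mapping of 109.1.1.1:80 to 10.106.1.2:80 with `no-reverse`. Which pool address and port a real USG picks for a flow is its own business; the round-robin choice below is an assumption made only so the example is deterministic. What the model does show is the part that matters for policy: a source outside the `nat-policy` rule (the client VLAN 104 or the DMZ server) is forwarded untranslated, a reply is only accepted when a session exists, and an inbound packet that matches neither a session nor the NAT Server mapping is dropped.

```python
import ipaddress

# pool 109.1.1.10 .. 109.1.1.15 from "section 1 109.1.1.10 109.1.1.15"
POOL = [str(ipaddress.IPv4Address("109.1.1.10") + i) for i in range(6)]
# source subnets listed in nat-policy rule trust_untrust
NAT_SOURCES = [ipaddress.ip_network(n) for n in ("10.101.1.0/24", "10.102.1.0/24", "10.103.1.0/24")]
OUTSIDE_IF = "109.1.1.1"                        # G1/0/1 address used by "global interface"
NAT_SERVER = {(OUTSIDE_IF, 80): ("10.106.1.2", 80)}   # inbound-only mapping (no-reverse)


class NatTable:
    def __init__(self):
        self.sessions = {}   # (src, sport, dst, dport) -> (global ip, global port)
        self.reverse = {}    # (global ip, global port) -> (src, sport)
        self.next_port = {ip: 1024 for ip in POOL}   # assumed allocation order, per pool address

    def outbound(self, src, sport, dst, dport):
        """Translate a private->Internet packet. Returns (ip, port, translated?)."""
        if not any(ipaddress.ip_address(src) in n for n in NAT_SOURCES):
            return src, sport, False       # nat-policy does not match: forwarded as-is
        key = (src, sport, dst, dport)
        if key not in self.sessions:
            gip = POOL[int(ipaddress.IPv4Address(src)) % len(POOL)]   # assumed spread over the pool
            gport = self.next_port[gip]
            self.next_port[gip] += 1
            self.sessions[key] = (gip, gport)
            self.reverse[(gip, gport)] = (src, sport)
        gip, gport = self.sessions[key]
        return gip, gport, True

    def inbound(self, dst, dport):
        """Translate an Internet->firewall packet to its private target, or None to drop it."""
        if (dst, dport) in self.reverse:
            return self.reverse[(dst, dport)]     # reply to an existing PAT session
        if (dst, dport) in NAT_SERVER:
            return NAT_SERVER[(dst, dport)]       # static NAT Server mapping
        return None                               # no session and no mapping: dropped


if __name__ == "__main__":
    t = NatTable()
    gip, gport, _ = t.outbound("10.101.1.20", 40000, "8.8.8.8", 53)   # guest host to the Internet
    print(gip, gport, "->", t.inbound(gip, gport))                    # reply finds its way back
    print(t.outbound("10.104.1.2", 5000, "8.8.8.8", 53))              # client VLAN: not translated
    print(t.inbound(OUTSIDE_IF, 80), t.inbound(OUTSIDE_IF, 22))       # web mapped, ssh dropped
```

The black-hole routes and `route enable` in the post address a different concern from this table: a packet for a pool address that has no session would otherwise follow the default route back out of G1/0/1 and could bounce between the firewall and the upstream router; with the pool addresses pointing at NULL0 it is discarded on the firewall.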

ACL configuration on SwitchA:

[SWA]acl 3000   #ACL 3000 controls what the client machine may reach
[SWA-acl-adv-3000]description client    #description
[SWA-acl-adv-3000]rule 0 permit ip source 10.104.1.2 0 destination 10.106.1.2 0  #permit the client to reach the web server
[SWA-acl-adv-3000]rule 5 deny ip source 10.104.1.2 0    #deny the client everything else
[SWA-acl-adv-3000]quit
[SWA]inter g0/0/3
[SWA-GigabitEthernet0/0/3]traffic-filter inbound acl 3000   #apply ACL 3000 as an inbound traffic filter on G0/0/3

[SWA]acl 3001   #ACL 3001 keeps the wireless users out of the VLAN 103 (employee wired) and VLAN 108 (business) subnets
[SWA-acl-adv-3001]rule 0 deny ip source 10.101.1.0 0.0.0.255 destination 10.103.1.0 0.0.0.255    #guest wireless -> employee wired
[SWA-acl-adv-3001]rule 1 deny ip source 10.101.1.0 0.0.0.255 destination 10.108.1.0 0.0.0.255    #guest wireless -> business server
[SWA-acl-adv-3001]rule 2 deny ip source 10.102.1.0 0.0.0.255 destination 10.103.1.0 0.0.0.255    #employee wireless -> employee wired
[SWA-acl-adv-3001]rule 3 deny ip source 10.102.1.0 0.0.0.255 destination 10.108.1.0 0.0.0.255    #employee wireless -> business server
[SWA-acl-adv-3001]quit

[SWA]inter g0/0/1
[SWA-GigabitEthernet0/0/1]traffic-filter inbound acl 3001   #apply ACL 3001 as an inbound traffic filter on G0/0/1
[SWA-GigabitEthernet0/0/1]quit
[SWA]inter g0/0/5
[SWA-GigabitEthernet0/0/5]traffic-filter inbound acl 3001   #apply ACL 3001 as an inbound traffic filter on G0/0/5
[SWA-GigabitEthernet0/0/5]quit
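The task requirements are enforced in two places: the traffic-filter ACLs on SwitchA and the security policy on the firewall, and a flow is only reachable if both let it through. The following Python checker is an added example, not code from the post; it transcribes the ACL 3000/3001 rules from the section above and the four security-policy rules from the firewall section, and walks constructed test flows through both. It models the two defaults that matter and are easy to get backwards: a Huawei `traffic-filter` forwards a packet that matches no ACL rule (implicit permit), while the USG security policy drops a packet that matches no rule (implicit deny). It also shows that traffic between two trust-zone subnets is routed by SwitchA and never reaches the firewall, so only the ACL applies there.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 0 bit must equal the base, a 1 bit matches anything."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


# ACLs on SwitchA, transcribed from the post: (rule id, action, source, destination or None)
ACL_3000 = [
    (0, "permit", ("10.104.1.2", "0.0.0.0"), ("10.106.1.2", "0.0.0.0")),
    (5, "deny", ("10.104.1.2", "0.0.0.0"), None),
]
ACL_3001 = [
    (0, "deny", ("10.101.1.0", "0.0.0.255"), ("10.103.1.0", "0.0.0.255")),
    (1, "deny", ("10.101.1.0", "0.0.0.255"), ("10.108.1.0", "0.0.0.255")),
    (2, "deny", ("10.102.1.0", "0.0.0.255"), ("10.103.1.0", "0.0.0.255")),
    (3, "deny", ("10.102.1.0", "0.0.0.255"), ("10.108.1.0", "0.0.0.255")),
]
PORT_FILTER = {"G0/0/3": ACL_3000, "G0/0/1": ACL_3001, "G0/0/5": ACL_3001}   # traffic-filter inbound


def subnet(base):
    return (base, "0.0.0.255")


# Firewall security policy in the post's order; every rule is "action permit":
# (name, source zones, destination zones, source addresses or None, destination addresses or None)
SECURITY_POLICY = [
    ("trust_untrust", {"trust"}, {"untrust"},
     [subnet("10.101.1.0"), subnet("10.102.1.0"), subnet("10.103.1.0")], None),
    ("camera_dmz", {"dmz", "trust"}, {"dmz", "trust"},
     [subnet("10.104.1.0"), subnet("10.106.1.0")], [subnet("10.104.1.0"), subnet("10.106.1.0")]),
    ("untrust_dmz", {"untrust"}, {"dmz"}, None, None),
    ("trust_dmz", {"trust"}, {"dmz"}, None, None),
]


def zone_of(addr):
    """Zone follows the firewall interfaces: G1/0/2 is the DMZ, 10.0.0.0/8 is routed to trust."""
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network("10.106.1.0/24"):
        return "dmz"
    if ip in ipaddress.ip_network("10.0.0.0/8"):
        return "trust"
    return "untrust"


def acl_permits(acl, src, dst):
    """First match by rule number; no match means the switch forwards the packet."""
    for _rid, action, (sb, sw), dst_spec in sorted(acl, key=lambda r: r[0]):
        if not wildcard_match(src, sb, sw):
            continue
        if dst_spec is not None and not wildcard_match(dst, *dst_spec):
            continue
        return action == "permit"
    return True


def matching_policy(src, dst):
    """Name of the first matching security-policy rule, or None (implicit deny)."""
    sz, dz = zone_of(src), zone_of(dst)
    for name, szones, dzones, src_specs, dst_specs in SECURITY_POLICY:
        if sz not in szones or dz not in dzones:
            continue
        if src_specs and not any(wildcard_match(src, b, w) for b, w in src_specs):
            continue
        if dst_specs and not any(wildcard_match(dst, b, w) for b, w in dst_specs):
            continue
        return name
    return None


def reachable(ingress_port, src, dst):
    """Verdict for a flow entering SwitchA on ingress_port (None: the flow enters at the firewall)."""
    acl = PORT_FILTER.get(ingress_port)
    if acl is not None and not acl_permits(acl, src, dst):
        return False, "dropped by SwitchA traffic-filter"
    if zone_of(src) == zone_of(dst) == "trust":
        return True, "routed by SwitchA, never reaches the firewall"
    rule = matching_policy(src, dst)
    if rule is None:
        return False, "no security-policy rule for %s->%s (implicit deny)" % (zone_of(src), zone_of(dst))
    return True, "permitted by security-policy rule " + rule


if __name__ == "__main__":
    # constructed flows, one per requirement in the task description
    for port, src, dst in [("G0/0/3", "10.104.1.2", "10.106.1.2"),   # client -> web server
                           ("G0/0/3", "10.104.1.2", "10.103.1.10"),  # client -> employee wired
                           ("G0/0/3", "10.104.1.50", "8.8.8.8"),     # another client host -> Internet
                           ("G0/0/1", "10.101.1.20", "10.108.1.2"),  # guest Wi-Fi -> business server
                           ("G0/0/1", "10.101.1.20", "8.8.8.8"),     # guest Wi-Fi -> Internet
                           (None, "203.0.113.5", "10.106.1.2")]:     # Internet -> web server
        print(port, src, "->", dst, reachable(port, src, dst))
```

The third flow is the instructive one: ACL 3000 only names the single host 10.104.1.2, so a second machine in the client VLAN passes the switch filter untouched, and it is the firewall's implicit deny (VLAN 104 is absent from `trust_untrust`) that keeps it off the Internet. If the requirement is that the whole client area is confined to the DMZ, the ACL should match 10.104.1.0 0.0.0.255 rather than one address.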

Verification (screenshots in the original post):

Wired IP acquisition: [screenshots]

AP online status and wireless IP acquisition: [screenshots]

Client machine access:
  to the web server: [screenshot]
  to the employee wired network: [screenshot]
  to the wireless network: [screenshots]

Wireless user access: [screenshots]

NAT translation test:
  wired network: [screenshots]
  wireless network: [screenshots]

NAT address mapping (NAT Server): [screenshots]

Posted 2022-04-19 20:31 by 一头大笨向 (440 views, 1 comment)