Shulou(Shulou.com)06/02 Report--

Basic firewall configuration

What is a firewall?

Firewall (Firewall), also known as protective wall, was invented by Gil Shwed, founder of Check Point, and introduced into the Internet (US5606668 (A) 1793-12-15) in 1793. It is an information security protection system that allows or restricts the transmission of data according to specific rules. In the network, the so-called "firewall" refers to a method of separating the intranet from the public access network (such as Internet). It is actually an isolation technology. A firewall is an access control measure that is implemented when two networks communicate. It allows people and data you "agree" to enter your network, while shutting out people and data you "disagree". To the maximum extent possible to prevent people in the network from accessing your network. In other words, without going through the firewall, people inside the company cannot access people on the Internet,Internet or communicate with people inside the company.

1. Scene description:

The new campus of a certain college has an office book building, training building and teaching building. assuming that the local area network in each building has been built, the local area network of each building should be interconnected to build a highly reliable campus network. The network topology of the campus network is shown below. Among them, WAN-AR1 simulates the external network router, FW1 is the intranet core firewall, LSW1 is the intranet core switch, LSW2 is the server farm access switch, PC1 simulates a computer in the office library building, PC2 simulates a computer in the training building, and PC3 simulates a client in the training building.

Second, configuration requirements:

1. The management of fire wall domain is realized, in which the internal network is connected to the trust domain, the external network is connected to the untrust domain, and the server is connected to the DMZ domain.

two。 OSPF protocol is used between internal network devices, and static route is used between FW1 firewall and external network router AR1. 3. The firewall uses NAT to complete the address translation of the intranet and realize the access of intranet users to Internet (AR1 Simulation).

4. External network users can access the server through the destination NAT technology.

5. Office building users PC1 can only access the public network on weekdays, and can access DMZ at any time.

6. PC2, a user of the training building, can only access the servers in the DMZ domain, not the external network.

7. The teaching building user client can only access the FTP service of the server.

3. Topology diagram of configuration

Topological graph

4. IP address planning:

Device name

Interface-VLAN

IP address

Request

FW1

(3 mouths)

202.100. 17). (2) / (28)

Connect to AR1

14 available addresses

Use the second address

(1 bite)

172.16.1 (1) / (29)

Connect to LSW1

6 available addresses

Use the first address

(2 mouths)

172.16.2 (1) / (30)

Connect to LSW2

2 available addresses

Use the first address

202.100. (17). (3-5) / (28)

NAT address pool, which is the same network segment as the interconnection address of AR1, using the 3rd-5th address

AR1

(0)

202.100. (17) (1) / (28)

Connect to FW1

14 available addresses

Use the first address

(0)

1.1.1. (17) / (32)

LOOPBACK address

LSW1

(24 mouths)

(vlan40)

172.16.1 (2) / (29)

Connect to FW1

6 available addresses

Use the second address

(1 bite)

(VLAN10)

192.168.15 (254) / (22)

Connect to PC1

800 available addresses

Use the last address

(2 mouths)

(VLAN20)

192.168.17. (254) / (23)

Connect to PC2

400 available addresses

Use the last address

(3 mouths)

(VLAN30)

192.168.18 (254) / (24)

Connect to the client

200 available addresses

Use the last address

LSW2

(24 ports) vlan 10

172.16.2 (2) / (30)

Connect to FW1

2 available addresses

Use the second address

(1 bite)

(VLAN99)

192.168.200 (30) / (27)

Connect to the server

30 available addresses

Use the last address

Server

192.168.200 (2) / (27)

Use the second address

202.100. 17). (6) / (28)

Destination NAT mapped address, using the 6th address

PC1

192.168.12 (17) / (22)

PC2

192.168.16 (17) / (23)

Client

192.168.18 (17) / (24)

5. Main configuration commands:

I. configuration of S1 (switch 1):

SysnameS1

#

Vlanbatch 10 20 30 40

#

InterfaceVlanif1

#

InterfaceVlanif10

Ip address 172.168.12.255 255.255.252.0

#

InterfaceVlanif20

Ip address 172.168.16.255 255.255.254.0

#

InterfaceVlanif30

Ip address 172.168.18.254 255.255.255.0

#

InterfaceVlanif40

Ip address 172.16.1.2 255.255.255.248

#

InterfaceMEth0/0/1

#

InterfaceGigabitEthernet0/0/1

Port link-type access

Port default vlan 10

#

InterfaceGigabitEthernet0/0/2

Port link-type access

Port default vlan 20

#

InterfaceGigabitEthernet0/0/3

Port link-type access

Port default vlan 30

#

InterfaceGigabitEthernet0/0/4

#

InterfaceGigabitEthernet0/0/24

Port link-type access

Port default vlan 40

#

InterfaceNULL0

#

Ospf1

Area 0.0.0.0

Network 172.16.1.2 0.0.0.0

Network 172.168.16.255 0.0.0.0

Network 172.168.12.255 0.0.0.0

Network 172.168.18.254 0.0.0.0

#

Iproute-static 0.0.0.0 0.0.0.0 172.16.1.1

Second, the configuration of S2 (switch 2):

Sysnames2

#

Vlanbatch 10 20

#

InterfaceVlanif10

Ip address 172.16.2.2 255.255.255.252

#

InterfaceVlanif20

Ip address 172.168.200.30 255.255.255.224

#

InterfaceMEth0/0/1

#

InterfaceGigabitEthernet0/0/1

Port link-type access

Port default vlan 20

#

InterfaceGigabitEthernet0/0/2

#

InterfaceGigabitEthernet0/0/24

Port link-type access

Port default vlan 10

#

InterfaceNULL0

#

Ospf10

Area 0.0.0.0

Network 172.168.200.30 0.0.0.0

Network 172.16.2.2 0.0.0.0

#

Iproute-static 0.0.0.0 0.0.0.0 172.16.2.1

3. R1 (router) configuration:

InterfaceEthernet0/0/0

Ip address 202.100.17.1 255.255.255.240

#

InterfaceLoopBack0

Ip address 1.1.1.17 255.255.255.255

#

Iproute-static 172.168.200.0 255.255.255.0 202.100.17.2

Fourth, the configuration of FW (firewall):

1. Interface configuration.

InterfaceGigabitEthernet0/0/1

Ip address 172.16.1.1 255.255.255.248

#

InterfaceGigabitEthernet0/0/2

Ip address 172.16.2.1 255.255.255.252

#

InterfaceGigabitEthernet0/0/3

Ip address 202.100.17.2 255.255.255.240

two。 Join the interface to the appropriate domain

Firewallzone trust

Set priority 85

Add interface GigabitEthernet0/0/0

Add interface GigabitEthernet0/0/1

#

Firewallzone untrust

Set priority 5

Add interface GigabitEthernet0/0/3

#

Firewallzone dmz

Set priority 50

Add interface GigabitEthernet0/0/2

#

3. Configure routin

Ospf10

Area 0.0.0.0

Network 172.16.1.1 0.0.0.0

Network 172.16.2.1 0.0.0.0

#

Iproute-static 0.0.0.0 0.0.0.0 202.100.17.1

#

4. Enable inter-domain policy

Firewall packet-filter default permit all

#

5. Configure nat address pool and nat server

Nat address-group 1 202.100.17.3 202.100.17.3

Nat server 0 global 202.100.17.4 inside 172.168.200.2

#

Time-range 1 08:00 to 17:00 working-day (time Policy)

6. Configure custom policies to achieve different functions.

Policyinterzone trust untrust outbound

Policy 2

Action deny

Policy source 172.168.16.8 0

#

Policyinterzone trust dmz outbound

Policy 1

Action permit

Policy service service-set ftp

Policy source 172.168.18.9 0

Policy destination 172.168.200.2 0

Policy2

Actiondeny

Policysource 172.168.18.9 0

#

Nat-policyinterzone trust untrust outbound

Policy 1

Action source-nat

Policy time-range 1

Address-group 1

6. Screenshot of connectivity test

1. PC1 accesses the public network on weekdays

2. PC1 accesses the public network outside the working day.

3. PC1 access server

4. PC2 accesses the public network

5. PC2 access server

6. The client accesses via FTP

7. The client uses PING to test

8. External network users access the server

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.