2025-04-04 Update From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 06/02 Report
Basic firewall configuration
What is a firewall?
A firewall, also called a protective wall, was invented by Gil Shwed, founder of Check Point, and introduced to the Internet in 1993 (US5606668 (A), 1993-12-15). It is an information security protection system that permits or restricts the transmission of data according to specific rules. In networking, a "firewall" is a method of separating an internal network from a publicly accessible network such as the Internet; it is essentially an isolation technique. A firewall is an access control measure applied when two networks communicate: it lets in the people and data you approve of and keeps out the people and data you do not, preventing outsiders from reaching your network as far as possible. In other words, without passing through the firewall, people inside the company cannot reach the Internet, and people on the Internet cannot communicate with people inside the company.
1. Scene description:
The new campus of a certain college has an office building, a training building and a teaching building. Assuming that the local area network in each building has already been built, the LANs of the three buildings are to be interconnected to form a highly reliable campus network. The campus network topology is shown below. WAN-AR1 simulates the external network router, FW1 is the intranet core firewall, LSW1 is the intranet core switch, LSW2 is the server farm access switch, PC1 simulates a computer in the office building, PC2 simulates a computer in the training building, and the client (PC3) simulates a computer in the teaching building.
2. Configuration requirements:
1. Firewall zone management: the internal network connects to the trust zone, the external network to the untrust zone, and the server to the DMZ zone.
2. OSPF runs between the internal network devices; static routes are used between firewall FW1 and the external router AR1.
3. The firewall uses NAT to translate intranet addresses so that intranet users can reach the Internet (simulated by AR1).
4. External network users can access the server through destination NAT.
5. Office building user PC1 can access the public network only on weekdays, and can access the DMZ at any time.
6. Training building user PC2 can only access the servers in the DMZ zone, not the external network.
7. The teaching building client can only access the FTP service of the server.
3. Topology diagram
[Topology diagram]
4. IP address planning:
Device | Interface / VLAN | IP address | Remarks
FW1 | G0/0/3 | 202.100.17.2/28 | Connect to AR1; 14 available addresses, use the second address
FW1 | G0/0/1 | 172.16.1.1/29 | Connect to LSW1; 6 available addresses, use the first address
FW1 | G0/0/2 | 172.16.2.1/30 | Connect to LSW2; 2 available addresses, use the first address
FW1 | - | 202.100.17.3-5/28 | NAT address pool, same network segment as the AR1 interconnection address, using the 3rd to 5th addresses
AR1 | E0/0/0 | 202.100.17.1/28 | Connect to FW1; 14 available addresses, use the first address
AR1 | LoopBack0 | 1.1.1.17/32 | Loopback address
LSW1 | port 24 (VLAN40) | 172.16.1.2/29 | Connect to FW1; 6 available addresses, use the second address
LSW1 | port 1 (VLAN10) | 192.168.15.254/22 | Connect to PC1; 800 available addresses, use the last address
LSW1 | port 2 (VLAN20) | 192.168.17.254/23 | Connect to PC2; 400 available addresses, use the last address
LSW1 | port 3 (VLAN30) | 192.168.18.254/24 | Connect to the client; 200 available addresses, use the last address
LSW2 | port 24 (VLAN10) | 172.16.2.2/30 | Connect to FW1; 2 available addresses, use the second address
LSW2 | port 1 (VLAN99) | 192.168.200.30/27 | Connect to the server; 30 available addresses, use the last address
Server | - | 192.168.200.2/27 | Use the second address
Server | - | 202.100.17.6/28 | Destination NAT mapped address, using the 6th address
PC1 | - | 192.168.12.17/22 |
PC2 | - | 192.168.16.17/23 |
Client | - | 192.168.18.17/24 |
5. Main configuration commands:
1. Configuration of S1 (switch 1):
sysname S1
#
vlan batch 10 20 30 40
#
interface Vlanif1
#
interface Vlanif10
 ip address 172.168.12.255 255.255.252.0
#
interface Vlanif20
 ip address 172.168.16.255 255.255.254.0
#
interface Vlanif30
 ip address 172.168.18.254 255.255.255.0
#
interface Vlanif40
 ip address 172.16.1.2 255.255.255.248
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 40
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 172.16.1.2 0.0.0.0
  network 172.168.16.255 0.0.0.0
  network 172.168.12.255 0.0.0.0
  network 172.168.18.254 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.1.1
2. Configuration of S2 (switch 2):
sysname S2
#
vlan batch 10 20
#
interface Vlanif10
 ip address 172.16.2.2 255.255.255.252
#
interface Vlanif20
 ip address 172.168.200.30 255.255.255.224
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 10
#
interface NULL0
#
ospf 10
 area 0.0.0.0
  network 172.168.200.30 0.0.0.0
  network 172.16.2.2 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.2.1
3. Configuration of R1 (router):
interface Ethernet0/0/0
 ip address 202.100.17.1 255.255.255.240
#
interface LoopBack0
 ip address 1.1.1.17 255.255.255.255
#
ip route-static 172.168.200.0 255.255.255.0 202.100.17.2
4. Configuration of FW (firewall):
1. Interface configuration
interface GigabitEthernet0/0/1
 ip address 172.16.1.1 255.255.255.248
#
interface GigabitEthernet0/0/2
 ip address 172.16.2.1 255.255.255.252
#
interface GigabitEthernet0/0/3
 ip address 202.100.17.2 255.255.255.240
2. Add the interfaces to the appropriate zones
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
#
3. Configure routing
ospf 10
 area 0.0.0.0
  network 172.16.1.1 0.0.0.0
  network 172.16.2.1 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 202.100.17.1
#
4. Enable the default interzone policy
firewall packet-filter default permit all
#
5. Configure the NAT address pool, the NAT server and the time range (time policy)
nat address-group 1 202.100.17.3 202.100.17.3
nat server 0 global 202.100.17.4 inside 172.168.200.2
#
time-range 1 08:00 to 17:00 working-day
6. Configure custom policies to implement the different requirements
policy interzone trust untrust outbound
 policy 2
  action deny
  policy source 172.168.16.8 0
#
policy interzone trust dmz outbound
 policy 1
  action permit
  policy service service-set ftp
  policy source 172.168.18.9 0
  policy destination 172.168.200.2 0
 policy 2
  action deny
  policy source 172.168.18.9 0
#
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  policy time-range 1
  address-group 1
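To check the firewall rule set above against the requirements before running the connectivity tests, here is an added Python model of the interzone and NAT policies (example code written for this article, not part of the original configuration). The subnets, rule order and addresses are taken from the configuration as listed; the host addresses used in the checks and the sample times are constructed, and the 17:00 end of the time range is treated as exclusive.

```python
import ipaddress
from datetime import datetime
# Subnets behind each firewall zone, taken from the interface and zone configuration listed above
ZONES = {
    "trust":   ["172.168.12.0/22", "172.168.16.0/23", "172.168.18.0/24", "172.16.1.0/29"],
    "dmz":     ["172.168.200.0/27", "172.16.2.0/30"],
    "untrust": ["202.100.17.0/28", "1.1.1.17/32"],
}
# Interzone policies as configured: first match wins; no match falls through to "packet-filter default permit all"
POLICIES = {
    ("trust", "untrust"): [
        {"action": "deny", "source": "172.168.16.8/32"},                      # policy 2
    ],
    ("trust", "dmz"): [
        {"action": "permit", "source": "172.168.18.9/32",
         "destination": "172.168.200.2/32", "service": "ftp"},                # policy 1
        {"action": "deny", "source": "172.168.18.9/32"},                      # policy 2
    ],
}
MONDAY_10AM = datetime(2024, 6, 3, 10, 0)    # constructed sample time: a working day
SATURDAY_10AM = datetime(2024, 6, 1, 10, 0)  # constructed sample time: a weekend day

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "untrust"  # any other address is reached via the default route out of G0/0/3

def _matches(rule, src, dst, service):
    for key, value in (("source", src), ("destination", dst)):
        if key in rule and ipaddress.ip_address(value) not in ipaddress.ip_network(rule[key]):
            return False
    return rule.get("service", service) == service  # a rule without a service matches any service

def policy_action(src, dst, service):
    for rule in POLICIES.get((zone_of(src), zone_of(dst)), []):
        if _matches(rule, src, dst, service):
            return rule["action"]
    return "permit"  # default interzone action on this firewall

def time_range_1_active(when):
    return when.weekday() < 5 and 8 <= when.hour < 17  # "08:00 to 17:00 working-day", end exclusive

def reachable(src, dst, service, when):
    # permitted by policy, and for trust -> untrust also source-NATed (nat-policy 1 bound to time-range 1);
    # outside the time range the packet leaves with a private source address and no reply can return
    if policy_action(src, dst, service) != "permit":
        return False
    needs_nat = (zone_of(src), zone_of(dst)) == ("trust", "untrust")
    return time_range_1_active(when) if needs_nat else True
```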
6. Connectivity test screenshots
1. PC1 accesses the public network on a working day
2. PC1 accesses the public network outside working days
3. PC1 accesses the server
4. PC2 accesses the public network
5. PC2 accesses the server
6. The client accesses the server via FTP
7. The client tests with PING
8. External network users access the server