2025-02-27 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Scenario: when the client accesses the web server, the request traffic goes through the router directly to the web server. The return traffic reaches the router first; policy-based routing on the router then redirects the web server's replies for the client to the firewall, which sends them back to the router and finally on to the client. The firewall is also configured with a route to the client.
On the router, every interface address ends in .254.
Router policy routing configuration:
acl number 3000
 rule 5 permit icmp destination 192.168.0.0 0.0.0.255
 rule 10 permit tcp destination 192.168.0.0 0.0.0.255
 rule 15 permit ip destination 192.168.0.0 0.0.0.255
policy-based-route aa permit node 10
 if-match acl 3000
 apply ip-address next-hop 172.16.1.1
interface GigabitEthernet0/0/1
 ip address 172.16.0.254 255.255.255.0
 ip policy-based-route aa
Firewall configuration:
interface GigabitEthernet0/0/1
 ip address 172.16.1.1 255.255.255.0
interface GigabitEthernet0/0/3
 ip address 172.16.2.1 255.255.255.0
firewall zone trust
 add interface GigabitEthernet0/0/3
firewall zone untrust
 add interface GigabitEthernet0/0/1
Configure the policy that permits traffic from untrust to trust:
policy interzone trust untrust inbound
 policy 1
  action permit
  policy service service-set tcp
  policy destination 192.168.0.0 mask 255.255.255.0
Configure the route to the client:
ip route-static 192.168.0.0 255.255.255.0 172.16.2.254
Test: with link-state checking enabled, access the web server from the client. The return traffic does not get back to the client.
Turn off link-state checking on the firewall:
undo firewall session link-state check
Test again:
[SRG] display firewall session table verbose
15:40:16 2017-11-15
Current Total Sessions: 2
tcp VPN: public --> public
Zone: untrust --> trust TTL: 00:00:10 Left: 00:00:02
Interface: GigabitEthernet0/0/3 NextHop: 172.16.2.254 MAC: 54-89-98-fe-41-5f
Packets:4 bytes:465
172.16.0.1:80-->192.168.0.1:2071
tcp VPN: public --> public
Zone: untrust --> trust TTL: 00:10:00 Left: 00:09:52
Interface: GigabitEthernet0/0/3 NextHop: 172.16.2.254 MAC: 54-89-98-fe-41-5f
Packets:3 bytes:425
172.16.0.1:80-->192.168.0.1:2072
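Both entries above have the web server's port 80 on the source side, which is what a session built from return traffic looks like once link-state checking is off. The Python sketch below is an added example, not part of the original article: it parses session-table text in this layout and flags such entries for review. The sample text is constructed, and the function names and the 1023 service-port threshold are assumptions.

```python
import re

# Constructed sample in the layout of the session table shown above.
# The second entry is an invented client-initiated session for contrast.
SAMPLE = """\
tcp VPN: public --> public
Zone: untrust --> trust TTL: 00:00:10 Left: 00:00:02
Interface: GigabitEthernet0/0/3 NextHop: 172.16.2.254 MAC: 54-89-98-fe-41-5f
Packets:4 bytes:465
172.16.0.1:80-->192.168.0.1:2071
tcp VPN: public --> public
Zone: trust --> untrust TTL: 00:10:00 Left: 00:09:40
Interface: GigabitEthernet0/0/1 NextHop: 172.16.1.254 MAC: 54-89-98-fe-41-60
Packets:9 bytes:1210
192.168.0.7:51514-->172.16.0.1:80
"""

PROTO = re.compile(r"^\s*(tcp|udp)\b", re.I)
ZONE = re.compile(r"Zone:\s*(\S+?)\s*-+\s*>\s*(\S+)", re.I)
FLOW = re.compile(r"(\d+(?:\.\d+){3}):(\d+)\s*-+>\s*(\d+(?:\.\d+){3}):(\d+)")

def parse_sessions(text):
    """Return one dict per tcp/udp entry in the verbose session table."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := PROTO.match(line):          # protocol line starts a new entry
            cur = {"proto": m.group(1).lower()}
            sessions.append(cur)
        elif cur is None:                   # banner lines before the first entry
            continue
        elif m := ZONE.search(line):
            cur["src_zone"], cur["dst_zone"] = m.groups()
        elif m := FLOW.search(line):
            cur["src"], cur["dst"] = m.group(1), m.group(3)
            cur["sport"], cur["dport"] = int(m.group(2)), int(m.group(4))
    return [s for s in sessions if "sport" in s]

def reply_created(sessions, service_max=1023):
    """Entries whose source is a service port and whose destination is a high
    port: the firewall built the session from a reply, not from the client SYN."""
    return [s for s in sessions if s["sport"] <= service_max < s["dport"]]

if __name__ == "__main__":
    for s in reply_created(parse_sessions(SAMPLE)):
        print(f'{s["src_zone"]}->{s["dst_zone"]} '
              f'{s["src"]}:{s["sport"]} -> {s["dst"]}:{s["dport"]}')
```
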
Summary:
Protocol | Message             | State detection on          | State detection off
TCP      | SYN                 | Create session, forward     | Create session, forward
TCP      | SYN+ACK, ACK        | Do not create session, drop | Do not create session, drop
UDP      | -                   | Create session, forward     | Create session, forward
ICMP     | Ping echo request   | Create session, forward     | Create session, forward
ICMP     | Ping echo reply     | Do not create session, drop | Create session, forward
ICMP     | Other ICMP messages | Do not create session, drop | Do not create session, drop