2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Today we bring a case of building a small and medium-sized network. In a medium-sized enterprise network an indispensable device is the firewall. In yesterday's article I briefly introduced the overview and functions of the firewall; if you still have questions, you can ask them at the bottom of the article, and the editor will do his best to answer them. Without further ado: you will understand everything once you start working through it!
Project name:
A case of small Network Construction-- the Application of Firewall
Project Topology:
Project requirements:
1. VLAN interworking
2. Configure VRRP to provide a redundant virtual gateway
3. Private network PAT to access the public network
4. Publish the WEB server so that it can be accessed from the public network
Address Planning:
Port link mode planning:
Technology involved:
VLAN:
Refers to a virtual local area network, a Layer 2 technology. It isolates broadcast domains on a switch, which limits the impact of broadcast storms on the switched network, reduces the difficulty of network management and allows the network to be scaled flexibly.
Trunk and Access:
A trunk link can forward data for several VLANs at the same time; the frames carry VLAN tags (except those of the native VLAN).
An access link carries data for only one VLAN; the frames it sends and receives are untagged.
VRRP:
Refers to the Virtual Router Redundancy Protocol. Its function is to form a virtual gateway IP address across different gateway devices, so that the gateways back each other up and the gateway becomes more stable.
NAT:
Refers to network address translation. Its function is to translate between the private IP addresses of the internal network and the public IP addresses of the external network, so that the internal and external networks can communicate; at the same time it hides the structure of the internal network and improves the security of the network.
Default route:
A special static route that gives a router somewhere to send a packet when no entry in the routing table matches the packet's destination address. Without a default route, packets whose destination does not match any routing table entry are discarded.
Experimental ideas and steps: 1. First, plan and configure the link modes according to the port link mode planning above.
Specific operations: create the VLANs, configure the link mode of each port and add the ports to their VLANs.
1. The configuration commands for switch 1 are as follows:
<Huawei> sys
Enter system view, return user view with Ctrl+Z.
[Huawei] sysname sw1
[sw1] vlan batch 10 20 100 12 22
[sw1] int gi0/0/1
[sw1-GigabitEthernet0/0/1] port link-type trunk
[sw1-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/1] int gi0/0/2
[sw1-GigabitEthernet0/0/2] port link-type access
[sw1-GigabitEthernet0/0/2] port default vlan 12
[sw1-GigabitEthernet0/0/2] int gi0/0/3
[sw1-GigabitEthernet0/0/3] port link-type trunk
[sw1-GigabitEthernet0/0/3] port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/3] int gi0/0/4
[sw1-GigabitEthernet0/0/4] port link-type access
[sw1-GigabitEthernet0/0/4] port default vlan 100
Verify:
2. The configuration commands for switch 2 are as follows:
<Huawei> sys
Enter system view, return user view with Ctrl+Z.
[Huawei] sysname sw2
[sw2] vlan batch 10 20 100 12 22
[sw2] int gi0/0/1
[sw2-GigabitEthernet0/0/1] port link-type trunk
[sw2-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/1] int gi0/0/2
[sw2-GigabitEthernet0/0/2] port link-type access
[sw2-GigabitEthernet0/0/2] port default vlan 20
[sw2-GigabitEthernet0/0/2] int gi0/0/4
[sw2-GigabitEthernet0/0/4] port link-type trunk
[sw2-GigabitEthernet0/0/4] port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/4] int gi0/0/3
[sw2-GigabitEthernet0/0/3] port link-type access
[sw2-GigabitEthernet0/0/3] port default vlan 22
Verify:
3. The configuration commands for switch 3 are as follows:
<Huawei> sys
Enter system view, return user view with Ctrl+Z.
[Huawei] sysname sw3
[sw3] vlan batch 10 20 100 12 22
[sw3] int e0/0/1
[sw3-Ethernet0/0/1] port link-type access
[sw3-Ethernet0/0/1] port default vlan 10
[sw3-Ethernet0/0/1] int e0/0/2
[sw3-Ethernet0/0/2] port link-type trunk
[sw3-Ethernet0/0/2] port trunk allow-pass vlan all
[sw3-Ethernet0/0/2] int e0/0/3
[sw3-Ethernet0/0/3] port link-type trunk
[sw3-Ethernet0/0/3] port trunk allow-pass vlan all
Verify:
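Before moving on to Layer 3, it is worth checking on paper which VLANs each port actually forwards, and whether the trunks carry more than they need to. The following Python script is an added example (not from the article) that parses the VRP port commands of sw1, sw2 and sw3 exactly as listed above, using the prompt of each line to learn the switch and interface, and then answers two questions: which ports carry a given VLAN (tagged or untagged), and which trunks use "allow-pass vlan all". The second point is a least-privilege observation about this lab: "vlan all" means the firewall transit VLANs 12 and 22 are also extended across every trunk, although only one access port on sw1 and one on sw2 need them. The modelling of "allow-pass vlan all" as "every VLAN created on that switch plus VLAN 1" is an assumption of the example.

```python
"""Added example (not from the article): parse the VRP port commands above and
report which VLANs each port forwards, tagged or untagged."""
import re
from collections import defaultdict

# Constructed input: the commands shown for sw1, sw2 and sw3, one per line,
# with the VRP prompt kept (the prompt tells us the switch and the interface).
SWITCH_CONFIG = """\
[sw1] vlan batch 10 20 100 12 22
[sw1-GigabitEthernet0/0/1] port link-type trunk
[sw1-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/2] port link-type access
[sw1-GigabitEthernet0/0/2] port default vlan 12
[sw1-GigabitEthernet0/0/3] port link-type trunk
[sw1-GigabitEthernet0/0/3] port trunk allow-pass vlan all
[sw1-GigabitEthernet0/0/4] port link-type access
[sw1-GigabitEthernet0/0/4] port default vlan 100
[sw2] vlan batch 10 20 100 12 22
[sw2-GigabitEthernet0/0/1] port link-type trunk
[sw2-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/2] port link-type access
[sw2-GigabitEthernet0/0/2] port default vlan 20
[sw2-GigabitEthernet0/0/4] port link-type trunk
[sw2-GigabitEthernet0/0/4] port trunk allow-pass vlan all
[sw2-GigabitEthernet0/0/3] port link-type access
[sw2-GigabitEthernet0/0/3] port default vlan 22
[sw3] vlan batch 10 20 100 12 22
[sw3-Ethernet0/0/1] port link-type access
[sw3-Ethernet0/0/1] port default vlan 10
[sw3-Ethernet0/0/2] port link-type trunk
[sw3-Ethernet0/0/2] port trunk allow-pass vlan all
[sw3-Ethernet0/0/3] port link-type trunk
[sw3-Ethernet0/0/3] port trunk allow-pass vlan all
"""

# "[sw1] cmd" or "[sw1-GigabitEthernet0/0/1] cmd"
PROMPT = re.compile(r"^\[(?P<sw>[^\]-]+)(?:-(?P<iface>[^\]]+))?\]\s*(?P<cmd>.*)$")


def _vlan_ids(tokens):
    """Expand a VRP VLAN list such as '10 20 100' or '10 to 20'."""
    ids, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def parse_vrp(text):
    """Return (vlans, ports): vlans[sw] is the set created by 'vlan batch',
    ports[sw][iface] holds mode, allowed trunk VLANs ('all' or a set) and PVID."""
    vlans = defaultdict(set)
    ports = defaultdict(dict)
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        sw, iface, cmd = m["sw"], m["iface"], m["cmd"].split()
        if cmd[:2] == ["vlan", "batch"]:
            vlans[sw] |= _vlan_ids(cmd[2:])
            continue
        if iface is None:
            continue
        # VRP defaults: access mode, PVID 1, a trunk allows only VLAN 1 until told otherwise
        port = ports[sw].setdefault(iface, {"mode": "access", "allowed": set(), "pvid": 1})
        if cmd[:2] == ["port", "link-type"]:
            port["mode"] = cmd[2]
        elif cmd[:4] == ["port", "trunk", "allow-pass", "vlan"]:
            port["allowed"] = "all" if cmd[4] == "all" else _vlan_ids(cmd[4:])
        elif cmd[:3] == ["port", "default", "vlan"]:
            port["pvid"] = int(cmd[3])
    return vlans, ports


def port_vlans(vlans, ports, sw, iface):
    """VLANs a port forwards: an access port only its PVID; a trunk its PVID plus
    every allowed VLAN that exists on the switch (VLAN 1 always exists; assumption)."""
    port = ports[sw][iface]
    if port["mode"] == "access":
        return {port["pvid"]}
    existing = vlans[sw] | {1}
    allowed = existing if port["allowed"] == "all" else set(port["allowed"])
    return (allowed | {port["pvid"]}) & existing


def ports_carrying(vlans, ports, vlan):
    """Every (switch, interface, tagged) tuple that forwards the given VLAN."""
    hits = set()
    for sw, ifaces in ports.items():
        for iface, port in ifaces.items():
            if vlan in port_vlans(vlans, ports, sw, iface):
                hits.add((sw, iface, port["mode"] == "trunk" and vlan != port["pvid"]))
    return hits


def trunks_allowing_all(ports):
    """Trunks configured with 'allow-pass vlan all': they also extend the firewall
    transit VLANs (12 and 22 here) to every switch, so they are candidates for pruning."""
    return sorted((sw, iface) for sw, ifaces in ports.items()
                  for iface, port in ifaces.items()
                  if port["mode"] == "trunk" and port["allowed"] == "all")


VLANS, PORTS = parse_vrp(SWITCH_CONFIG)

if __name__ == "__main__":
    for vlan in (10, 20, 100, 12, 22):
        print(vlan, sorted(ports_carrying(VLANS, PORTS, vlan)))
    print("trunks allowing all VLANs:", trunks_allowing_all(PORTS))
```

Running it shows VLAN 10 leaving sw3 untagged on Ethernet0/0/1 and tagged on every trunk, and lists all six trunks as carrying every VLAN; replacing "vlan all" with the VLANs each trunk really needs (10, 20 and 100 on the inter-switch links) keeps the firewall-facing VLANs off switches that have no port in them.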
Configure the IP address and service of the equipment
1. Configure the clients and servers
Server1:
Server2:
Client1:
Client2:
Client3:
2. Configure the switch IP addresses and VRRP
The configuration commands for switch 1 are as follows:
[sw1] int vlan 10
[sw1-Vlanif10] undo shutdown
[sw1-Vlanif10] ip address 192.168.10.253 255.255.255.0
[sw1-Vlanif10] vrrp vrid 10 virtual-ip 192.168.10.254
[sw1-Vlanif10] vrrp vrid 10 priority 150
[sw1-Vlanif10] vrrp vrid 10 track interface GigabitEthernet 0/0/2 reduced 100
[sw1-Vlanif10] int vlan 20
[sw1-Vlanif20] undo shutdown
[sw1-Vlanif20] ip address 192.168.20.253 255.255.255.0
[sw1-Vlanif20] vrrp vrid 20 virtual-ip 192.168.20.254
[sw1-Vlanif20] vrrp vrid 20 priority 150
[sw1-Vlanif20] vrrp vrid 20 track interface GigabitEthernet 0/0/2 reduced 100
[sw1-Vlanif20] int vlan 100
[sw1-Vlanif100] undo shutdown
[sw1-Vlanif100] ip address 192.168.100.253 255.255.255.0
[sw1-Vlanif100] vrrp vrid 100 virtual-ip 192.168.100.254
[sw1-Vlanif100] vrrp vrid 100 priority 150
[sw1-Vlanif100] vrrp vrid 100 track interface GigabitEthernet 0/0/2 reduced 100
[sw1-Vlanif100] int vlan 12
[sw1-Vlanif12] undo shutdown
[sw1-Vlanif12] ip address 192.168.12.1 255.255.255.0
[sw1-Vlanif12] q
[sw1] ip route-static 0.0.0.0 0.0.0.0 192.168.12.2
The configuration commands for switch 2 are as follows:
<sw2> sys
[sw2] int vlan 10
[sw2-Vlanif10] undo shutdown
[sw2-Vlanif10] ip address 192.168.10.252 255.255.255.0
[sw2-Vlanif10] vrrp vrid 10 virtual-ip 192.168.10.254
[sw2-Vlanif10] vrrp vrid 10 track interface gi 0/0/3
[sw2-Vlanif10] int vlan 20
[sw2-Vlanif20] undo shutdown
[sw2-Vlanif20] ip address 192.168.20.252 255.255.255.0
[sw2-Vlanif20] vrrp vrid 20 virtual-ip 192.168.20.254
[sw2-Vlanif20] vrrp vrid 20 track interface gi 0/0/3
[sw2-Vlanif20] int vlan 100
[sw2-Vlanif100] undo shutdown
[sw2-Vlanif100] ip address 192.168.100.252 255.255.255.0
[sw2-Vlanif100] vrrp vrid 100 virtual-ip 192.168.100.254
[sw2-Vlanif100] vrrp vrid 100 track interface gi 0/0/3
[sw2-Vlanif100] int vlan 22
[sw2-Vlanif22] undo shutdown
[sw2-Vlanif22] ip address 192.168.22.1 255.255.255.0
[sw2-Vlanif22] q
[sw2] ip route-static 0.0.0.0 0.0.0.0 192.168.22.2
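The VRRP configuration above only works as a backup if the election really moves the virtual gateway to sw2 when sw1 loses its uplink to the firewall. The following Python model is an added example (not from the article) that reproduces the election for the three groups (vrid 10, 20 and 100) with the values configured above: sw1 has priority 150 and tracks GigabitEthernet 0/0/2 with "reduced 100"; sw2 keeps the default priority of 100 and tracks GigabitEthernet 0/0/3 with no explicit value, which the example takes to be the VRP default reduction of 10 (an assumption). Ties are broken by the higher real address as in RFC 5798, and preemption is assumed to be on (the VRP default). The example also shows the failure mode that "reduced 100" exists to prevent: with only a default reduction sw1 would stay master at 140 while its uplink is down, and traffic from the hosts would be black-holed. One more thing to check in this lab, which the model does not cover: the firewall's NAT rules and its routes back to the three VLAN subnets reference only inside1 (see the ASA configuration that follows), so after a failover the path through inside2 has no matching NAT rule and return traffic is still sent towards sw1.

```python
"""Added example (not from the article): VRRP master election for the three
groups configured on sw1 and sw2 above, including 'track interface ... reduced'."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VrrpMember:
    """One switch's membership in one VRRP group (vrid) on one Vlanif."""
    name: str
    vrid: int
    address: str                                  # real Vlanif address
    priority: int = 100                           # VRP default when none is configured
    tracked: dict = field(default_factory=dict)   # interface -> priority reduction
    link_up: dict = field(default_factory=dict)   # interface -> current link state

    def effective_priority(self):
        """Configured priority minus the reduction of every tracked link that is down."""
        p = self.priority
        for iface, reduction in self.tracked.items():
            if not self.link_up.get(iface, True):
                p -= reduction
        return max(p, 1)   # priority 0 is reserved by VRRP for a resigning master


def elect_master(members):
    """Highest effective priority wins; a tie goes to the higher real address
    (RFC 5798). Preemption is on by default in VRP, so the same rule gives the
    state after a recovery."""
    return max(members, key=lambda m: (m.effective_priority(),
                                       ipaddress.ip_address(m.address)))


def lab_groups(sw1_uplink_up=True, sw2_uplink_up=True, sw1_reduction=100):
    """The three groups from the article. sw2's reduction of 10 is the assumed
    VRP default; sw1_reduction lets you see what a weaker setting would do."""
    groups = {}
    for vrid, net in ((10, "192.168.10"), (20, "192.168.20"), (100, "192.168.100")):
        sw1 = VrrpMember("sw1", vrid, f"{net}.253", priority=150,
                         tracked={"GigabitEthernet0/0/2": sw1_reduction},
                         link_up={"GigabitEthernet0/0/2": sw1_uplink_up})
        sw2 = VrrpMember("sw2", vrid, f"{net}.252",
                         tracked={"GigabitEthernet0/0/3": 10},
                         link_up={"GigabitEthernet0/0/3": sw2_uplink_up})
        groups[vrid] = [sw1, sw2]
    return groups


def masters(sw1_uplink_up=True, sw2_uplink_up=True, sw1_reduction=100):
    """Map vrid -> name of the switch that currently answers for the virtual gateway."""
    groups = lab_groups(sw1_uplink_up, sw2_uplink_up, sw1_reduction)
    return {vrid: elect_master(ms).name for vrid, ms in groups.items()}


if __name__ == "__main__":
    for sw1_up, sw2_up in ((True, True), (False, True), (True, False), (False, False)):
        print(f"sw1 uplink up={sw1_up}, sw2 uplink up={sw2_up}: {masters(sw1_up, sw2_up)}")
    print("sw1 uplink down with only the default reduction:",
          masters(sw1_uplink_up=False, sw1_reduction=10))
```

With the article's values sw1 drops to an effective priority of 50 when GigabitEthernet 0/0/2 fails, so sw2 (100) takes over all three groups; with both uplinks down sw2 still wins at 90, and sw1 regains the master role as soon as its link returns.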
3. Configure ASA Firewall
The configuration commands are as follows:
ciscoasa(config)# clear configure all
ciscoasa(config)# hostname ASA
ASA(config)# int g0
ASA(config-if)# nameif inside1
ASA(config-if)# security-level 100
ASA(config-if)# ip address 192.168.12.2 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# int g1
ASA(config-if)# nameif inside2
ASA(config-if)# security-level 100
ASA(config-if)# ip address 192.168.22.2 255.255.255.0
ASA(config-if)# int g2
ASA(config-if)# nameif outside
ASA(config-if)# security-level 0
ASA(config-if)# ip address 200.8.8.1 255.255.255.252
ASA(config-if)# no shutdown
ASA(config-if)# q
4. Configure the router
The configuration commands are as follows:
<Huawei> sys
Enter system view, return user view with Ctrl+Z.
[Huawei] sysname Router
[Router] int gi 0/0/0
[Router-GigabitEthernet0/0/0] undo shutdown
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[Router-GigabitEthernet0/0/0] ip address 200.8.8.2 255.255.255.252
[Router-GigabitEthernet0/0/0] int gi 0/0/1
[Router-GigabitEthernet0/0/1] undo shutdown
Info: Interface GigabitEthernet0/0/1 is not shutdown.
[Router-GigabitEthernet0/0/1] ip address 200.9.9.254 255.255.255.0
[Router-GigabitEthernet0/0/1] q
3. Configure the routing entries
Since this lab has only a few addresses, static routes are sufficient here.
Sw1:
[sw1] ip route-static 0.0.0.0 0.0.0.0 192.168.12.2
View the routing table:
Sw2:
[sw2] ip route-static 0.0.0.0 0.0.0.0 192.168.22.2
View the routing table:
ASA Firewall:
ASA(config)# route inside1 192.168.10.0 255.255.255.0 192.168.12.1
ASA(config)# route inside1 192.168.20.0 255.255.255.0 192.168.12.1
ASA(config)# route inside1 192.168.100.0 255.255.255.0 192.168.12.1
ASA(config)# route outside 0.0.0.0 0.0.0.0 200.8.8.2
Here we use show route to view the routing table:
Router:
[Router] ip route-static 119.1.1.0 255.255.255.0 200.8.8.1
View the routing table:
At this point, the experimental environment has been set up.
4. Next, configure the private network NAT to access the public network
1. First, enable the HTTP service on server2. The main operations are: select the HTTP service, select the web file, and start the HTTP service, as shown in the figure:
2. Next, configure NAT. The simulated environment is that the company has bought the public address block 119.1.1.0/29, and one address is used for each of VLAN 10, VLAN 20 and VLAN 100. Here I use dynamic NAT, because in practice a VLAN never holds just one host. Let's configure it:
ASA(config)# object network vlan10
ASA(config-network-object)# subnet 192.168.10.0 255.255.255.0
ASA(config-network-object)# nat (inside1,outside) dynamic 119.1.1.1
ASA(config-network-object)# q
ASA(config)# object network vlan20
ASA(config-network-object)# subnet 192.168.20.0 255.255.255.0
ASA(config-network-object)# nat (inside1,outside) dynamic 119.1.1.2
ASA(config-network-object)# q
ASA(config)# object network vlan100
ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
ASA(config-network-object)# nat (inside1,outside) dynamic 119.1.1.3
ASA(config-network-object)# q
Use show xlate to view the translation table here:
Then confirm that the translation works by capturing packets (see the verification of the experimental results).
5. Publish the web server so that it can be accessed from the public network
Because the public network belongs to the outside zone, whose security level is lower than that of inside1, traffic from the public network to the private web server must be permitted by an ACL before the firewall will pass it. We have already done NAT translation; NAT not only translates private addresses into public addresses, it also lets us publish the WEB service to the public network.
Main actions:
1. First of all, start the HTTP service of server1
2. Configure NAT
Main operation: configure static NAT.
The command is as follows:
ASA(config)# object network gongwang
ASA(config-network-object)# host 119.1.1.3
ASA(config-network-object)# exit
ASA(config)# object network web
ASA(config-network-object)# host 192.168.100.1
ASA(config-network-object)# nat (inside1,outside) static gongwang service tcp 80 80
ASA(config-network-object)# exit
3. Configure ACL to allow external network traffic to access the intranet WEB server through the firewall
The command is as follows:
ASA (config) # object network isp
ASA (config-network-object) # host 200.9.9.1
ASA (config-network-object) # exit
ASA (config) # access-list fangwen permit tcp object isp object web eq http
ASA (config) # access-group fangwen in interface outside
For the access result, please see the result verification.
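To see how the security levels, the NAT rules and the fangwen access-group above combine on a single connection, the following Python model is an added example (not from the article or from Cisco). It encodes the interfaces, routes, object NAT rules and ACL exactly as configured above and walks the first packet of a connection through a simplified version of the ASA's processing order: un-translate the destination when it hits the static mapping, apply the inbound ACL if one is bound on the ingress interface (on ASA 8.3 and later, which the "object network" syntax implies, the ACL is matched against the real address 192.168.100.1, not 119.1.1.3), route, fall back to the security-level default when no ACL is bound, and finally translate the source on the way out. The PAT port allocator and the ordering are simplifications of the example, not the ASA's exact algorithm. The "inside2" case at the end is the check a practitioner would want: since every NAT rule is written for (inside1,outside), traffic that enters via inside2 after a VRRP failover is permitted by the security levels but leaves with its private source address unchanged.

```python
"""Added example (not from the article): walk a connection through the ASA
policy configured above (security levels, static and dynamic NAT, the
'fangwen' access-group on outside)."""
import ipaddress
from itertools import count

SEC_LEVEL = {"inside1": 100, "inside2": 100, "outside": 0}

# Routing table from the article: connected networks plus the static routes.
ROUTES = [
    ("192.168.12.0/24", "inside1"), ("192.168.22.0/24", "inside2"),
    ("200.8.8.0/30", "outside"),
    ("192.168.10.0/24", "inside1"), ("192.168.20.0/24", "inside1"),
    ("192.168.100.0/24", "inside1"), ("0.0.0.0/0", "outside"),
]
# Object NAT from the article; every rule is between (inside1,outside).
DYNAMIC_PAT = [("192.168.10.0/24", "119.1.1.1"), ("192.168.20.0/24", "119.1.1.2"),
               ("192.168.100.0/24", "119.1.1.3")]
STATIC = {"real": ("192.168.100.1", 80), "mapped": ("119.1.1.3", 80),
          "ifaces": ("inside1", "outside")}
# access-list fangwen, applied inbound on outside. The ACL is matched against the
# REAL (un-translated) destination, which is why it names 192.168.100.1.
ACL = {"outside": [{"proto": "tcp", "src": "200.9.9.1/32",
                    "dst": "192.168.100.1/32", "dport": 80}]}

_pat_ports = count(1024)   # simplified PAT source-port allocator (assumption)


def egress_interface(dst):
    """Longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n), i) for n, i in ROUTES
               if addr in ipaddress.ip_network(n)]
    return max(matches, key=lambda t: t[0].prefixlen)[1]


def acl_permits(entries, proto, src, dst, dport):
    """True if any ACE matches; an applied access-group ends with an implicit deny."""
    return any(e["proto"] == proto and e["dport"] == dport
               and ipaddress.ip_address(src) in ipaddress.ip_network(e["src"])
               and ipaddress.ip_address(dst) in ipaddress.ip_network(e["dst"])
               for e in entries)


def evaluate(ingress, src, sport, dst, dport, proto="tcp"):
    """Decision for the first packet of a new connection arriving on `ingress`."""
    real_dst, real_dport = dst, dport
    # 1. Un-NAT: a packet from outside for 119.1.1.3:80 is really for the web server.
    if ingress == STATIC["ifaces"][1] and proto == "tcp" and (dst, dport) == STATIC["mapped"]:
        real_dst, real_dport = STATIC["real"]
    # 2. Inbound ACL, if one is bound on the ingress interface.
    if ingress in ACL and not acl_permits(ACL[ingress], proto, src, real_dst, real_dport):
        return {"action": "deny", "reason": f"implicit deny of the access-group on {ingress}"}
    # 3. Route lookup on the real destination.
    egress = egress_interface(real_dst)
    if egress == ingress:
        return {"action": "deny", "reason": "destination routes back out the ingress interface"}
    # 4. Without an ACL the security levels decide.
    if ingress not in ACL:
        if SEC_LEVEL[ingress] < SEC_LEVEL[egress]:
            return {"action": "deny", "reason": "lower to higher security level needs an ACL"}
        if SEC_LEVEL[ingress] == SEC_LEVEL[egress]:
            return {"action": "deny",
                    "reason": "same-security-traffic permit inter-interface is not configured"}
    # 5. Outbound translation: static for the web server's own port 80, else PAT per VLAN.
    mapped_src, mapped_sport, nat = src, sport, None
    if (ingress, egress) == STATIC["ifaces"]:
        if proto == "tcp" and (src, sport) == STATIC["real"]:
            mapped_src, mapped_sport = STATIC["mapped"]
            nat = "static"
        else:
            for net, pat_ip in DYNAMIC_PAT:
                if ipaddress.ip_address(src) in ipaddress.ip_network(net):
                    mapped_src, mapped_sport, nat = pat_ip, next(_pat_ports), "dynamic PAT"
                    break
    # nat stays None when no rule covers this interface pair (e.g. inside2 to
    # outside here): the private source address would leave unchanged.
    return {"action": "permit", "egress": egress, "nat": nat,
            "src": (mapped_src, mapped_sport), "dst": (real_dst, real_dport)}


if __name__ == "__main__":
    print(evaluate("inside1", "192.168.10.5", 40000, "200.9.9.1", 80))   # PAT to 119.1.1.1
    print(evaluate("outside", "200.9.9.1", 51000, "119.1.1.3", 80))      # published web server
    print(evaluate("outside", "200.9.9.1", 51000, "119.1.1.3", 22))      # not published
    print(evaluate("inside2", "192.168.10.5", 40000, "200.9.9.1", 80))   # permitted, no NAT
```

The two deny results from outside show the ACL doing its job (only 200.9.9.1 to the web server's port 80 gets through), and the inside2 result shows the gap left by writing NAT rules for inside1 only.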
Result verification:
1. Private network NAT accesses the public network:
2. Packet capture analysis of the address translation:
3. The internal network provides the WEB service to external network access:
4. Packet capture analysis of the address translation:
Although the experiment ends here, there was one point I was not entirely clear about during the configuration, so I looked it up and share it below. Of course, if you have a better understanding, please tell the editor; the editor will be grateful!
Fuzzy point: the choice of NAT translation mode was not very clear to me.
After checking the documentation, we can see the following:
Dynamic NAT/PAT
Scenario 1
All private network traffic is translated to the public address of the outside interface when it accesses the public network. This suits a small office that has only one public address.
Scenario 2
All internal traffic is translated to one specific public address when it accesses the external network. This suits a small office or a branch office.
Scenario 3
For users with a large number of public addresses; often used by operators or on corporate intranets.
Scenario 4
For users with a large number of public addresses; often used by operators or on corporate intranets. A PAT fallback to the interface address can be configured so that the address pool does not run out (recommended).
Static NAT/PAT
Scenario 5
The intranet has mail and web servers that must be reachable by remote users. This suits headquarters and branch offices.
Scenario 6
The requirements here are more complex. The customer has many minicomputers providing business services in a low-security zone, needs to hide the address of the server being accessed, and requires one-to-one static mapping for access to the external servers.
Scenario 7
For business traffic passing through the firewall the source address is not changed, that is, the address is translated to itself; this is called identity NAT.
© 2024 shulou.com SLNews company. All rights reserved.