Use policy-based routing to steer traffic to the firewall for filtering, so that a firewall outage does not affect network communication;
1. On SW1 create VLANs 10, 20, 30 and 40, and configure the inter-switch link as a trunk port
2. VLAN 10 is the internal business VLAN, VLAN 20 connects to router R1, VLAN 30 is the untrust zone and VLAN 40 is the trust zone;
3. On SW1 configure an IP address for every VLAN so that the directly connected routes are reachable;
4. On R1 configure a default route pointing to R2, and a return route to ensure internal reachability;
5. On SW1 configure policy-based routing to steer internal traffic and traffic coming in from outside to the firewall, respectively;
6. Configure static routes on the firewall;
7. On R1 configure NAT so that internal devices can reach the external network;
8. Configure NAPT to map the internal FTP server to the external network, so that clients can reach the FTP server via 100.1.1.1
Create the VLANs on SW1 and configure their IP addresses
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 1.1.1.1 255.255.255.252
#
interface Vlanif40
ip address 1.1.1.5 255.255.255.252
Add the interfaces to the specified VLANs
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/2
port link-type dot1q-tunnel
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 2 to 4094
On SW2 add the FTP server and PC1 to VLAN 10
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
Configure a default route on SW1 to ensure routing reachability
ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
Configure policy-based routing on SW1 to steer traffic to the firewall
acl number 3000
rule 5 permit ip source 10.1.1.0 0.0.0.255
#
acl number 3001
rule 5 permit ip destination 10.1.1.2 0
# Configure traffic classifiers, referencing acl 3000 and acl 3001 respectively
traffic classifier 1 operator and
if-match acl 3000
#
traffic classifier 2 operator and
if-match acl 3001
# Configure traffic behaviors that redirect the next hop of matching traffic to the firewall
traffic behavior 1
redirect ip-nexthop 1.1.1.6
permit
#
traffic behavior 2
redirect ip-nexthop 1.1.1.2
permit
# Configure traffic policies that bind each classifier to its behavior
traffic policy 1
classifier 1 behavior 1
traffic policy 2
classifier 2 behavior 2
#
Apply the policies inbound on SW1 interfaces g0/0/1 and g0/0/24 respectively
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
traffic-policy 2 inbound
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 2 to 4094
traffic-policy 1 inbound
Configure IP addresses on the firewall and add the interfaces to their security zones
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.2 255.255.255.252
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.6 255.255.255.252
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
Configure security policies: users in the trust zone may access untrust, while the untrust zone may only access the internal FTP server
security-policy
rule name local=>any
source-zone local
action permit
rule name T=>U
source-zone trust
destination-zone untrust
action permit
rule name U=>T
source-zone untrust
destination-zone trust
destination-address 10.1.1.2 mask 255.255.255.255
service ftp
action permit
Configure static routes on the firewall so that traffic is forwarded correctly
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 10.1.1.0 255.255.255.0 1.1.1.5
Configure NAT and NAPT on R1
acl number 2000
rule 5 permit any
#
interface GigabitEthernet0/0/1
ip address 100.1.1.1 255.255.255.252
nat server protocol tcp global current-interface ftp inside 10.1.1.2 ftp
nat outbound 2000
Configure static routes on R1
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
ip route-static 10.1.1.0 255.255.255.0 20.1.1.1
R2 configuration
interface Ethernet0/0/0
ip address 100.1.1.2 255.255.255.252
#
interface Ethernet0/0/1
ip address 192.168.1.1 255.255.255.0
Capture packets on the firewall's g1/0/2 interface: when PC1 pings R2, the ICMP packets can be seen there.
Disable the configured trust=>untrust policy on the firewall and run the ping test again. The ping now fails, proving that this traffic is forwarded through the firewall and is subject to its rules
Access the internal FTP server from the external client: access succeeds
Disable the firewall policy and test again: the external client can no longer access the internal FTP server
The firewall is deployed in one-arm (bypass) mode, so business traffic is unaffected even if it goes down. Test this by manually shutting down the interfaces connecting SW1 to the firewall
PC1's access to the external network is unaffected
External client access to the internal FTP server
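To see how the two traffic policies on SW1 and the firewall's zone rules combine in both directions, here is an added example that is not part of the original lab: a small Python model of SW1's redirect decision and of the firewall's security policy. The external client 192.168.1.2 is a constructed address, and the fallback to normal routing when the firewall links are down is assumed as the write-up states it, not verified against a particular switch model.

```python
import ipaddress

# Model of the lab in this write-up (constructed example, not device code or output).
# Huawei ACL wildcard mask: a 0 bit in the wildcard must match exactly, a 1 bit is ignored.
def acl_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# SW1 forwarding table from the write-up: the connected VLAN subnets plus the default to R1.
CONNECTED = [ipaddress.ip_network(n) for n in
             ("10.1.1.0/24", "20.1.1.0/24", "1.1.1.0/30", "1.1.1.4/30")]
DEFAULT_NEXT_HOP = "20.1.1.2"

# traffic-policy bindings: ingress port -> (match function on (src, dst), redirect next hop).
# "destination 10.1.1.2 0" in acl 3001 is the single host, i.e. wildcard 0.0.0.0.
POLICIES = {
    "GigabitEthernet0/0/24": (lambda s, d: acl_match(s, "10.1.1.0", "0.0.0.255"), "1.1.1.6"),
    "GigabitEthernet0/0/1":  (lambda s, d: acl_match(d, "10.1.1.2", "0.0.0.0"), "1.1.1.2"),
}

def sw1_next_hop(src, dst, ingress, fw_up=True):
    """Next hop SW1 uses for a packet. fw_up=False models the firewall links being down:
    the redirect is skipped and normal routing applies (the write-up's stated behaviour,
    assumed here rather than verified for a particular switch model)."""
    policy = POLICIES.get(ingress)
    if policy and fw_up and policy[0](src, dst):
        return policy[1]
    if any(ipaddress.ip_address(dst) in net for net in CONNECTED):
        return "direct"
    return DEFAULT_NEXT_HOP

def fw_permit(src_zone, dst_zone, dst, proto, dport):
    """The firewall security-policy rules from the write-up; unmatched traffic is denied."""
    if src_zone == "local":
        return True                                            # rule local=>any
    if src_zone == "trust" and dst_zone == "untrust":
        return True                                            # rule T=>U
    if src_zone == "untrust" and dst_zone == "trust":
        return dst == "10.1.1.2" and proto == "tcp" and dport == 21  # rule U=>T: FTP only
    return False

def ftp_path(fw_up=True):
    """Both directions of the external client talking to the FTP server: the request (its
    destination already rewritten to 10.1.1.2 by R1's nat server) enters SW1 on g0/0/1,
    the reply from the server enters on the g0/0/24 trunk."""
    request = sw1_next_hop("192.168.1.2", "10.1.1.2", "GigabitEthernet0/0/1", fw_up)
    reply = sw1_next_hop("10.1.1.2", "192.168.1.2", "GigabitEthernet0/0/24", fw_up)
    return request, reply
```

Note that the request is handed to the firewall's untrust side (1.1.1.2) and the reply to its trust side (1.1.1.6), so the session is seen symmetrically; with the firewall links down both directions fall back to the routing table.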