Firewall basic configuration: SSH, ASPF, NAT

I. Firewall introduction

  • Firewall: forwards based on policy
  • Router: forwards based on destination address

Firewall characteristics:
1. Logically isolates areas (zones)
2. Protects itself and the internal network
3. Resists and defends against attacks

Firewall types:
1. Packet-filtering firewall
2. Proxy firewall
3. Stateful inspection (the mainstream type)

Firewall deployment modes:

1. Layer 2 (transparent firewall)
Feature: does not change the existing network
2. Layer 3 (routed firewall)
Requires fairly large changes to the existing network, but offers the most features
3. One-armed (off-path) ---- least impact on the existing network

==========================================================================================================================================================================

Zones:

  • trust ---- trusted zone
  • untrust ---- untrusted zone
  • dmz ---- demilitarized zone
  • local ---- the firewall itself (local zone, priority 100)

The default zones as shown by display zone, with notes:

local
 priority is 100                  ---- local zone, priority 100
#
trust
 priority is 85                   ---- trusted zone
 interface of the zone is (1):
    GigabitEthernet0/0/0          ---- G0/0/0 is the default management interface
#
untrust
 priority is 5                    ---- untrusted zone
 interface of the zone is (0):
#
dmz
 priority is 50                   ---- demilitarized zone
 interface of the zone is (0):
#

How is a zone delimited?
Once a firewall interface is assigned to a zone, everything connected behind that interface belongs to that zone.

The security level value by itself decides nothing; it is just a marker ---- (it must be configured, though).
Custom security levels can be defined:

<USG6000V1>display zone
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (1):
    GigabitEthernet0/0/0
#
untrust
 priority is 5
 interface of the zone is (0):
#
dmz
 priority is 50
 interface of the zone is (0):
#
HCNA
 priority is 15
 interface of the zone is (0):
#
<USG6000V1>

Direction: traffic from a higher security level to a lower one is outbound; from a lower level to a higher one is inbound.
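The zone table and the outbound/inbound rule above are easy to get wrong by hand once custom zones are added. The following Python script is an added example, not code from these notes or from Huawei: it parses the text of display zone (a constructed sample copied from the layout shown above), finds which zone an interface belongs to, and classifies a flow between two zones as outbound or inbound from their priorities. The sample output, the custom HCNA zone's interface list and the function names are assumptions of this example.

```python
import re

# Constructed sample (not captured from a real device): the output of
# `display zone` on a USG6000V with the four default zones plus a custom one.
SAMPLE_DISPLAY_ZONE = """\
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (1):
    GigabitEthernet0/0/0
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/1
#
dmz
 priority is 50
 interface of the zone is (0):
#
HCNA
 priority is 15
 interface of the zone is (0):
#
"""

_PRIORITY = re.compile(r"^priority is (\d+)$")


def parse_display_zone(text):
    """Parse `display zone` output into {zone: {"priority": int, "interfaces": [names]}}.

    Zone names are unindented; "priority is N", the interface-count line and the
    interface names themselves are indented; "#" closes each zone block.
    """
    zones = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():            # unindented line: a new zone name
            current = line
            zones[current] = {"priority": None, "interfaces": []}
            continue
        if current is None:
            raise ValueError("indented line before any zone name: %r" % raw)
        m = _PRIORITY.match(line)
        if m:
            zones[current]["priority"] = int(m.group(1))
        elif line.startswith("interface of the zone is"):
            pass                              # count line; the names follow it
        else:
            zones[current]["interfaces"].append(line)
    return zones


def zone_of_interface(zones, ifname):
    """Return the zone an interface belongs to, or None if it was never added
    to one (such an interface cannot pass traffic through the firewall)."""
    for name, z in zones.items():
        if ifname in z["interfaces"]:
            return name
    return None


def direction(zones, src_zone, dst_zone):
    """Classify a flow as 'outbound' (higher priority -> lower) or 'inbound'
    (lower -> higher), following the definition used in the notes."""
    p_src = zones[src_zone]["priority"]
    p_dst = zones[dst_zone]["priority"]
    if p_src is None or p_dst is None:
        raise ValueError("zone without a priority: %s / %s" % (src_zone, dst_zone))
    if p_src == p_dst:
        # Same zone: the high-to-low rule gives no direction.
        return "intrazone"
    return "outbound" if p_src > p_dst else "inbound"


if __name__ == "__main__":
    zones = parse_display_zone(SAMPLE_DISPLAY_ZONE)
    for name, z in sorted(zones.items(), key=lambda kv: -kv[1]["priority"]):
        print("%-8s priority %3d  interfaces %s" % (name, z["priority"], z["interfaces"]))
    print("trust -> untrust is", direction(zones, "trust", "untrust"))
    print("GigabitEthernet1/0/0 is in zone", zone_of_interface(zones, "GigabitEthernet1/0/0"))
```

Running it prints the zones sorted by priority, shows that trust to untrust is outbound, and reports None for GigabitEthernet1/0/0, which is the usual symptom when an interface was configured but never added to a zone.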

==========================================================================================================================================================================

II. Connecting to the firewall (console, web, telnet, SSH)

Console cable connection
Default username admin, password Admin@123

Web access
Through the default management interface G0/0/0
https://X.X.X.X:8443 (default port)

Step 1: configure the address and enable the HTTPS service

interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
 service-manage https permit

Step 2: add the interface to a zone

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0

Step 3: create the account under AAA

aaa
 manager-user admin
  password cipher Admin@123
  service-type web terminal
  level 15

==========================================================================================================================================================================
Telnet access

Option 1: password configured on the user-interface

Option 2: AAA authentication (username + password)
Configuration:

- Step 1: IP address, enable the telnet service, add the interface to a zone

- Step 2: configure the user-interface

user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet       ---- or "all"; the default is ssh

- Step 3: create the AAA user

aaa
 manager-user vtyadmin
  password cipher Huawei@123
  service-type telnet
  level 15

- Step 4: test: enter the username + password, you are then asked to change the password, then log in with the new password!

=========================================================================================================================================================================

2020/2/11 hahahahahahaha

==========================================================================================================================================================================

I. Firewall stateful inspection

Stateful inspection is enabled by default:

firewall session link-state check

Disable it:

undo firewall session link-state check

Check:

<FW1>display firewall session table            ---- brief session (stateful inspection) information
 Current Total Sessions : 1
 icmp  VPN: public --> public  192.168.1.1:52651 --> 202.100.1.1:2048
<FW1>display firewall session table verbose    ---- detailed information
 Current Total Sessions : 1
 icmp  VPN: public --> public  ID: c487f2e8be9d590174d58d10fff
 Zone: trust --> untrust  TTL: 00:00:20  Left: 00:00:14
 Interface: GigabitEthernet1/0/1  NextHop: 202.100.1.1  MAC: 00e0-fce9-69ad
 <--packets: 4 bytes: 336   --> packets: 5 bytes: 420
 192.168.1.1:52651 --> 202.100.1.1:2048  PolicyName: A

Clear command:

<FW1>reset firewall session table
Warning:Reseting session table will affect the system's normal service.
Continue? [Y/N]:Y

II. ASPF (FTP)

FTP
21 ---- control connection
20 ---- data connection

Two modes:
Passive mode

Active mode:
Configuration:
System-view configuration

firewall detect ftp          ---- enabled by default

Enable it precisely (per interzone):

firewall interzone trust untrust
 detect ftp

Check:

[FW1]display firewall server-map
 Current Total Server-map : 1
 Type: ASPF,  202.100.1.100 -> 192.168.1.100:2119,  Zone:---
 Protocol: tcp(Appro: ftp-data),  Left-Time:00:00:06
 Vpn: public -> public
<FW1>display firewall session table
 Current Total Sessions : 2
 ftp-data  VPN: public --> public  202.100.1.100:20 --> 192.168.1.100:2119
 ftp  VPN: public --> public  192.168.1.100:2118 +-> 202.100.1.100:21
<FW1>display firewall session table verbose
 Current Total Sessions : 3
 ftp-data  VPN: public --> public  ID: c487f2e8be9b4b08cf658d11e7c
 Zone: untrust --> trust  TTL: 00:00:10  Left: 00:00:06
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.100  MAC: 5489-984d-4ece
 <--packets: 3 bytes: 124   --> packets: 5 bytes: 398
 202.100.1.100:20 --> 192.168.1.100:2121  PolicyName: A
 ftp  VPN: public --> public  ID: c487f2e8be9b3d0eecf58d11e7c
 Zone: trust --> untrust  TTL: 00:20:00  Left: 00:19:59
 Interface: GigabitEthernet1/0/1  NextHop: 202.100.1.100  MAC: 5489-98dc-6fd0
 <--packets: 9 bytes: 659   --> packets: 10 bytes: 465
 192.168.1.100:2120 +-> 202.100.1.100:21  PolicyName: A
 ftp  VPN: public --> public  ID: c487f2e8be9b210f69158d11e64
 Zone: trust --> untrust  TTL: 00:20:00  Left: 00:19:55
 Interface: GigabitEthernet1/0/1  NextHop: 202.100.1.100  MAC: 5489-98dc-6fd0
 <--packets: 11 bytes: 753   --> packets: 12 bytes: 551
 192.168.1.100:2118 +-> 202.100.1.100:21  PolicyName: A
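The server-map entry above exists because ASPF reads the FTP control channel and learns, from the PORT command or the 227 reply, which data connection is about to open. The Python script below is an added example, not code from these notes or from the USG, that does the same inspection on a constructed control-channel exchange between client 192.168.1.100 and server 202.100.1.100: it decodes the h1,h2,h3,h4,p1,p2 form, creates a pinhole for active mode (server to client:port) or passive mode (client to server:port), ignores a PORT that names a third host (a hardening choice of this example), and answers whether a later TCP connection would be admitted. Function and class names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ServerMapEntry:
    """One pinhole: src_ip (any source port) may open TCP to dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int
    mode: str          # "active" (client sent PORT) or "passive" (server sent 227)


_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode the FTP h1,h2,h3,h4,p1,p2 form (RFC 959) into (ip, port)."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def inspect_ftp_control(client_ip: str, server_ip: str, from_client: bool,
                        line: str) -> Optional[ServerMapEntry]:
    """Inspect one control-channel line and return the server-map entry it implies.

    Active mode: the client sends PORT with its own address; the server then
    connects from port 20 to it, so the pinhole is server -> client:port.
    Passive mode: the server answers PASV with 227 and an address; the client
    then connects to it, so the pinhole is client -> server:port.
    A line naming a third host creates nothing (hardening choice of this
    example: the control channel must not open pinholes toward unrelated hosts).
    """
    line = line.strip()
    if from_client and line.upper().startswith("PORT "):
        hp = decode_hostport(line[5:])
        if hp and hp[0] == client_ip:
            return ServerMapEntry(server_ip, hp[0], hp[1], "active")
    elif not from_client and line.startswith("227"):
        hp = decode_hostport(line)
        if hp and hp[0] == server_ip:
            return ServerMapEntry(client_ip, hp[0], hp[1], "passive")
    return None


def server_map_from_exchange(client_ip, server_ip, exchange) -> List[ServerMapEntry]:
    """Run the inspector over a list of (from_client, line) control messages."""
    entries = []
    for from_client, line in exchange:
        e = inspect_ftp_control(client_ip, server_ip, from_client, line)
        if e:
            entries.append(e)
    return entries


def data_connection_allowed(entries, src_ip, dst_ip, dst_port) -> bool:
    """Would a new TCP SYN src_ip -> dst_ip:dst_port be admitted by the server-map?"""
    return any(e.src_ip == src_ip and e.dst_ip == dst_ip and e.dst_port == dst_port
               for e in entries)


def format_entry(e: ServerMapEntry) -> str:
    """Render an entry in the style of `display firewall server-map`."""
    return "Type: ASPF,  %s -> %s:%d,  Protocol: tcp(Appro: ftp-data)" % (
        e.src_ip, e.dst_ip, e.dst_port)


# Constructed control-channel exchange (not a real capture) between client
# 192.168.1.100 (trust) and server 202.100.1.100 (untrust), the addresses used
# in the notes' own display output.
CLIENT, SERVER = "192.168.1.100", "202.100.1.100"
SAMPLE_EXCHANGE = [
    (False, "220 FTP server ready"),
    (True,  "USER anonymous"),
    (False, "331 Password required"),
    (True,  "PASS guest"),
    (False, "230 Login successful"),
    (True,  "PORT 192,168,1,100,8,71"),                          # 8*256+71 = 2119
    (False, "200 PORT command successful"),
    (True,  "LIST"),
    (True,  "PASV"),
    (False, "227 Entering Passive Mode (202,100,1,100,7,233)"),  # 7*256+233 = 2025
    (True,  "PORT 10,0,0,9,0,80"),   # names a third host: no pinhole is created
]

if __name__ == "__main__":
    for e in server_map_from_exchange(CLIENT, SERVER, SAMPLE_EXCHANGE):
        print(format_entry(e), "(%s mode)" % e.mode)
```

The first entry printed, 202.100.1.100 -> 192.168.1.100:2119, is the same shape as the ASPF server-map line in the check above; without such an entry the inbound untrust-to-trust data connection of active-mode FTP would be dropped by the default deny.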

FTP server using a non-default port (instead of 21)

Configure port mapping on the firewall

Step 1: match the server address

acl number 2000
 rule 5 permit source 202.100.1.100 0

Step 2: create the port mapping

port-mapping FTP port 2121 acl 2000      ---- protocol, mapped port, applies only to the FTP server matched by the ACL

Check:

[FW1]display port-mapping
 Port-mapping total numbers: 1
 APPLICATION                      ID    PORT  ACL
 -----------------------------------------------------
 FTP                              5     2121  2000

III. Source NAT

NAPT ---- translates both the IP address and the port
Configuration routine: three steps

Step 1: configure the address pool

nat address-group address1       ---- name
 mode pat                        ---- the default
 section 1.1.1.1 1.1.1.10        ---- the address pool

Step 2: write a NAT policy that references the pool

nat-policy
 rule name trust_untrust         ---- give the rule a name
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 24
  action nat address-group address1   ---- reference the pool

Step 3: write black-hole routes

ip route-static 1.1.1.1 255.255.255.255 NULL0
ip route-static 1.1.1.2 255.255.255.255 NULL0
ip route-static 1.1.1.3 255.255.255.255 NULL0
ip route-static 1.1.1.4 255.255.255.255 NULL0
ip route-static 1.1.1.5 255.255.255.255 NULL0

Check:

[FW1]display firewall session table
 Current Total Sessions : 1
 icmp  VPN: public --> public  192.168.1.1:54187[1.1.1.5:2049] --> 202.100.1.1:2048
[FW1]display firewall session table verbose
 Current Total Sessions : 1
 icmp  VPN: public --> public  ID: c487f2e8be93140d77b58d129ef
 Zone: trust --> untrust  TTL: 00:00:20  Left: 00:00:12
 Interface: GigabitEthernet1/0/1  NextHop: 202.100.1.1  MAC: 00e0-fce9-69ad
 <--packets: 5 bytes: 420   --> packets: 5 bytes: 420
 192.168.1.1:54187[1.1.1.5:2049] --> 202.100.1.1:2048  PolicyName: A

==========================================================================================================================================================================

Source NAT:

1. NAT No-PAT ---- effectively one-to-one translation

2. NAPT ---- translates both the IP address and the port

3. Easy-IP

I. NAT Server
Purpose: translate the destination address.
Syntax:

nat server nat_ftp protocol tcp global 202.100.1.200 ftp inside 192.168.1.1 ftp
  nat_ftp                   ---- name
  protocol tcp              ---- protocol
  global 202.100.1.200 ftp  ---- translated (public) address and port
  inside 192.168.1.1 ftp    ---- inside (private) address and port

Configuration routine:
Basic configuration: IP addresses, zones, policy

Step 1: write the NAT server

nat server nat_ftp 0 protocol tcp global 202.100.1.200 ftp inside 192.168.1.1 ftp

Step 2: write the black-hole route

ip route-static 202.100.1.200 255.255.255.255 NULL0

Step 3: check

<FW1>display nat server
 Server in private network information:
 Total   1 NAT server(s)
 server name   : nat_ftp                id            : 0
 zone          : ---                    global-start-addr : 202.100.1.200
 global-end-addr   : 202.100.1.200      inside-start-addr : 192.168.1.1
 inside-end-addr   : 192.168.1.1        global-start-port : 21(ftp)
 global-end-port   : 21                 inside-start-port : 21(ftp)
 inside-end-port   : 21                 globalvpn     : public
 insidevpn     : public                 vsys          : public
 protocol      : tcp                    vrrp          : ---
 no-revers     : 0                      interface     : ---
 vrrp-bind-interface: ---               description   : ---

Step 4: test and observations

<FW1>display firewall server-map
 Current Total Server-map : 2
 Type: Nat Server,  ANY -> 202.100.1.200:21[192.168.1.1:21],  Zone:---,  protocol:tcp
 Vpn: public -> public
 Type: Nat Server Reverse,  192.168.1.1[202.100.1.200] -> ANY,  Zone:---,  protocol:tcp
 Vpn: public -> public,  counter: 1
<FW1>display firewall session table
 Current Total Sessions : 3
 ftp  VPN: public --> public  202.100.1.1:49854 +-> 202.100.1.200:21[192.168.1.1:21]
<FW1>display firewall session table verbose
 Current Total Sessions : 3
 ftp  VPN: public --> public  ID: c487f8328ffa14015b458d3bacb
 Zone: untrust --> trust  TTL: 00:20:00  Left: 00:19:52
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.1  MAC: 00e0-fce1-5d51
 <--packets: 6 bytes: 358   --> packets: 9 bytes: 397
 202.100.1.1:49854 +-> 202.100.1.200:21[192.168.1.1:21]  PolicyName: B

II. Bidirectional NAT

Configuration routine

Step 1: NAT server
1. NAT

nat server policy_ftp 0 protocol tcp global 202.100.1.100 ftp inside 192.168.1.1 ftp   ---- translates the destination address so traffic reaches the server

2. Black-hole route

ip route-static 202.100.1.100 255.255.255.255 NULL0

Step 2: configure source NAT ---- translates the source address so the server's return traffic comes back through the firewall
1. Address pool

nat address-group address1 0
 mode pat
 section 0 202.100.1.200 202.100.1.200   ---- not in the same subnet as the server

2. NAT policy

nat-policy
 rule name policy_nat
  source-zone dmz
  destination-zone dmz
  destination-address 192.168.1.1 32
  service ftp
  action nat address-group address1

Step 3: test

[FW1]display firewall server-map
 Current Total Server-map : 3
 Type: ASPF,  192.168.1.1[202.100.1.100] -> 202.100.1.200:2050[192.168.1.100:2064],  Zone:---
 Protocol: tcp(Appro: ftp-data),  Left-Time:00:00:03
 Vpn: public -> public
 Type: Nat Server,  ANY -> 202.100.1.100:21[192.168.1.1:21],  Zone:---,  protocol:tcp
 Vpn: public -> public
 Type: Nat Server Reverse,  192.168.1.1[202.100.1.100] -> ANY,  Zone:---,  protocol:tcp
 Vpn: public -> public,  counter: 1
[FW1]display firewall session table
 Current Total Sessions : 3
 ftp  VPN: public --> public  192.168.1.100:2061[202.100.1.200:2051] +-> 202.100.1.100:21[192.168.1.1:21]
 ftp-data  VPN: public --> public  192.168.1.1:20[202.100.1.100:20] --> 202.100.1.200:2050[192.168.1.100:2064]
 ftp  VPN: public --> public  192.168.1.100:2063[202.100.1.200:2052] +-> 202.100.1.100:21[192.168.1.1:21]
[FW1]display firewall session table verbose
 Current Total Sessions : 3
 ftp  VPN: public --> public  ID: c487fdf0534b450425458d3c1eb
 Zone: dmz --> dmz  TTL: 00:00:10  Left: 00:00:00
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.1  MAC: 00e0-fc6d-7760
 <--packets: 39 bytes: 1,835   --> packets: 39 bytes: 1,666
 192.168.1.100:2061[202.100.1.200:2051] +-> 202.100.1.100:21[192.168.1.1:21]  PolicyName: ---
 ftp-data  VPN: public --> public  ID: c487fdf0534b750738358d3c2d9
 Zone: dmz --> dmz  TTL: 00:00:10  Left: 00:00:03
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.100  MAC: 5489-986e-1520
 <--packets: 3 bytes: 124   --> packets: 5 bytes: 598
 192.168.1.1:20[202.100.1.100:20] --> 202.100.1.200:2050[192.168.1.100:2064]  PolicyName: ---
 ftp  VPN: public --> public  ID: c487fdf0534b650e06758d3c2d8
 Zone: dmz --> dmz  TTL: 00:20:00  Left: 00:19:56
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.1  MAC: 00e0-fc6d-7760
 <--packets: 9 bytes: 590   --> packets: 10 bytes: 475
 192.168.1.100:2063[202.100.1.200:2052] +-> 202.100.1.100:21[192.168.1.1:21]  PolicyName: ---
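The session lines in the stateful-inspection check, the source NAT check, the NAT server test and the bidirectional NAT test above all share one format, and the square brackets are the only visible sign of which NAT rewrote a session: a bracket after the source means source NAT (NAPT), a bracket after the destination means NAT server, both means bidirectional NAT. The Python script below is an added example, not code from these notes or from the USG: it parses the brief display firewall session table output (a constructed sample assembled from the lines shown in these notes), records the "+" of the "+->" arrow as a flag without interpreting it, classifies each session by NAT kind and checks the declared session count against the lines actually parsed, which catches a truncated paste. Function names are assumptions.

```python
import re
from typing import Dict

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"


def _endpoint(prefix):
    # ip:port, optionally followed by [nat_ip:nat_port] when NAT rewrote this side
    return ((r"(?P<%s_ip>%s):(?P<%s_port>\d+)"
             r"(?:\[(?P<%s_nat_ip>%s):(?P<%s_nat_port>\d+)\])?")
            % (prefix, _IP, prefix, prefix, _IP, prefix))


_SESSION = re.compile(
    r"^\s*(?P<proto>\S+)\s+VPN:\s*(?P<vpn_src>\S+)\s*-->\s*(?P<vpn_dst>\S+)\s+"
    + _endpoint("src") + r"\s+(?P<arrow>-->|\+->)\s+" + _endpoint("dst") + r"\s*$")
_TOTAL = re.compile(r"Current Total Sessions\s*:\s*(\d+)")


def parse_session_table(text: str):
    """Parse brief `display firewall session table` output.

    Returns (declared_total, sessions). Each session is a dict with proto,
    vpn_src/vpn_dst, flag ('+' for the '+->' arrow, '' otherwise), src/dst as
    (ip, port) tuples and src_nat/dst_nat as (ip, port) or None. Verbose
    detail lines (ID, Zone, Interface, packets) do not match and are skipped.
    """
    declared = None
    sessions = []
    for line in text.splitlines():
        m = _TOTAL.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = _SESSION.match(line)
        if not m:
            continue
        g = m.groupdict()
        sessions.append({
            "proto": g["proto"],
            "vpn_src": g["vpn_src"], "vpn_dst": g["vpn_dst"],
            "flag": "+" if g["arrow"] == "+->" else "",
            "src": (g["src_ip"], int(g["src_port"])),
            "dst": (g["dst_ip"], int(g["dst_port"])),
            "src_nat": (g["src_nat_ip"], int(g["src_nat_port"])) if g["src_nat_ip"] else None,
            "dst_nat": (g["dst_nat_ip"], int(g["dst_nat_port"])) if g["dst_nat_ip"] else None,
        })
    return declared, sessions


def nat_kind(session) -> str:
    """Which NAT rewrote the session: source NAT (NAPT), NAT server, both or none."""
    s, d = session["src_nat"] is not None, session["dst_nat"] is not None
    return {(True, True): "bidirectional", (True, False): "source-nat",
            (False, True): "nat-server", (False, False): "none"}[(s, d)]


def summarize(sessions) -> Dict[str, int]:
    """Count sessions per NAT kind."""
    counts = {}
    for s in sessions:
        k = nat_kind(s)
        counts[k] = counts.get(k, 0) + 1
    return counts


# Constructed sample (not one real capture) assembled from the session lines in
# these notes: a NAPT session, a NAT-server session, a bidirectional-NAT
# ftp-data session and an untranslated session.
SAMPLE_SESSION_TABLE = """\
 Current Total Sessions : 4
 icmp  VPN: public --> public  192.168.1.1:54187[1.1.1.5:2049] --> 202.100.1.1:2048
 ftp  VPN: public --> public  202.100.1.1:49854 +-> 202.100.1.200:21[192.168.1.1:21]
 ftp-data  VPN: public --> public  192.168.1.1:20[202.100.1.100:20] --> 202.100.1.200:2050[192.168.1.100:2064]
 icmp  VPN: public --> public  192.168.1.1:52651 --> 202.100.1.1:2048
"""

if __name__ == "__main__":
    declared, sessions = parse_session_table(SAMPLE_SESSION_TABLE)
    for s in sessions:
        print("%-9s %-13s %s:%d -> %s:%d" % (s["proto"], nat_kind(s), *s["src"], *s["dst"]))
    print("summary:", summarize(sessions))
    if declared is not None and declared != len(sessions):
        print("warning: device declared %d sessions, parsed %d" % (declared, len(sessions)))
```

When the parsed count differs from the declared total the paste is incomplete or a line did not match the pattern, which is worth knowing before drawing conclusions from a session dump during troubleshooting.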

III. ......

GRE ...... configuration routine:

Step 1: basic configuration (IP addresses, routes, zones)

Step 2: configure the Tunnel interface

interface Tunnel1
 ip address 10.1.1.1 255.255.255.0   ---- virtual IP address, any value
 tunnel-protocol gre                 ---- GRE mode
 source 202.100.1.10                 ---- source and destination must be reachable from each other
 destination 203.100.1.10

Step 3: add the Tunnel interface to a zone (never forget this)

Step 4: steer traffic into Tunnel1

ip route-static 172.16.1.0 255.255.255.0 Tunnel1

Step 5: test, then permit exactly the needed traffic

FW1:
security-policy
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  service icmp
  action permit
 rule name untrust_local
  source-zone untrust
  destination-zone local
  action permit
 rule name untrust_trust
  source-zone untrust
  destination-zone trust
  action permit
FW2:
security-policy
 rule name untrust_trust
  source-zone untrust
  destination-zone trust
  action permit
 rule name untrust_local
  source-zone untrust
  destination-zone local
  action permit
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  action permit

Step 6: check

[FW1]display firewall session table
 Current Total Sessions : 3
 icmp  VPN: public --> public  172.16.1.1:53419 --> 192.168.1.1:2048
 icmp  VPN: public --> public  192.168.1.1:54187 --> 172.16.1.1:2048
 gre  VPN: public --> public  203.100.1.10:0 --> 202.100.1.10:0

==========================================================================================================================================================================

SSH login

==========================================================================================================================================================================

Configuration routine:
Step 1:
Basic configuration

1. Address reachability
2. Add the interface to a zone
3. Enable the SSH service on the interface

interface GigabitEthernet0/0/0
 service-manage ssh permit      ---- enabled by default on the management interface

Step 2:

Enable the SSH server function
stelnet server enable

Step 3:

Set up the VTY lines
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh

Step 4: create the AAA user

aaa
 manager-user sshadmin
  password cipher Huawei@123
  service-type ssh
  level 3

Step 5: test

SecureCRT, PuTTY

II. Basic configuration

Step 1: basic configuration (IP addresses)
Step 2: interfaces must be added to zones

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0

Check:

[FW1]display zone
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (2):
    GigabitEthernet0/0/0
    GigabitEthernet1/0/0
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/1
#
dmz
 priority is 50
 interface of the zone is (0):
#

Step 3: if you need to ping the address of the firewall's directly connected interface
Enable the ping service on the interface (this is enough within the same zone)

interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.10 255.255.255.0
 service-manage ping permit

To ping the directly connected router's interface address from the firewall (different zones: it is always local to some other zone),
a security policy must permit the traffic:

default action permit       ---- permit everything

Step 4: test (keep routing in mind)

III. Security policy

Security policy rules are evaluated from 1 to N; if none matches, the default rule 0 applies (deny all)
Configuration:
Example:

security-policy
 rule name local_any          ---- a rule must have a name; this is a coarse rule
  source-zone local
  service icmp
  action permit
 rule name trust_untrust      ---- a fine-grained rule
  source-zone trust
  destination-zone untrust
  source-address address-set trust_ip
  destination-address address-set untrust_ip
  service icmp
  action permit
 rule name untrust_trust      ---- rule 3
  source-zone untrust
  destination-zone trust
  action permit

Check:

<FW1>display security-policy all
Total:4
RULE ID RULE NAME                      STATE      ACTION       HITTED
-------------------------------------------------------------------------------
3       local_any                      enable     permit       8
4       trust_untrust                  enable     permit       2
5       untrust_trust                  enable     permit       1
...........
0       default                        enable     deny         67
-------------------------------------------------------------------------------
<FW1>

The rule order can be adjusted:

rule move trust_untrust before local_any
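First-match evaluation with a deny-all default means that rule order, not just rule content, decides what passes, and rule move is how the order is changed. The Python script below is an added example, not code from these notes or from the USG: it models the three rules of the example above (with assumed address-sets trust_ip = 192.168.1.0/24 and untrust_ip = 202.100.1.0/24), adds a constructed deny rule for one host that is shadowed by the broader permit placed before it, evaluates packets top to bottom with hit counters like the HITTED column, and implements the equivalent of rule move NAME before NAME. Class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _in_address_set(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass
class Rule:
    """One security-policy rule; a None field means 'any', as on the USG."""
    name: str
    action: str                                   # "permit" or "deny"
    source_zone: Optional[str] = None
    destination_zone: Optional[str] = None
    source_address: Optional[List[str]] = None    # address-set as CIDR strings
    destination_address: Optional[List[str]] = None
    service: Optional[List[str]] = None
    hits: int = 0

    def matches(self, pkt: dict) -> bool:
        if self.source_zone and pkt["src_zone"] != self.source_zone:
            return False
        if self.destination_zone and pkt["dst_zone"] != self.destination_zone:
            return False
        if self.source_address and not _in_address_set(pkt["src_ip"], self.source_address):
            return False
        if self.destination_address and not _in_address_set(pkt["dst_ip"], self.destination_address):
            return False
        if self.service and pkt["service"] not in self.service:
            return False
        return True


class SecurityPolicy:
    """Ordered rule list with first-match evaluation and a deny-all default rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.default_hits = 0

    def evaluate(self, pkt: dict) -> Tuple[str, str]:
        """Return (action, rule_name); rules are tried top to bottom, first match wins."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action, rule.name
        self.default_hits += 1          # nothing matched: default rule 0, deny
        return "deny", "default"

    def move_before(self, name: str, before: str) -> None:
        """Equivalent of `rule move NAME before BEFORE`."""
        rule = next(r for r in self.rules if r.name == name)
        self.rules.remove(rule)
        self.rules.insert([r.name for r in self.rules].index(before), rule)

    def order(self) -> List[str]:
        return [r.name for r in self.rules]

    def table(self) -> List[Tuple[str, str, int]]:
        """(name, action, hits) rows in the spirit of `display security-policy all`."""
        return [(r.name, r.action, r.hits) for r in self.rules] + [("default", "deny", self.default_hits)]


def build_sample_policy() -> SecurityPolicy:
    """Constructed policy mirroring the example rules in these notes, plus a
    deny rule for one host that is shadowed by the broader permit above it."""
    trust_ip, untrust_ip = ["192.168.1.0/24"], ["202.100.1.0/24"]   # assumed address-sets
    return SecurityPolicy([
        Rule("local_any", "permit", source_zone="local", service=["icmp"]),
        Rule("trust_untrust", "permit", source_zone="trust", destination_zone="untrust",
             source_address=trust_ip, destination_address=untrust_ip, service=["icmp"]),
        Rule("untrust_trust", "permit", source_zone="untrust", destination_zone="trust"),
        Rule("deny_host", "deny", source_zone="trust", destination_zone="untrust",
             source_address=["192.168.1.50/32"]),
    ])


def pkt(src_zone, dst_zone, src_ip, dst_ip, service):
    return {"src_zone": src_zone, "dst_zone": dst_zone,
            "src_ip": src_ip, "dst_ip": dst_ip, "service": service}


if __name__ == "__main__":
    policy = build_sample_policy()
    blocked = pkt("trust", "untrust", "192.168.1.50", "202.100.1.1", "icmp")
    print("before move:", policy.evaluate(blocked))       # permitted: deny_host is shadowed
    policy.move_before("deny_host", "trust_untrust")
    print("after move: ", policy.evaluate(blocked))       # now denied by deny_host
    for row in policy.table():
        print("%-15s %-7s hits=%d" % row)
```

The shadowed deny is the practical lesson behind the HITTED column: a rule that never accumulates hits although traffic it should match is flowing usually sits below a broader rule, and rule move, not another rule, is the fix.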

==========================================================================================================================================================================
Adding a bit more on the last day.......... hope school starts again soon
2020/2/29, a date that comes once every four years

==========================================================================================================================================================================

zone-pair security source Local destination Trust
packet-filter 3100
#
zone-pair security source Local destination Untrust
packet-filter 3100
#
zone-pair security source Trust destination Local
packet-filter 3100
#
zone-pair security source Trust destination Untrust
packet-filter 3100
#
zone-pair security source Untrust destination Local
packet-filter 3100
#
zone-pair security source Untrust destination Trust
packet-filter 3100
acl advanced 3100
rule 0 permit ip

The firewall denies all traffic by default; this series of commands opens the firewall completely. Use with caution!!! (The block above uses H3C Comware syntax, zone-pair security / packet-filter / acl advanced, rather than the Huawei USG syntax used in the rest of these notes.)

