华为eNSP配置USG防火墙网络联通实验

本次实验主要模拟总部与分布的防火墙通信实验，实验网络互通，以及防火墙上的配置，主要配置包过滤和路由，确保网络通畅

工具/原料

win7-64

eNSP

方法/步骤

1、搭建拓扑结构防火墙三台路由器两台

2、配置所有设备的接口信息[R1]intg0/0/0[R1-GigabitEtherne隋茚粟胫t0/0/0]ipadd10.0.10.2婷钠痢灵24[R1-GigabitEthernet0/0/0]ints3/0/0[R1-Serial3/0/0]ipadd10.0.12.124[R1-Serial3/0/0]intloop0[R1-LoopBack0]ipadd10.0.1.124R2]intg0/0/0[R2-GigabitEthernet0/0/0]ipadd10.0.20.124[R2-GigabitEthernet0/0/0]ints3/0/0[R2-Serial3/0/0]ipadd10.0.12.224[R2-Serial3/0/0]ints4/0/0[R2-Serial4/0/0]ipadd10.0.23.224[R2-Serial4/0/0]intloop0[R2-LoopBack0]ipadd10.0.2.224[R3]ints4/0/0[R3-Serial4/0/0]ipadd10.0.23.324[R3-Serial4/0/0]Aug14201715:00:53-08:00R3%%01IFNET/4/LINK_STATE(l)[0]:ThelineprotocolPPPIPCPontheinterfaceSerial4/0/0hasenteredtheUPstate.[R3-Serial4/0/0]intloop0[R3-LoopBack0]ipadd10.0.3.324

3、查看当前网络的连通性[FW1-policy-security-rule-policy_sec_2]ping10.0.20.2PING10.0.20.2:56databytes,pressCTRL_CtobreakRequesttimeoutRequesttimeoutRequesttimeoutRequesttimeoutRequesttimeout[FW1]ping10.0.12.1PING10.0.12.1:56databytes,pressCTRL_CtobreakRequesttimeoutRequesttimeoutRequesttimeoutRequesttimeoutRequesttimeout

4、配置防火墙的包策略过滤行为security-policyrulenamepolicy_sec_1source-zonetrustdestination-zoneuntrustactionpermitrulenamepolicy_sec_2source-zonelocalsource-zoneuntrustdestination-zonelocaldestination-zoneuntrustactionpermit

5、配置O讵症慧鹱SPF协议保证网络的连通性先从R1到R3再配置FWFW2[R1]ospf1[R1-ospf-1]area0.0.0.0[R1-ospf-1-are锾攒揉敫a-0.0.0.0]network10.0.10.00.0.0.255[R1-ospf-1-area-0.0.0.0]network10.0.12.00.0.0.255[R2]ospf1[R2-ospf-1]area0.0.0.0[R2-ospf-1-area-0.0.0.0]network10.0.23.00.0.0.255[R2-ospf-1-area-0.0.0.0]network10.0.12.00.0.0.255[R2-ospf-1-area-0.0.0.0]network10.0.20.00.0.0.255[R3]ospf1[R3-ospf-1]area0.0.0.0[R3-ospf-1-area-0.0.0.0]network10.0.23.00.0.0.255[FW1]ospf1[FW1-ospf-1]area0.0.0.0[FW1-ospf-1-area-0.0.0.0]network10.0.10.00.0.0.255[FW2]ospf1[FW2-ospf-1]area0.0.0.0[FW2-ospf-1-area-0.0.0.0]network10.0.20.00.0.0.255

6、查看当前各个设备的路由表水貔藻疽，并开启防火墙端口的ping功能[FW1]disiprouRouteFlags:R-惺绅寨瞀relay,D-downloadtofib------------------------------------------------------------------------------RoutingTables:PublicDestinations:7Routes:7Destination/MaskProtoPreCostFlagsNextHopInterface10.0.10.0/24Direct00D10.0.10.1GigabitEthernet1/0/010.0.10.1/32Direct00D127.0.0.1GigabitEthernet1/0/010.0.12.0/24OSPF1049D10.0.10.2GigabitEthernet1/0/010.0.20.0/24OSPF1050D10.0.10.2GigabitEthernet1/0/010.0.23.0/24OSPF1097D10.0.10.2GigabitEthernet1/0/0127.0.0.0/8Direct00D127.0.0.1InLoopBack0127.0.0.1/32Direct00D127.0.0.1InLoopBack0开启ping功能service-managerpingenable

7、测试网络的连通性[FW1]ping10.0.20.2PING10.0.20.2:56databytes,pressCTRL_CtobreakReplyfrom10.0.20.2:bytes=56Sequence=1ttl=253time=23msReplyfrom10.0.20.2:bytes=56Sequence=2ttl=253time=21msReplyfrom10.0.20.2:bytes=56Sequence=3ttl=253time=15msReplyfrom10.0.20.2:bytes=56Sequence=4ttl=253time=21msReplyfrom10.0.20.2:bytes=56Sequence=5ttl=253time=20ms---10.0.20.2pingstatistics---5packet(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=15/20/23ms