任务十八：防火墙用户管理

[R1]isis 1
[R1-isis-1]network-entity 10.0001.0000.0000.0001.00
[R1-isis-1]is-level level-1	
[R1-isis-1]quit 
[R1]int g0/0/0	
[R1-GigabitEthernet0/0/0]isis enable 1	
[R1-GigabitEthernet0/0/0]quit 
[R1]int g0/0/1	
[R1-GigabitEthernet0/0/1]isis enable 1
[R1-GigabitEthernet0/0/1]quit 
[R1]int lo 0
[R1-LoopBack0]isis enable 1
[R1-LoopBack0]quit 
[R1]bgp 500
[R1-bgp]peer 10.0.2.2 as-number 500
[R1-bgp]peer 10.0.2.2 connect-interface LoopBack 0


[R2]isis 1
[R2-isis-1]network-entity 10.0001.0000.0010.00
[R2-isis-1]is-level level-1
[R2-isis-1]quit 
[R2]int g0/0/0	
[R2-GigabitEthernet0/0/0]isis enable 1
[R2-GigabitEthernet0/0/0]quit 
[R2]int g0/0/1	
[R2-GigabitEthernet0/0/1]isis enable 1	
[R2-GigabitEthernet0/0/1]quit 
[R2]int lo 0
[R2-LoopBack0]isis enable 1	
[R2-LoopBack0]quit 
[R2]bgp 500
[R2-bgp]peer 10.0.1.1 as-number 500
[R2-bgp]peer 10.0.1.1 connect-interface LoopBack 0
[R2-bgp]peer 117.32.32.2 as-number 300
[R2-bgp]import-route isis 1
[R2-bgp]quit


[R3]ospf 1
[R3-ospf-1]are 0
[R3-ospf-1-area-0.0.0.0]network 117.32.32.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 118.16.16.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 10.0.3.0 0.0.0.255	
[R3-ospf-1-area-0.0.0.0]quit 	
[R3-ospf-1]quit 
[R3]bgp 300	
[R3-bgp]peer 10.0.4.4 as-number 300
[R3-bgp]peer 10.0.4.4 connect-interface LoopBack 0
[R3-bgp]peer 117.32.32.1 as-number 500
[R3-bgp]import-route ospf 1
[R3-bgp]quit


[R4]ospf 1
[R4-ospf-1]are 0	
[R4-ospf-1-area-0.0.0.0]network 118.16.16.0 0.0.0.255
[R4-ospf-1-area-0.0.0.0]network  202.202.202.0 0.0.0.255   ?????
[R4-ospf-1-area-0.0.0.0]network 204.204.204.0 0.0.0.255
[R4-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255	
[R4-ospf-1-area-0.0.0.0]quit 
[R4-ospf-1]quit 
[R4]bgp 300
[R4-bgp]peer 10.0.3.3 as-number 300
[R4-bgp]peer 10.0.3.3 connect-interface LoopBack  0
[R4-bgp]quit


[R5]ip route-static 0.0.0.0 0 204.204.204.1  //配置默认路由，实现R5和Internet互联

2、防火墙FW1接口IP配置与区域划分

防火墙默认用户名：admin
默认密码：Admin@123
需要进行修改密码：admin@123
配置如下：
<USG6000V1>sy
[USG6000V1]sy FW1

[FW1]
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip ad 192.168.10.1 24
[FW1-GigabitEthernet1/0/2]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip ad 192.168.20.1 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip ad 201.201.201.254 24	
[FW1-GigabitEthernet1/0/2]quit 
	
[FW1]firewall zone trust 
[FW1-zone-trust]add interface g1/0/0	
[FW1-zone-trust]quit 	
[FW1]firewall zone untrust 	
[FW1-zone-untrust]add interface g1/0/2	
[FW1-zone-untrust]quit 	
[FW1]firewall zone name zone_student  //新建zone_student区域	
[FW1-zone-zone_student]set priority 60  //安全级别设置在DMZ（50）与Trust（85）之间
[FW1-zone-zone_student]add interface g1/0/1	
[FW1-zone-zone_student]quit

3、创建免认证用户组group_teacher和密码认证用户组group_student并新增账户

[FW1]user-manage group /default/group_teacher    //default是存放用户组的根目录
[FW1-usergroup-/default/group_teacher]quit 
[FW1]user-manage group /default/group_student   	
[FW1-usergroup-/default/group_student]quit 

[FW1]user-manage user 20210001   //创建账户20210001（学号）。可一次创建多个学生账户
[FW1-localuser-20210001]password gdcp@123  //自定义密码，需满足复杂度要求。学生登录后可自行修改密码	
[FW1-localuser-20210001]parent-group /default/group_student   //20210001账户隶属于：/default/group_student组
[FW1-localuser-20210001]quit

4、配置用户认证策略

[FW1]auth-policy  //配置用户认证策略
[FW1-policy-auth]rule name auth-policy_teacher
[FW1-policy-auth-rule-auth-policy_teacher]source-address 192.168.10.0 24   //未指定destinaton，目的IP地址为any
[FW1-policy-auth-rule-auth-policy_teacher]action none   //无须进行认证
[FW1-policy-auth-rule-auth-policy_teacher]quit 

[FW1-policy-auth]rule name auth-policy_student
[FW1-policy-auth-rule-auth-policy_student]source-address 192.168.20.0 24	
[FW1-policy-auth-rule-auth-policy_student]action auth  //需进行portal认证
[FW1-policy-auth-rule-auth-policy_student]quit

5、配置portal认证推送页面，认证后跳转到最近访问的Web页面

[FW1]user-manage web-authentication security port 8887  //security参数表示认证页面需通过HTTPS登录，没有security参数表示认证页面通过http登录。portal端口默认8887
[FW1]user-manage redirect

6、创建安全策略

//创建教师网段访问Internet安全策略
[FW1]security-policy 
[FW1-policy-security]rule  name security-policy_teacher	
[FW1-policy-security-rule-security-policy_teacher]source-zone trust 	
[FW1-policy-security-rule-security-policy_teacher]destination-zone untrust 	
[FW1-policy-security-rule-security-policy_teacher]user user-group /default/group
_teacher   //定义允许访问的用户组
[FW1-policy-security-rule-security-policy_teacher]action permit 	
[FW1-policy-security-rule-security-policy_teacher]quit 

//创建学生网段访问Internet安全策略
[FW1-policy-security]rule name security-policy_student
[FW1-policy-security-rule-security-policy_student]source-zone zone_student
[FW1-policy-security-rule-security-policy_student]destination-zone untrust 
[FW1-policy-security-rule-security-policy_student]user user-group /default/group
_student	
[FW1-policy-security-rule-security-policy_student]action permit 


//学生通过portal认证的端口为8887，需允许zone_student区域和防火墙Local区域之间8887端口流量，以推送学生网段认证信息
[FW1]ip service-set portal_8887 type object  //创建自定义服务类型。服务名称为portal_8887。object对象可以人为指定服务id<16-271>,id不能与其他id冲突。如不能判断id是否冲突，可不指定具体id值，由系统自动分配id（从小到大分配）值
[FW1-object-service-set-portal_8887]service protocol tcp destination-port 8887  //服务协议：TCP；源端端口：如不指定，默认0-65535；目的端端口：8887
[FW1-object-service-set-portal_8887]quit

[FW1]security-policy 
[FW1-policy-security]rule  name student_local_8887	
[FW1-policy-security-rule-student_local_8887]source-zone local 
[FW1-policy-security-rule-student_local_8887]source-zone zone_student
[FW1-policy-security-rule-student_local_8887]destination-zone local 
[FW1-policy-security-rule-student_local_8887]destination-zone zone_student	
[FW1-policy-security-rule-student_local_8887]service portal_8887 
[FW1-policy-security-rule-student_local_8887]action permit

7、配置easy-ip和默认路由

[FW1]nat-policy 
[FW1-policy-nat]rule name to_internet
[FW1-policy-nat-rule-to_internet]source-zone trust 
[FW1-policy-nat-rule-to_internet]source-zone zone_student	
[FW1-policy-nat-rule-to_internet]destination-zone untrust 
[FW1-policy-nat-rule-to_internet]source-address any 
[FW1-policy-nat-rule-to_internet]action source-nat easy-ip 	
[FW1-policy-nat-rule-to_internet]quit 
[FW1-policy-nat]quit 
	
[FW1]ip route-static 0.0.0.0 0 201.201.201.1

8、在路由器R5配置easy-ip和NAT Server，发布Baidu Web和FTP站点

[R5]acl  2000	
[R5-acl-basic-2000]rule permit source any 
[R5-acl-basic-2000]quit 
[R5]int g0/0/0
[R5-GigabitEthernet0/0/0]nat outbound 2000
[R5-GigabitEthernet0/0/0]nat server protocol tcp global current-interface 80 ins
ide 192.168.1.10 80
Warning:The port 80 is well-known port. If you continue it may cause function fa
ilure.
Are you sure to continue?[Y/N]:y
[R5-GigabitEthernet0/0/0]nat server protocol tcp global current-interface 21 ins
ide 192.168.1.20 21

验证【省略】

主机1教师端无须经过认证，可以直接连通Internet IP地址204.204.204.2

主机1教师端无须经过认证，直接通过地址http：//204.204.204.2访问主机3百度Web站点

总结

1）如在路由器上只配置NAT Server，而不配置Easy-IP或者NAPT，仍不能发布内网站点，因为服务器不能访问Internet，无法返回应答报文。

2）在认证时，为避免内网用户盗号，建议采用HTTPS协议登录portal认证页面，即user-namage web-authentication security port 8887需加security参数。

原文地址:https://blog.csdn.net/2301_76274559/article/details/135100445 本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：https://www.suanlizi.com/kf/1737768385900580864.html 如若内容造成侵权/违法违规/事实不符，请联系《酸梨子》网邮箱：1419361763@qq.com进行投诉反馈，一经查实，立即删除！

阅读全部