热门标签
热门文章
- 1梯度提升树GBDT模型原理及spark ML实现_pyspark gbdt subsamplingrate
- 2C++:继承与派生_c++继承与派生
- 3Springboot 中使用 Redisson+AOP+自定义注解 实现访问限流与黑名单拦截_spring redis 黑名单
- 4如何下载Idea专业版_idea专业版下载
- 5AWS S3 协议对接 minio/oss 等_minio s3协议
- 6Android字体大小多屏幕适配_android字体大小适配屏幕
- 7深入理解package.json中dependencies和devDependencies 的区别_dependencies packge.json会影响其他项目吗
- 8Hive collect_set与collect_list_hive的collect的底层数据结构
- 9基于STM32的ADC采样及各式滤波实现(HAL库,含VOFA+教程)_数据采集滤波算法stm32(2)_vofa+.tabviews
- 10基于51单片机的搬运机器人系统protues仿真_proteus机械臂仿真
当前位置: article > 正文
ENSP实验四:搭建VPN(GRE,配置安全策略)_ensp gre nat
作者:weixin_40725706 | 2024-05-14 06:02:01
赞
踩
ensp gre nat
首先分析一下数据的流向:
PC1->PC2
1、FW1:trust->dmz 【192.168.1.1->192.168.2.1 ICMP】
2、AR1->AR2:【202.1.1.1->202.1.3.1|GRE|192.168.1.1->192.168.2.1 icmp】
3、FW2:
①untrust->local 202.1.1.1->202.1.3.1 GRE
②dmz->trust 【192.168.1.1->192.168.2.1 ICMP】
PC2->PC1
4、FW2: trust->dmz 【192.168.1.1<-192.168.2.1 ICMP】
5、AR2->AR1: 【202.1.1.1<-202.1.3.1|GRE|192.168.1.1<-192.168.2.1 icmp】
6、FW1:
① untrust->local 202.1.1.1<-202.1.3.1|GRE
②dmz->trust 【192.168.1.1<-192.168.2.1 ICMP】
一、基础配置+建立VPN通道+引流(参考ENSP实验三带内容)
**将Tunnel1逻辑接口配到dmz区域中
ping流量【192.168.1.1->192.168.2.1 icmp】从PC1流至FW1
二、FW1配置安全策略(单向:PC1->PC2):
- [FW1]security-policy
-
- [FW1-policy-security]rule name test1
-
- [FW1-policy-security-rule-test1]source-zone trust
-
- [FW1-policy-security-rule-test1]destination-zone dmz
-
- [FW1-policy-security-rule-test1]source-address 192.168.1.1 mask 255.255.255.255
-
- [FW1-policy-security-rule-test1]destination-address 192.168.2.1 mask 255.255.255
-
- .255
-
- [FW1-policy-security-rule-test1]service icmp
-
- [FW1-policy-security-rule-test1]action permit
将流量送至FW1后,根据外层头二次查表,送至下一个路由AR1【202.1.1.1->202.1.3.1|GRE|192.168.1.1->192.168.2.1 icmp】
AR1查表,将流量送至AR2
三、配置FW2收流量带安全策略(单向:PC1->PC2)
收到AR2传来的流量【202.1.1.1->202.1.3.1|GRE|192.168.1.1->192.168.2.1 icmp】
1、策略1:决定收不收流量
- [FW2]security-policy
- [FW2-policy-security]rule name test1
- [FW2-policy-security-rule-test1]source-zone untrust
- [FW2-policy-security-rule-test1]destination-zone local
- [FW2-policy-security-rule-test1]source-address 202.1.1.1 mask 255.255.255.255
- [FW2-policy-security-rule-test1]destination-address 202.1.3.1 mask 255.255.255.2
- 55
- [FW2-policy-security-rule-test1]service gre 或者service protocol 47
- [FW2-policy-security-rule-test1]action permit
2、策略2:将流量送至trust区
- [FW2]security-policy
- [FW2-policy-security]rule name test2
- [FW2-policy-security-rule-test2]display this
- #
- rule name test2
- source-zone dmz
- destination-zone trust
- source-address 192.168.1.1 32
- destination-address 192.168.2.1 32
- service icmp
- action permit
- #
*Icmp对应ping命令
四、反向配安全策略(PC2->PC1)
配置好后的策略:
*取消放行所有的安全策略:
- [FW1]security-policy
- [FW1-policy-security]default action deny
- [FW2-policy-security]display this
- #
- security-policy
- rule name test1
- source-zone untrust
- destination-zone local
- source-address 202.1.1.1 32
- destination-address 202.1.3.1 32
- service protocol 47
- action permit
- rule name test2
- source-zone trust
- source-zone dmz
- destination-zone trust
- destination-zone dmz
- source-address 192.168.1.1 32
- source-address 192.168.2.1 32
- destination-address 192.168.1.1 32
- destination-address 192.168.2.1 32
- service icmp
- action permit
- #
-
- [FW1-policy-security] display this
- #
- security-policy
- rule name test1
- source-zone trust
- source-zone dmz
- destination-zone trust
- destination-zone dmz
- source-address 192.168.1.1 32
- source-address 192.168.2.1 32
- destination-address 192.168.1.1 32
- destination-address 192.168.2.1 32
- service icmp
- action permit
- rule name test2
- source-zone untrust
- destination-zone local
- source-address 202.1.3.1 32
- destination-address 202.1.1.1 32
- service protocol 47
- action permit
- #
配置好后可实现PC1与PC2之间的ping
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/weixin_40725706/article/detail/567632
推荐阅读
相关标签
