Experiment 1 (Connecting to the Network Device)

Objective

Learn how to log in to the firewall remotely from a PC

Lab topology
(Figure: Experiment 1 topology)
Steps

1. Choose a virtual network adapter (usually the VMware one) and configure the Cloud node as shown in the figure below.

(Figure: Cloud node configuration)

2. Log in to the firewall. The default username is admin and the default password is Admin@123; the password must be changed after the first login.

3. Enter interface G0/0/0. This is the management port, so the firewall-side end of the connection must be G0/0/0. Change its IP address to one in the same subnet as the virtual adapter and permit the HTTP service.

```
int g0/0/0
ip address 192.168.16.254 24
service-manage all permit    # permit all management services (my habit)
```
(Figure: firewall web interface)

4. In a browser, enter the IP address of G0/0/0, click "Advanced", click "Proceed", and enter the account and the changed password.

(Figure: network)

Then you are in.

Experiment 2 (Basic Firewall Configuration)

Objective
  • Learn how to name the device
  • Learn how to configure the device time
  • Learn how to back up and restore the configuration file
Lab topology


Lab steps
Naming and time settings
```
system-view                              # enter system view
sysname USG_A                            # rename the device to USG_A
interface G0/0/0                         # enter interface G0/0/0
ip address 192.168.16.254 24             # configure the address
service-manage all permit                # permit all management services
<USG_A>clock datetime 0:0:0 2021-12-12   # set the date (user view)
<USG_A>clock timezone BJ add 08:00:00    # set the time zone offset; it cannot exceed 14:00:00
```

Log in to the web interface and you can see that the time has been set.

Configuration file backup

Choose System, click Configuration File Management, then click Select.


Downloading the file to the local machine is the backup; uploading browses a local file and replaces the configuration with it.

Note that the uploaded file must be in zip or jpg format.


See the dim light bulb under the configuration entry? Click it to set that file as the next-startup configuration, then click OK.


System >> Configuration >> System Restart. Once the system has restarted, all requirements of this experiment are complete.

Experiment 3 (Basic Network Configuration)

Objective
  • Understand the purpose of routing
  • Learn how to configure static routes
Configuration approach
  • Configure IP addresses
  • Configure static routes
  • Test connectivity between the PCs

Lab topology
Lab steps

1. Configure IP addresses

R1:

```
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 1.1.1.1 24
```

R2:

```
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 1.1.1.2 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.2.254 24
```

2. Configure static routes

R1:

```
[Huawei]ip route-static 192.168.2.0 24 1.1.1.2
```

R2:

```
[Huawei]ip route-static 192.168.1.0 24 1.1.1.1
```

3. Test connectivity between the PCs

PC1:

(Figure: PC1 connectivity test)

PC2:

(Figure: PC2 connectivity test)

At this point Experiment 3 is complete.

Experiment 4 (Firewall Security Policy)

Objective
  • Understand how security policies work
  • Understand the relationships between different security zones
  • Learn how to configure security policies from the CLI and from the web UI
Lab topology
Configuration approach
  • Configure device IP addresses and the security zone each interface belongs to
  • Configure the interzone security policy
Configuration steps

CLI configuration:

IP address configuration

```
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 40.1.1.1 24
[USG6000V1-GigabitEthernet1/0/0]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 10.1.1.1 24
[USG6000V1-GigabitEthernet1/0/1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]ip address 192.168.16.254 24
```

Configure the forwarding policy between the trust and untrust zones

```
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]action permit
[USG6000V1-policy-security-rule-trust_untrust]quit
```

Bind the interfaces to zones. Normally a default route would be configured as well, but the neighbouring device here is a switch, so no default route is added.

```
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/0
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/1
```
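To make the zone model concrete, here is a small Python model of the policy just configured. It is an added example, not code from this page or from the USG; it assumes the interface-to-zone mapping above, top-down first-match evaluation with an implicit final deny for interzone traffic, and treats an interface that has not been added to any zone as unable to forward.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the lab's USG6000V1 configuration (added example, not firewall code).
# interface -> (subnet, zone). G0/0/0 is the management port and was not added to any zone.
INTERFACES = {
    "GigabitEthernet1/0/0": (ip_network("40.1.1.0/24"), "trust"),
    "GigabitEthernet1/0/1": (ip_network("10.1.1.0/24"), "untrust"),
    "GigabitEthernet0/0/0": (ip_network("192.168.16.0/24"), None),
}

# security-policy rules in the order they were entered; evaluated top-down, first match wins.
# "any" is accepted as a wildcard zone so the same evaluator also works for broader rules.
RULES = [
    {"name": "trust_untrust", "source-zone": "trust", "destination-zone": "untrust", "action": "permit"},
]

def zone_of(ip):
    """Zone of the interface whose subnet contains ip; None if the interface is in no zone
    (or the address is not on any connected subnet of this simplified model)."""
    addr = ip_address(ip)
    for subnet, zone in INTERFACES.values():
        if addr in subnet:
            return zone
    return None

def _zone_matches(rule_zone, zone):
    return rule_zone == "any" or rule_zone == zone

def evaluate(src_ip, dst_ip):
    """Return (action, rule_name) for a new session from src_ip to dst_ip."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return ("deny", "no-zone")        # unzoned interface: the firewall will not forward
    for rule in RULES:
        if _zone_matches(rule["source-zone"], src_zone) and _zone_matches(rule["destination-zone"], dst_zone):
            return (rule["action"], rule["name"])
    return ("deny", "default")            # implicit final rule: deny everything not matched

if __name__ == "__main__":
    for src, dst in [("40.1.1.10", "10.1.1.10"), ("10.1.1.10", "40.1.1.10"), ("192.168.16.1", "10.1.1.10")]:
        print(src, "->", dst, evaluate(src, dst))
```

Only the trust to untrust direction is permitted; the reverse direction falls through to the implicit deny, and traffic entering on the unzoned management interface is not forwarded at all.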

Result

(Figure: result)

Web configuration:

Interface IP addresses and security zones: go to Network >> Interfaces and click the interface name to configure it. This is not demonstrated in detail here.

Security policy: Policy >> Security Policy >> New Security Policy; here you can set the name and the source and destination security zones.

At this point Experiment 4 is complete.

Experiment 5 (NAT Server and Source NAT)

Objective
  • Understand the use cases and principles of source NAT
  • Understand the use cases and principles of NAT server
  • Learn how to configure NAT server and source NAT on the firewall from the CLI and from the web UI
Lab topology

Configuration approach (source NAT)

1. The red area simulates the external network; the green and blue areas are the internal network. Source NAT provides connectivity between the internal and external networks.

2. Configure the basic IP addresses and security zones, and permit the corresponding security policy.

3. Create the NAT address pool.

4. Configure the NAT policy.

Configuration steps: CLI

Firewall IP addresses and default route

```
<USG6000V1>system-view
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/0]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 2.2.2.1 24
[USG6000V1-GigabitEthernet1/0/1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]ip address 192.168.16.254 24
[USG6000V1-GigabitEthernet0/0/0]service-manage https permit
[USG6000V1-GigabitEthernet0/0/0]quit
[USG6000V1]ip route-static 0.0.0.0 0 2.2.2.2
```

Router IP addresses and default route

```
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip address 192.168.3.254 24
[Huawei-GigabitEthernet0/0/1]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 2.2.2.2 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ip route-static 0.0.0.0 0 2.2.2.1
```

Zones and security policy (the firewall interfaces must be added to zones, otherwise the firewall cannot forward traffic)

```
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/0
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-untrust]quit
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]action permit
[USG6000V1-policy-security-rule-trust_untrust]quit
```

Address pool and NAT policy

```
[USG6000V1]nat address-group natpool
[USG6000V1-address-group-natpool]section 2.2.2.3 2.2.2.6
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name source_nat
[USG6000V1-policy-nat-rule-source_nat]source-zone trust
[USG6000V1-policy-nat-rule-source_nat]destination-zone untrust
[USG6000V1-policy-nat-rule-source_nat]action source-nat address-group natpool
```

Result

(Figure: result)

You can see that the source IP address of the traffic has been replaced with an address from the pool.

Configuration steps: web

What are you looking at? There isn't one.

Configuration approach (NAT server)
  • Configure NAT server (security policy)
  • Configure the NAT address pool
  • Configure the NAT policy
Configuration steps: CLI

Security policy

```
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name ser_nat
[USG6000V1-policy-security-rule-ser_nat]source-zone untrust
[USG6000V1-policy-security-rule-ser_nat]destination-zone trust
[USG6000V1-policy-security-rule-ser_nat]action permit
```

Configure the NAT address pool

```
[USG6000V1]nat address-group serpool
[USG6000V1-address-group-serpool]section 192.168.1.20 192.168.1.25
```

Configure the NAT policy

```
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name ser_nat
[USG6000V1-policy-nat-rule-ser_nat]source-zone untrust
[USG6000V1-policy-nat-rule-ser_nat]destination-zone trust
[USG6000V1-policy-nat-rule-ser_nat]action source-nat address-group serpool
```
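The two NAT policies of this experiment, modelled in Python as an added example (not code from this page or from the USG). It reproduces the natpool and serpool sections and both rules with a session table so replies can be mapped back; the way an address is picked from the pool is an assumption of the model. The second rule reproduces the ser_nat configuration above, which is also an action source-nat, applied to traffic entering from untrust into trust.

```python
from ipaddress import ip_address

# Constructed model of the lab's NAT configuration (added example, not USG code).
# nat address-group <name> / section <start> <end>, both ends inclusive
POOLS = {
    "natpool": ("2.2.2.3", "2.2.2.6"),
    "serpool": ("192.168.1.20", "192.168.1.25"),
}
# nat-policy rules in configured order; the first matching rule is applied
NAT_RULES = [
    {"name": "source_nat", "src_zone": "trust",   "dst_zone": "untrust", "pool": "natpool"},
    {"name": "ser_nat",    "src_zone": "untrust", "dst_zone": "trust",   "pool": "serpool"},
]

def pool_addresses(name):
    """Expand a section into its individual addresses."""
    lo, hi = (int(ip_address(a)) for a in POOLS[name])
    return [str(ip_address(i)) for i in range(lo, hi + 1)]

class SourceNat:
    def __init__(self):
        # (translated_ip, translated_port, dst_ip, dst_port) -> (original_ip, original_port)
        self.sessions = {}
        self.next_port = 10000

    def translate(self, src_zone, dst_zone, src_ip, src_port, dst_ip, dst_port):
        """Apply the first matching nat-policy rule; return (rule, new_ip, new_port) or None."""
        for rule in NAT_RULES:
            if rule["src_zone"] == src_zone and rule["dst_zone"] == dst_zone:
                addrs = pool_addresses(rule["pool"])
                # pick by original source address: a deterministic choice for this model,
                # not the USG's real allocation algorithm
                new_ip = addrs[int(ip_address(src_ip)) % len(addrs)]
                new_port, self.next_port = self.next_port, self.next_port + 1
                self.sessions[(new_ip, new_port, dst_ip, dst_port)] = (src_ip, src_port)
                return (rule["name"], new_ip, new_port)
        return None   # no rule matched: the packet keeps its original source

    def reverse(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply packet back to the original client through the session table."""
        return self.sessions.get((dst_ip, dst_port, src_ip, src_port))
```

A reply that does not match an existing session entry gets None, which is why the session table, not the pool, decides what reaches the inside host.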

Result

(Figure: result)

Experiment 6 (Hot Standby)

Introduction
About this experiment
  • This experiment checks that, when one firewall goes down, the backup firewall takes over quickly and network connectivity is maintained.
Objective
  • Understand the basic principles of hot standby
  • Understand the VGMP and HRP protocols
  • Learn how to configure firewall hot standby from the CLI and from the web UI
Lab topology

Configuration approach

1. Configure the basic IP addresses.

2. Add the interfaces to zones, permit the security policy and configure routes.

3. Configure VRRP and HRP with automatic backup.

Configuration steps
Basic IP address configuration

FW1 IP configuration

```
<USG6000V1>system-view
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 100.1.1.1 24
[USG6000V1-GigabitEthernet1/0/1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip address 192.168.2.2 24
[USG6000V1-GigabitEthernet1/0/2]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 10.1.1.1 24
```

FW2 IP configuration

```
<USG6000V1>system-view
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 100.1.1.2 24
[USG6000V1-GigabitEthernet1/0/1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip address 192.168.2.3 24
[USG6000V1-GigabitEthernet1/0/2]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 10.1.1.2 24
```

Router R1 configuration (a router is used here because a route's next hop cannot be a PC, whereas a router can serve as the next hop and also simulate a PC's access)

```
<Huawei>system-view
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.2.1 24
[Huawei-GigabitEthernet0/0/0]interface LoopBack0
[Huawei-LoopBack0]ip address 114.114.114.114 32
```
Zones, security policy and routes

FW1 zones, policy, route

```
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/2
[USG6000V1-zone-untrust]quit
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/0

[USG6000V1]security-policy                 # trust -> untrust access
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]action permit
[USG6000V1]security-policy                 # HRP heartbeat rule
[USG6000V1-policy-security]rule name heart
[USG6000V1-policy-security-rule-heart]source-zone local
[USG6000V1-policy-security-rule-heart]destination-zone dmz
[USG6000V1-policy-security-rule-heart]action permit

[USG6000V1]ip route-static 0.0.0.0 0 192.168.2.1
```

FW2 zones, policy, route

```
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/2
[USG6000V1-zone-untrust]quit
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/0

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]action permit
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name heart
[USG6000V1-policy-security-rule-heart]source-zone local
[USG6000V1-policy-security-rule-heart]destination-zone dmz
[USG6000V1-policy-security-rule-heart]action permit

[USG6000V1]ip route-static 0.0.0.0 0 192.168.2.1
```
VRRP, HRP and automatic backup

FW1 VRRP, HRP, backup

```
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 100.1.1.99 active
# vrid: ID of this VRRP group; virtual-ip: the virtual IP shared by the pair; active: this unit is the master
[USG6000V1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]vrrp vrid 2 virtual-ip 192.168.2.99 active

[USG6000V1]sysname FW1
[FW1]hrp enable                 # enable HRP heartbeat
HRP_S[FW1]hrp auto-sync         # enable automatic backup
HRP_S[FW1]dis hrp state         # show HRP state
2021-12-19 09:35:44.220
Role: standby, peer: unknown
Running priority: 45000, peer: unknown
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2021-12-19 9:35:18 HRP core state changed, old_state = initial, new_state = abnormal(standby), local_priority = 45000, peer_priority = unknown.
HRP_S[FW1]dis hrp int
2021-12-19 09:39:36.630
Info: There is no HRP interface.

HRP_S[FW1]hrp interface g1/0/0 remote 10.1.1.2   # heartbeat interface (G1/0/0 carries the 10.1.1.0/24 link); remote is the peer's IP
Info: It is suggested to configure encryption key for HRP backup channels.
```

FW2 VRRP, HRP, automatic backup

```
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 100.1.1.99 standby
# standby: this unit is the backup
[USG6000V1-GigabitEthernet1/0/1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]vrrp vrid 2 virtual-ip 192.168.2.99 standby

[USG6000V1]sysname FW2
[FW2]hrp enable
HRP_S[FW2]hrp auto-sync

HRP_S[FW2]hrp interface g1/0/0 remote 10.1.1.1
HRP_S[FW2]dis hrp state
2021-12-19 10:15:06.950
Role: standby, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 0 minutes
Last state change information: 2021-12-19 10:14:34 HRP link changes to up.
HRP_S[FW2]dis hrp int
2021-12-19 10:15:40.550
GigabitEthernet1/0/0 : running
```
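As an added example (not code from this page or from the USG), a small Python model of what VGMP does with the two VRRP groups configured above: both units start at priority 45000, as shown by dis hrp state, and the active unit owns both virtual IPs. That each failed monitored interface lowers the priority by 2, that the unit configured active wins an equal-priority tie, and that it preempts immediately on recovery are assumptions of the model; the point it shows is that the two virtual IPs always move together.

```python
# Constructed model of VGMP-managed VRRP failover for the pair above (added example, not USG code).
# Assumptions: base priority 45000 as shown by "dis hrp state"; each monitored interface that
# goes down lowers the priority by PRIORITY_STEP (an assumed value); the unit configured
# "active" keeps the role on equal priority. VGMP moves every VRRP group of a unit together.
VRRP_GROUPS = {1: "100.1.1.99", 2: "192.168.2.99"}
BASE_PRIORITY = 45000
PRIORITY_STEP = 2

class Firewall:
    def __init__(self, name, monitored, configured_role):
        self.name = name
        self.links = {iface: "up" for iface in monitored}   # monitored interface states
        self.configured_role = configured_role              # "active" or "standby"

    def priority(self):
        failed = sum(1 for state in self.links.values() if state == "down")
        return BASE_PRIORITY - PRIORITY_STEP * failed

    def set_link(self, iface, state):
        self.links[iface] = state

def elect(fw_a, fw_b):
    """Return the name of the unit that holds the active role."""
    if fw_a.priority() != fw_b.priority():
        return max((fw_a, fw_b), key=lambda fw: fw.priority()).name
    return next(fw.name for fw in (fw_a, fw_b) if fw.configured_role == "active")

def virtual_ip_owner(fw_a, fw_b):
    """Every virtual IP is owned by the active unit; they are never split between the two."""
    active = elect(fw_a, fw_b)
    return {vip: active for vip in VRRP_GROUPS.values()}

def failover_demo():
    """Take FW1's trust-side interface down, then bring it back; return the owners at each stage."""
    fw1 = Firewall("FW1", ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"], "active")
    fw2 = Firewall("FW2", ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"], "standby")
    before = virtual_ip_owner(fw1, fw2)
    fw1.set_link("GigabitEthernet1/0/1", "down")
    after = virtual_ip_owner(fw1, fw2)
    fw1.set_link("GigabitEthernet1/0/1", "up")
    recovered = virtual_ip_owner(fw1, fw2)
    return before, after, recovered

if __name__ == "__main__":
    for stage, owners in zip(("before", "after", "recovered"), failover_demo()):
        print(stage, owners)
```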

I found that the routes did not work; after searching online I learned that eNSP has a bug.

So I modified the topology a bit and used OSPF routing instead.

Modified topology

OSPF route configuration; once VRRP is configured this only needs to be configured once.

FW1:

```
[FW1]ospf 1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
```

R1:

```
[Huawei]ospf 1
[Huawei-ospf-1]area 0
[Huawei-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
```
The result is shown below:

(Figure: result)

You can see that with the upper firewall shut down, the network keeps running on FW2.

(Figure: result with FW1 shut down)

This experiment is complete.

Experiment 7 (Firewall User Management)

Introduction
About this experiment
  • In this experiment a firewall is placed at the network egress to authenticate users accessing the Internet.
Objective
  • Understand the basic principles of user management
  • Learn how to configure authentication-exempt users
  • Learn how to configure password-authenticated users
Lab topology

Configuration approach
  • Configure the corresponding IP addresses and security zones
  • Create user groups and the corresponding user-group policies

Set the web management address

```
<USG6000V1>system-view
[USG6000V1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]ip address 192.168.16.254 24
[USG6000V1-GigabitEthernet0/0/0]service-manage https permit
```

Set the firewall IP addresses and security zones

Object >> default >> New >> New User Group >> Test

Object >> User >> Authentication Policy >> New >> Guest

Object >> default >> New >> New User Group >> normal

Authentication Policy >> New >> Normal

Policy >> Security Policy >> New >> Test

Policy >> Security Policy >> New >> Normal

Policy >> Security Policy >> Name: anquan; source/destination zones: trust + local >> Service >> New >> Name: TCP, destination port: 8887

Experiment 8 (L2TP)

Lab topology

Objective
  • Understand the basic principles of L2TP VPN dial-up.
  • Understand the Client-Initialized L2TP application scenario.

Lab steps

Configure an IP address for logging in to the web management interface

```
<USG6000V1>system-view
[USG6000V1]sysname FW1

[FW1]int g0/0/0
[FW1-GigabitEthernet0/0/0]ip address 192.168.153.254 24
[FW1-GigabitEthernet0/0/0]service-manage http permit   # for a lab, all permit is also fine
```

Log in to the web management interface, configure the interface IP addresses as shown below, and add each interface to its corresponding zone.