HCIA-Security Lab (Hot Standby + User Management)
Author: 阿新 • Published: 2022-02-23
1. Topology diagram
2. Planning
2.1 VLAN plan for SW1
| VLAN | Ports |
| --- | --- |
| VLAN10 | G0/0/1, G0/0/5, G0/0/9 |
| VLAN20 | G0/0/2, G0/0/6, G0/0/10 |
| VLAN30 | G0/0/3, G0/0/7, G0/0/11 |
| VLAN40 | G0/0/4, G0/0/8, G0/0/12 |
2.2 IP address plan

#FW1

| Interface | IP address |
| --- | --- |
| G0/0/0 | 192.168.0.10/24 |
| G1/0/0 | 10.1.1.10/24 |
| G1/0/1 | 202.100.1.10/24 |
| G1/0/2 | 192.168.1.10/24 |
| G1/0/3 | 172.16.0.10/24 |

#FW2

| Interface | IP address |
| --- | --- |
| G0/0/0 | 192.168.0.20/24 |
| G1/0/0 | 10.1.1.20/24 |
| G1/0/1 | 202.100.1.20/24 |
| G1/0/2 | 192.168.1.20/24 |
| G1/0/3 | 172.16.0.20/24 |

#PC1

10.1.1.1/24

#ISP

| Interface | IP address |
| --- | --- |
| G0/0/0 | 202.100.1.253/24 |
| G0/0/1 | |

#SERVER1

192.168.1.1/24
3. Basic configuration
① Configure IP addresses (omitted)
② Configure the corresponding VLANs (omitted)
③ Configure the firewall security zones
#FW1
```
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/0
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/2
```
#FW2
```
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/0
[FW2-zone-trust]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1
[FW2-zone-untrust]firewall zone dmz
[FW2-zone-dmz]add interface GigabitEthernet 1/0/2
```

Note that GigabitEthernet 1/0/3, used as the heartbeat link in section 4, must also belong to a security zone before the firewall will send or receive HRP packets on it; the steps above do not show which zone it was placed in.

④ PC1 configuration
⑤ Server1 configuration
4. Configure hot standby (HRP)
4.1 Commands
#FW1
```
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.1.254 active
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 202.100.1.254 active
#Configure the heartbeat link
[FW1]hrp interface GigabitEthernet 1/0/3 remote 172.16.0.20
```

The HRP_M (master) and HRP_S (standby) prompts that appear in the next step only show up once `hrp enable` has been executed on both firewalls; that command is not shown in the listing above.
#FW2
```
[FW2]interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.1.254 standby
[FW2-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 202.100.1.254 standby
#Define the standby device
[FW2]hrp standby-device
#Configure the heartbeat link
[FW2]hrp interface GigabitEthernet 1/0/3 remote 172.16.0.10
```

#Synchronize the security policy

The `(+B)` suffix after each command means it was backed up (synchronized) to the standby device, so the rule is only configured on the master:

```
HRP_M[FW1]security-policy (+B)
HRP_M[FW1-policy-security]rule name internet (+B)
HRP_M[FW1-policy-security-rule-internet]source-zone trust (+B)
HRP_M[FW1-policy-security-rule-internet]destination-zone untrust (+B)
HRP_M[FW1-policy-security-rule-internet]action permit (+B)
```
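A hot-standby pair only fails over cleanly when the two members agree: same VRRP groups and virtual IPs on the same interfaces, opposite active/standby roles matching which box carries `hrp standby-device`, and each heartbeat `remote` address pointing at the peer's heartbeat interface. The script below is an added example (not from the original article) that checks those invariants offline against two running-config fragments. The two configuration texts are constructed from the lab values above, written one command per line as they would appear in `display current-configuration`, and include the `hrp enable` line the lab omits.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample configs (lab values from the article, running-config layout).
FW1_CFG = """
interface GigabitEthernet1/0/0
 ip address 10.1.1.10 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.254 active
interface GigabitEthernet1/0/1
 ip address 202.100.1.10 255.255.255.0
 vrrp vrid 2 virtual-ip 202.100.1.254 active
interface GigabitEthernet1/0/3
 ip address 172.16.0.10 255.255.255.0
hrp enable
hrp interface GigabitEthernet1/0/3 remote 172.16.0.20
"""

FW2_CFG = """
interface GigabitEthernet1/0/0
 ip address 10.1.1.20 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.254 standby
interface GigabitEthernet1/0/1
 ip address 202.100.1.20 255.255.255.0
 vrrp vrid 2 virtual-ip 202.100.1.254 standby
interface GigabitEthernet1/0/3
 ip address 172.16.0.20 255.255.255.0
hrp enable
hrp standby-device
hrp interface GigabitEthernet1/0/3 remote 172.16.0.10
"""

IF_RE = re.compile(r"^interface\s+(\S+)")
IP_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+\S+")
VRRP_RE = re.compile(r"^\s+vrrp vrid\s+(\d+)\s+virtual-ip\s+(\d+\.\d+\.\d+\.\d+)\s+(active|standby)")
HRP_IF_RE = re.compile(r"^hrp interface\s+(\S+)\s+remote\s+(\d+\.\d+\.\d+\.\d+)")


@dataclass
class HrpConfig:
    name: str
    hrp_enabled: bool = False
    standby_device: bool = False
    heartbeat_if: Optional[str] = None
    heartbeat_remote: Optional[str] = None
    if_ips: Dict[str, str] = field(default_factory=dict)             # interface -> address
    vrrp: Dict[int, Tuple[str, str, str]] = field(default_factory=dict)  # vrid -> (interface, vip, role)


def parse(name: str, text: str) -> HrpConfig:
    """Extract the HRP/VRRP-relevant lines from a running-config fragment."""
    cfg = HrpConfig(name)
    current_if = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # system-view command: leaves any interface view
            current_if = None
        m = IF_RE.match(line)
        if m:
            current_if = m.group(1)
            continue
        if current_if:
            m = IP_RE.match(line)
            if m:
                cfg.if_ips[current_if] = m.group(1)
                continue
            m = VRRP_RE.match(line)
            if m:
                vrid, vip, role = m.groups()
                cfg.vrrp[int(vrid)] = (current_if, vip, role)
                continue
        stripped = line.strip()
        if stripped == "hrp enable":
            cfg.hrp_enabled = True
        elif stripped == "hrp standby-device":
            cfg.standby_device = True
        else:
            m = HRP_IF_RE.match(stripped)
            if m:
                cfg.heartbeat_if, cfg.heartbeat_remote = m.groups()
    return cfg


def check_pair(a: HrpConfig, b: HrpConfig) -> List[str]:
    """Return a list of findings; an empty list means the pair is consistent."""
    findings: List[str] = []
    for cfg in (a, b):
        if not cfg.hrp_enabled:
            findings.append(f"{cfg.name}: 'hrp enable' missing, the HRP_M/HRP_S prompt will never appear")
        if cfg.heartbeat_if is None:
            findings.append(f"{cfg.name}: no 'hrp interface ... remote ...' heartbeat link")
        expected = "standby" if cfg.standby_device else "active"
        wrong = [v for v, (_, _, role) in cfg.vrrp.items() if role != expected]
        if wrong:
            findings.append(f"{cfg.name}: vrid {wrong} should be '{expected}' given its hrp standby-device setting")
    if sum(1 for c in (a, b) if c.standby_device) != 1:
        findings.append("exactly one member must be configured with 'hrp standby-device'")
    if set(a.vrrp) != set(b.vrrp):
        findings.append(f"VRRP group sets differ: {sorted(a.vrrp)} vs {sorted(b.vrrp)}")
    for vrid in sorted(set(a.vrrp) & set(b.vrrp)):
        if_a, vip_a, role_a = a.vrrp[vrid]
        if_b, vip_b, role_b = b.vrrp[vrid]
        if vip_a != vip_b:
            findings.append(f"vrid {vrid}: virtual IP mismatch {vip_a} vs {vip_b}")
        if if_a != if_b:
            findings.append(f"vrid {vrid}: configured on {if_a} vs {if_b}")
        if role_a == role_b:
            findings.append(f"vrid {vrid}: both members are '{role_a}'")
    for me, peer in ((a, b), (b, a)):
        if me.heartbeat_remote and peer.heartbeat_if:
            peer_ip = peer.if_ips.get(peer.heartbeat_if)
            if me.heartbeat_remote != peer_ip:
                findings.append(f"{me.name}: heartbeat remote {me.heartbeat_remote} is not {peer.name}'s "
                                f"{peer.heartbeat_if} address ({peer_ip})")
    return findings


if __name__ == "__main__":
    for f in check_pair(parse("FW1", FW1_CFG), parse("FW2", FW2_CFG)) or ["pair is consistent"]:
        print(f)
```

Run it before enabling HRP on real hardware: a mismatched virtual IP or a forgotten `hrp standby-device` is caught here as a one-line finding instead of as two masters fighting over the same VRRP address after a failover.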
4.2 Verification
① PC1 can access the untrust network (the traffic is permitted by the synchronized rule)
5. User management
5.1 Require users in 10.1.1.0/24 to authenticate before accessing untrust
① Configure the password
② Configure the authentication policy
③ Configure the authentication options
④ Create the service
⑤ Configure the security policy