HCIP-Security 1.1 Multi-egress routing 4 (DNS transparent proxy)
阿新 • Published: 2022-04-16
1. Network topology
2. Planning
2.1 IP address plan
| Device | Interface | Security zone | IP address |
|---|---|---|---|
| FW1 | GE0/0/0 | Local | 192.168.0.10/24 |
| FW1 | GE1/0/0 | Local | 202.100.2.10/24 |
| FW1 | GE1/0/1 | Local | 202.100.1.10/24 |
| FW1 | GE1/0/2 | Local | 10.1.1.10/24 |
| FW1 | GE1/0/3 | Local | 10.1.2.10/24 |
| FW1 | GE1/0/4 | Local | 10.1.3.10/24 |
| FW1 | GE1/0/5 | Local | 192.168.34.10/24 |
| ISP1 | GE0/0/0 | untrust | 11.1.1.20/24 |
| ISP1 | GE0/0/1 | untrust | 202.100.1.20/24 |
| ISP1 | Loopback0 | untrust | 1.1.1.1/32 |
| ISP1 | Loopback1 | untrust | 2.2.2.2/32 |
| ISP1 | GE0/0/2 | untrust | 223.5.5.20/24 |
| ISP2 | GE0/0/0 | untrust | 12.1.1.20/24 |
| ISP2 | GE0/0/1 | untrust | 202.100.2.20/24 |
| ISP2 | Loopback0 | untrust | 3.3.3.3/32 |
| ISP2 | Loopback1 | untrust | 4.4.4.4/32 |
| ISP2 | GE0/0/2 | untrust | 223.6.6.20/24 |
| Internet | GE0/0/0 | untrust | 11.1.1.30/24 |
| Internet | GE0/0/1 | untrust | 12.1.1.30/24 |
| Internet | GE0/0/2 | untrust | 120.1.1.30/24 |
| http_server | Ethernet0/0/0 | untrust | 120.1.1.2/24 |
| ISP1_DNS1 | Ethernet0/0/0 | untrust | 223.5.5.5/24 |
| ISP1_DNS2 | Ethernet0/0/0 | untrust | 223.5.5.6/24 |
| ISP2_DNS1 | Ethernet0/0/0 | untrust | 223.6.6.6/24 |
| ISP2_DNS2 | Ethernet0/0/0 | untrust | 223.6.6.7/24 |
| DMZ_Server | Ethernet0/0/0 | dmz | 192.168.34.1/24 |
| kali_linux | Ethernet0/0/0 | trust | 10.1.1.128/24 |
| RHEL | Ethernet0/0/0 | trust | 10.1.2.2/24 |
| PC2 | Ethernet0/0/0 | trust | 10.1.3.1/24 |
| MGMT_PC | Ethernet0/0/0 | trust | 192.168.0.1/24 |
2.2 Lab requirements
When an internal user accesses a domain name, the DNS transparent proxy rewrites the DNS server address originally carried in the query to the DNS address configured on the firewall. Different egress interfaces hand the query to different ISPs' links and DNS servers.
3. Configuration
3.1 Configuration outside the firewall
3.1.1 ISP1 router
```
<Huawei>system-view
[Huawei]sysname ISP1
[ISP1]user-interface con 0
[ISP1-ui-console0]idle-timeout 0 0
[ISP1]interface GigabitEthernet 0/0/0
[ISP1-GigabitEthernet0/0/0]ip address 11.1.1.20 24
[ISP1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP1-GigabitEthernet0/0/1]ip address 202.100.1.20 24
[ISP1-GigabitEthernet0/0/1]interface Loopback 0
[ISP1-LoopBack0]ip address 1.1.1.1 32
[ISP1-LoopBack0]interface Loopback 1
[ISP1-LoopBack1]ip address 2.2.2.2 32
[ISP1-LoopBack1]ip route-static 0.0.0.0 0 11.1.1.30
[ISP1-LoopBack1]interface GigabitEthernet0/0/2
[ISP1-GigabitEthernet0/0/2]ip address 223.5.5.20 24
```
3.1.2 ISP2 router
```
<Huawei>system-view
[Huawei]sysname ISP2
[ISP2]user-interface con 0
[ISP2-ui-console0]idle-timeout 0 0
[ISP2-ui-console0]interface GigabitEthernet 0/0/0
[ISP2-GigabitEthernet0/0/0]ip address 12.1.1.20 24
[ISP2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP2-GigabitEthernet0/0/1]ip address 202.100.2.20 24
[ISP2-GigabitEthernet0/0/1]interface Loopback 0
[ISP2-LoopBack0]ip address 3.3.3.3 32
[ISP2-LoopBack0]interface Loopback 1
[ISP2-LoopBack1]ip address 4.4.4.4 32
[ISP2-LoopBack1]ip route-static 0.0.0.0 0 12.1.1.30
[ISP2-LoopBack1]interface GigabitEthernet0/0/2
[ISP2-GigabitEthernet0/0/2]ip address 223.6.6.20 24
```
3.1.3 Internet router
```
<Huawei>system-view
[Huawei]sysname Internet
[Internet]user-interface con 0
[Internet-ui-console0]idle-timeout 0 0
[Internet-ui-console0]interface GigabitEthernet 0/0/0
[Internet-GigabitEthernet0/0/0]ip address 11.1.1.30 24
[Internet-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]ip address 12.1.1.30 24
[Internet-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]ip address 120.1.1.30 24
[Internet-GigabitEthernet0/0/2]ip route-static 202.100.1.0 24 11.1.1.20
[Internet]ip route-static 1.1.1.1 32 11.1.1.20
[Internet]ip route-static 2.2.2.2 32 11.1.1.20
[Internet]ip route-static 202.100.2.0 24 12.1.1.20
[Internet]ip route-static 3.3.3.3 32 12.1.1.20
[Internet]ip route-static 4.4.4.4 32 12.1.1.20
[Internet]ip route-static 223.5.5.0 24 11.1.1.20
[Internet]ip route-static 223.6.6.0 24 12.1.1.20
```
3.1.4 HTTP server
The HTTP server is a VMware Workstation VM bridged into eNSP, with a simple HTTP service configured.
3.1.5 MGMT_PC
MGMT_PC is my local physical machine bridged into eNSP; it manages FW1 graphically through a browser.
3.1.6 Internal test hosts
① kali_linux
② RHEL
3.1.7 DNS servers
3.2 Firewall configuration
3.2.1 Interface addresses and security zones
```
<USG6000V1>system-view
[USG6000V1]sysname FW1
[FW1]user-interface con 0
[FW1-ui-console0]idle-timeout 0 0
[FW1-ui-console0]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]ip address 192.168.0.10 24
[FW1-GigabitEthernet0/0/0]service-manage http permit
[FW1-GigabitEthernet0/0/0]service-manage https permit
[FW1-GigabitEthernet0/0/0]service-manage ping permit
[FW1-GigabitEthernet0/0/0]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 202.100.2.10 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 202.100.1.10 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.10 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1-GigabitEthernet1/0/2]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.1.2.10 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1-GigabitEthernet1/0/3]interface GigabitEthernet 1/0/4
[FW1-GigabitEthernet1/0/4]ip address 10.1.3.10 24
[FW1-GigabitEthernet1/0/4]service-manage ping permit
[FW1-GigabitEthernet1/0/4]interface GigabitEthernet 1/0/5
[FW1-GigabitEthernet1/0/5]ip address 192.168.34.10 24
[FW1-GigabitEthernet1/0/5]service-manage ping permit
[FW1-GigabitEthernet1/0/5]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/0
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]add interface GigabitEthernet 1/0/3
[FW1-zone-trust]add interface GigabitEthernet 1/0/4
[FW1-zone-trust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/5
[FW1-zone-dmz]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
```
3.2.2 Multi-egress with IP-Link tracking
```
[FW1]ip-link check enable
[FW1]ip-link name isp1
[FW1-iplink-isp1]destination 202.100.1.20 interface GigabitEthernet 1/0/1 mode icmp
[FW1-iplink-isp1]quit
[FW1]ip-link name isp2
[FW1-iplink-isp2]destination 202.100.2.20 interface GigabitEthernet 1/0/0 mode icmp
[FW1]ip route-static 0.0.0.0 0 GigabitEthernet 1/0/1 202.100.1.20 track ip-link isp1
[FW1]ip route-static 0.0.0.0 0 GigabitEthernet 1/0/0 202.100.2.20 track ip-link isp2
```
3.2.3 Source NAT
```
[FW1]nat-policy
[FW1-policy-nat]rule name easy-ip
[FW1-policy-nat-rule-easy-ip]source-zone trust
[FW1-policy-nat-rule-easy-ip]destination-zone untrust
[FW1-policy-nat-rule-easy-ip]source-address address-set pc
[FW1-policy-nat-rule-easy-ip]action source-nat easy-ip
```
3.2.4 DNS transparent proxy
① Configure the primary/backup DNS transparent proxy for the G1/0/1 egress via the CLI
```
[FW1]dns-transparent-policy
[FW1-policy-dns]rule name dns-proxy
[FW1-policy-dns-rule-dns-proxy]source-address 10.1.1.0 24
[FW1-policy-dns-rule-dns-proxy]source-address 10.1.2.0 24
[FW1-policy-dns-rule-dns-proxy]action tpdns
[FW1-policy-dns-rule-dns-proxy]quit
[FW1-policy-dns]dns transparent-proxy enable
[FW1-policy-dns]dns server bind interface GigabitEthernet 1/0/1 preferred 223.5.5.5 alternate 223.5.5.6 health-check enable tx-interval 3 times 2
```
② Configure the primary/backup DNS transparent proxy for the G1/0/0 egress via the GUI
4. Test results
1. The test VM's DNS address is 114.114.114.114, and it still resolves names normally.
2. Looking at the session table, the destination address has been translated: 114.114.114.114 is rewritten to ISP2's primary DNS.
3. Shut down the interface connected to ISP2
```
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]shutdown
```
4. DNS immediately switches to ISP1's primary DNS server
5. Break the link to DNS1 on the ISP1 side
```
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]shutdown
```
6. DNS switches to ISP1's alternate address
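The following is an added model of the behaviour configured in section 3.2.4 and exercised by the six test steps above; it is example code written for this page, not Huawei or USG code. It reproduces the three decisions FW1 makes for a DNS query from the trust side: whether the `dns-proxy` rule (source 10.1.1.0/24 and 10.1.2.0/24, action `tpdns`) matches, which tracked default route is currently usable according to ip-link, and which of the preferred/alternate servers bound to that egress interface still passes health-check. Assumptions not stated on the page: the G1/0/0 binding from the GUI step is taken as preferred 223.6.6.6 / alternate 223.6.6.7 (the ISP2 DNS addresses from the IP plan), the tie-break between two usable default routes is list order (set so ISP2 wins while both links are up, matching test step 2), and a query with no healthy bound server is forwarded untranslated.

```python
"""Model of FW1's DNS transparent proxy in this lab (added example, not Huawei code):
ip-link tracked egress selection, per-interface DNS binding, and preferred/alternate
failover driven by health-check."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DNS_PORT = 53


@dataclass
class Egress:
    """One tracked default route: 'ip route-static 0.0.0.0 0 <if> <nexthop> track ip-link <name>'."""
    interface: str
    next_hop: str
    ip_link_up: bool = True


@dataclass
class DnsBinding:
    """'dns server bind interface <if> preferred <p> alternate <a> health-check enable'."""
    preferred: str
    alternate: str
    unhealthy: set = field(default_factory=set)  # servers currently failing health-check

    def active_server(self):
        """Preferred first, alternate only when preferred is unhealthy, None when both are."""
        for server in (self.preferred, self.alternate):
            if server not in self.unhealthy:
                return server
        return None


@dataclass
class TpDnsPolicy:
    enabled: bool           # 'dns transparent-proxy enable'
    rule_sources: list      # source-address entries of rule 'dns-proxy' (action tpdns)
    bindings: dict          # interface name -> DnsBinding
    egresses: list          # tracked default routes; order is the assumed tie-break

    def rule_matches(self, src_ip):
        return any(ip_address(src_ip) in ip_network(net) for net in self.rule_sources)

    def select_egress(self):
        # Assumption: among default routes whose ip-link is up, the first listed is used.
        for egress in self.egresses:
            if egress.ip_link_up:
                return egress
        return None


def build_lab_policy():
    """Policy as configured in section 3.2.4. The G1/0/0 server pair and the egress
    order are assumptions (see lead-in); the rest comes from the CLI on the page."""
    return TpDnsPolicy(
        enabled=True,
        rule_sources=["10.1.1.0/24", "10.1.2.0/24"],
        bindings={
            "GigabitEthernet1/0/1": DnsBinding("223.5.5.5", "223.5.5.6"),  # ISP1 DNS
            "GigabitEthernet1/0/0": DnsBinding("223.6.6.6", "223.6.6.7"),  # ISP2 DNS (assumed)
        },
        egresses=[
            Egress("GigabitEthernet1/0/0", "202.100.2.20"),  # ISP2, tracked by ip-link isp2
            Egress("GigabitEthernet1/0/1", "202.100.1.20"),  # ISP1, tracked by ip-link isp1
        ],
    )


def forward(policy, src_ip, dst_ip, dst_port):
    """Return the session entry FW1 would build for this packet: outbound interface,
    final destination, and whether tpdns rewrote it. None means no usable egress."""
    egress = policy.select_egress()
    if egress is None:
        return None
    entry = {"interface": egress.interface, "dst": dst_ip, "translated": False}
    if not (policy.enabled and dst_port == DNS_PORT and policy.rule_matches(src_ip)):
        return entry                      # not a DNS query from a matched source: untouched
    binding = policy.bindings.get(egress.interface)
    server = binding.active_server() if binding else None
    if server is None:
        return entry                      # assumption: no healthy bound server -> no rewrite
    entry.update(dst=server, translated=True)
    return entry


def set_link(policy, interface, up):
    """Simulate ip-link going down/up for the route bound to this interface."""
    for egress in policy.egresses:
        if egress.interface == interface:
            egress.ip_link_up = up


def set_health(policy, interface, server, healthy):
    """Simulate the DNS health-check result for one bound server."""
    binding = policy.bindings[interface]
    (binding.unhealthy.discard if healthy else binding.unhealthy.add)(server)


if __name__ == "__main__":
    p = build_lab_policy()
    print(forward(p, "10.1.1.128", "114.114.114.114", 53))     # steps 1-2: ISP2 preferred DNS
    set_link(p, "GigabitEthernet1/0/0", False)                  # step 3: ISP2 link shut down
    print(forward(p, "10.1.1.128", "114.114.114.114", 53))     # step 4: ISP1 preferred DNS
    set_health(p, "GigabitEthernet1/0/1", "223.5.5.5", False)  # step 5: DNS1 unreachable
    print(forward(p, "10.1.1.128", "114.114.114.114", 53))     # step 6: ISP1 alternate DNS
```

The point to notice is that the two failover mechanisms are independent: ip-link decides which default route (and hence which binding) is in play, while the DNS health-check only chooses between the servers of the binding already selected. A host outside the rule (PC2 at 10.1.3.1) or a non-DNS flow passes through the same egress with its destination untouched, which is exactly what the session table in test step 2 lets you confirm.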