华为eNSP配置USG防火墙网络联通实验

1、一、搭建拓扑结构

防火墙三台

路由器两台

2、二、配置所有设备的接口信息

[R1]int g0/0/0[R1-GigabitEthernet0/0/0]ip add 10.0.10.2 24

[R1-GigabitEthernet0/0/0]int s3/0/0[R1-Serial3/0/0]ip add 10.0.12.1 24[R1-Serial3/0/0]int loop 0[R1-LoopBack0]ip add 10.0.1.1 24

R2]int g0/0/0[R2-GigabitEthernet0/0/0]ip add 10.0.20.1 24 [R2-GigabitEthernet0/0/0]int s3/0/0[R2-Serial3/0/0]ip add 10.0.12.2 24 [R2-Serial3/0/0]int s4/0/0[R2-Serial4/0/0]ip add 10.0.23.2 24[R2-Serial4/0/0]int loop 0[R2-LoopBack0]ip add 10.0.2.2 24

[R3]int s4/0/0[R3-Serial4/0/0]ip add 10.0.23.3 24[R3-Serial4/0/0]Aug 14 2017 15:00:53-08:00 R3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol PPP IPCP on the interface Serial4/0/0 has entered the UP state. [R3-Serial4/0/0]int loop 0[R3-LoopBack0]ip add 10.0.3.3 24

3、三、查看当前网络的连通性

[FW1-policy-security-rule-policy_sec_2]ping 10.0.20.2     PING 10.0.20.2: 56  data bytes, press CTRL_C to break    Request time out    Request time out    Request time out    Request time out    Request time out[FW1]ping 10.0.12.1   PING 10.0.12.1: 56  data bytes, press CTRL_C to break    Request time out    Request time out    Request time out    Request time out    Request time out

4、四、配置防火墙的包策略过滤行为

security-policy rule name policy_sec_1  source-zone trust  destination-zone untrust  action permit rule name policy_sec_2  source-zone local  source-zone untrust  destination-zone local  destination-zone untrust  action permit

5、五、配置OSPF协议保证网络的连通性

先从R1到R3再配置FW1、FW2

[R1]ospf 1 [R1-ospf-1]area 0.0.0.0 [R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255 [R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255 [R2]ospf 1 [R2-ospf-1]area 0.0.0.0 [R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255 [R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255 [R2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255 [R3]ospf 1 [R3-ospf-1]area 0.0.0.0 [R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255 [FW1]ospf 1 [FW1-ospf-1]area 0.0.0.0 [FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255 [FW2]ospf 1 [FW2-ospf-1]area 0.0.0.0 [FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255

6、六、查看当前各个设备的路由表，并开启防火墙端口的ping功能

[FW1]dis ip rouRoute Flags: R - relay, D - download to fib------------------------------------------------------------------------------Routing Tables: Public         Destinations : 7        Routes : 7       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.0.10.0/24  Direct  0    0           D   10.0.10.1       GigabitEthernet1/0/0      10.0.10.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0      10.0.12.0/24  OSPF    10   49          D   10.0.10.2       GigabitEthernet1/0/0      10.0.20.0/24  OSPF    10   50          D   10.0.10.2       GigabitEthernet1/0/0      10.0.23.0/24  OSPF    10   97          D   10.0.10.2       GigabitEthernet1/0/0      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

开启ping功能

service-manager ping enable

7、七、测试网络的连通性

[FW1]ping 10.0.20.2  PING 10.0.20.2: 56  data bytes, press CTRL_C to break    Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=253 time=23 ms    Reply from 10.0.20.2: bytes=56 Sequence=2 ttl=253 time=21 ms    Reply from 10.0.20.2: bytes=56 Sequence=3 ttl=253 time=15 ms    Reply from 10.0.20.2: bytes=56 Sequence=4 ttl=253 time=21 ms    Reply from 10.0.20.2: bytes=56 Sequence=5 ttl=253 time=20 ms

  --- 10.0.20.2 ping statistics ---    5 packet(s) transmitted    5 packet(s) received    0.00% packet loss    round-trip min/avg/max = 15/20/23 ms