Technology Sharing

Firewall basic experiment configuration

2024-07-12


1. Experimental topology

2. Experimental requirements:

1. Servers in the DMZ area can be accessed from the office area only during office hours (9:00 - 18:00); equipment in the production area can access them all day.
2. Internet access is not allowed from the production area, but is allowed from the office area and for visitors.
3. The office device 10.0.2.10 is not allowed to access the FTP server and the HTTP server in the DMZ area, and may only ping 10.0.3.10.
4. The office area is divided into the marketing department and the R&D department. The IP addresses of the R&D department are fixed, and anonymous authentication is used to access the DMZ area. The marketing department requires users to be bound to IP addresses, and no authentication is used to access the DMZ area.
The number of visitors in the visitor area is not fixed. They are not allowed to access the DMZ area or the production area. They all log in with the Guest user and the password Admin@123. Visitors only have the right to visit the company's portal website and surf the Internet. The portal website address is 10.0.3.10.
5. When the production area accesses the DMZ area, portal authentication is required. A user organization structure for the production area is established with at least three departments and three users in each department, all with the unified password openlab123. The password must be changed at first login, the user expiration time is set to 10 days, and an account may not be shared by multiple users.
6. Create a custom administrator who does not have system management functions.

3. Configuration ideas

1. First achieve "full network interconnection". (If the firewall were only acting as a router, interconnection would follow from addressing alone; because it is a firewall, the corresponding policies must also be written before traffic can pass.) Configure the IP addresses and the Layer 2 configuration: the VLANs on LSW1, and the sub-interfaces of firewall interface G1/0/1 acting as the gateways of VLAN 2 and VLAN 3 respectively.

2. Configure the firewall policies (security policies and authentication policies) through the web interface; first create the interfaces and divide the security zones.

4. Experimental process:

(1) Configure the IP address of each device (omitted) and configure the Layer 2 device VLAN:

LSW1:

  [LSW1]inter g0/0/2
  [LSW1-GigabitEthernet0/0/2]port link-type access
  [LSW1-GigabitEthernet0/0/2]port default vlan 2
  [LSW1-GigabitEthernet0/0/2]quit
  [LSW1]inter g0/0/3
  [LSW1-GigabitEthernet0/0/3]port link-type access
  [LSW1-GigabitEthernet0/0/3]port default vlan 3
  [LSW1-GigabitEthernet0/0/3]quit
  [LSW1]inter g0/0/1
  [LSW1-GigabitEthernet0/0/1]port link-type trunk
  [LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3

FW2:
The G0/0/0 interface is configured with an IP address. The eNSP cloud that bridges to the local machine uses 192.168.100.2, so the firewall side is configured with 192.168.100.1.

G1/0/0 interface:

Create a sub-interface on G1/0/1 and a security zone (taking the office area as an example; a sub-interface also has to be created for the production area):

Security zone: select the sub-interface just created so that the network segment behind it is placed in this security zone.

Sub-interfaces of the production area (created configuration):

G1/0/4 (Visitor area):

G1/0/2 (Internet):

G1/0/3 (Internet backup):

(2) Security policies:

1. Servers in the DMZ area can be accessed from the office area only during office hours (9:00 - 18:00); equipment in the production area can access them all day.

2. Internet access is not allowed in the production area, but is allowed in the office area and for visitors

Production area: Internet access denied.

Office area and visitor area: Internet access permitted:

3. The office device 10.0.2.10 is not allowed to access the FTP server and HTTP server in the DMZ area, and can only ping 10.0.3.10

Test:
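The three security-policy requirements above depend on rule order: the firewall evaluates rules top-down, takes the first match, and falls through to an implicit deny. The following is an added example, not part of the original lab or the firewall's own code, that models that evaluation in Python over the page's addresses. Zone names, the production and visitor prefixes (10.0.4.0/24 and 10.0.5.0/24) and the rule names are assumptions; authentication policies are not modelled.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed zone map. Office and DMZ prefixes follow the page's addresses (10.0.2.x, 10.0.3.x);
# the production and visitor prefixes are assumptions made for this example.
ZONES = {
    "office": ip_network("10.0.2.0/24"),
    "dmz": ip_network("10.0.3.0/24"),
    "production": ip_network("10.0.4.0/24"),  # assumed
    "visitor": ip_network("10.0.5.0/24"),     # assumed
}
OFFICE_HOURS = (time(9, 0), time(18, 0))      # requirement 1 time range

def zone_of(ip):
    """Map an address to its security zone; anything outside the known zones is the Internet."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "untrust")

# Ordered rule table: (name, src_zone, dst_zone, src_host, dst_host, services, time_range, action).
# First match wins and the implicit last rule is deny, so the host-specific rules for
# 10.0.2.10 must sit above the broad office->dmz permit or they never fire.
POLICIES = [
    ("office_10.0.2.10_ping_portal", "office", "dmz", "10.0.2.10", "10.0.3.10", {"icmp"}, None, "permit"),
    ("office_10.0.2.10_deny_dmz", "office", "dmz", "10.0.2.10", None, None, None, "deny"),
    ("office_to_dmz_worktime", "office", "dmz", None, None, None, OFFICE_HOURS, "permit"),
    ("production_to_dmz", "production", "dmz", None, None, None, None, "permit"),
    ("office_to_internet", "office", "untrust", None, None, None, None, "permit"),
    ("visitor_to_internet", "visitor", "untrust", None, None, None, None, "permit"),
    ("visitor_to_portal", "visitor", "dmz", None, "10.0.3.10", {"http"}, None, "permit"),
]

def evaluate(src_ip, dst_ip, service, now):
    """Return (matched_rule, action) for one flow at clock time now ('HH:MM');
    ('default', 'deny') is the firewall's implicit final rule."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    clock = time.fromisoformat(now)
    for name, sz, dz, s_host, d_host, services, tr, action in POLICIES:
        if (sz, dz) != (src_zone, dst_zone):
            continue
        if s_host and ip_address(src_ip) != ip_address(s_host):
            continue
        if d_host and ip_address(dst_ip) != ip_address(d_host):
            continue
        if services and service not in services:
            continue
        if tr and not (tr[0] <= clock < tr[1]):
            continue
        return name, action
    return "default", "deny"
```

Swapping the first two rules below the worktime permit would silently let 10.0.2.10 reach FTP and HTTP during office hours, which is the kind of ordering mistake a quick test matrix like this catches before the lab is graded.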

4. The office area is divided into the marketing department and the R&D department. The IP addresses of the R&D department are fixed, and anonymous authentication is used to access the DMZ area. The marketing department requires users to be bound to IP addresses, and no authentication is used to access the DMZ area.
The number of visitors in the visitor area is not fixed. They are not allowed to access the DMZ area or the production area. They all log in with the Guest user and the password Admin@123. Visitors only have the right to visit the company's portal website and surf the Internet. The portal website address is 10.0.3.10.

R&D department authentication policy: no authentication required

Marketing department authentication policy: anonymous authentication

Visitors access the DMZ host 10.0.3.10 (visitor access to the DMZ and production areas is denied by default):

5. When the production area accesses the DMZ area, portal authentication is required. A user organization structure for the production area is established with at least three departments and three users in each department, all with the unified password openlab@123. The password must be changed at first login, the user expiration time is set to 10 days, and an account may not be shared by multiple users.

6. Create a custom administrator who does not have system management functions.