Technology Sharing

Firewall experiment

2024-07-12


The firewall experiment topology is shown in the figure:

Experimental requirements:

1. Servers in the DMZ area and the office area can only be accessed during office hours (9:00 - 18:00), while equipment in the production area can be accessed all day.

2. Internet access is not allowed from the production area, but is allowed from the office area and the visitor area.

3. The office device 10.0.2.10 is not allowed to access the FTP server and HTTP server in the DMZ area, and can only ping 10.0.3.10.

4. The IP addresses of the office area are fixed, and anonymous authentication is used to access the DMZ area. The personnel in the visitor area are not fixed, and are not allowed to access the DMZ area or the production area. Anonymous authentication is required when surfing the Internet, and the visitor group is used to go online.

5. When the production area accesses the DMZ area, Portal authentication is required. A production area user organization structure is established with at least three departments and three users in each department, with a unified user password of openlab123. The password must be changed on first login, and the user expiration time is set to 10 days.

6. Create a custom administrator who does not have system management capabilities.

To configure the firewall:

  1. Interface IP addresses and zone division
  2. Return routes for the intranet
  3. Security policies
  4. Inside-to-outside NAT
  5. Server mapping

Note: Before this we must ensure that the underlying devices can communicate with each other, so we must first divide VLANs on the switch.

LSW2:

[Huawei]vlan batch 2 3  // create VLAN 2 and VLAN 3
[Huawei]int g 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access  // enter g0/0/2 and set it to access type
[Huawei-GigabitEthernet0/0/2]port default vlan 2  // assign g0/0/2 to VLAN 2 (this line was missing from the original listing; without it the port stays in VLAN 1, which is removed from the trunk below)
[Huawei-GigabitEthernet0/0/2]int g 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access  // enter g0/0/3 and set it to access type ("prot" in the original is a typo)
[Huawei-GigabitEthernet0/0/3]port default vlan 3  // assign g0/0/3 to VLAN 3
[Huawei-GigabitEthernet0/0/3]int g 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk  // enter g0/0/1 (the uplink to the firewall) and set it to trunk type
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3  // allow VLAN 2 and VLAN 3 traffic across the trunk
[Huawei-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1  // remove VLAN 1 from the trunk so that only VLAN 2 and VLAN 3 traffic crosses the uplink

After configuring the VLANs on the switch, configure the IP address on the firewall:

FW4:

[USG6000V1-GigabitEthernet0/0/0]ip add 192.168.100.2 24  // enter the management interface and set its IP address
[USG6000V1-GigabitEthernet0/0/0]service-manage all permit  // permit all management services (HTTPS, ping, etc.) on this interface so that the web UI is reachable

Once this is done, the remaining configuration can be performed from the web UI:

Open the g1/0/3 interface configuration:

The g1/0/4 interface is configured in the same way, following the steps above;

Assign g1/0/1 to the DMZ zone;

Then create two zones in the security zone section, namely the office network zone and the production network zone, as shown in the figure:

Configure two sub-interfaces under the main interface as shown in the figure:

The production area sub-interface is configured in the same way:

After completing the above steps, check whether hosts on the same LAN can exchange data: use the ping command to check whether the gateway can be reached.

The same is true for the office network:

The same is true for servers;

Then we turn the server into an HTTP server; the office area cannot access it yet because there is no policy.

Enter the policy section to configure the policy that lets office users access the DMZ zone server:

After creation, it looks like this:

Once the policy is in place, the HTTP server can be accessed.

Since I did this at night, the reason for the access failure was that it was outside the policy's time range.

The production area works on the same principle, as shown in the figure:

At this point the first requirement has been completed.

Create a policy for production users to access the server:

Verify:

Accessing the 10.0.3.10 server again now fails, which means our policy is working:

Then add another one and try to access the server; access should not be possible.

At this point the third requirement has been completed.
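As an added example (not part of the original post, which builds these policies in the web UI), the equivalent USG6000V command-line configuration for requirements 1 and 3. The zone name office, the sub-interface GigabitEthernet1/0/3.1, the gateway 10.0.2.1 and the time-range name are assumptions; 10.0.2.10 and 10.0.3.10 come from the page, and lines starting with # are annotations rather than commands.

```text
# Office-hours window used by the policies (requirement 1).
time-range office_hours 09:00 to 18:00 daily

# Assumed office sub-interface on g1/0/3 carrying VLAN 2 from LSW2.
interface GigabitEthernet1/0/3.1
 vlan-type dot1q 2
 ip address 10.0.2.1 24

# Assumed office zone; DMZ is the predefined zone holding g1/0/1.
firewall zone name office
 set priority 60
 add interface GigabitEthernet1/0/3.1

# Security policies are matched top-down, first match wins, so the
# host-specific rules for 10.0.2.10 must sit above the zone-wide permit.
security-policy
 # Requirement 3: 10.0.2.10 may only ping 10.0.3.10 (and only in office hours).
 rule name office_host_ping_dmz
  source-zone office
  destination-zone dmz
  source-address 10.0.2.10 32
  destination-address 10.0.3.10 32
  service icmp
  time-range office_hours
  action permit
 # Requirement 3: everything else from 10.0.2.10 to the DMZ (FTP, HTTP, ...) is dropped.
 rule name office_host_deny_dmz
  source-zone office
  destination-zone dmz
  source-address 10.0.2.10 32
  action deny
 # Requirement 1: the rest of the office zone reaches the DMZ only during office hours;
 # outside the window nothing matches and the implicit default deny applies.
 rule name office_to_dmz
  source-zone office
  destination-zone dmz
  time-range office_hours
  action permit

# Check rule order and hit counts after testing from 10.0.2.10.
display security-policy rule all
```

If the zone-wide permit is created first in the web UI, move the two host-specific rules above it; otherwise they never match.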

Create the office area, production area, and visitor area in order, as shown in the figure:

Then create two departments under the office area: the R&D department and the marketing department:

Create departments 1, 2 and 3 in the production area, as shown in the figure:

Then create users in batches as shown in the figure:

Create all user groups and batch users as shown in the figure:

Finally, select the option that requires the password to be changed on first login:

Starting with R&D:

Create three authentication policies in sequence, as shown in the figure:

Verify the policy:

Successful access indicates that the policy is correct.

Create an administrator role as shown:

Create another administrator as shown:

Finally, verify that the account was created successfully by logging out and logging in again:

Without the system management option, this account can only read the configuration but not change it, which shows that the experiment is complete.