hcnp security安全cisn实验指导书操作

©技术2012。保留一切权利。本书所有内容受 可，任何人、任何组织不得将本书的任何内容以任何方式进行、经销、翻印 。依托公司雄厚的技术实力和专业的培训体系，认证考虑到不同客户对ICT技术不同层次的需求，致力于为客户提供实战性、专业化的技术认证。根据ICT技术 认证）主要面向工，以及准备参加HCNA-Security认证考试的HCNP-Security( CertifiedNetworkProfessional-Security，认证网络HCNP-Security包括CISN（ConstructingInfrastructureofSecurityNetwork，构建安全网络架构）、CTSS（ConstructingTerminalSecuritySystem，构建终端安全体内容上涵盖高级技术（IPCar、IP-Link、Eth-Trunk、Link-Group、虚拟 、L2TPoverIPSEC 、DDOS防范技术及HCIE-Security（CertifiedInternetworkExpert--Security，认证互联网准备参加HCNP-Security认证考试的人员，了解面向大中型企业的通用技术，本书共包含8个Module，系统地介绍了高级安全特性、可靠性技术高级应用、基本防范技术、DDOS防范技术、基础特性和 Module1介绍了高级安全特性，课程的主要内容报文分片介绍IP-CAR技术、DHCP 与配置，IP-Link技术，Eth-Trunk技术,Link-group技术。Module4介绍了的高级应用，课程内容主要包括IPSec高级应用场景分析，IPSec高级应型配置，L2TP+IPSec应用场景分析，综合Module6介绍了DDOS防范技术，课程内容主要包括常见DDoS DDOS防范组网配置。基于源地址转换的故障排除，基于目的地址转换的故障排除，NAT故障排除案例，Module8介绍了 本书将引导学员完成所有Module，学完本课程之后将具备高级技术和

可靠性、虚拟技术、高级特性应用、TSM终端安全和统一威1台Windows2003主机（含InstallWindows2003StandardEditionandMSSQLEnterpriseEdition,MSSQLServer5.0ServerandGEnetwordcard）、1台NIP2200。每套实验环境适用于2-4人为一组（最多不超过8人）同时上机操作3G上网卡USB3GCDMA2000(orUSB3GIPS防御设Windows目录手册说 适用范 图 2高级安全特性实 DHCP 3可靠性实 ip-link实 虚拟实 5高级技术实验 IPSEC建立点到多点SA策略模板方 L2TPoverIPSEC组网 6防范实验 基于IP地址的SYN TCP反向源探测方式的SYNFlood防 基于接口的ARPFlood防 7基础特性故障排除实 7.1基础特性故障排 第9图1-1USG2100前面板 图1-2USG2100后面 图1-3USG2200产品交流机型前面 图1-4USG2250产品直流机型前面 图1-5USG产品后面板 图1-6USG5120产品前面 图1-7USG5120BSR产品后面板 图1-8USG5150产品前面 图1-9USG5150产品后面 图1-10USG5530S产品接口卡侧面板 图1-11USG5530S产品交流机型电源侧面板 图1-12USG5530/5550/5560产品接口卡侧面板 图1-13USG5550/5560直流机型电源侧面板 图1-14USG5530/5550/5560交流机型电源侧面板 图1-15USG9520直流机箱组成部件 图1-16USG9520交流机箱组成部件 图1-17USG9560部件 图2-1IP-CAR实验组网图 图2-2设备上应用DHCP 图3-1主备备份双机热备实验组网图 图3-2双机热备会话快速备份实验组网图 图3-3负载分担双机热备实验组网图 图3-4IP-Link组网实验图 图4-1虚拟配置实验图 图5-1点到多点SA策略模板实验组网图 图5-2NAT穿越实验组网图 图5-3L2TPoverIPSEC实验组网图 图6-1基于IP地址的SYNFlood防范实验组网图 图6-2TCP反向源探测方式SYNFlood防范实验组网图 图6-3基于接口的ARPFlood防范实验组网图 图6-4地址扫描防范实验组网图 第10如下图所示，USG21003G数据卡接口（USG2130支持、USB接口、Flash卡接口、指示灯和系统复位键。USG21203G数据卡接口，其他部分和USG2130的前面板完全第111.3G数据卡接 2.USB接 3.Flash卡接4.指示 5.系统复位如下图所示，USG2100后面板包括交流电源模块、MIC(MiniInterfaceCard)插并直接划到具体的区域里。LAN口为交换口，不能在接口上配置IP地址，需VLANVLANVLANinterfaceVLAN划到图1-2USG2100WAN5LAN6Console7MIC8.9.源开关和交流电源插孔；右侧包括的固定接口包括：1Console接口、2个GECombo接口、2USB2.0接口、1个闪存接口。第121USB2.02GECombo3.4Console.1USB2.02GECombo3.4Console.USG2210、USG2220、USG2230、USG2250后面板布局相同，如下图所示，4MIC2FIC插槽。如果选用的插卡为交如果选用插卡的接口为路由口，则配置方式与USG3000/USG5000或者USG2100上的WAN口配置方式一致。图1-5USG1MIC12MIC23MIC34MIC47.5FIC56FIC6第13USG220006个扩展插槽的槽位编号（1～6）采用先从左到右，再从下到上，先MIC槽位后FIC槽位的编号原则。接口编号为interface-typeX/0/Y，interface-type为接口类型（Ethernet均为0。Y表示接口序号。5FE-SW电接口卡从左到右的Ethernet接口编号Ethernet1/0/0、Ethernet1/0/1、Ethernet1/0/2、Ethernet1/0/3、Ethernet1/0/4。2CE1接口卡从左到右接口编号为：controllere15/0/0、e15/01GECombo接口从左到右接口编号为：GigabitEthernet0/0/0、GigabitEthernet0/0/1。第142.3.Console610/100/1000M7.10/100/1000M8.GECombo座1MIC12MIC23MIC34MIC45FIC5/DFIC56FIC6/DFIC67FIC7/DFIC710.8FIC89.第Console5.6USB2.07GECombo8GECombo9GECombo10GECombo11.12ESD13.14.交流/15.交流/第161MIC12MIC23MIC34MIC45FIC5/DFIC56FIC6/DFIC67FIC7/DFIC710FIC108FIC8/DFIC811.9FIC91.防静电手腕带插 2.系统复位 3.指示灯区4.Micro-SD卡插 5.FIC2插 6.管理7.光电互斥接口 10.Console接 11.USB2.0接

.6.第17USG5530/5550/5560由机箱、扩展接口卡组成。USG5530/5550/5560的机箱尺寸为19口卡扩展插槽。其中，6FIC4个DFIC接口卡扩展插槽，2MIC接口卡扩展插槽可合并为1个DMIC接口卡扩展插槽。USG5530/5550/5560暂不支持MIC和DFIC接口卡。1.防静电手腕带插 2.系统复位 3.USB2.0接4.指示灯区 5.Console接 6.Micro-SD卡插7.管理 8.10/100/1000M自适应以太网电接 9.光电互斥接

12.MIC3插13.FIC9插 14.FIC7/DFIC7插 15.假面16.FIC5/DFIC5插 17.FIC8插 18.FIC6/DFIC6插19假面 20.FIC4/DFIC4插 21.接地端如下图所示，USG5530没有直流机型，只有交流机型；USG5550/5560具有直第..USG9000系列产品都采用机箱，可安装在N68E-22机柜或深度不小于USG9000产品外观如下图所示。第19图1-15USG95201.2ESD3LPU4MPU.第20图1-16USG95ESD5LPU6MPU0.11.12.第21图1-17USG9560第.ESD.9.10.11PEM12.集中模第23第241.2.3.ESD.8.9PEM10.11.集中模12.第25第26PC3台、USG5000系列1第27<USG5000>system-[USG5000]interfaceGigabitEthernet[USG5000-GigabitEthernet0/0/0]ipaddress24[USG5000-GigabitEthernet0/0/0]quit[USG5000]interfaceGigabitEthernet[USG5000-GigabitEthernet0/0/1]ipaddress24[USG5000-GigabitEthernet0/0/1]quit[USG5000]interfaceGigabitEthernet[USG5000-GigabitEthernet0/0/2]ipaddress24[USG5000-GigabitEthernet0/0/2]quitUSG5000[USG5000]firewallzone[USG5000-zone-trust]addinterfaceGigabitEthernet0/0/0[USG5000-zone-trust]quit[USG5000]firewallzone[USG5000-zone-dmz]addinterfaceGigabitEthernet0/0/2[USG5000-zone-dmz]quit[USG5000]firewallzone[USG5000-zone-untrust]addinterfaceGigabitEthernet0/0/1[USG5000-zone-untrust]quit配置域间策略[USG5000]interzonetrustuntrustoutbound[USG5000--interzone-trust-untrust-outbound]1[USG5000--interzone-trust-untrust-outbound-1]sourcemask第28[USG5000--interzone-trust-untrust-outbound-1]actionpermit[USG5000--interzone-trust-untrust-outbound-1]quit[USG5000--interzone-trust-untrust-outbound]quit[USG5000]interzonetrustdmzoutbound[USG5000--interzone-trust-dmz-outbound]1[USG5000--interzone-trust-dmz-outbound-1]sourcemask[USG5000--interzone-trust-dmz-outbound-1]destination0[USG5000--interzone-trust-dmz-outbound-1]serviceservice-setftp[USG5000--interzone-trust-dmz-outbound-1]actionpermit[USG5000--interzone-trust-dmz-outbound-1]quit[USG5000--interzone-trust-dmz-outbound]quit[USG5000]interzoneuntrustdmzinbound[USG5000--interzone-dmz-untrust-inbound]2[USG5000--interzone-dmz-untrust-inbound-2]destination0[USG5000--interzone-dmz-untrust-inbound-2]serviceservice-setftp[USG5000--interzone-dmz-untrust-inbound-2]actionpermit[USG5000--interzone-dmz-untrust-inbound-2]quit[USG5000--interzone-dmz-untrust-inbound]quit[USG5000]nataddress-group100[USG5000]nat-interzonetrustuntrustoutbound[USG5000-nat--interzone-trust-untrust-outbound]1[USG5000nat--interzone-trust-untrust-outbound-1]sourcemask24[USG5000-nat--interzone-trust-untrust-outbound-1]actionsource-nat[USG5000-nat--interzone-trust-untrust-outbound-1]address-group1[USG5000-nat--interzone-trust-untrust-outbound-1]quit第29[USG5000]natserverprotocoltcpglobal00ftpinsideftp[USG5000]firewallinterzonetrustdmz[USG5000-interzone-trust-dmz]detectftp[USG5000-interzone-trust-dmz]quit[USG5000]firewallinterzonedmzuntrust[USG5000-interzone-dmz-untrust]detectftp[USG5000-interzone-dmz-untrust]quit[USG5000]firewallconn-class1500[USG5000]firewallcar-class1[USG5000]firewallcar-class2ACL[USG5000]acl[USG5000-acl-adv-3000]rulepermittcpdestination0destination-porteqftp[USG5000-acl-adv3000][USG5000]acl[USG5000-acl-adv-3001]rulepermittcpsource0source-porteqftp[USG5000-acl-adv-3001]quit行IP连接数和带宽的限制。[USG5000]firewallzone[USG5000-zone-dmz]statisticconnect-numberiptcpinbound1acl-number第30[USG5000-zone-dmzstatisticcaripoutbound1acl-number30001[USG5000-zone-dmz]statisticcaripinbound2acl-number3000IP地址的统计功能。[USG5000-zone-dmz]statisticenableipinzone[USG5000-zone-dmz]statisticenableip[USG5000]firewallcar-class3[USG5000]firewallcar-class4600000#配置ACL。[USG5000]aclnumber[USG5000-acl-adv-3001]description[USG5000-acl-adv-3001]rulepermitipsource55[USG5000]aclnumber3002[USG5000-acl-adv-3002]description[USG5000-acl-adv-3002rulepermitipdestination55#启用带宽限制。[USG5000]firewallzone[USG5000-zone-trust]statisticcaripoutbound3acl-number3001[USG5000-zone-trust]statisticcaripinbound4acl-number3002#启用基于IP地址的统计功能。[USG5000-zone-trust]statisticenableipinzone[USG5000-zone-trust]statisticenableip[USG5000]disyfirewallstatisticipdestination-第31IPstatistics[DSTIPTable]statisticCurrentTCPCurrentUDPCurrentICMPIPconnectionTotalhalfCurrentTCPCurrentUDPBlacklistdiscardDefaultACLdiscardDefaultACLdiscardICMPACLdiscardICMPACLdiscardICMPACLdiscardnon-ICMPACLdiscardnon-ICMPDHCP PC1台、DHCPServer1台、USG50001第32DHCPSnoo是一种DHCP安全特性，通过MAC地址限制，DHCPSnoo安全绑定、遇到DHCPDoS、DHCPServer仿冒、ARP中间人及IP/MACSpoofing攻GigabitEthernet0/0/2<USG5000>system-view[USG]sysnameDHCP-Relay[DHCP-Relay]interfaceGigabitEthernet[DHCP-Relay-GigabitEthernet0/0/2]ipaddress24[DHCP-Relay-GigabitEthernet0/0/2]quit第33[DHCP-Relay]interfaceGigabitEthernet[DHCP-Relay-GigabitEthernet0/0/1]ipaddress5424[DHCP-Relay-GigabitEthernet0/0/1]dhcpselectrelay[DHCP-Relay-GigabitEthernet0/0/1]iprelayaddress[DHCP-Relay-GigabitEthernet0/0/1]quit开启DHCPSnoo功[DHCP-Relay]dhcpsnoo[DHCP-Relay]interfaceGigabitEthernet[DHCP-Relay-GigabitEthernet0/0/1]dhcpsnooenable[DHCP-Relay-GigabitEthernet0/0/1]quit[DHCP-Relay]interfaceGigabitEthernet[DHCP-Relay-GigabitEthernet0/0/2]dhcpsnoo[DHCP-Relay-GigabitEthernet0/0/2]dhcpsnootrusted[DHCP-Relay-GigabitEthernet0/0/2]quit模式，那么开启了接口的Snoo特性后，接口模式默认为“Untrusted”），这样可以防止DHCPServer仿冒者。[DHCP-Relay]interfaceGigabitEthernet[DHCP-Relay-GigabitEthernet0/0/1]dhcpsnoocheckarpenable[DHCP-Relay-GigabitEthernet0/0/1]dhcpsnoocheckipenable#配置在DHCPClinetDHCPRequest报文检查[DHCP-Relay-GigabitEthernet0/0/1]dhcpsnoocheckdhcp-requestenable#配置在DHCPClinet侧接口进行CHADDR检查[DHCP-Relay-GigabitEthernet0/0/1]dhcpsnoocheckdhcp-chaddrenable#配置静态绑定表项[DHCP-Relay-GigabitEthernet0/0/1]dhcpsnoobind-tablestaticip-mac-address00e0-fc5e-008a[DHCP-Relay-GigabitEthernet0/0/1]quit第34[DHCP-Relay]dhcpsnoocheckdhcp-rate90[DHCP-Relay]dhcpsnoocheckdhcp-rateenable[DHCP-Relay]interfaceGigabitEthernet[DHCP-Relay-GigabitEthernet0/0/1]dhcpoption82insertenable[DHCP-Relay-GigabitEthernet0/0/1]quit[DHCP-Relay]dhcpsnoonomatch-packetarpactiondiscard[DHCP-Relay]dhcpsnoonomatch-packetipactiondiscard#配置对接口ARP报文和IP报文转为[DHCP-Relay]interfaceGigabitEthernet[DHCP-Relay-GigabitEthernet0/0/1]dhcpsnoonomatch-packetarpactiondiscard[DHCP-Relay-GigabitEthernet0/0/1]dhcpsnoonomatch-packetipactiondiscard#查看全局和接口视图下DHCPSnoo功能状[DHCP-Relay]disydhcpsnooglobaldhcpsnooenabledhcpsnoonomatch-packetipactiondiscarddhcpsnoonomatch-packetarpactiondiscarddhcpsnoocheckdhcp-rateenabledhcpsnoocheckdhcp-ratealarmenabledhcpsnoocheckdhcp-rate90dhcpsnoocheckdhcp-ratealarmthreshold40#查看DHCPSnoo绑定表表项信息[DHCP-Relay]disydhcpbind-table vrfvsi ip-tp第35 0000 0000/000000e0-fc5e-008a Sbinditemcount: binditemtotalcount:1#显示接口上DHCPSnoo相关信息[DHCP-Relay]disydhcpsnoointerfaceGigabitEthernet0/0/1dhcpsnooenabledhcpsnoocheckarpenabledhcpsnooalarmarpdhcpsnooalarmarpthresholddhcpsnoonomatch-packetarpactiondiscarddhcpsnoocheckipenabledhcpsnoonomatch-packetipactiondiscarddhcpsnooalarmdhcp-replyenabledhcpsnooalarmdhcp-replythreshold10dhcpsnoocheckdhcp-chaddrenabledhcpsnooalarmdhcp-chaddrenabledhcpsnooalarmdhcp-chaddrthreshold10dhcpsnoocheckdhcp-requestenabledhcpsnooalarmdhcp-requestenabledhcpsnooalarmdhcp-requestthreshold10arptotal ip dhcp-request chaddr&srcmac dhcp-reply [DHCP-Relay]disydhcpoption82interfaceGigabitEthernet0/0/1dhcpoption82insertenable[DHCP-Relay]disydhcpsnoointerfaceGigabitEthernetdhcpdhcparp0ip00chaddr&srcmac dhcp-reply 第36PC2台、USG5000系列2台、交换机2台<USG5000A>system-[USG5000A]interfaceGigabitEthernet第37[USG5000A-GigabitEthernet0/0/1]ipaddress24[USG5000A-GigabitEthernet0/0/1]quitGigabitEthernet0/0/2IP[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/2]ipaddress24[USG5000A-GigabitEthernet0/0/2]quitGigabitEthernet0/0/3IP[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/3]ipaddress24[USG5000A-GigabitEthernet0/0/3]quit[USG5000A]firewallzone[USG5000A-zone-trust]addinterfaceGigabitEthernet0/0/1[USG5000A-zone-trust]quit[USG5000A]firewallzone[USG5000A-zone-dmz]addinterfaceGigabitEthernet0/0/2[USG5000A-zone-dmz]quit[USG5000A]firewallzone[USG5000A-zone-untrust]addinterfaceGigabitEthernet0/0/3[USG5000A-zone-untrust]quit[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/1]vrrpvrid1virtual-ip第38HRP_M[USG5000A]disyvrrpGigabitEthernet0/0/1|VirtualRouter1VRRPGroup:Masterstate:VirtualIP:PriorityRun:PriorityConfig:MasterPriority:Preempt:YES DelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/3|VirtualRouter2VRRPGroup:Masterstate:VirtualIP:PriorityRun:PriorityConfig:MasterPriority:Preempt:YES DelayTime:0Timer:1AuthType:NONECheckTTL:YESGigabitEthernet0/0/2|VirtualRouter3VRRPGroup:Masterstate:VirtualIP:PriorityRun:PriorityConfig:MasterPriority:第39Preempt:YES DelayTime:0Timer:1AuthType:NONECheckTTL:YESHRP_M[USG5000A]disyhrpstateThefirewall'sconfigstateis:MASTERCurrentstateofvirtualroutersconfiguredas1:2:3:PC2台、USG5000系列2台、交换机2第40[USG5000A]hrpmirrorsessionenable[USG5000B]hrpmirrorsession在处于Trust区域的PC1端VRRP组1的虚拟IP地址，在USG5000A上检HRP_M[USG5000A]disyfirewallsessiontable15:20:252009/05/09Currenttotalsessions:icmp :public->public):2048<--PC2HTTPUntrustHTTPTrustPC1HRP_M[USG5000A]disyfirewallsessiontable15:25:252009/05/09Currenttotalsessions:http :public->public):2048-->HRP_S[USG5000B]disyfirewallsessiontable15:25:262009/05/09Currenttotalsessions:http :public->public)Remote:2048-->第41业务报文分担发送到两台USG5000上。署在Trust区域。USG5000HRP备份通道接口GigabitEthernet0/0/2DMZ区域。第42<USG5000A>system-[USG5000A-GigabitEthernet0/0/1]ipaddress[USG5000A-GigabitEthernet0/0/1][USG5000A]firewallzone[USG5000A-zone-trust]addinterfaceGigabitEthernet0/0/1[USG5000A-zone-trust]quitGigabitEthernet0/0/3IP[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/3]ipaddress24[USG5000A-GigabitEthernet0/0/3]quit[USG5000A]firewallzone[USG5000A-zone-untrust]addinterfaceGigabitEthernet0/0/3[USG5000A-zone-untrust]quit[USG5000A]interfaceGigabitEthernet0/0/1[USG5000A-GigabitEthernet0/0/1]link-group1[USG5000A-GigabitEthernet0/0/1]quit[USG5000A]interfaceGigabitEthernet0/0/3[USG5000A-GigabitEthernet0/0/3]link-group1[USG5000A-GigabitEthernet0/0/3]quitGigabitEthernet0/0/2IP[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/2]ipaddress24[USG5000A-GigabitEthernet0/0/2]quit[USG5000A]firewallzone[USG5000A-zone-dmz]addinterfaceGigabitEthernet0/0/2[USG5000A-zone-dmz]quit第43[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/2]vrrpvrid1virtual-ipmaster[USG5000A-GigabitEthernet0/0/2]vrrpvrid2virtual-ipslave[USG5000A-GigabitEthernet0/0/2]quit[USG5000A]ospf[USG5000A-ospf-101]area[USG5000A-ospf-101-area-]network[USG5000A-ospf-101-area-]network[USG5000A-ospf-101-area-]为Master管理组。息表示VRRP组建立成功HRP_M[USG5000A]disyvrrpGigabitEthernet0/0/2|VirtualRouter1VRRPGroup:Masterstate:VirtualIP:PriorityRun:PriorityConfig:MasterPriority:Preempt:YES DelayTime:0Timer:1AuthType:NONECheckTTL:YES第44GigabitEthernet0/0/2|VirtualRouter2VRRPGroup:Slavestate:VirtualIP:PriorityRun:PriorityConfig:MasterPriority:Preempt:YES DelayTime:0Timer:1AuthType:NONECheckTTL:YES示HRP建立成功。HRP_M[USG5000A]disyhrpstateThefirewall'sconfigstateis:MASTERCurrentstateofvirtualroutersconfiguredasmaster: 1:master 2:slave HRP_M[USG5000A]disyfirewallsessiontable15:26:252009/05/09Currenttotal http :public->public):2048-->HRP_S[USG5000B]disyfirewallsessiontable15:26:262009/05/09Currenttotalsessions:http :public->public)Remote:2048-->第45

<USG5000A>system-[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/1]ipaddress24[USG5000A-GigabitEthernet0/0/1]quit[USG5000A]firewallzone[USG5000A-zone-trust]addinterfaceGigabitEthernet0/0/1[USG5000A-zone-trust]quitGigabitEthernet0/0/3IP[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/3]ipaddress24[USG5000A-GigabitEthernet0/0/3]quit第46[USG5000A]firewallzone[USG5000A-zone-untrust]addinterfaceGigabitEthernet0/0/3[USG5000A-zone-untrust]quitGigabitEthernet0/0/2IP[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/2]ipaddress24[USG5000A-GigabitEthernet0/0/2]quit[USG5000A]firewallzone[USG5000A-zone-dmz]addinterfaceGigabitEthernet0/0/2[USG5000A-zone-dmz]quit[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/2]vrrpvrid1virtual-ipmaster[USG5000A-GigabitEthernet0/0/2]quit[USG5000A]hrpinterfaceGigabitEthernet0/0/2#创建IP-Link链路。[USG5000A]ip-link1destinationmodeicmp#配置IP-LinkVRRP组。[USG5000A]interfaceGigabitEthernet[USG5000A-GigabitEthernet0/0/2]vrrpvrid1ip-link1[USG5000A-GigabitEthernet0/0/2]quit#启用IP-Link链路检查功能。[USG5000A]ip-linkcheckenable#启动HRP。[USG5000A]hrp第47无第48 PC主机6台、USG5000系列1台USG5000统一安全网关向外提供出租业务， 业B。第49域。其中，Trust安全区域部署内部用户，DMZ安全区域部署对外服务器，Untrust<USG5000>system-[USG5000]ip -instancevfw1 -id1 -vfw1]route-distinguisher100:1#Ethernet -vfw1][USG5000]interfaceGigabitEthernet[USG5000-GigabitEthernet0/0/2]ipbindng -instancevfw1[USG5000-GigabitEthernet0/0/2]ipaddress24USG5000-GigabitEthernet0/0/2]#Ethernet[USG5000]interfaceGigabitEthernet[USG5000-GigabitEthernet1/0/0]ipbinding -instancevfw1[USG5000-GigabitEthernet1/0/0]ipaddress24[USG5000-GigabitEthernet1/0/0]quit#Ethernet[USG5000]interfaceGigabitEthernet[USG5000-GigabitEthernet1/0/1]ipbinding -instancevfw1[USG5000-GigabitEthernet1/0/1]ipaddress24[USG5000-GigabitEthernet1/0/1]quit#[USG5000]firewall -instancevfw1[USG5000-zone-trust-vfw1]addinterfaceGigabitEthernet0/0/2[USG5000-zone-trust-vfw1]quit第50#[USG5000]firewall -instancevfw1[USG5000-zone-dmz-vfw1]addinterfaceGigabitEthernet1/0/0[USG5000-zone-dmz-vfw1]quit#[USG5000]firewall -instancevfw1[USG5000-zone-untrust-vfw1]addinterfaceGigabitEthernet1/0/1[USG5000-zone-untrust-vfw1]quit#NAT[USG5000]nataddress-group -instance#配置Trust到Untrust域间出方向的策略[USG5000]interzone -instancevfw1trustuntrustoutbound[USG5000--interzone-trust-untrust-vfw1-outbound]1[USG5000--interzone-trust-untrust-vfw1-outbound-1]source[USG5000--interzone-trust-untrust-vfw1-outbound-1]actionpermit[USG5000--interzone-trust-untrust-vfw1-outbound-1]quit[USG5000--interzone-trust-untrust-vfw1-outbound]quit#[USG5000]nat-interzone -instancevfw1trustuntrustoutbound[USG5000-nat--interzone-trust-untrust-vfw1-outbound]1[USG5000-nat--interzone-trust-untrust-vfw1-outbound-1]source[USG5000-nat--interzone-trust-untrust-vfw1-outbound-1]address-group1[USG5000-nat--interzone-trust-untrust-vfw1-outbound-1]quit[USG5000-nat--interzone-trust-untrust-vfw1-outbound]#vfw1[USG5000]natserverzone -instancevfw1untrustglobal00inside -instancevfw1#配置vfw1的DMZ和Untrust域间策略[USG5000]interzone-instancevfw1dmzuntrust第51第52

[USG5000--interzone-dmz-untrust-vfw1-inbound][USG5000--interzone-dmz-untrust-vfw1-inbound-1]destination0[USG5000--interzone-dmz-untrust-vfw1-inbound-1]actionpermit[USG5000--interzone-dmz-untrust-vfw1-inbound-1]quit[USG5000--interzone-dmz-untrust-vfw1-inbound]quit配置虚拟#创 [USG5000]ip -instancevfw2 -id2 -vfw2]route-distinguisher100:2 -vfw2]quit[USG5000]interfaceGigabitEthernet[USG5000-GigabitEthernet0/0/3]ipbinding -instancevfw2[USG5000-GigabitEthernet0/0/3]ipaddress101.1.124[USG5000-GigabitEthernet0/0/3]quit[USG5000]interfaceGigabitEthernet[USG5000-GigabitEthernet0/0/1]ipbinding -instancevfw2[USG5000-GigabitEthernet0/0/1]ipaddress24[USG5000-GigabitEthernet0/0/1]quit[USG5000]interfaceGigabitEthernet[USG5000-GigabitEthernet0/0/0]ipbinding-instancevfw2[USG5000-GigabitEthernet0/0/0]ipaddress24[USG5000-GigabitEthenet0/0/0]quit#GigabitEthernet0/0/3Trust[USG5000]firewall -instancevfw2[USG5000-zone-trust-vfw2]addinterfaceGigabitEthernet0/0/3[USG5000-zone-trust-vfw2]quitGgabitEthernet0/0/1DMZ[USG5000]firewall -instancevfw2[USG5000-zone-dmz-vfw2]addinterfaceGigabitEthernet0/0/1[USG5000-zone-dmz-vfw2]quit#[USG5000]firewall -instancevfw2[USG5000-zone-untrust-vfw2]addinterfaceGigabitEthernet#NAT[USG5000]nataddress-group -instance#配置Trust到Untrust域间出方向的策略[USG5000]interzone -instancevfw2trustuntrustoutbound[USG5000--interzone-trust-untrust-vfw2-outbound]1[USG5000--interzone-trust-untrust-vfw2-outbound-1]source[USG5000--interzone-trust-untrust-vfw2-outbound-1]actionpermit[USG5000--interzone-trust-untrust-vfw2-outbound-1]quit[USG5000--interzone-trust-untrust-vfw2-outbound]quit#[USG5000]nat-interzone -instancevfw2trustuntrustoutbound[USG5000-nat--interzone-trust-untrust-vfw2-outbound]1[USG5000-nat--interzone-trust-untrust-vfw2-outbound-1]source[USG5000-nat--interzone-trust-untrust-vfw2-outbound-1]address-group1[USG5000-nat--interzone-trust-untrust-vfw2-outbound-1]quit[USG5000-nat--interzone-trust-untrust-vfw2outbound]#vfw2[USG5000]natserverzone -instancevfw2untrustglobal00inside -instancevfw2#配置vfw2的DMZ和Untrust域间策略[USG5000]interzone -instancevfw2dmzuntrustinbound[USG5000--interzone-dmz-untrust-vfw2-inbound]1[USG5000--interzone-dmz-untrust-vfw2-inbound-1]destination0[USG5000--interzone-dmz-untrust-vfw2-inbound-1]actionpermit[USG5000--intezonedmz-untrust-vfw2-inbound-1]quit[USG5000--interzone-dmz-untrust-vfw2-inbound]quitC:\WINDOWS\Desktop>C:\WINDOWS\Desktop>C:\WINDOWS\Desktop>C:\WINDOWS\Desktop>第53总部FWA为固定公网地址FWBFWC为动态公网IP(IP模拟动IP,IPSEC的配置,现网可能是通过ADSLPPPOEIP)。全通信之后,PC2PC3能够通过FWA进行安全通信,FWA与FWBFWC之间使用IKE野蛮模式建立安全通道,FWBFWC不直接建立任何IPSEC连接。第54三个的缺省路由下一跳皆分别指向这三个三层接口IP（VLANIF）。###定义用于滤和加密的数据流,ACL3000定义到所有分支机构FWBFWC网段的数据流,Soure定义为总部，destination定义为各个分支的明细网段。[FWA-acl-adv-3000]rulepermitipsource55destination55#配置trust与untrust域间滤规则[FWA]firewallpacket-filterdefaultpermitinterzonetrustuntrust#配置untrust与local域间滤规则Trust和untrust的域间规则可以配置默认放开,也可以配置用ACL来放开.配置Local#tran1IPSec#配置安全协议。Esp为默认安全协议,可以不配置#Tunnel为默认封装类型,可以不配置#md5为默认ESP协议的认证算法,可以不配置#des为默认ESP协议的加密算法,可以不配置[FWA]ikeproposal第55#[FWA-ike-proposal-10authentication-methodpre-sharepre-shared-key验证方法为默认验证方法,可以不配置#配置使用SHA1验证算法。Sha1为默认验证算法,可以不配置#AIKEPeer#创建名为aIKEpeer[FWA]ikepeera#IKE安全提议#配置IKE的协商方式为野蛮模式。#配置验证字为“。#创建安全策略模板map1tmp。[FWA]IPSec-temtemap1tmp10#ike-peera。#名为tran1的安全提议。[FWA-IPSec-templet-map1tmp-10]proposaltran1#组号为3000的ACL。[FWAIPSec--templet-map1tmp-10]securityacl3000#退回系统视图。#创建IPSEC安全策略map1[FWA]IPSecmap110isakmptemte#第56[FWAinterfaceEthernet1/0/0#IPSec策略。##[FWB]iproute-static的明细网段,destination定义为总部和分支的所有网段.[FWB]acl[FWB-acl-adv-3000]rulepermitipsource55destination#配置trust与untrust域间滤规[FWB]firewallpacket-filterdefaultpermitinterzonetrustuntrust#配置untrust与local域间滤规则#tran1IPSec[FWB]IPSecproposaltran1#配置安全协议。Esp为默认安全协议,可以不配置#Tunnel为默认封装类型,可以不配置#md5为默认ESP协议的认证算法,可以不配置#des为默认ESP协议的加密算法,可以不配置#[FWB]ikeproposal第57#[FWB-ike-proposal-10]authentication-methodpre-sharepre-shared-key验证方法为默认验证方法,可以不配置#配置使用SHA1验证算法。[FWB-ike-proposal-10]authentication-algorithmsha1Sha1为默认验证算法,可以不配置#[FWB-ike-proposal-10]saduration86400BIKEPeer#创建名为bIKEpeer[FWB]ikepeerb#IKE安全提议#IKE[FWB-ike-peer-b]exchange-modeaggressive#配置隧道对端IP地址。[FWB-ike-peer-b]remote-address200.0.01#配置验证字为“。#[FWB]IPSecmap110isakmp#ike-peerb。[FWB-IPSec--isakmp-map1-10]ike-peerb#名为tran1的安全提议。[FWB-IPSec--isakmp-map1-10]proposaltran1#组号为3000的ACL。[FWB-IPSec--isakmp-map1-10]securityacl3000#退回系统视图。B安全策略#第58#IPSec策略[FWB-Ethernet1/0/0]IPSecFWC PC2PC3,PC2PC3也不能互访.IPSECSA只能由分支节点触发IPSECSA[FWA]disyikeconnection-id 0180102902flagRD--READYST--STAYALIVERL--RECEDFD--FADINGTO--<FWB>disyikeconnection-id 12PC主机2台、USG5000系列3第59#A、B、C之间需保证互通。B配置NAT后，需保证C能够在做地址转换后与A互通。B只需做普通NAT配置。##定义用于滤和加密的数据流,在模板方式下,总部只建立一个ACL,ACL的源可对于每一个分支机构,建议配置一个rule.[FWA-acl-adv-3000]rulepermitipsource55destination55#配置trust与untrust域间滤规则[FWA]firewallpacket-filterdefaultpermitinterzonetrustuntrust#配置untrust与local域间滤规则.3A配置IPSec安全提议#配置IKE本地名称[FWAikelocal-nameFWA#tran1IPSec第60#配置安全协议。Esp为默认安全协议,可以不配置#Tunnel为默认封装类型,可以不配置#md5为默认ESP协议的认证算法,可以不配置#des为默认ESP协议的加密算法,可以不配置#4.A配置IKE提议#[FWA-ike-proposal-10authentication-methodpre-sharepre-shared-key验证方法为默认验证方法,可以不配置#配置使用SHA1验证算法。Sha1为默认验证算法,可以不配置#[FWA-ike-proposal-10]saduration8640086400秒为默认AKMPSA的生存周期#5.A配置IKE#创建名为aIKEpeer,模板方式下,peer[FWA]ikepeera#IKE安全提议#配置验证字为“。#配置ID类型为name方式#配置对端认证使用的name第61#配置IKE的协商方式为野蛮模式。#配置NAT穿越。#退回系统视图。[FWA-ike-peer-a]6.A配置安全策略模##ike-peera。#名为tran1的安全提议。#组号为3000的ACL。#退回系统视图。7.A安全策#进入以太网接口视图。[FWAinterfaceEthernet1/0/0#IPSec策略。8.C基本配置，包括IP地址及路#[FWC]iproutestatic议配置一个ACL即可.[FWC]acl[FWC-acl-adv-3000]rulepermitipsource55destination#配置trust与untrust域间滤规[FWC]firewallpacket-filterdefaultpermitinterzonetrustuntrust#配置untrust与local域间滤规则第62Trustuntrust的域间可以配置默认放开,也可以配置ACL放开.Local9.C配置IPSec安全提议#配置IKE本地名称[FWAikelocal-nameFWC#tran1IPSec[FWC]IPSecproposaltran1#配置安全协议。Esp为默认安全协议,可以不配置#Tunnel为默认封装类型,可以不配置#md5为默认ESP协议的认证算法,可以不配置#des为默认ESP协议的加密算法,可以不配置#10.C配置IKE提议[FWC]ikeproposal#[FWC-ike-proposal10]authentication-methodpre-sharepre-shared-key验证方法为默认验证方法,可以不配置#配置使用SHA1验证算法。[FWC-ike-proposal-10]authentication-algorithmsha1Sha1为默认验证算法,可以不配置#[FWCike-proposal-10]saduration8640086400秒为默认ISAKMPSA的生存周期#11.C配置IKEcIKEpeer,Peer[FWC]ikepeerc第63#IKE安全提议#配置隧道对端IP地址,此处为FWA[FWC-ike-peer-cremote-address#配置验证字为“。[FWC-ike-peer-cpre-shared-key#配置ID类型为name方式[FWA-ike-peer-clocal-id-typename#配置对端认证使用的name#配置IKE的协商方式为野蛮模式。#配置NAT穿越。[FWC-ike-peer-cnattraversal#退回系统视图。12.C配置安全策[FWC]IPSecmap110isakmp#ike-peerc。[FWC-IPSec--isakmp-map1-10]ike-peerc#名为tran1的安全提议。[FWC-IPSec--isakmp-map1-10]proposaltran1#组号为3000的ACL。[FWC-IPSec--isakmp-map1-10]securityacl3000#退回系统视图。13.C安全策#进入以太网接口视图。[FWCinterfaceEthernet0/0/0#IPSec策略。[FWC-Ethernet0/0/0]IPSecPC2同时可以到公网,FWA的可以 查看NAT转换session表项第64<FWB>disfirewallsessiontableIPSECSA协商connection-id 101502flag14:23:3605-23-2008分支上FWC可以查看到总部peer的IKEphase1和phase2,FWC是发起方,<FWC>disikeconnection--2162总部FWA上可以查看到一对双向的IPSECSA,对应两个分支FWC,nattraversal:Y表示IPSEC的NAT穿越生效IPSecname:"map1"sequencenumber:10mode:temte:-connectionid:5encapsulationmode:tunneltunnellocal: tunnelremote: source:/0/0flowdestination:/ 第65:saremainingkeyduration(bytes/sec): maxreceivedseq