I. Topology
II. Lab configuration steps
1. Configure interface IP addresses and security zone assignment
FW1:
[FW1]int g0/0/0
[FW1-GigabitEthernet0/0/0]service-manage all permit
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 1.1.1.1 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.254 24
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/1
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/0
FW2:
[FW2]int g0/0/0
[FW2-GigabitEthernet0/0/0]ip add 192.168.0.2 24
[FW2-GigabitEthernet0/0/0]service-manage all permit
[FW2-GigabitEthernet0/0/0]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 1.1.2.2 24
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 192.168.1.254 24
[FW2]firewall zone trust
[FW2-zone-trust]add int g1/0/1
[FW2]firewall zone untrust
[FW2-zone-untrust]add int g1/0/0
ISP:
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip add 1.1.1.2 24
[ISP-GigabitEthernet0/0/0]int g0/0/1
[ISP-GigabitEthernet0/0/1]ip add 1.1.2.1 24
Client1:
Server1:
2. Configure public-network routes
FW1:
[FW1]ip route-static 0.0.0.0 0 1.1.1.2
FW2:
[FW2]ip route-static 0.0.0.0 0 1.1.2.1
3. Security policies
Traffic between the two user networks:
FW1:
[FW1]security-policy
[FW1-policy-security]rule name trust_to_untrust
[FW1-policy-security-rule-trust_to_untrust]source-zone trust
[FW1-policy-security-rule-trust_to_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_to_untrust]source-address 10.1.1.0 24
[FW1-policy-security-rule-trust_to_untrust]action permit
[FW1-policy-security]rule name untrust_to_trust
[FW1-policy-security-rule-untrust_to_trust]source-zone untrust
[FW1-policy-security-rule-untrust_to_trust]destination-zone trust
[FW1-policy-security-rule-untrust_to_trust]source-address 192.168.1.0 24
[FW1-policy-security-rule-untrust_to_trust]destination-address 10.1.1.0 24
[FW1-policy-security-rule-untrust_to_trust]action permit
FW2:
[FW2]security-policy
[FW2-policy-security]rule name trust_to_untrust
[FW2-policy-security-rule-trust_to_untrust]source-zone trust
[FW2-policy-security-rule-trust_to_untrust]destination-zone untrust
[FW2-policy-security-rule-trust_to_untrust]source-address 192.168.1.0 24
[FW2-policy-security-rule-trust_to_untrust]destination-address 10.1.1.0 24
[FW2-policy-security-rule-trust_to_untrust]action permit
[FW2-policy-security]rule name untrust_to_trust
[FW2-policy-security-rule-untrust_to_trust]source-zone untrust
[FW2-policy-security-rule-untrust_to_trust]destination-zone trust
[FW2-policy-security-rule-untrust_to_trust]source-address 10.1.1.0 24
[FW2-policy-security-rule-untrust_to_trust]destination-address 192.168.1.0 24
[FW2-policy-security-rule-untrust_to_trust]action permit
IPSec tunnel traffic (between the two firewalls' local zones):
FW1:
[FW1-policy-security]rule name untrust_to_local
[FW1-policy-security-rule-untrust_to_local]source-zone untrust
[FW1-policy-security-rule-untrust_to_local]destination-zone local
[FW1-policy-security-rule-untrust_to_local]source-address 1.1.2.2 32
[FW1-policy-security-rule-untrust_to_local]destination-address 1.1.1.1 32
[FW1-policy-security-rule-untrust_to_local]action permit
[FW1-policy-security]rule name local_to_untrust
[FW1-policy-security-rule-local_to_untrust]source-zone local
[FW1-policy-security-rule-local_to_untrust]destination-zone untrust
[FW1-policy-security-rule-local_to_untrust]source-address 1.1.1.1 32
[FW1-policy-security-rule-local_to_untrust]destination-address 1.1.2.2 32
[FW1-policy-security-rule-local_to_untrust]action permit
FW2:
[FW2-policy-security]rule name local_to_untrust
[FW2-policy-security-rule-local_to_untrust]source-zone local
[FW2-policy-security-rule-local_to_untrust]destination-zone untrust
[FW2-policy-security-rule-local_to_untrust]source-address 1.1.2.2 32
[FW2-policy-security-rule-local_to_untrust]destination-address 1.1.1.1 32
[FW2-policy-security-rule-local_to_untrust]action permit
[FW2-policy-security]rule name untrust_to_local
[FW2-policy-security-rule-untrust_to_local]source-zone untrust
[FW2-policy-security-rule-untrust_to_local]destination-zone local
[FW2-policy-security-rule-untrust_to_local]source-address 1.1.1.1 32
[FW2-policy-security-rule-untrust_to_local]destination-address 1.1.2.2 32
[FW2-policy-security-rule-untrust_to_local]action permit
4. IPSec configuration
Define the data flow to be protected
FW1:
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
FW2:
[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
Configure the IPSec proposal
FW1:
[FW1]ipsec proposal fw1
[FW1-ipsec-proposal-fw1]encapsulation-mode tunnel
[FW1-ipsec-proposal-fw1]transform esp
[FW1-ipsec-proposal-fw1]esp authentication-algorithm sha2-256
[FW1-ipsec-proposal-fw1]esp encryption-algorithm aes-256
FW2:
[FW2]ipsec proposal fw2
[FW2-ipsec-proposal-fw2]encapsulation-mode tunnel
[FW2-ipsec-proposal-fw2]transform esp
[FW2-ipsec-proposal-fw2]esp authentication-algorithm sha2-256
[FW2-ipsec-proposal-fw2]esp encryption-algorithm aes-256
Configure the IPSec policy (manual mode)
FW1:
[FW1]ipsec policy fw1 10 manual
[FW1-ipsec-policy-manual-fw1-10]security acl 3000
[FW1-ipsec-policy-manual-fw1-10]proposal fw1
[FW1-ipsec-policy-manual-fw1-10]tunnel local 1.1.1.1
[FW1-ipsec-policy-manual-fw1-10]tunnel remote 1.1.2.2
[FW1-ipsec-policy-manual-fw1-10]sa spi inbound esp 12345678
[FW1-ipsec-policy-manual-fw1-10]sa spi outbound esp 87654321
[FW1-ipsec-policy-manual-fw1-10]sa string-key inbound esp abc
[FW1-ipsec-policy-manual-fw1-10]sa string-key outbound esp cba
FW2:
[FW2]ipsec policy fw2 10 manual
[FW2-ipsec-policy-manual-fw2-10]security acl 3000
[FW2-ipsec-policy-manual-fw2-10]proposal fw2
[FW2-ipsec-policy-manual-fw2-10]tunnel local 1.1.2.2
[FW2-ipsec-policy-manual-fw2-10]tunnel remote 1.1.1.1
[FW2-ipsec-policy-manual-fw2-10]sa spi inbound esp 87654321
[FW2-ipsec-policy-manual-fw2-10]sa spi outbound esp 12345678
[FW2-ipsec-policy-manual-fw2-10]sa string-key inbound esp cba
[FW2-ipsec-policy-manual-fw2-10]sa string-key outbound esp abc
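A manual-mode SA has no IKE negotiation, so every parameter must be mirrored by hand: each peer's inbound SPI and inbound key are the other peer's outbound SPI and key, the tunnel local/remote addresses are swapped, and the ACL on each side is the mirror image of the other. The script below is an added example (not part of the lab and not a Huawei tool) that parses the FW1 and FW2 session lines from the ACL step and the IPSec policy step above, embedded here as constructed sample input, and reports any way the two peers fail to mirror. The 16-character minimum for string keys is a threshold chosen for this example, not a device requirement.

```python
"""Cross-check two Huawei USG manual-mode IPSec peers for mirror consistency."""
import re
from typing import Dict, List

# Constructed sample input: the FW1 / FW2 session lines exactly as typed in the lab.
FW1_SESSION = """
[FW1-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[FW1]ipsec policy fw1 10 manual
[FW1-ipsec-policy-manual-fw1-10]security acl 3000
[FW1-ipsec-policy-manual-fw1-10]proposal fw1
[FW1-ipsec-policy-manual-fw1-10]tunnel local 1.1.1.1
[FW1-ipsec-policy-manual-fw1-10]tunnel remote 1.1.2.2
[FW1-ipsec-policy-manual-fw1-10]sa spi inbound esp 12345678
[FW1-ipsec-policy-manual-fw1-10]sa spi outbound esp 87654321
[FW1-ipsec-policy-manual-fw1-10]sa string-key inbound esp abc
[FW1-ipsec-policy-manual-fw1-10]sa string-key outbound esp cba
"""
FW2_SESSION = """
[FW2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[FW2]ipsec policy fw2 10 manual
[FW2-ipsec-policy-manual-fw2-10]security acl 3000
[FW2-ipsec-policy-manual-fw2-10]proposal fw2
[FW2-ipsec-policy-manual-fw2-10]tunnel local 1.1.2.2
[FW2-ipsec-policy-manual-fw2-10]tunnel remote 1.1.1.1
[FW2-ipsec-policy-manual-fw2-10]sa spi inbound esp 87654321
[FW2-ipsec-policy-manual-fw2-10]sa spi outbound esp 12345678
[FW2-ipsec-policy-manual-fw2-10]sa string-key inbound esp cba
[FW2-ipsec-policy-manual-fw2-10]sa string-key outbound esp abc
"""

PROMPT = re.compile(r"^\[[^\]]*\]")       # strips the "[FW1-...]" view prompt
MIN_KEY_CHARS = 16                          # assumed policy threshold for this example


def parse_session(text: str) -> Dict:
    """Extract the ACL rules and manual-SA parameters from a pasted CLI session."""
    cfg: Dict = {"acl": [], "tunnel": {}, "spi": {}, "key": {}}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip()).strip()
        if m := re.match(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)$", line):
            cfg["acl"].append(m.groups())            # (src, src_wildcard, dst, dst_wildcard)
        elif m := re.match(r"tunnel (local|remote) (\S+)$", line):
            cfg["tunnel"][m[1]] = m[2]
        elif m := re.match(r"sa spi (inbound|outbound) esp (\d+)$", line):
            cfg["spi"][m[1]] = int(m[2])
        elif m := re.match(r"sa string-key (inbound|outbound) esp (\S+)$", line):
            cfg["key"][m[1]] = m[2]
    return cfg


def mirror_errors(a: Dict, b: Dict) -> List[str]:
    """Return every way peer a and peer b fail to mirror each other (empty = consistent)."""
    errs: List[str] = []
    if a["tunnel"].get("local") != b["tunnel"].get("remote"):
        errs.append(f"tunnel local {a['tunnel'].get('local')} != peer tunnel remote {b['tunnel'].get('remote')}")
    if a["tunnel"].get("remote") != b["tunnel"].get("local"):
        errs.append(f"tunnel remote {a['tunnel'].get('remote')} != peer tunnel local {b['tunnel'].get('local')}")
    for field in ("spi", "key"):
        if a[field].get("inbound") != b[field].get("outbound"):
            errs.append(f"{field}: inbound {a[field].get('inbound')!r} != peer outbound {b[field].get('outbound')!r}")
        if a[field].get("outbound") != b[field].get("inbound"):
            errs.append(f"{field}: outbound {a[field].get('outbound')!r} != peer inbound {b[field].get('inbound')!r}")
    # The peer's ACL, with source and destination swapped, must contain each of our rules.
    mirrored_b = {(d, dm, s, sm) for (s, sm, d, dm) in b["acl"]}
    for rule in a["acl"]:
        if rule not in mirrored_b:
            errs.append(f"acl rule {rule} has no mirror on peer")
    return errs


def weak_keys(cfg: Dict) -> List[str]:
    """Flag manual string keys shorter than the example's threshold (the lab uses 3 chars)."""
    return [f"{d} string-key {k!r} is only {len(k)} chars (< {MIN_KEY_CHARS})"
            for d, k in cfg["key"].items() if len(k) < MIN_KEY_CHARS]


if __name__ == "__main__":
    fw1, fw2 = parse_session(FW1_SESSION), parse_session(FW2_SESSION)
    for e in mirror_errors(fw1, fw2) or ["peers mirror correctly"]:
        print("FW1<->FW2:", e)
    for name, cfg in (("FW1", fw1), ("FW2", fw2)):
        for w in weak_keys(cfg):
            print(f"{name} WARNING:", w)
```

For the lab's configuration the mirror check passes and the only findings are the two short string keys on each firewall; swapping one SPI or editing one ACL mask on either side is reported as an error immediately, which is the class of mistake that otherwise surfaces only as silently dropped ESP.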
Apply the IPSec policy to the outbound interface
FW1:
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ipsec policy fw1
FW2:
[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ipsec policy fw2
Add routes to the remote private network
FW1:
[FW1]ip route-static 192.168.1.0 24 1.1.1.2
FW2:
[FW2]ip route-static 10.1.1.0 24 1.1.2.1
5. Test
server1: start the HTTP service
client1: browse to 192.168.1.1
Packet capture
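What the capture on the ISP link should show once client1 reaches server1 over the tunnel: only ESP (IP protocol 50) between 1.1.1.1 and 1.1.2.2, carrying the SPIs configured above (87654321 from FW1 to FW2, 12345678 from FW2 to FW1), and no 10.1.1.0/24 or 192.168.1.0/24 addresses in the clear. The script below is an added example (not from the lab) that encodes those expectations and audits a set of packets; the packets are constructed inline from hand-built IPv4 headers rather than read from a pcap, and client1's address 10.1.1.1 is an assumption (the lab only gives its /24).

```python
"""Audit ISP-side packets for the lab's expected IPSec behaviour."""
import ipaddress
import struct
from collections import Counter
from typing import Dict, List

IPPROTO_TCP = 6
IPPROTO_ESP = 50

# From the lab config: a peer's outbound SPI is what the other peer expects inbound.
EXPECTED_SPI = {
    ("1.1.1.1", "1.1.2.2"): 87654321,   # FW1 outbound -> FW2 inbound
    ("1.1.2.2", "1.1.1.1"): 12345678,   # FW2 outbound -> FW1 inbound
}
PRIVATE_NETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("192.168.1.0/24")]


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def esp(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header is SPI (4 bytes) then sequence number (4 bytes), then the encrypted data."""
    return ipv4(src, dst, IPPROTO_ESP, struct.pack("!II", spi, seq) + ciphertext)


def classify(pkt: bytes) -> str:
    """Return a verdict for one captured IPv4 packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    payload = pkt[ihl:total_len]
    if proto == IPPROTO_ESP:
        if len(payload) < 8:
            return "esp-truncated"
        spi, _seq = struct.unpack("!II", payload[:8])
        expected = EXPECTED_SPI.get((str(src_ip), str(dst_ip)))
        if expected is None:
            return "esp-unexpected-peers"
        return "esp-ok" if spi == expected else "esp-spi-mismatch"
    # Anything that is not ESP: the lab's private networks must never appear on this link.
    if any(src_ip in n or dst_ip in n for n in PRIVATE_NETS):
        return "cleartext-private-leak"
    return "other"


def audit(packets: List[bytes]) -> Dict[str, int]:
    """Count packets per verdict; a healthy run shows only 'esp-ok' (and maybe 'other')."""
    return dict(Counter(classify(p) for p in packets))


# Constructed capture: two tunnelled HTTP packets from a healthy run, plus two faults.
SAMPLE_CAPTURE = [
    esp("1.1.1.1", "1.1.2.2", 87654321, 1, b"\x8a" * 64),   # client1 -> server1, tunnelled
    esp("1.1.2.2", "1.1.1.1", 12345678, 1, b"\x3c" * 80),   # server1 -> client1, tunnelled
    esp("1.1.1.1", "1.1.2.2", 12345678, 2, b"\x8a" * 64),   # fault: SPI of the wrong direction
    ipv4("10.1.1.1", "192.168.1.1", IPPROTO_TCP, b"GET / HTTP/1.1\r\n"),  # fault: not tunnelled
]

if __name__ == "__main__":
    for verdict, n in sorted(audit(SAMPLE_CAPTURE).items()):
        print(f"{verdict:24} {n}")
```

The two fault packets correspond to the two most common ways this lab goes wrong: an SPI typed into the wrong direction on one peer (the receiving firewall has no SA for it and drops the packet), and an ACL or interface-policy mistake that lets the private traffic out unencrypted, where the ISP then sees 10.1.1.1 and the HTTP request in the clear.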