Lab topology
Requirements
Have FW1 (PPPoE Client) act as a dial-up user, send a request to the internal server to set up the dial-up connection, and make sure the connection works.
Configuration
Interface IP configuration and zone assignment
fw1:
[fw1]interface GigabitEthernet 0/0/0
[fw1-GigabitEthernet0/0/0]service-manage all permit
[fw1]interface GigabitEthernet 1/0/0
[fw1-GigabitEthernet1/0/0]ip address 1.1.1.1 24
[fw1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[fw1-GigabitEthernet1/0/1]ip address 10.1.1.254 24
[fw1]firewall zone trust
[fw1-zone-trust]add interface GigabitEthernet 1/0/1
[fw1]firewall zone untrust
[fw1-zone-untrust]add interface GigabitEthernet 1/0/0
fw2:
[fw2]interface GigabitEthernet 0/0/0
[fw2-GigabitEthernet0/0/0]ip address 192.168.0.2 24
[fw2-GigabitEthernet0/0/0]service-manage all permit
[fw2]interface GigabitEthernet 1/0/0
[fw2-GigabitEthernet1/0/0]ip address 1.1.2.2 24
[fw2]interface GigabitEthernet 1/0/1
[fw2-GigabitEthernet1/0/1]ip address 192.168.1.254 24
[fw2]firewall zone trust
[fw2-zone-trust]add interface GigabitEthernet 1/0/1
[fw2]firewall zone untrust
[fw2-zone-untrust]add interface GigabitEthernet 1/0/0
ISP:
[isp]interface GigabitEthernet 0/0/0
[isp-GigabitEthernet0/0/0]ip address 1.1.1.2 24
[isp-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[isp-GigabitEthernet0/0/1]ip address 1.1.2.1 24
Configure public-network routes
[fw1]ip route-static 0.0.0.0 0 1.1.1.2
[fw2]ip route-static 0.0.0.0 0 1.1.2.1
Security policies
fw1
[fw1]security-policy
[fw1-policy-security]rule name trust_to_untrust
[fw1-policy-security-rule-trust_to_untrust]source-zone trust
[fw1-policy-security-rule-trust_to_untrust]destination-zone untrust
[fw1-policy-security-rule-trust_to_untrust]source-address 10.1.1.0 24
[fw1-policy-security-rule-trust_to_untrust]destination-address 192.168.1.0 24
[fw1-policy-security-rule-trust_to_untrust]action permit
[fw1-policy-security]rule name untrust_to_trust
[fw1-policy-security-rule-untrust_to_trust]source-zone untrust
[fw1-policy-security-rule-untrust_to_trust]destination-zone trust
[fw1-policy-security-rule-untrust_to_trust]source-address 192.168.1.0 24
[fw1-policy-security-rule-untrust_to_trust]destination-address 10.1.1.0 24
[fw1-policy-security-rule-untrust_to_trust]action permit
fw2
[fw2]security-policy
[fw2-policy-security]rule name trust_to_untrust
[fw2-policy-security-rule-trust_to_untrust]source-zone trust
[fw2-policy-security-rule-trust_to_untrust]destination-zone untrust
[fw2-policy-security-rule-trust_to_untrust]source-address 192.168.1.0 24
[fw2-policy-security-rule-trust_to_untrust]destination-address 10.1.1.0 24
[fw2-policy-security-rule-trust_to_untrust]action permit
[fw2-policy-security]rule name untrust_to_trust
[fw2-policy-security-rule-untrust_to_trust]source-zone untrust
[fw2-policy-security-rule-untrust_to_trust]destination-zone trust
[fw2-policy-security-rule-untrust_to_trust]source-address 10.1.1.0 24
[fw2-policy-security-rule-untrust_to_trust]destination-address 192.168.1.0 24
[fw2-policy-security-rule-untrust_to_trust]action permit
fw1:
[fw1-policy-security]rule name untrust_to_local
[fw1-policy-security-rule-untrust_to_local]source-zone untrust
[fw1-policy-security-rule-untrust_to_local]destination-zone local
[fw1-policy-security-rule-untrust_to_local]source-address 1.1.2.2 32
[fw1-policy-security-rule-untrust_to_local]destination-address 1.1.1.1 32
[fw1-policy-security-rule-untrust_to_local]action permit
[fw1-policy-security]rule name local_to_untrust
[fw1-policy-security-rule-local_to_untrust]source-zone local
[fw1-policy-security-rule-local_to_untrust]destination-zone untrust
[fw1-policy-security-rule-local_to_untrust]destination-address 1.1.2.2 32
[fw1-policy-security-rule-local_to_untrust]source-address 1.1.1.1 32
[fw1-policy-security-rule-local_to_untrust]action permit
fw2:
[fw2-policy-security]rule name local_to_untrust
[fw2-policy-security-rule-local_to_untrust]source-zone local
[fw2-policy-security-rule-local_to_untrust]destination-zone untrust
[fw2-policy-security-rule-local_to_untrust]source-address 1.1.2.2 32
[fw2-policy-security-rule-local_to_untrust]destination-address 1.1.1.1 32
[fw2-policy-security-rule-local_to_untrust]action permit
[fw2-policy-security]rule name untrust_to_local
[fw2-policy-security-rule-untrust_to_local]source-zone untrust
[fw2-policy-security-rule-untrust_to_local]destination-zone local
[fw2-policy-security-rule-untrust_to_local]source-address 1.1.1.1 32
[fw2-policy-security-rule-untrust_to_local]destination-address 1.1.2.2 32
[fw2-policy-security-rule-untrust_to_local]action permit
IPSec configuration
Define the traffic to be protected
fw1
[fw1]acl 3000
[fw1-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
fw2
[fw2]acl 3000
[fw2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
Configure the IPSec proposal
fw1
[fw1]ipsec proposal fw1
[fw1-ipsec-proposal-fw1]encapsulation-mode tunnel
[fw1-ipsec-proposal-fw1]transform esp
[fw1-ipsec-proposal-fw1]esp authentication-algorithm sha2-256
[fw1-ipsec-proposal-fw1]esp encryption-algorithm aes-256
fw2
[fw2]ipsec proposal fw2
[fw2-ipsec-proposal-fw2]encapsulation-mode tunnel
[fw2-ipsec-proposal-fw2]transform esp
[fw2-ipsec-proposal-fw2]esp authentication-algorithm sha2-256
[fw2-ipsec-proposal-fw2]esp encryption-algorithm aes-256
Configure the IPSec policy
fw1
[fw1]ipsec policy fw1 10 manual
[fw1-ipsec-policy-manual-fw1-10]security acl 3000
[fw1-ipsec-policy-manual-fw1-10]proposal fw1
[fw1-ipsec-policy-manual-fw1-10]tunnel local 1.1.1.1
[fw1-ipsec-policy-manual-fw1-10]tunnel remote 1.1.2.2
[fw1-ipsec-policy-manual-fw1-10]sa spi inbound esp 12345678
[fw1-ipsec-policy-manual-fw1-10]sa spi outbound esp 87654321
[fw1-ipsec-policy-manual-fw1-10]sa string-key inbound esp abc
[fw1-ipsec-policy-manual-fw1-10]sa string-key outbound esp cba
fw2
[fw2]ipsec policy fw2 10 manual
[fw2-ipsec-policy-manual-fw2-10]security acl 3000
[fw2-ipsec-policy-manual-fw2-10]proposal fw2
[fw2-ipsec-policy-manual-fw2-10]tunnel local 1.1.2.2
[fw2-ipsec-policy-manual-fw2-10]tunnel remote 1.1.1.1
[fw2-ipsec-policy-manual-fw2-10]sa spi inbound esp 87654321
[fw2-ipsec-policy-manual-fw2-10]sa spi outbound esp 12345678
[fw2-ipsec-policy-manual-fw2-10]sa string-key inbound esp cba
[fw2-ipsec-policy-manual-fw2-10]sa string-key outbound esp abc
Apply the IPSec policy
fw1
[fw1]interface GigabitEthernet 1/0/0
[fw1-GigabitEthernet1/0/0]ipsec policy fw1
fw2
[fw2]interface GigabitEthernet 1/0/0
[fw2-GigabitEthernet1/0/0]ipsec policy fw2
Configure private-network routes
[fw1]ip route-static 192.168.1.0 24 1.1.1.2
[fw2]ip route-static 10.1.1.0 24 1.1.2.1
Test

Change ESP to AH
Change the IPSec proposal to AH, removing ESP
fw1
[fw1]ipsec proposal fw1
[fw1-ipsec-proposal-fw1]transform ah
fw2
[fw2]ipsec proposal fw2
[fw2-ipsec-proposal-fw2]transform ah
Change the IPSec policy to AH and remove the ESP SA parameters
fw1
[fw1]ipsec policy fw1 10 manual
[fw1-ipsec-policy-manual-fw1-10]sa spi inbound ah 12345678
[fw1-ipsec-policy-manual-fw1-10]sa spi outbound ah 87654321
[fw1-ipsec-policy-manual-fw1-10]sa string-key inbound ah abc
[fw1-ipsec-policy-manual-fw1-10]sa string-key outbound ah cba
[fw1-ipsec-policy-manual-fw1-10]undo sa spi inbound esp
[fw1-ipsec-policy-manual-fw1-10]undo sa spi outbound esp
[fw1-ipsec-policy-manual-fw1-10]undo sa string-key inbound esp
[fw1-ipsec-policy-manual-fw1-10]undo sa string-key outbound esp
fw2
[fw2]ipsec policy fw2 10 manual
[fw2-ipsec-policy-manual-fw2-10]sa spi inbound ah 87654321
[fw2-ipsec-policy-manual-fw2-10]sa spi outbound ah 12345678
[fw2-ipsec-policy-manual-fw2-10]sa string-key inbound ah cba
[fw2-ipsec-policy-manual-fw2-10]sa string-key outbound ah abc
[fw2-ipsec-policy-manual-fw2-10]undo sa spi inbound esp
[fw2-ipsec-policy-manual-fw2-10]undo sa spi outbound esp
[fw2-ipsec-policy-manual-fw2-10]undo sa string-key inbound esp
[fw2-ipsec-policy-manual-fw2-10]undo sa string-key outbound esp
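A manually keyed tunnel like the one in the two policy sections above (the ESP policy and the switch to AH) has no IKE negotiation to catch mistakes: if one SPI or string-key is typed differently on the two firewalls, or the old ESP SA parameters are left behind after moving to AH, nothing reports it until traffic fails. The Python script below is an added example, not part of this lab and not Huawei tooling. It parses the prompt-prefixed VRP lines used throughout this page and checks the fw1/fw2 pair: proposals must match, fw1's inbound SPI and string-key must equal fw2's outbound ones (and vice versa), SA parameters for a transform the proposal no longer uses are flagged (the page's undo steps clear them), string-keys shorter than 16 characters are flagged (that threshold is an assumption), and AH is flagged as integrity-only. The sample input is constructed from the page's values by the proposal() and manual_policy() helpers.

```python
import re

# Lines in the lab appear as "[fw1-ipsec-policy-manual-fw1-10]sa spi inbound esp 12345678":
# a bracketed view prompt (device name first) followed by the command.
PROMPT_RE = re.compile(r"^\[(?P<dev>[A-Za-z0-9]+)(?:-[^\]]*)?\](?P<cmd>.*)$")
WEAK_KEY_LEN = 16  # assumption: manual string-keys shorter than this are reported

def parse(lines):
    """Collect IPsec proposals and manual policies per device from prompt-prefixed CLI lines."""
    devices, ctx = {}, None
    for raw in lines:
        m = PROMPT_RE.match(raw.strip())
        cmd = m["cmd"].split() if m else []
        if not cmd:
            continue
        dev = devices.setdefault(m["dev"], {"proposals": {}, "policies": {}})
        if cmd[:2] == ["ipsec", "proposal"]:
            ctx = dev["proposals"].setdefault(cmd[2], {"transform": "esp", "algs": {}})
        elif cmd[:2] == ["ipsec", "policy"] and cmd[4:5] == ["manual"]:
            ctx = dev["policies"].setdefault((cmd[2], cmd[3]), {"spi": {}, "key": {}})
        elif cmd[0] in ("interface", "firewall", "security-policy", "ip", "acl"):
            ctx = None  # left the IPsec views
        elif ctx is None:
            continue
        elif cmd[0] == "transform":
            ctx["transform"] = cmd[1]
        elif cmd[0] in ("esp", "ah") and len(cmd) == 3:  # esp encryption-algorithm aes-256
            ctx["algs"][f"{cmd[0]} {cmd[1]}"] = cmd[2]
        elif cmd[0] in ("security", "proposal", "tunnel"):  # security acl N / proposal P / tunnel local|remote IP
            ctx[" ".join(cmd[:-1])] = cmd[-1]
        elif cmd[0] == "sa" and len(cmd) >= 5:  # sa spi|string-key inbound|outbound esp|ah VALUE
            ctx["spi" if cmd[1] == "spi" else "key"][(cmd[2], cmd[3])] = cmd[4]
        elif cmd[0] in ("undo", "un") and cmd[1] == "sa":  # undo sa spi|string-key DIR PROTO
            ctx["spi" if cmd[2] == "spi" else "key"].pop((cmd[3], cmd[4]), None)
    return devices

def check_pair(a, b, na="fw1", nb="fw2"):
    """ERROR findings break the tunnel; WARN findings leave it up but weak."""
    out = []
    for pa in a["policies"].values():
        for pb in b["policies"].values():
            if (pa.get("tunnel local"), pa.get("tunnel remote")) != (pb.get("tunnel remote"), pb.get("tunnel local")):
                continue  # not peers of each other
            prop_a, prop_b = a["proposals"][pa["proposal"]], b["proposals"][pb["proposal"]]
            if prop_a != prop_b:
                out.append(f"ERROR: proposals differ: {prop_a} vs {prop_b}")
            proto = prop_a["transform"]
            if proto == "ah":
                out.append("WARN: transform ah gives integrity only; payloads cross the ISP in cleartext")
            # one side's inbound SPI/key must equal the other side's outbound SPI/key
            for table in ("spi", "key"):
                for da, db in (("inbound", "outbound"), ("outbound", "inbound")):
                    va, vb = pa[table].get((da, proto)), pb[table].get((db, proto))
                    if va is None or va != vb:
                        out.append(f"ERROR: {proto} {table} {da}@{na}={va} != {db}@{nb}={vb}")
            for name, pol in ((na, pa), (nb, pb)):
                for stale in sorted({p for _, p in (*pol["spi"], *pol["key"])} - {proto}):
                    out.append(f"WARN: {name} still carries {stale} SA parameters but the proposal uses {proto}")
                for (d, p), key in pol["key"].items():
                    if len(key) < WEAK_KEY_LEN:
                        out.append(f"WARN: {name} {p} {d} string-key is only {len(key)} chars")
    return out

def report(lines, left="fw1", right="fw2"):
    devs = parse(lines)
    return check_pair(devs[left], devs[right], left, right)

def proposal(dev, proto, *algs):
    """Proposal view lines in the lab's prompt form (constructed from the page's values)."""
    p = f"[{dev}-ipsec-proposal-{dev}]"
    return [f"[{dev}]ipsec proposal {dev}", f"{p}transform {proto}"] + [f"{p}{a}" for a in algs]

def manual_policy(dev, local, remote, proto, spi_in, spi_out, key_in, key_out):
    """Manual policy view lines in the lab's prompt form (constructed from the page's values)."""
    p = f"[{dev}-ipsec-policy-manual-{dev}-10]"
    return [f"[{dev}]ipsec policy {dev} 10 manual", f"{p}security acl 3000", f"{p}proposal {dev}",
            f"{p}tunnel local {local}", f"{p}tunnel remote {remote}",
            f"{p}sa spi inbound {proto} {spi_in}", f"{p}sa spi outbound {proto} {spi_out}",
            f"{p}sa string-key inbound {proto} {key_in}", f"{p}sa string-key outbound {proto} {key_out}"]

ESP_ALGS = ("esp authentication-algorithm sha2-256", "esp encryption-algorithm aes-256")
# Phase 1 on the page: ESP, with fw2's SPIs and string-keys the mirror image of fw1's.
ESP_CONFIG = (proposal("fw1", "esp", *ESP_ALGS) + proposal("fw2", "esp", *ESP_ALGS)
              + manual_policy("fw1", "1.1.1.1", "1.1.2.2", "esp", "12345678", "87654321", "abc", "cba")
              + manual_policy("fw2", "1.1.2.2", "1.1.1.1", "esp", "87654321", "12345678", "cba", "abc"))
# Phase 2 on the page: switch the proposals to AH, add AH SAs, then undo the ESP SAs.
AH_CHANGES = (proposal("fw1", "ah") + proposal("fw2", "ah")
              + manual_policy("fw1", "1.1.1.1", "1.1.2.2", "ah", "12345678", "87654321", "abc", "cba")
              + manual_policy("fw2", "1.1.2.2", "1.1.1.1", "ah", "87654321", "12345678", "cba", "abc"))
ESP_CLEANUP = [line for d in ("fw1", "fw2") for line in [f"[{d}]ipsec policy {d} 10 manual"]
               + [f"[{d}-ipsec-policy-manual-{d}-10]undo sa {t} {dirn} esp"
                  for t in ("spi", "string-key") for dirn in ("inbound", "outbound")]]

if __name__ == "__main__":
    for label, cfg in (("esp only", ESP_CONFIG), ("after ah switch", ESP_CONFIG + AH_CHANGES + ESP_CLEANUP)):
        print(label, *report(cfg), sep="\n  ")
```

Running the file prints the findings for both phases: the ESP phase passes the mirror checks but gets four WARN lines for the three-character string-keys, and the AH phase additionally gets the integrity-only warning. Feeding it the AH changes without the undo commands shows why that step matters, since the leftover ESP parameters are reported on both firewalls. Manual keying never rekeys, so in anything beyond a lab the string-keys should be long random values and the SPIs should not be guessable sequences.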