eNSP firewall egress routing with dual ISP links: load sharing and equipment redundancy

 As the egress gateway of a campus or a large enterprise, the USG enables intranet users to access the Internet through two carriers and protects the intranet from network attacks.

Learning content:

    The user gateway sits on the interface of the egress firewall, so the aggregation switch does not need to act as a Layer 3 relay: it connects directly to the access switches below it, giving a simple three-tier topology.

Experimental goals:

    1. Campus users can access the Internet through two operators, and traffic destined for each operator is forwarded out of the USG interface connected to that operator.

    2. When the links to both operators work normally, users in the dormitory area access the Internet through ISP1, and users in the teaching building access the Internet through ISP2.

    3. When a link fails, traffic is switched to the other link in time to avoid a long network interruption.

Configuration idea:

1. Campus users are mainly distributed across the teaching buildings and dormitory areas, and are connected to the USG through aggregation switches.

2. The intranet can access the server without going through the external network.

3. The school is connected to the Internet through two different operators (ISP1 and ISP2), each of which has assigned the school 4 IP addresses. The addresses allocated by ISP1 are 200.1.1.1 to 200.1.1.4 and those allocated by ISP2 are 220.1.1.1 to 220.1.1.4; both masks are 24 bits.


    Topology:

 The configuration is as follows:

FW configuration:
1. Basic configuration:
Username:
Username:admin
Password:
The password needs to be changed. Change now? [Y/N]: y
Please enter old password: 
Please enter new password: 
Please confirm new password: 
<USG6000V1>language-mode Chinese 
Change language mode, confirm? [Y/N] y
提示:改变语言模式成功。
<USG6000V1>sy
进入系统视图,键入Ctrl+Z退回到用户视图。
[USG6000V1]sys FW
[FW]int g1/0/0
[FW-GigabitEthernet1/0/0]ip add 10.1.1.1 16
[FW-GigabitEthernet1/0/0]int g1/0/1
[FW-GigabitEthernet1/0/1]ip add 172.1.1.1 24
[FW-GigabitEthernet1/0/1]int g 1/0/2
[FW-GigabitEthernet1/0/2]ip add 200.1.1.1 24
[FW-GigabitEthernet1/0/2]int g1/0/3
[FW-GigabitEthernet1/0/3]ip add 220.1.1.1 24

2. Security zone configuration:
[FW]fir zone trust
[FW-zone-trust]add int g1/0/0
[FW-zone-trust]fir zone dmz 
[FW-zone-dmz]add int g1/0/1
[FW-zone-dmz]fir zone name ISP1
[FW-zone-ISP1]add int g1/0/2
[FW-zone-ISP1]set priority 15
[FW-zone-ISP1]fir zone name ISP2
[FW-zone-ISP2]add int g1/0/3
[FW-zone-ISP2]set priority 20

3. Interzone permit policy configuration:
[FW]security-policy
[FW-policy-security]rule name trust_ISP1
[FW-policy-security-rule-trust_ISP1]source-zone trust
[FW-policy-security-rule-trust_ISP1]source-address 10.1.0.0 mask 255.255.0.0
[FW-policy-security-rule-trust_ISP1]destination-zone ISP1
[FW-policy-security-rule-trust_ISP1]action permit
[FW-policy-security-rule-trust_IPS1]rule name trust_ISP2
[FW-policy-security-rule-trust_ISP2]source-zone trust
[FW-policy-security-rule-trust_ISP2]source-address 10.1.0.0 mask 255.255.0.0
[FW-policy-security-rule-trust_ISP2]destination-zone ISP2
[FW-policy-security-rule-trust_ISP2]action permit
[FW-policy-security]rule name trust_dmz 
[FW-policy-security-rule-trust_dmz]source-zone trust
[FW-policy-security-rule-trust_dmz]source-address 10.1.0.0 mask 255.255.0.0
[FW-policy-security-rule-trust_dmz]destination-zone dmz
[FW-policy-security-rule-trust_dmz]destination-address 172.16.1.0 mask 255.255.255.0
[FW-policy-security-rule-trust_dmz]action permit

4. Enable ASPF between the zones so that multi-channel protocols can still establish connections:
[FW]firewall interzone trust ISP1
[FW-interzone-trust-ISP1]detect ftp
[FW-interzone-trust-ISP1]detect qq
[FW-interzone-trust-ISP1]detect msn
[FW]firewall interzone trust ISP2
[FW-interzone-trust-ISP2]detect ftp
[FW-interzone-trust-ISP2]detect qq
[FW-interzone-trust-ISP2]detect msn

5. Create the NAT address pools and the NAT policy:
[FW]nat address-group 1
[FW-address-group-1]section 0 200.1.1.2 200.1.1.3
[FW-address-group-1]nat address-group 2
[FW-address-group-2]section 0 220.1.1.2 220.1.1.3

[FW]nat-policy
[FW-policy-nat]rule name ISP1
[FW-policy-nat-rule-ISP1]source-zone trust
[FW-policy-nat-rule-ISP1]destination-zone ISP1
[FW-policy-nat-rule-ISP1]action source-nat address-group 1
[FW-policy-nat-rule-ISP1]
[FW-policy-nat-rule-ISP1]rule name ISP2
[FW-policy-nat-rule-ISP2]source-zone trust 
[FW-policy-nat-rule-ISP2]destination-zone ISP2
[FW-policy-nat-rule-ISP2]action source-nat address-group 2

6. Configure IP-Link, several static routes and two default routes to give the network dual egress and link reliability.
Once the link reachability check is configured, when a link is detected as unreachable the route over the other, reachable link is selected.
# Configure IP-Link and use ICMP packets for link detection
[FW]ip-link check enable 
[FW]ip-link name ISP1
[FW-iplink-ISP1]destination 200.1.1.4 mode icmp
[FW-iplink-ISP1]ip-link name ISP2
[FW-iplink-ISP2]destination 220.1.1.4 mode icmp

7. Configure the default routes:
[FW]ip route-s 0.0.0.0 0 g1/0/2 200.1.1.4 track ip-link ISP1
[FW]ip route-s 0.0.0.0 0 g1/0/3 220.1.1.4 track ip-link ISP2

8. Configure policy-based routing:
[FW]policy-based-route
[FW-policy-pbr]rule name ISP1
[FW-policy-pbr-rule-ISP1]ingress-interface g1/0/0
[FW-policy-pbr-rule-ISP1]source-address 10.1.1.1 mask 255.255.255.128
[FW-policy-pbr-rule-ISP1]action pbr egress-interface g1/0/2 next-hop 200.1.1.4

[FW-policy-pbr-rule-ISP1]rule name ISP2
[FW-policy-pbr-rule-ISP2]ingress-interface g1/0/0
[FW-policy-pbr-rule-ISP2]source-address 10.1.1.128 mask 255.255.255.128
[FW-policy-pbr-rule-ISP2]action pbr egress-interface g1/0/3 next-hop 220.1.1.4
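To see how the pieces above fit together, the following Python model (an added example, not code from the original post or from Huawei) walks a packet through the same decision order the configuration establishes: the security policy admits only 10.1.0.0/16 from zone trust, the policy-based routes steer the two /25 subnets to their preferred ISP, and the tracked default routes cover everything else. The interface, next-hop, NAT pool and subnet values are the page's; the data layout, the function names and the link-state dictionary are my own. One assumption is marked in the code: a PBR rule whose ISP link is down is skipped so that traffic falls through to the remaining default route. The page's PBR rules carry no track, so that behaviour should be confirmed on the device rather than taken for granted.

```python
import ipaddress
from typing import Dict, Optional

# Constructed model of the dual-ISP egress on the page. Interface, next-hop and NAT
# pool addresses are the page's; the data layout and function names are my own.
LINKS = {
    "ISP1": {"egress": "GigabitEthernet1/0/2", "interface": "200.1.1.1/24",
             "next_hop": "200.1.1.4", "nat_pool": ("200.1.1.2", "200.1.1.3")},
    "ISP2": {"egress": "GigabitEthernet1/0/3", "interface": "220.1.1.1/24",
             "next_hop": "220.1.1.4", "nat_pool": ("220.1.1.2", "220.1.1.3")},
}

# Policy-based routing rules in lookup order, using the page's source-address values.
# strict=False normalises 10.1.1.1/25 to the subnet 10.1.1.0/25 that the USG matches on.
PBR_RULES = [
    (ipaddress.ip_network("10.1.1.1/25", strict=False), "ISP1"),    # dormitory area
    (ipaddress.ip_network("10.1.1.128/25", strict=False), "ISP2"),  # teaching building
]

# Security policy: only 10.1.0.0/16 from zone trust may reach zones ISP1 and ISP2.
TRUST_NET = ipaddress.ip_network("10.1.0.0/16")

# Default routes in configuration order; each is tracked by the IP-Link of its ISP.
DEFAULT_ROUTES = ["ISP1", "ISP2"]


def select_egress(src_ip: str, link_up: Dict[str, bool]) -> Optional[dict]:
    """Return the link, egress interface, next hop and NAT pool for traffic from src_ip.

    Steps mirror the page's configuration order:
      1. security policy: sources outside 10.1.0.0/16 are dropped (no permit rule);
      2. PBR: a matching source subnet is steered to its preferred ISP, provided that
         ISP's IP-Link is up (assumption: a PBR rule whose link is down is skipped);
      3. routing table: the first default route whose IP-Link track is up is used.
    Returns None when no egress is possible.
    """
    ip = ipaddress.ip_address(src_ip)
    if ip not in TRUST_NET:
        return None
    chosen = next((link for net, link in PBR_RULES
                   if ip in net and link_up.get(link)), None)
    if chosen is None:
        chosen = next((link for link in DEFAULT_ROUTES if link_up.get(link)), None)
    if chosen is None:
        return None
    info = LINKS[chosen]
    return {"link": chosen, "egress": info["egress"],
            "next_hop": info["next_hop"], "nat_pool": info["nat_pool"]}


def link_addressing_consistent(link: str) -> bool:
    """Check that a link's next hop and NAT pool lie inside its egress interface subnet.

    A pool or next hop outside the interface subnet leaves return traffic unroutable,
    so it is worth checking before the configuration is pushed to the firewall.
    """
    info = LINKS[link]
    subnet = ipaddress.ip_network(info["interface"], strict=False)
    addrs = [info["next_hop"], *info["nat_pool"]]
    return all(ipaddress.ip_address(a) in subnet for a in addrs)


if __name__ == "__main__":
    states = {"both up": {"ISP1": True, "ISP2": True},
              "ISP1 down": {"ISP1": False, "ISP2": True}}
    for src in ("10.1.1.10", "10.1.1.200", "10.1.5.7", "192.168.9.9"):
        for label, state in states.items():
            print(f"{src:<12} {label:<10} -> {select_egress(src, state)}")
    for name in LINKS:
        print(f"{name} addressing consistent: {link_addressing_consistent(name)}")
```

Running the script shows the three behaviours the experiment goals ask for: 10.1.1.10 (dormitory) leaves via ISP1 and 10.1.1.200 (teaching building) via ISP2 while both links are up; with ISP1 marked down, dormitory traffic moves to ISP2 together with the NAT pool 220.1.1.2 to 220.1.1.3; and a source outside 10.1.0.0/16 gets no egress at all because no security-policy rule permits it. The addressing check is the kind of sanity test that would also flag the DMZ mismatch between interface 172.1.1.1/24 and the 172.16.1.0/24 policy destination if the DMZ were added to the model.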


Summary: At present this topology only covers the load-sharing and redundancy configuration; it does not configure external access for the server or any finer-grained settings. The user gateway is configured on the firewall, whereas under normal circumstances it should sit on the core switch, and no ACLs or VLANs have been defined, so there is a lot of room to expand. The routing strategy is roughly the same, and we can change it after learning more routing protocols. Now we are learning, modifying and practicing at the same time.


Origin blog.csdn.net/m0_63775189/article/details/126635981