Topology

(Topology diagram: Untitled.png)
Lab requirements
- An enterprise deploys two business servers.
- Server1 provides its service to clients on TCP port 8888.
- Server2 provides its service to clients on UDP port 6666.
- A firewall enforces access control: during working hours, 08:00 to 17:00 Monday through Saturday, the two PCs with IP addresses 10.1.1.2 and 10.2.1.2 are not allowed to use the services provided by these two servers.
- All other PCs (10.3.1.2) may use the services of both servers at any time.
Data plan
| Device | Interface | IP address | Security zone / service port |
|---|---|---|---|
| Firewall | GigabitEthernet 1/0/0 | 10.2.0.1/24 | zone: dmz |
| Firewall | GigabitEthernet 1/0/1 | 10.1.1.1/24 | zone: trust |
| Firewall | GigabitEthernet 1/0/2 | 10.2.1.1/24 | zone: trust |
| Firewall | GigabitEthernet 1/0/3 | 10.3.1.1/24 | zone: trust |
| Server 1 | | 10.2.0.10/24 | service: TCP 8888 |
| Server 2 | | 10.2.0.11/24 | service: UDP 6666 |
| PC1 | | 10.1.1.2/24 | |
| PC2 | | 10.2.1.2/24 | |
| PC3 | | 10.3.1.2/24 | |
Device configuration

Basic firewall configuration
```
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 10.2.0.1 24
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]ip address 10.1.1.1 24
[FW]interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2]ip address 10.2.1.1 24
[FW]interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3]ip address 10.3.1.1 24
[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet 1/0/0
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/1
[FW-zone-trust]add interface GigabitEthernet 1/0/2
[FW-zone-trust]add interface GigabitEthernet 1/0/3
```
Basic server configuration
```
Server1(config)#interface ethernet 0/0
Server1(config-if)#ip address 10.2.0.10 255.255.255.0
Server1(config)#ip default-gateway 10.2.0.1
Server1(config)#ip http server
Server1(config)#ip http port 8888
Server2(config)#interface ethernet 0/0
Server2(config-if)#ip address 10.2.0.11 255.255.255.0
Server2(config)#ip route 0.0.0.0 0.0.0.0 10.2.0.1
Server2(config)#ip http server
Server2(config)#ip http port 6666
```
Configure the address set of PCs denied access to the servers
```
[FW]ip address-set server_deny type object
[FW-object-address-set-server_deny]address 10.1.1.2 mask 32
[FW-object-address-set-server_deny]address 10.2.1.2 mask 32
```
Configure the time range during which access to the servers is denied
```
[FW]time-range time_deny
[FW-time-range-time_deny]period-range 08:00:00 to 17:00:00 Mon Tue Wed Thu Fri Sat    // Monday to Saturday, 08:00-17:00, as the requirements state
```
Configure the service sets for the server ports
```
[FW]ip service-set server1_port type object
[FW-object-service-set-server1_port]service protocol tcp destination-port 8888    // without source-port, all source ports are matched by default
[FW]ip service-set server2_port type object
[FW-object-service-set-server2_port]service protocol udp source-port 0 to 65535 destination-port 6666
```
Configure the security policy
```
[FW]security-policy
// Security policy denying the listed PCs access to the service provided by Server1.
// The deny rules are created first because rules are matched top-down, first match wins.
[FW-policy-security]rule name sec_deny_server1
[FW-policy-security-rule-sec_deny_server1]source-zone trust
[FW-policy-security-rule-sec_deny_server1]destination-zone dmz
[FW-policy-security-rule-sec_deny_server1]source-address address-set server_deny
[FW-policy-security-rule-sec_deny_server1]destination-address 10.2.0.10 32
[FW-policy-security-rule-sec_deny_server1]service server1_port
[FW-policy-security-rule-sec_deny_server1]time-range time_deny
[FW-policy-security-rule-sec_deny_server1]action deny
// Security policy denying the listed PCs access to the service provided by Server2.
[FW-policy-security]rule name sec_deny_server2
[FW-policy-security-rule-sec_deny_server2]source-zone trust
[FW-policy-security-rule-sec_deny_server2]destination-zone dmz
[FW-policy-security-rule-sec_deny_server2]source-address address-set server_deny
[FW-policy-security-rule-sec_deny_server2]destination-address 10.2.0.11 32
[FW-policy-security-rule-sec_deny_server2]service server2_port
[FW-policy-security-rule-sec_deny_server2]time-range time_deny
[FW-policy-security-rule-sec_deny_server2]action deny
// Security policy permitting all PCs access to the services provided by the servers.
[FW-policy-security]rule name sec_permit_all
[FW-policy-security-rule-sec_permit_all]source-zone trust
[FW-policy-security-rule-sec_permit_all]destination-zone dmz
[FW-policy-security-rule-sec_permit_all]destination-address 10.2.0.10 32
[FW-policy-security-rule-sec_permit_all]destination-address 10.2.0.11 32
[FW-policy-security-rule-sec_permit_all]service server1_port
[FW-policy-security-rule-sec_permit_all]service server2_port
[FW-policy-security-rule-sec_permit_all]action permit
```
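To sanity-check the rule order and the time window before pushing the policy, here is an added Python model of first-match policy evaluation loaded with the three rules above (example code, not part of the original lab and not Huawei's implementation); it assumes every flow is trust to dmz, treats the period-range bounds as inclusive, and uses the Monday-to-Saturday window from the requirements.

```python
from datetime import datetime
from ipaddress import ip_address

# Objects from the lab configuration (lab addresses as given on the page).
SERVER_DENY = {ip_address("10.1.1.2"), ip_address("10.2.1.2")}   # address-set server_deny
SERVER1_PORT = {("tcp", 8888)}                                    # service-set server1_port
SERVER2_PORT = {("udp", 6666)}                                    # service-set server2_port
# time-range time_deny: 08:00:00 to 17:00:00 on Mon..Sat (weekday() 0..5); bounds assumed inclusive.
TIME_DENY = (8 * 3600, 17 * 3600, {0, 1, 2, 3, 4, 5})

def in_time_range(when: datetime, rng) -> bool:
    """True if 'when' falls on one of the range's days and inside its daily window."""
    start, end, days = rng
    secs = when.hour * 3600 + when.minute * 60 + when.second
    return when.weekday() in days and start <= secs <= end

# Rules in configured order:
# (name, source set or None = any, destinations, services, time-range or None = always, action)
RULES = [
    ("sec_deny_server1", SERVER_DENY, {"10.2.0.10"}, SERVER1_PORT, TIME_DENY, "deny"),
    ("sec_deny_server2", SERVER_DENY, {"10.2.0.11"}, SERVER2_PORT, TIME_DENY, "deny"),
    ("sec_permit_all", None, {"10.2.0.10", "10.2.0.11"}, SERVER1_PORT | SERVER2_PORT, None, "permit"),
]

def evaluate(src: str, dst: str, proto: str, dport: int, when, rules=RULES):
    """First-match evaluation of a trust->dmz flow; returns (rule_name, action).
    'when' is a datetime or an ISO 8601 string. A flow matching no rule falls through
    to the firewall's default policy, modelled here as deny."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for name, src_set, dsts, services, rng, action in rules:
        if src_set is not None and ip_address(src) not in src_set:
            continue
        if dst not in dsts or (proto, dport) not in services:
            continue
        if rng is not None and not in_time_range(when, rng):
            continue
        return name, action
    return "default", "deny"

if __name__ == "__main__":
    # Constructed sample flows: Wednesday 2024-01-10 10:00 is inside the deny window.
    for src in ("10.1.1.2", "10.3.1.2"):
        print(src, "-> 10.2.0.10 tcp/8888 Wed 10:00:", evaluate(src, "10.2.0.10", "tcp", 8888, "2024-01-10T10:00:00"))
    print("10.1.1.2 -> 10.2.0.10 udp/6666 Wed 10:00:", evaluate("10.1.1.2", "10.2.0.10", "udp", 6666, "2024-01-10T10:00:00"))
```

The last sample flow shows that sec_permit_all also permits UDP 6666 to Server1 and TCP 8888 to Server2, because one rule with two destinations and two services matches their cross product; two separate permit rules, one per server and service, would narrow that.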
Verification
Test from PC1, PC2 and PC3:
```
telnet 10.2.0.10 8888
telnet 10.2.0.11 6666
```
Outside the restricted time window, PC1, PC2 and PC3 all connect normally (Open state). Inside the restricted window, PC1 and PC2 cannot connect (% Connection timed out; remote host not responding), while PC3 still connects normally (Open state). Check the firewall session table to confirm which sessions were established.