Network Security: PPPoE Dial-up and Firewall Load Sharing (eNSP)


  • Experiment name:

Firewall application experiment

  • Experiment topology:

(Topology diagram: network security - PPPoE dial-up - firewall load sharing - eNSP)

  • Experiment requirements:

1. AR1 is a PPPoE server; the internal firewalls obtain their addresses by dialing in to it.

2. Using the techniques learned, split the outbound traffic of the internal PCs across the two firewalls so that they share the load.


  • Experiment steps:

  1. PPPoE

AR1

Create the address pool

[ar1-ip-pool-pppoe1]net 61.67.1.0 m 24

Create the virtual template

[ar1]int Virtual-Template 1

Virtual template address

[ar1-Virtual-Template1]ip address 61.67.1.11 24

Template authentication mode: CHAP

[ar1-Virtual-Template1]ppp authentication-mode chap

Assign client addresses from the address pool

[ar1-Virtual-Template1]remote address pool pppoe1

Create a local user in AAA view

[ar1-aaa]local-user user1 password cipher 123

Set the service type to PPP

[ar1-aaa]local-user user1 service-type ppp

Bind virtual template 1 on the interface

[ar1-GigabitEthernet0/0/1]pppoe-server bind virtual-template 1

The same steps for the second PPPoE client (address pool pppoe2, Virtual-Template 2, user user2, bound on G0/0/0):

[ar1]ip pool pppoe2

Info: It's successful to create an IP address pool.

[ar1-ip-pool-pppoe2]net 61.67.2.0 m 24

[ar1]int Virtual-Template 2

[ar1-Virtual-Template2]ip a 61.67.2.11 24

[ar1-Virtual-Template2]ppp authentication-mode chap

[ar1-Virtual-Template2]remote address pool pppoe2

[ar1]aaa

[ar1-aaa]local-user user2 password cipher 123

Info: Add a new user.

[ar1-aaa]local-user user2 service-type ppp

[ar1-aaa]int g 0/0/0

[ar1-GigabitEthernet0/0/0]pppoe-server bind virtual-template 2


FW1


[USG6000V1-Dialer1]dis th

#

interface Dialer1

 link-protocol ppp

 ppp chap user user1

 ppp chap password cipher 123

 ip address ppp-negotiate

 dialer user user1

 dialer bundle 1

#

Add the dialer interface to the untrust zone

[USG6000V1-zone-untrust]add interface Dialer 1

Add each interface to its corresponding security zone

[USG6000V1-zone-dmz]add int g 1/0/0

[USG6000V1-zone-trust]add int g 1/0/1


FW2


[USG6000V1-Dialer2]dis th

#

interface Dialer2

 link-protocol ppp

 ppp chap user user2

 ppp chap password cipher %$%$QpbH6wWBd#ELQh~;Jx"!I4/Y%$%$

 ip address ppp-negotiate

 dialer user user2

 dialer bundle 2

#


Add the dialer interface to the untrust zone

[USG6000V1-zone-untrust]add  interface  Dialer  2

Add each interface to its corresponding security zone

[USG6000V1-zone-dmz]add int g 1/0/0

[USG6000V1-zone-trust]add int g 1/0/1


2. Firewall load sharing

HRP active/standby synchronization

FW1

[USG6000V1]hrp enable

HRP_M[USG6000V1]hrp int g 1/0/0 remote 192.168.12.2

FW2

[USG6000V1]hrp  enable

HRP_M[USG6000V1]hrp int g 1/0/0 remote 192.168.12.1

The VRRP backup groups are managed by the VGMP group


VRRP 1: trust security zone

VRRP 2: trust security zone

FW1

HRP_M[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 192.168.1.254 24 active

HRP_M[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 192.168.1.253 24 standby


FW2

HRP_S[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 192.168.1.254 24 standby

HRP_S[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 192.168.1.253 24 active
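To check that the two VRRP groups above really form a load-sharing pair (each VRID active on exactly one firewall, the same virtual IP on both, and each firewall active for at least one VRID), here is an added Python check that is not part of the original lab. The FW1_VRRP and FW2_VRRP strings are constructed from the vrrp commands shown above; feeding the lines of a real `display this` output works the same way.

```python
import re
from collections import defaultdict

# Constructed sample input: the VRRP lines from each firewall's G1/0/1 in this lab.
FW1_VRRP = """
vrrp vrid 1 virtual-ip 192.168.1.254 24 active
vrrp vrid 2 virtual-ip 192.168.1.253 24 standby
"""
FW2_VRRP = """
vrrp vrid 1 virtual-ip 192.168.1.254 24 standby
vrrp vrid 2 virtual-ip 192.168.1.253 24 active
"""

VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+) (\d+) (active|standby)")


def parse_vrrp(text):
    """Map each VRID to (virtual_ip, mask_len, role) from VRRP config lines."""
    groups = {}
    for m in VRRP_RE.finditer(text):
        vrid, vip, mask, role = m.groups()
        groups[int(vrid)] = (vip, int(mask), role)
    return groups


def check_load_sharing(fw_configs):
    """Return (active_owner, problems) for a dict of firewall name -> config text.

    Load sharing holds when every VRID has exactly one active member, the same
    virtual IP on all members, and every firewall is active for some VRID.
    """
    per_vrid = defaultdict(dict)  # vrid -> {firewall: (vip, mask, role)}
    for name, text in fw_configs.items():
        for vrid, entry in parse_vrrp(text).items():
            per_vrid[vrid][name] = entry
    problems, active_owner = [], {}
    for vrid, members in sorted(per_vrid.items()):
        if set(members) != set(fw_configs):
            problems.append(f"vrid {vrid}: missing on {sorted(set(fw_configs) - set(members))}")
        if len({(vip, mask) for vip, mask, _ in members.values()}) != 1:
            problems.append(f"vrid {vrid}: virtual IP differs between firewalls")
        actives = sorted(fw for fw, (_, _, role) in members.items() if role == "active")
        if len(actives) != 1:
            problems.append(f"vrid {vrid}: expected one active member, got {actives}")
        else:
            active_owner[vrid] = actives[0]
    idle = sorted(set(fw_configs) - set(active_owner.values()))
    if idle:
        problems.append(f"no traffic handled by {idle}: active/standby, not load sharing")
    return active_owner, problems


if __name__ == "__main__":
    print(check_load_sharing({"FW1": FW1_VRRP, "FW2": FW2_VRRP}))
```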


Security policy

HRP_M[USG6000V1]security-policy (+B)


HRP_M[USG6000V1-policy-security]rule name t_unt (+B)


HRP_M[USG6000V1-policy-security-rule-t_unt]source-zone trust  (+B)

HRP_M[USG6000V1-policy-security-rule-t_unt]destination-zone untrust  (+B)

HRP_M[USG6000V1-policy-security-rule-t_unt]action permit  (+B)


HRP_M[USG6000V1-policy-security]dis th

#

security-policy

 rule name t_unt

  source-zone trust

  destination-zone untrust

  action permit

#

NAT policy


HRP_M[USG6000V1-policy-nat]rule name t_un_nat (+B)

HRP_M[USG6000V1-policy-nat-rule-t_un_nat]destination-zone untrust  (+B)

HRP_M[USG6000V1-policy-nat-rule-t_un_nat]action nat easy-ip  (+B)


HRP_M[USG6000V1-policy-nat-rule-t_un_nat]dis th

#

 rule name t_un_nat

  destination-zone untrust

  action nat easy-ip

#


  • Result test:


  • Experiment notes:

[ar1]int Virtual-Template 2

[ar1-Virtual-Template2]ip address  61.67.1.12  24

Error: The specified address conflicts with another address.

[ar1-Virtual-Template2]ip address 61.67.1.10 24

Error: The specified address conflicts with another address.

Here another address pool was created.


In this experiment, I could not ping the interface in the firewall's trust zone; after adding a security policy from trust to local, the ping succeeded.