1. Experiment objective
Through this course design, check how well the firewall material has been mastered and whether a firewall can be configured correctly.
2. Experiment tasks
The inside network pings the outside network, the inside network pings the DMZ, and the outside network pings the DMZ; configuration of NAT, access control and VPN.
Firewall log server.
3. Experiment equipment
PIX firewall, Cisco switch and routers, console cables and a number of network cables.
4. Experiment topology and content
Basic configuration of the inside and outside networks:
Configuration on FW1:
Configuration of R1:
Configuration of R2:
Configuration of R3:
Test: the inside network pings the outside network
The outside network pings the DMZ
The inside network pings the DMZ
Firewall logging configuration:
Start the log server:
Configure logging on the firewall:
Test results:
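The report shows the log-server step only as screenshots, so the following is an added example, not part of the report and not a Cisco tool: a minimal UDP syslog collector in Python that plays the role of the log server, receiving the firewall's messages, parsing the PIX header `%PIX-<severity>-<message-id>: <text>` and summarising what arrived by severity and by denied source address. It assumes the firewall sends to UDP port 514 (the PIX default for `logging host`); the sample messages are constructed for this example and only follow the general PIX format, they were not captured from the lab devices.

```python
"""Minimal syslog collector for PIX firewall messages.

Added example, not part of the lab report. It acts as the log server:
receives UDP syslog datagrams from the firewall, parses the PIX header
%PIX-<severity>-<message-id>: <text> and summarises the messages by
severity and by denied source address. Assumption: the PIX sends to UDP
port 514 (its default for `logging host`). The sample messages below are
constructed for this example, not captured from a real device.
"""
import re
import socket
from collections import Counter

PIX_HEADER = re.compile(
    r"^(?:<(?P<pri>\d+)>)?.*?%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# Deny messages name source/destination as <interface>:<address>/<port>.
DENY = re.compile(
    r"Deny (?:inbound |outbound )?(?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)?"
    r" dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
)
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Constructed sample datagrams (not from a real PIX). <166> = local4.info.
SAMPLE_LOGS = [
    "<166>Jan 01 2024 10:00:01: %PIX-6-302013: Built outbound TCP connection 12 for inside:10.0.1.2/1025 (30.0.1.10/1025) to outside:20.0.1.2/80 (20.0.1.2/80)",
    "<164>Jan 01 2024 10:00:02: %PIX-4-106023: Deny tcp src outside:20.0.1.2/4444 dst dmz:10.0.2.2/23 by access-group \"outside_in\"",
    "<164>Jan 01 2024 10:00:03: %PIX-4-106023: Deny tcp src outside:20.0.1.2/4445 dst dmz:10.0.2.2/22 by access-group \"outside_in\"",
    "<163>Jan 01 2024 10:00:04: %PIX-3-106010: Deny inbound udp src outside:20.0.1.9/53 dst inside:10.0.1.2/53",
    "<165>Jan 01 2024 10:00:05: %PIX-5-111008: User 'enable_15' executed the 'logging host inside 10.0.1.5' command.",
]


def parse_pix_syslog(line):
    """Return a dict for one PIX syslog line, or None if it is not one."""
    m = PIX_HEADER.match(line)
    if not m:
        return None
    sev = int(m["sev"])
    rec = {
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        # syslog PRI = facility * 8 + severity
        "facility": int(m["pri"]) >> 3 if m["pri"] else None,
        "msgid": m["msgid"],
        "text": m["text"],
    }
    d = DENY.search(m["text"])
    if d:
        rec.update(d.groupdict())  # proto, src_if, src, dst_if, dst
    return rec


def summarize(records):
    """Count messages per severity and denied packets per source address."""
    by_sev = Counter(r["severity_name"] for r in records)
    denies = Counter(r["src"] for r in records if "src" in r)
    top = denies.most_common(1)[0][0] if denies else None
    return {"by_severity": by_sev, "denies_by_src": denies, "top_denied_src": top}


def collect(bind_ip="0.0.0.0", port=514, max_msgs=100):
    """Receive up to max_msgs datagrams from the firewall; return parsed records."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))  # port 514 needs administrative privileges
        while len(records) < max_msgs:
            data, (sender, _) = s.recvfrom(4096)
            rec = parse_pix_syslog(data.decode("utf-8", "replace").rstrip("\r\n"))
            if rec:
                rec["sender"] = sender
                records.append(rec)
    return records


if __name__ == "__main__":
    # Offline run over the constructed samples; use collect() against a live PIX.
    parsed = [r for r in map(parse_pix_syslog, SAMPLE_LOGS) if r]
    for key, value in summarize(parsed).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run as a script it summarises the constructed samples offline; `collect()` is the live path, and the same `logging host` test from the report can be checked by looking for the firewall's address in `rec["sender"]`.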
VPN configuration:
Cracking the PIX firewall:
Detailed configuration:
FW2
pixfirewall(config)# host FW2
FW2(config)# int e1
FW2(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
FW2(config-if)# ip add 30.0.1.2 255.255.255.0
FW2(config-if)# du fu
FW2(config-if)# no shut
FW2(config-if)# ping 30.0.1.1
Sending 5, 100-byte ICMP Echos to 30.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/28/120 ms
FW2(config-if)# int e0
FW2(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
FW2(config-if)# ip add 50.0.1.1 255.255.255.0
FW2(config-if)# du fu
FW2(config-if)# no shut
FW2(config-if)# global (outside) 1 30.0.1.10-30.0.1.30
FW2(config)# route outside 0 0 30.0.1.1
FW2(config)# isakmp enable outside
FW2(config)# isakmp policy 10
FW2(config-isakmp-policy)# authentication pre-share
FW2(config-isakmp-policy)# isakmp identity address
FW2(config)# isakmp key 111aaa address 40.0.1.2 netmask 255.255.255.255
FW2(config)# access-list 101 permit ip host 50.0.1.2 host 60.0.1.2
FW2(config)# crypto ipsec transform-set FW3 esp-des
FW2(config)# crypto map peer1 10 ipsec-isakmp
FW2(config)# crypto map peer1 10 match address 101
FW2(config)# crypto map peer1 10 set peer 40.0.1.2
FW2(config)# crypto map peer1 10 set transform-set FW3
FW2(config)# crypto map peer1 interface outside
FW2(config)#
FW3:
pixfirewall# conf t
pixfirewall(config)# host FW3
FW3(config)# int e1
FW3(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
FW3(config-if)# ip add 40.0.1.2 255.255.255.0
FW3(config-if)# no shut
FW3(config-if)# du fu
FW3(config-if)# int e0
FW3(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
FW3(config-if)# ip add 60.0.1.1 255.255.255.0
FW3(config-if)# du fu
FW3(config-if)# no shut
FW3(config-if)# global (outside) 1 40.0.1.10-40.0.1.20
FW3(config)# route outside 0 0 40.0.1.1
FW3(config)# isakmp enable outside
FW3(config)# isakmp policy 10
FW3(config-isakmp-policy)# authentication pre-share
FW3(config-isakmp-policy)# isakmp identity address
FW3(config)# isakmp key 111aaa address 30.0.1.2 netmask 255.255.255.255
FW3(config)# access-list 101 permit ip host 60.0.1.2 host 50.0.1.2
FW3(config)# crypto ipsec transform-set FW2 esp-des
FW3(config)# crypto map peer1 10 ipsec-isakmp
FW3(config)# crypto map peer1 10 match address 101
FW3(config)# crypto map peer1 10 set peer 30.0.1.2
FW3(config)# crypto map peer1 10 set transform-set FW2
FW3(config)# crypto map peer1 interface outside
FW3(config)#
R1:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host R1
R1(config)#int f1/0
R1(config-if)#ip add 30.0.1.1 255.255.255.0
R1(config-if)#fu
R1(config-if)#full-duplex
R1(config-if)#no shut
00:03:25: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:03:26: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int f2/0
R1(config-if)#ip add 40.0.1.1 255.255.255.0
R1(config-if)#fu
R1(config-if)#no shut
R4:
R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#int f0/0
R4(config-if)#ip add 50.0.1.2 255.255.255.0
R4(config-if)#duplex full
R4(config-if)#no shut
00:23:04: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:23:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R4(config-if)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 50.0.1.1
R2(config)#exit
Test:
R4#ping 60.0.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 60.0.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/342/380 ms
R4#
FW2(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: peer1, seq num: 10, local addr: 30.0.1.2

      access-list 101 permit ip host 50.0.1.2 host 60.0.1.2
      local ident (addr/mask/prot/port): (50.0.1.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (60.0.1.2/255.255.255.255/0/0)
      current_peer: 40.0.1.2

      #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 0
      #pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 34, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 30.0.1.2, remote crypto endpt.: 40.0.1.2

      path mtu 1500, ipsec overhead 46, media mtu 1500
      current outbound spi: 133F8A5F

    inbound esp sas:
      spi: 0x4E47EE1C (1313336860)
         transform: esp-des esp-none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: peer1
         sa timing: remaining key lifetime (kB/sec): (3824996/28286)
         IV size: 8 bytes
         replay detection support: N
    outbound esp sas:
      spi: 0x133F8A5F (322931295)
         transform: esp-des esp-none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: peer1
         sa timing: remaining key lifetime (kB/sec): (3824996/28286)
         IV size: 8 bytes
         replay detection support: N
FW2(config)# sh isakmp

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.3.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Global IKE Statistics
  Active Tunnels: 1
  Previous Tunnels: 1
  In Octets: 4652
  In Packets: 52
  In Drop Packets: 0
  In Notifys: 48
  In P2 Exchanges: 0
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Sa Delete Requests: 0
  Out Octets: 4796
  Out Packets: 53
  Out Drop Packets: 0
  Out Notifys: 96
  Out P2 Exchanges: 1
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 0
  Initiator Tunnels: 1
  Initiator Fails: 0
  Responder Fails: 0
  System Capacity Fails: 0
  Auth Fails: 0
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
  Embryonic connections: 0
  Active connections: 0
  Previous connections: 0
  Inbound packets: 0
  Inbound dropped packets: 0
  Outbound packets: 0
  Outbound dropped packets: 0
  RST packets: 0
  Recevied ACK heart-beat packets: 0
  Bad headers: 0
  Bad trailers: 0
  Timer failures: 0
  Checksum errors: 0
  Internal errors: 0
FW2(config)#
for FW2
isakmp enable outside
isakmp policy 10
authentication pre-share
isakmp identity address
isakmp key cisco123 address 40.0.1.2 netmask 255.255.255.255
access-list 101 permit ip host 50.0.1.2 host 60.0.1.2
crypto ipsec transform-set FW3 esp-des
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 40.0.1.2
crypto map peer1 10 set transform-set FW3
crypto map peer1 interface outside
for FW3
isakmp enable outside
isakmp policy 10
authentication pre-share
isakmp identity address
isakmp key cisco123 address 30.0.1.2 netmask 255.255.255.255
access-list 101 permit ip host 60.0.1.2 host 50.0.1.2
crypto ipsec transform-set FW2 esp-des
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 30.0.1.2
crypto map peer1 10 set transform-set FW2
crypto map peer1 interface outside
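A site-to-site tunnel only comes up when the two ends are exact mirror images: each crypto map points at the other's outside address, both hold the same pre-shared key for that address, the crypto ACLs are reversed copies of each other, and the transform sets agree. The following is an added example, not part of the lab report and not a Cisco tool: a Python check that parses the "for FW2" and "for FW3" listings above, verifies those mirror properties, and also flags settings a defender should not accept (esp-des, and an ESP transform set with no integrity algorithm, which the `show crypto ipsec sa` output above reflects as `esp-des esp-none`). The outside addresses 30.0.1.2 and 40.0.1.2 are taken from the interface configuration earlier in the report; the `isakmp policy` lines are not checked by this example.

```python
"""Mirror-consistency check for the two PIX site-to-site VPN configs.

Added example, not part of the lab report or any Cisco tool. Parses the
abbreviated FW2/FW3 listings and checks that the two ends match: peers
point at each other, pre-shared keys agree, crypto ACLs are reversed
copies, transform sets agree, and the map is applied to an interface.
Also flags weak transforms (esp-des, no ESP integrity). Outside addresses
come from the interface configuration in the report.
"""
import re
from dataclasses import dataclass, field

# Listings copied from the report's "for FW2" / "for FW3" summaries.
FW2_TEXT = """
isakmp enable outside
isakmp policy 10
authentication pre-share
isakmp identity address
isakmp key cisco123 address 40.0.1.2 netmask 255.255.255.255
access-list 101 permit ip host 50.0.1.2 host 60.0.1.2
crypto ipsec transform-set FW3 esp-des
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 40.0.1.2
crypto map peer1 10 set transform-set FW3
crypto map peer1 interface outside
"""
FW3_TEXT = """
isakmp enable outside
isakmp policy 10
authentication pre-share
isakmp identity address
isakmp key cisco123 address 30.0.1.2 netmask 255.255.255.255
access-list 101 permit ip host 60.0.1.2 host 50.0.1.2
crypto ipsec transform-set FW2 esp-des
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 30.0.1.2
crypto map peer1 10 set transform-set FW2
crypto map peer1 interface outside
"""

WEAK_CIPHERS = {"esp-des", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}


@dataclass
class VpnConfig:
    outside_ip: str                                  # address the peer must dial
    keys: dict = field(default_factory=dict)         # peer address -> pre-shared key
    acls: dict = field(default_factory=dict)         # acl id -> [(proto, src, dst)]
    transforms: dict = field(default_factory=dict)   # set name -> [transform, ...]
    maps: dict = field(default_factory=dict)         # (map, seq) -> {acl, peer, transform}
    bound: dict = field(default_factory=dict)        # map name -> interface


def parse_pix_vpn(text, outside_ip):
    """Pull the VPN-relevant lines out of a PIX listing (other lines are ignored)."""
    cfg = VpnConfig(outside_ip)
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"isakmp key (\S+) address (\S+) netmask \S+", line):
            cfg.keys[m[2]] = m[1]
        elif m := re.fullmatch(r"access-list (\S+) permit (\S+) host (\S+) host (\S+)", line):
            cfg.acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg.transforms[m[1]] = m[2].split()
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            key = {"match address": "acl", "set peer": "peer", "set transform-set": "transform"}[m[3]]
            cfg.maps.setdefault((m[1], int(m[2])), {})[key] = m[4]
        elif m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            cfg.bound[m[1]] = m[2]
    return cfg


def check_mirror(a, b, name_a="A", name_b="B"):
    """Return findings: 'ERROR' = tunnel will not form or protect the intended
    traffic; 'WEAK' = it forms, but with settings a defender should reject."""
    findings = []
    key_ab, key_ba = a.keys.get(b.outside_ip), b.keys.get(a.outside_ip)
    if key_ab is None or key_ba is None:
        findings.append(f"ERROR: {name_a if key_ab is None else name_b} has no pre-shared key for its peer")
    elif key_ab != key_ba:
        findings.append(f"ERROR: pre-shared keys on {name_a} and {name_b} differ")
    for here, there, hn, tn in ((a, b, name_a, name_b), (b, a, name_b, name_a)):
        there_acl = {t for e in there.maps.values() for t in there.acls.get(e.get("acl"), [])}
        there_ts = {tuple(there.transforms.get(e.get("transform"), [])) for e in there.maps.values()}
        if not here.maps:
            findings.append(f"ERROR: {hn} has no crypto map entries")
        for (mname, seq), entry in here.maps.items():
            if mname not in here.bound:
                findings.append(f"ERROR: {hn} crypto map {mname} is not applied to an interface")
            if entry.get("peer") != there.outside_ip:
                findings.append(f"ERROR: {hn} map {mname} {seq} peer {entry.get('peer')} is not {tn}'s outside {there.outside_ip}")
            for proto, src, dst in here.acls.get(entry.get("acl"), []):
                if (proto, dst, src) not in there_acl:  # the peer must hold the reversed entry
                    findings.append(f"ERROR: {hn} crypto ACL {proto} {src}->{dst} is not mirrored on {tn}")
            ts = here.transforms.get(entry.get("transform"), [])
            if tuple(ts) not in there_ts:
                findings.append(f"ERROR: {hn} transform-set {ts} has no matching set on {tn}")
            for t in ts:
                if t in WEAK_CIPHERS:
                    findings.append(f"WEAK: {hn} map {mname} {seq} uses {t}")
            if not ESP_AUTH & set(ts):
                findings.append(f"WEAK: {hn} map {mname} {seq} has no ESP integrity transform")
    return findings


def audit_lab_vpn():
    fw2 = parse_pix_vpn(FW2_TEXT, "30.0.1.2")
    fw3 = parse_pix_vpn(FW3_TEXT, "40.0.1.2")
    return check_mirror(fw2, fw3, "FW2", "FW3")


if __name__ == "__main__":
    for finding in audit_lab_vpn():
        print(finding)
```

On the listings as written the check reports no ERROR lines (the tunnel came up, as the ping and `show` output confirm) and four WEAK lines: both ends use esp-des with no integrity transform. Changing one side's key or one ACL endpoint in the text produces the corresponding ERROR, which is the kind of mismatch that otherwise shows up only as an IKE negotiation that never reaches MM_ACTIVE.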
5. Experiment summary
Through this course design I completed the basic firewall configuration and the firewall logging configuration. The design made me much more familiar with configuring network equipment, but because of the limits of the environment and of my own ability, the work completed still falls short of what the instructor required, and I hope to fill these gaps in future study.