Requirements:
1. Basic IP address configuration
2. Enterprise 1: the internal network reaches the Internet via Easy IP; the web server is published externally without purchasing additional public IP addresses
3. Enterprise 2: the internal network reaches the Internet via No-PAT; the web server is published externally using additionally purchased public IP addresses
4. Enterprise 3: the internal network reaches the Internet via Easy IP; access to the web server Server3 must pass through firewall FW2
5. The servers of Enterprise 1 and Enterprise 2 must be reachable from Enterprise 3
![Figure 1 - Chapter 10 Comprehensive network security case 1 - dsrw.com](https://www.dsrw.com/wp-content/uploads/2023/09/图片7-1024x511.png)
1. ISP configuration
#R1
ospf 1
area 0.0.0.0
interface GigabitEthernet0/0/0
ip address 100.1.1.254 255.255.255.0
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/1
ip address 12.1.1.1 255.255.255.252
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/3
ip address 101.1.1.2 255.255.255.252
ospf enable 1 area 0.0.0.0
#R2
ospf 1
area 0.0.0.0
interface GigabitEthernet0/0/1
ip address 12.1.1.2 255.255.255.252
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/2
ip address 23.1.1.1 255.255.255.252
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/3
ip address 102.1.1.2 255.255.255.252
ospf enable 1 area 0.0.0.0
#R3
ospf 1
area 0.0.0.0
interface GigabitEthernet0/0/0
ip address 200.1.1.254 255.255.255.0
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/2
ip address 23.1.1.2 255.255.255.252
ospf enable 1 area 0.0.0.0
interface GigabitEthernet0/0/3
ip address 103.1.1.2 255.255.255.252
ospf enable 1 area 0.0.0.0
2. Enterprise 1 configuration
#AR1
interface GigabitEthernet0/0/1
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/0/0
ip address 101.1.1.1 255.255.255.252
interface GigabitEthernet0/0/2
ip address 192.168.2.254 255.255.255.0
# Configure the default route
ip route-static 0.0.0.0 0.0.0.0 101.1.1.2
# Configure the ACL (inside hosts allowed to use NAT)
acl number 2000
rule 10 permit source 192.168.1.0 0.0.0.255
# Configure NAT (Easy IP on the outside interface)
interface GigabitEthernet0/0/0
nat outbound 2000
# Allow the public-network client Client3 to reach the internal server Server1
interface GigabitEthernet0/0/0
#nat server global 101.1.1.1 inside 192.168.2.100
#Error: The address conflicts with interface or ARP IP.
# The interface address is already used for NAT (Easy IP), so mapping it with nat server reports a conflict
# The correct configuration is as follows (port-based mapping on the current interface address):
interface GigabitEthernet0/0/0
nat server protocol tcp global current-interface 18080 inside 192.168.2.100 www
3. Enterprise 2 configuration
#FW1
interface GigabitEthernet1/0/1
ip address 192.168.1.254 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/2
ip address 192.168.2.254 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/0
ip address 102.1.1.1 255.255.255.252
service-manage all permit
firewall zone dmz
add interface GigabitEthernet1/0/2
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
# Configure the default route
ip route-static 0.0.0.0 0.0.0.0 102.1.1.2
# Security policy
security-policy
rule name t_2_ISP
source-zone trust
destination-zone untrust
source-address 192.168.1.1 mask 255.255.255.255
source-address 192.168.1.2 mask 255.255.255.255
action permit
# Configure internal access to the Internet
# NAT address group used by the NAT policy (No-PAT, one public address per inside host)
nat address-group ag01 0
mode no-pat global
section 0 102.1.1.101 102.1.1.102
# NAT policy
nat-policy
rule name t_2_isp
source-zone trust
destination-zone untrust
source-address 192.168.1.1 mask 255.255.255.255
source-address 192.168.1.2 mask 255.255.255.255
action source-nat address-group ag01
# Configure routes on R2 for the public addresses used by FW1
ip route-static 102.1.1.101 32 102.1.1.1
ip route-static 102.1.1.102 32 102.1.1.1
ip route-static 102.1.1.103 32 102.1.1.1
# Redistribute the static routes into OSPF on R2
ospf 1
import-route static
# Configure black-hole routes for the address group to prevent routing loops
nat address-group ag01 0
route enable
# Allow the public-network client Client3 to reach the internal server Server2
security-policy
rule name isp_2_dmz
source-zone untrust
destination-zone dmz
destination-address 192.168.2.100 mask 255.255.255.255
action permit
# Configure NAT (server mapping to the additionally purchased address)
nat server web01 protocol tcp global 102.1.1.103 80 inside 192.168.2.100 80 no-reverse unr-route
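How the No-PAT pool in ag01 and the static routes on R2 fit together, as an added Python model (it is not part of the original page and not device code): it binds each permitted inside host to one whole pool address, shows what happens when the two-address pool runs out, and derives the host routes R2 needs for every global address that is not on the connected 102.1.1.0/30 link. The class and function names and the third test host 192.168.1.3 are constructed for this example; the addresses come from the configuration above.

```python
import ipaddress
from dataclasses import dataclass, field

# Values taken from the Enterprise 2 configuration above.
LINK_NET = ipaddress.ip_network("102.1.1.0/30")       # FW1 GE1/0/0 <-> R2 GE0/0/3 link
POOL = ["102.1.1.101", "102.1.1.102"]                   # nat address-group ag01, mode no-pat
SERVER_GLOBAL = "102.1.1.103"                           # global address of nat server web01
PERMITTED = {"192.168.1.1", "192.168.1.2"}              # source-address entries of rule t_2_isp


@dataclass
class NoPatPool:
    """No-PAT source NAT: every inside host is bound to one whole public address
    (no port translation), so the pool serves at most len(pool) hosts at once.
    Hypothetical model for this example, not firewall code."""
    free: list
    permitted: set
    bindings: dict = field(default_factory=dict)

    def translate(self, src_ip: str):
        """Return the public address chosen for src_ip, or None when the NAT policy
        does not match the source or the pool has no free address left."""
        if src_ip not in self.permitted:
            return None                       # no matching nat-policy rule
        if src_ip in self.bindings:
            return self.bindings[src_ip]      # a host keeps its address across sessions
        if not self.free:
            return None                       # pool exhausted: a third host gets nothing
        public = self.free.pop(0)
        self.bindings[src_ip] = public
        return public


def routes_needed_on_r2(global_addrs, link=LINK_NET, next_hop="102.1.1.1"):
    """R2 only knows the connected 102.1.1.0/30. Every global address FW1 answers for
    that lies outside that link needs a host route back to FW1 (102.1.1.1), which is
    what the three ip route-static lines on R2 provide."""
    return [f"ip route-static {g} 32 {next_hop}"
            for g in global_addrs
            if ipaddress.ip_address(g) not in link]


if __name__ == "__main__":
    pool = NoPatPool(list(POOL), set(PERMITTED))
    for host in ("192.168.1.1", "192.168.1.1", "192.168.1.2", "192.168.1.3"):
        print(host, "->", pool.translate(host))
    print("\n".join(routes_needed_on_r2(POOL + [SERVER_GLOBAL])))
```

The model makes the sizing rule visible: with `mode no-pat` the number of concurrently translated hosts can never exceed the number of addresses in the section, which is why the security policy and NAT policy above list exactly two source hosts for a two-address pool. It also shows why `import-route static` on R2 matters: without the host routes, replies to 102.1.1.101-103 would follow R2's default behaviour and never reach FW1.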
4. Enterprise 3 configuration
#AR2
interface GigabitEthernet0/0/0
ip address 103.1.1.1 255.255.255.252
interface GigabitEthernet0/0/1
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 10.1.1.254 255.255.255.0
interface GigabitEthernet4/0/0
ip address 10.2.1.1 255.255.255.252
# Configure the default route
ip route-static 0.0.0.0 0.0.0.0 103.1.1.2
# Configure NAT (Easy IP on the outside interface)
acl number 2000
rule 10 permit source 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0/0
nat outbound 2000
# Internal clients reach the internal server Server3 (both directions must pass through firewall FW2); configure bidirectional NAT
#FW2
interface GigabitEthernet1/0/0
ip address 10.2.1.2 255.255.255.252
service-manage all permit
firewall zone untrust
add interface GigabitEthernet1/0/0
# Bidirectional NAT on the firewall
destination-nat address-group ag11 0
section 10.1.1.1 10.1.1.1
nat-policy
rule name be_nat_web
source-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 10.2.2.1 mask 255.255.255.255
action source-nat easy-ip
action destination-nat address-group ag11
# Configure routes on FW2 (back towards the real server and the client subnet)
ip route-static 10.1.1.1 32 10.2.1.1
ip route-static 192.168.1.0 24 10.2.1.1
# Configure the route on AR2 (send the virtual server address to FW2)
ip route-static 10.2.2.1 32 10.2.1.2
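The bidirectional NAT on FW2, as an added Python model (it is not part of the original page and not firewall code): a client packet to the virtual address 10.2.2.1 gets its source rewritten to FW2's interface address 10.2.1.2 (easy-ip) and its destination rewritten to Server3's real address 10.1.1.1, and the reply is restored from the session table in one step. The class and function names, the session-table layout and the starting port 20000 are assumptions of this example; the addresses come from the configuration above.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the Enterprise 3 configuration above.
FW2_OUT_IF = "10.2.1.2"       # FW2 GE1/0/0; source-nat easy-ip borrows this address
VIRTUAL_SERVER = "10.2.2.1"   # destination-address in rule be_nat_web; AR2 routes it to FW2
REAL_SERVER = "10.1.1.1"      # destination-nat address-group ag11
CLIENT_NET = ipaddress.ip_network("192.168.1.0/24")   # source-address in rule be_nat_web


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class BidirectionalNat:
    """Models rule be_nat_web: forward packets get both a new source (easy-ip)
    and a new destination; replies are matched against the session table and
    restored. Port allocation is a simplification made for this example."""

    def __init__(self, first_port=20000):
        self.sessions = {}           # (FW2_OUT_IF, port) -> (client, client_port)
        self.next_port = first_port  # hypothetical: a real firewall picks its own ports

    def outbound(self, pkt):
        """Client -> 10.2.2.1 becomes 10.2.1.2 -> 10.1.1.1, so Server3's reply is
        addressed to FW2 and has to come back through it."""
        if ipaddress.ip_address(pkt.src) not in CLIENT_NET or pkt.dst != VIRTUAL_SERVER:
            return None              # rule be_nat_web does not match; no translation
        port = self.next_port
        self.next_port += 1
        self.sessions[(FW2_OUT_IF, port)] = (pkt.src, pkt.sport)
        return Packet(FW2_OUT_IF, port, REAL_SERVER, pkt.dport)

    def inbound(self, pkt):
        """Server3 -> FW2: undo both translations using the session table."""
        key = (pkt.dst, pkt.dport)
        if pkt.src != REAL_SERVER or key not in self.sessions:
            return None              # unknown session: nothing to restore
        client, client_port = self.sessions[key]
        return Packet(VIRTUAL_SERVER, pkt.sport, client, client_port)


if __name__ == "__main__":
    nat = BidirectionalNat()
    request = Packet("192.168.1.10", 40000, VIRTUAL_SERVER, 80)
    forwarded = nat.outbound(request)
    print("AR2 -> FW2 :", request)
    print("FW2 -> AR2 :", forwarded)
    reply = Packet(REAL_SERVER, 80, forwarded.src, forwarded.sport)
    print("Server3 -> FW2 :", reply)
    print("FW2 -> client  :", nat.inbound(reply))
```

The model shows why the destination NAT alone would not satisfy the requirement: if FW2 only rewrote 10.2.2.1 to 10.1.1.1, Server3 would answer directly to 192.168.1.x, which is on AR2's GigabitEthernet0/0/1, and the reply would never cross FW2. With the source also rewritten to 10.2.1.2, the reply is addressed to FW2, and the `ip route-static 10.1.1.1 32 10.2.1.1` and `192.168.1.0 24 10.2.1.1` entries on FW2 together with `10.2.2.1 32 10.2.1.2` on AR2 form the hairpin.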