「Huawei VRP」- eNSP, Firewall Lab

  CREATED BY JENKINSBOT

Problem Description

This note records how to run firewall labs in eNSP with the USG6000V, together with solutions to the common problems that come up.

Environment Setup

Device Access

Access via the console:

admin
Admin@123

Access the device via the Web UI:

// The firewall's default address is 192.168.0.1/24
// so the Loopback interface bound to the Cloud node is configured with 192.168.0.100/24
// The host can then reach the firewall over HTTPS

https://192.168.0.1:8443
admin
Admin@123

// The emulator's default configuration may differ, so the Web UI may be unreachable
// In that case enter the GigabitEthernet0/0/0 interface view and enable the following
[Interface-GigabitEthernet0/0/0] service-manage ssh permit
[Interface-GigabitEthernet0/0/0] service-manage ping permit
[Interface-GigabitEthernet0/0/0] service-manage http permit
[Interface-GigabitEthernet0/0/0] service-manage https permit
[Interface-GigabitEthernet0/0/0] service-manage telnet permit

// Alternatively the Cloud bridged NIC may be misconfigured
// Check the address configuration of the NIC the Cloud node is bridged to

Inspecting the Device

<USG6000V1>display zone
2022-02-08 07:34:08.780 
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (1):
    GigabitEthernet0/0/0
#
untrust
 priority is 5
 interface of the zone is (0):
#
dmz
 priority is 50
 interface of the zone is (0):
#

Configuration Lab

Configure Addresses

[USG6000V1-GigabitEthernet1/0/1]ip address 10.0.12.254 24

[USG6000V1-GigabitEthernet1/0/2]ip address 10.0.23.254 24

Assign Zones

[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1

[USG6000V1]firewall zone untrust 
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/2

Configure Access

# Allow ping on the interface
# Once Service Manage is enabled, the interface is no longer subject to the security policy; the security-policy rules are not evaluated for it
[Interface] service-manage ping permit 

security-policy
  rule name permit_trust2untrust_http
  source-zone trust 
  destination-zone untrust
  service http # allow HTTP access
  long-link aging-time xxx # change the aging time
  action permit

# For multi-channel protocols such as FTP, enable the following
[USG6000V1]firewall detect ftp
<USG6000V1>display firewall session table 
2022-02-09 03:01:22.870 
 Current Total Sessions : 4
 ftp  VPN: public --> public  10.0.12.1:2051 +-> 10.0.23.100:21
 ftp  VPN: public --> public  10.0.12.1:2053 +-> 10.0.23.100:21
 ftp  VPN: public --> public  10.0.12.1:2055 +-> 10.0.23.100:21
 ftp-data  VPN: public --> public  10.0.23.100:20 --> 10.0.12.1:2056

<USG6000V1>display firewall server-map 
2022-02-09 03:01:28.920 
 Current Total Server-map : 1
 Type: ASPF,  10.0.23.100 -> 10.0.12.1:2056,  Zone:---
 Protocol: tcp(Appro: ftp-data),  Left-Time:00:00:07
 Vpn: public -> public

View Sessions

[USG6000V1]display firewall session table 
2022-02-08 07:43:32.540 
 Current Total Sessions : 2
 tcp  VPN: default --> default  192.168.0.100:5688 --> 192.168.0.1:8443
 http  VPN: public --> public  10.0.12.1:2051 --> 10.0.23.100:80
 
[USG6000V1]display firewall session table  verbose 
2022-02-08 07:44:18.670 
 Current Total Sessions : 4
 http  VPN: public --> public  ID: c387f3fc68ff48846f62021f50
 Zone: trust --> untrust  TTL: 00:00:10  Left: 00:00:09
 Recv Interface: GigabitEthernet1/0/1
 Interface: GigabitEthernet1/0/2  NextHop: 10.0.23.100  MAC: 5489-98e6-027a
 <--packets: 4 bytes: 471 --> packets: 6 bytes: 401
 10.0.12.1:2052 --> 10.0.23.100:80 PolicyName: permit_trust2untrust_http
 TCP State: close

 tcp  VPN: default --> default  ID: c387f3fc6900dd0a4b62021f3f
 Zone: trust --> local  TTL: 00:20:00  Left: 00:19:42
 Recv Interface: GigabitEthernet0/0/0
 Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000
 <--packets: 416 bytes: 591,837 --> packets: 256 bytes: 20,833
 192.168.0.100:10557 --> 192.168.0.1:8443 PolicyName: ---
 TCP State: established
 
# Note:
# A PolicyName of --- means the session is not controlled by the security policy but was permitted by some other means (Service Manage, for example).
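The PolicyName --- case above is worth checking for automatically when reviewing a firewall: every such session was allowed outside the security-policy rule set. The following Python is an added example, not part of the original note; the sample output is constructed to mirror the listing above, and the regular expressions assume the field layout shown there.

```python
import re
from typing import Dict, List

# Sample output modelled on the "display firewall session table verbose" listing
# above (constructed for this example; IDs and counters are illustrative).
SAMPLE_OUTPUT = """\
 Current Total Sessions : 2
 http  VPN: public --> public  ID: c387f3fc68ff48846f62021f50
 Zone: trust --> untrust  TTL: 00:00:10  Left: 00:00:09
 Recv Interface: GigabitEthernet1/0/1
 <--packets: 4 bytes: 471 --> packets: 6 bytes: 401
 10.0.12.1:2052 --> 10.0.23.100:80 PolicyName: permit_trust2untrust_http
 TCP State: close

 tcp  VPN: default --> default  ID: c387f3fc6900dd0a4b62021f3f
 Zone: trust --> local  TTL: 00:20:00  Left: 00:19:42
 Recv Interface: GigabitEthernet0/0/0
 <--packets: 416 bytes: 591,837 --> packets: 256 bytes: 20,833
 192.168.0.100:10557 --> 192.168.0.1:8443 PolicyName: ---
 TCP State: established
"""

# First line of each session block: "<app>  VPN: a --> b  ID: <hex>"
HEADER_RE = re.compile(r"^\s*(\S+)\s+VPN:\s+\S+\s+-->\s+\S+\s+ID:\s*\S+")
ZONE_RE = re.compile(r"^\s*Zone:\s+(\S+)\s+-->\s+(\S+)")
FLOW_RE = re.compile(r"^\s*(\S+:\d+)\s+-->\s+(\S+:\d+)\s+PolicyName:\s+(\S+)")

def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Return one record per session block of the verbose session table."""
    sessions, cur = [], {}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = {"app": m.group(1)}
        elif (m := ZONE_RE.match(line)) and cur:
            cur["src_zone"], cur["dst_zone"] = m.group(1), m.group(2)
        elif (m := FLOW_RE.match(line)) and cur:
            cur["src"], cur["dst"], cur["policy"] = m.group(1), m.group(2), m.group(3)
            sessions.append(cur)
            cur = {}
    return sessions

def policy_bypass(sessions: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Sessions the firewall reports with PolicyName ---, i.e. permitted by
    something other than security-policy (service-manage, for instance)."""
    return [s for s in sessions if s["policy"] == "---"]

for s in policy_bypass(parse_sessions(SAMPLE_OUTPUT)):
    print(f"{s['app']} {s['src']} -> {s['dst']} ({s['src_zone']} -> {s['dst_zone']}) not matched by security-policy")
```

Feed it the saved output of `display firewall session table verbose` instead of SAMPLE_OUTPUT to list the sessions that service-manage (or another non-policy path) let through.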

Additional Notes

About the ping command

If Client-1 needs to ping .12.254 / .23.254, the following is required: [GE 1/0/1] service-manage ping permit
Once this command has been executed, both interfaces can be pinged.