Problem description
This note records how to run firewall labs with the USG6000V in eNSP, together with solutions to the common problems encountered.
Environment setup
Device access
Access via the console:
admin Admin@123
Access the device via the Web UI:
// The firewall's default address is 192.168.0.1/24
// So the Loopback interface bound to the Cloud node is given the address 192.168.0.100/24
// The host can then reach the firewall's Web UI over HTTPS
https://192.168.0.1:8443
admin Admin@123
// The simulator's default configuration may differ, which makes the Web UI unreachable
// In that case enter the GigabitEthernet0/0/0 interface view and enable the following
[Interface-GigabitEthernet0/0/0] service-manage ssh permit
[Interface-GigabitEthernet0/0/0] service-manage ping permit
[Interface-GigabitEthernet0/0/0] service-manage http permit
[Interface-GigabitEthernet0/0/0] service-manage https permit
[Interface-GigabitEthernet0/0/0] service-manage telnet permit
// Or the Cloud node's bridged NIC is misconfigured
// Check the address configuration of the NIC the Cloud node is bridged to
Viewing the device
<USG6000V1>display zone
2022-02-08 07:34:08.780
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (1):
 GigabitEthernet0/0/0
#
untrust
 priority is 5
 interface of the zone is (0):
#
dmz
 priority is 50
 interface of the zone is (0):
#
Lab configuration
Configuring addresses
[USG6000V1-GigabitEthernet1/0/1]ip address 10.0.12.254 24
[USG6000V1-GigabitEthernet1/0/2]ip address 10.0.23.254 24
Assigning zones
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/2
Configuring access
# Allow ping on the interface
# Once Service Manage is enabled on an interface, that interface is no longer subject to the security policy; the security policy rules are not evaluated for it
[Interface] service-manage ping permit

security-policy
 rule name permit_trust2untrust_http
  source-zone trust
  destination-zone untrust
  service http                   # Allow HTTP access
  long-link aging-time xxx       # Change the aging time
  action permit

# For multi-channel protocols such as FTP, enable detection
[USG6000V1]firewall detect ftp

<USG6000V1>display firewall session table
2022-02-09 03:01:22.870
 Current Total Sessions : 4
 ftp VPN: public --> public 10.0.12.1:2051 +-> 10.0.23.100:21
 ftp VPN: public --> public 10.0.12.1:2053 +-> 10.0.23.100:21
 ftp VPN: public --> public 10.0.12.1:2055 +-> 10.0.23.100:21
 ftp-data VPN: public --> public 10.0.23.100:20 --> 10.0.12.1:2056
<USG6000V1>display firewall server-map
2022-02-09 03:01:28.920
 Current Total Server-map : 1
 Type: ASPF, 10.0.23.100 -> 10.0.12.1:2056, Zone:---
 Protocol: tcp(Appro: ftp-data), Left-Time:00:00:07 Vpn: public -> public
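The session table and server-map output above are easier to reason about when the FTP data channel is tied back to the ASPF server-map entry that admitted it. The following is an added example, not code from this note: it parses both outputs (the sample text is constructed to match the shape of the page's output) and reports which sessions are explained by a server-map entry, so that a data channel appearing without a policy rule of its own can be attributed to `firewall detect ftp` rather than to a missing or over-broad policy.

```python
import re

# Constructed sample, copied in shape from the page's `display firewall session table`
# output taken after `firewall detect ftp` was enabled.
SESSION_TABLE = """\
 Current Total Sessions : 4
 ftp VPN: public --> public 10.0.12.1:2051 +-> 10.0.23.100:21
 ftp VPN: public --> public 10.0.12.1:2053 +-> 10.0.23.100:21
 ftp VPN: public --> public 10.0.12.1:2055 +-> 10.0.23.100:21
 ftp-data VPN: public --> public 10.0.23.100:20 --> 10.0.12.1:2056
"""

# Constructed sample of the matching `display firewall server-map` output.
SERVER_MAP = """\
 Current Total Server-map : 1
 Type: ASPF, 10.0.23.100 -> 10.0.12.1:2056, Zone:---
 Protocol: tcp(Appro: ftp-data), Left-Time:00:00:07 Vpn: public -> public
"""

# One brief session line: "<app> VPN: <a> --> <b> <src ip:port> (+->|-->) <dst ip:port>"
SESSION_RE = re.compile(
    r'^\s*(?P<app>\S+)\s+VPN:\s*(?P<vpn>\S+\s*-->\s*\S+)\s+'
    r'(?P<src>\S+:\d+)\s*(?P<arrow>\+->|-->)\s*(?P<dst>\S+:\d+)\s*$')
# The "Type:" line of a server-map entry: type, source host, destination ip:port
MAP_RE = re.compile(
    r'^\s*Type:\s*(?P<type>\w+),\s*(?P<src>\S+)\s*->\s*(?P<dst>\S+:\d+),')
# The application name on the following "Protocol:" line
APP_RE = re.compile(r'Appro:\s*(?P<app>[\w-]+)')


def parse_sessions(text):
    """Return one dict per session line of the brief session table."""
    return [m.groupdict() for m in map(SESSION_RE.match, text.splitlines()) if m]


def parse_server_map(text):
    """Pair each 'Type:' line with the application named on the 'Protocol:' line after it."""
    entries, cur = [], None
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            cur = m.groupdict()
            cur['app'] = None
            entries.append(cur)
            continue
        a = APP_RE.search(line)
        if a and cur is not None:
            cur['app'] = a.group('app')
    return entries


def explain_data_channels(sessions, server_map):
    """Map 'src-->dst' of each session whose destination ip:port and source host match a
    server-map entry to that entry's type (e.g. 'ASPF'). Sessions not in the result were
    admitted by something else, normally an explicit security-policy rule."""
    by_dst = {e['dst']: e for e in server_map}
    explained = {}
    for s in sessions:
        e = by_dst.get(s['dst'])
        if e is not None and s['src'].split(':')[0] == e['src']:
            explained[f"{s['src']}-->{s['dst']}"] = e['type']
    return explained


if __name__ == '__main__':
    sessions = parse_sessions(SESSION_TABLE)
    smap = parse_server_map(SERVER_MAP)
    for key, kind in explain_data_channels(sessions, smap).items():
        print(f'{key}: admitted via {kind} server-map')
```

Only the `ftp-data` session (server port 20 back to the client's port 2056) is attributed to the ASPF entry; the three control connections to port 21 are left to the security policy, which is what the `firewall detect ftp` configuration is meant to produce.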
Viewing sessions
[USG6000V1]display firewall session table
2022-02-08 07:43:32.540
 Current Total Sessions : 2
 tcp VPN: default --> default 192.168.0.100:5688 --> 192.168.0.1:8443
 http VPN: public --> public 10.0.12.1:2051 --> 10.0.23.100:80
[USG6000V1]display firewall session table verbose
2022-02-08 07:44:18.670
 Current Total Sessions : 4
 http VPN: public --> public ID: c387f3fc68ff48846f62021f50
 Zone: trust --> untrust TTL: 00:00:10 Left: 00:00:09
 Recv Interface: GigabitEthernet1/0/1
 Interface: GigabitEthernet1/0/2 NextHop: 10.0.23.100 MAC: 5489-98e6-027a
 <--packets: 4 bytes: 471 --> packets: 6 bytes: 401
 10.0.12.1:2052 --> 10.0.23.100:80 PolicyName: permit_trust2untrust_http
 TCP State: close
 tcp VPN: default --> default ID: c387f3fc6900dd0a4b62021f3f
 Zone: trust --> local TTL: 00:20:00 Left: 00:19:42
 Recv Interface: GigabitEthernet0/0/0
 Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
 <--packets: 416 bytes: 591,837 --> packets: 256 bytes: 20,833
 192.168.0.100:10557 --> 192.168.0.1:8443 PolicyName: ---
 TCP State: established

# Additional notes:
# A PolicyName of --- means the session is not controlled by the security policy but was admitted by some other means (for example Service Manage).
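A practical check on a box like this is to list the sessions whose PolicyName is `---`, since those are exactly the flows that bypassed the security policy (Service Manage on the ingress interface, in the case above). The following is an added example, not code from this note: it parses the verbose session table format shown above (sample text constructed to match the page's output) into records and returns the unpoliced ones, so the management session to port 8443 stands out while the HTTP session matched by `permit_trust2untrust_http` does not.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `display firewall session table verbose` output above.
SAMPLE_VERBOSE = """\
 Current Total Sessions : 4
 http VPN: public --> public ID: c387f3fc68ff48846f62021f50
 Zone: trust --> untrust TTL: 00:00:10 Left: 00:00:09
 Recv Interface: GigabitEthernet1/0/1
 Interface: GigabitEthernet1/0/2 NextHop: 10.0.23.100 MAC: 5489-98e6-027a
 <--packets: 4 bytes: 471 --> packets: 6 bytes: 401
 10.0.12.1:2052 --> 10.0.23.100:80 PolicyName: permit_trust2untrust_http
 TCP State: close
 tcp VPN: default --> default ID: c387f3fc6900dd0a4b62021f3f
 Zone: trust --> local TTL: 00:20:00 Left: 00:19:42
 Recv Interface: GigabitEthernet0/0/0
 Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 0000-0000-0000
 <--packets: 416 bytes: 591,837 --> packets: 256 bytes: 20,833
 192.168.0.100:10557 --> 192.168.0.1:8443 PolicyName: ---
 TCP State: established
"""

NO_POLICY = '---'   # the value the firewall prints when no security-policy rule applied

# First line of each entry: "<app> VPN: <a> --> <b> ID: <id>"
HEADER_RE = re.compile(r'^\s*(?P<app>\S+)\s+VPN:\s*(?P<vpn_a>\S+)\s*-->\s*(?P<vpn_b>\S+)\s+ID:\s*(?P<sid>\S+)')
ZONE_RE = re.compile(r'Zone:\s*(?P<src_zone>\S+)\s*-->\s*(?P<dst_zone>\S+)')
RECV_RE = re.compile(r'Recv Interface:\s*(?P<recv_if>\S+)')
FLOW_RE = re.compile(r'^\s*(?P<src>\S+:\d+)\s*-->\s*(?P<dst>\S+:\d+)\s+PolicyName:\s*(?P<policy>\S+)')
STATE_RE = re.compile(r'TCP State:\s*(?P<state>\S+)')


@dataclass
class Session:
    app: str
    vpn: str
    sid: str
    src_zone: str = ''
    dst_zone: str = ''
    recv_if: str = ''
    src: str = ''
    dst: str = ''
    policy: str = ''
    state: str = ''


def parse_verbose(text):
    """Turn the multi-line verbose session table into Session records."""
    sessions, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:   # a new entry starts; flush the previous one
            cur = Session(app=h['app'], vpn=f"{h['vpn_a']}-->{h['vpn_b']}", sid=h['sid'])
            sessions.append(cur)
            continue
        if cur is None:
            continue   # preamble such as "Current Total Sessions"
        for rx in (ZONE_RE, RECV_RE, FLOW_RE, STATE_RE):
            m = rx.search(line)
            if m:
                for k, v in m.groupdict().items():
                    setattr(cur, k, v)
    return sessions


def unpoliced_sessions(sessions):
    """Sessions admitted without a security-policy rule (PolicyName '---'), e.g. via
    service-manage. Worth reviewing: they are reachable regardless of policy changes."""
    return [s for s in sessions if s.policy == NO_POLICY]


if __name__ == '__main__':
    for s in unpoliced_sessions(parse_verbose(SAMPLE_VERBOSE)):
        print(f'{s.app} {s.src} --> {s.dst} zone {s.src_zone}->{s.dst_zone} '
              f'via {s.recv_if}: no policy (state {s.state})')
```

The same audit can be run over a saved capture of the command output from any USG: anything returned for zone `local` with no policy is management-plane exposure granted by Service Manage on that interface, which is the setting to tighten if it was only meant for the lab.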
Additional notes
About the ping command
If Client-1 needs to ping .12.254 / .23.254, the following is required: [GE 1/0/1] service-manage ping permit
After this command is run, both interfaces can be pinged.