安全设备 大作业

地址改成自个儿的

PC地址配置

设备	IP地址	子网掩码	网关
PC1	192.168.17.100	255.255.255.0	192.168.17.1
PC2	172.16.17.100	255.255.255.0	172.16.17.1
PC3	2.2.2.2	255.255.255.0	2.2.2.1
PC4	10.10.17.100	255.255.255.0	10.10.17.1

FW1

[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip a 124.16.8.1 24
[USG6000V1-GigabitEthernet1/0/0]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip a 192.168.101.1 24
[USG6000V1-GigabitEthernet1/0/1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip a 192.168.102.1 24

[USG6000V1]firewall zone trust 
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1 
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/2

[USG6000V1]ospf
[USG6000V1-ospf-1]a 0
[USG6000V1-ospf-1-area-0.0.0.0]n 192.168.101.0 0.0.0.255
[USG6000V1-ospf-1-area-0.0.0.0]n 192.168.102.0 0.0.0.255
[USG6000V1-ospf-1-area-0.0.0.0]q
[USG6000V1-ospf-1]default-route-advertise


[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name nat
[USG6000V1-policy-nat-rule-nat]source-zone trust
[USG6000V1-policy-nat-rule-nat]destination-zone untrust
[USG6000V1-policy-nat-rule-nat]source-address 172.16.17.0 mask 255.255.255.0
[USG6000V1-policy-nat-rule-nat]source-address 192.168.17.0 mask 255.255.255.0
[USG6000V1-policy-nat-rule-nat]action source-nat easy-ip

[USG6000V1]sec
[USG6000V1-policy-security]rule name tr2un
[USG6000V1-policy-security-rule-tr2un]source-zone trust
[USG6000V1-policy-security-rule-tr2un]destination-zone untrust
[USG6000V1-policy-security-rule-tr2un]source-address 172.16.17.0 mask 255.255.255.0
[USG6000V1-policy-security-rule-tr2un]source-address 192.168.17.0 mask 255.255.255.0
[USG6000V1-policy-security-rule-tr2un]action permit

[USG6000V1]ip route-static 0.0.0.0 0 124.16.8.2

[USG6000V1]acl 3000
[USG6000V1-acl-adv-3000]rule permit ip source 172.16.17.0 0.0.0.255 destination 10.10.17.0 0.0.0.255
[USG6000V1-acl-adv-3000]q
[USG6000V1]ike proposal 1
[USG6000V1-ike-proposal-1]q ## 使用默认提议
[USG6000V1]ike peer FW2
[USG6000V1-ike-peer-FW2]pre-shared-key huawei.com
[USG6000V1-ike-peer-FW2]ike-proposal 1
[USG6000V1-ike-peer-FW2]remote-address 1.1.1.2
[USG6000V1-ike-peer-FW2]q
[USG6000V1]ipsec proposal ipsec
[USG6000V1-ipsec-proposal-ipsec]q ## 使用默认提议
[USG6000V1]ipsec policy map 1 isakmp 
[USG6000V1-ipsec-policy-isakmp-map-1]security acl 3000
[USG6000V1-ipsec-policy-isakmp-map-1]ike-peer FW2
[USG6000V1-ipsec-policy-isakmp-map-1]proposal ipsec 
[USG6000V1-ipsec-policy-isakmp-map-1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ipsec policy map

[USG6000V1]sec
[USG6000V1-policy-security-rule-ipsec]source-zone local 
[USG6000V1-policy-security-rule-ipsec]destination-zone untrust 
[USG6000V1-policy-security-rule-ipsec]source-address 124.16.8.1 32
[USG6000V1-policy-security-rule-ipsec]destination-address 1.1.1.2 32

[USG6000V1-policy-security-rule-ipsec]source-zone trust 
[USG6000V1-policy-security-rule-ipsec]destination-zone local 
[USG6000V1-policy-security-rule-ipsec]source-address 1.1.1.2 32
[USG6000V1-policy-security-rule-ipsec]destination-address 124.16.8.1 32
[USG6000V1-policy-security-rule-ipsec]ac p

.............................

RT

<Huawei>sy
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip a 124.16.8.2 24
[Huawei-GigabitEthernet0/0/1]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip a 2.2.2.1 24
[Huawei-GigabitEthernet0/0/0]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip a 1.1.1.1 24

LSW1

<Huawei>sy
[Huawei]v b 10 20 101 
[Huawei]un in e
Info: Information center is disabled.
[Huawei]int vl 10
[Huawei-Vlanif10]ip a 192.168.17.10 24
[Huawei-Vlanif10]int vl 20
[Huawei-Vlanif20]ip a 172.16.17.10 24
[Huawei-Vlanif20]int vl 101
[Huawei-Vlanif101]ip a 192.168.101.2 24
[Huawei]int vl 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.17.1
[Huawei-Vlanif10]vrrp vrid 1 priority 120
[Huawei-Vlanif10]vrrp vrid 1 preempt-mod timer delay 10
[Huawei-Vlanif10]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 30
[Huawei-Vlanif10]int vl 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.17.1
[Huawei-Vlanif20]vrrp vrid 2 preempt-mode timer d 10
[Huawei-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 r 30



[Huawei]ospf 
[Huawei-ospf-1]a 0
[Huawei-ospf-1-area-0.0.0.0]net 192.168.101.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]q
[Huawei-ospf-1]i d

[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]p l a
[Huawei-GigabitEthernet0/0/1]p d v 101
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l t
[Huawei-GigabitEthernet0/0/2]p t a v 10 20

LSW2

<Huawei>sy
[Huawei]u in e
[Huawei]v b 10 20 102
[Huawei]int vl 10
[Huawei-Vlanif10]ip a 192.168.17.20 24
[Huawei]int vl 20
[Huawei-Vlanif20]ip a 172.16.17.20 24
[Huawei-Vlanif20]int vl 102
[Huawei-Vlanif102]ip a 192.168.102.2 24



[Huawei]int vl 10
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.17.1 
[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 10
[Huawei-Vlanif10]vrrp vrid 1 track i g 0/0/1 r 30
[Huawei-Vlanif10]int vl 20
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 172.16.17.1
[Huawei-Vlanif20]vrrp vrid 2 pri 120
[Huawei-Vlanif20]vrrp vrid 2 preempt-mode timer d 10
[Huawei-Vlanif20]vrrp vrid 2 track i g 0/0/1 r 30

[Huawei-ospf-1]ospf
[Huawei-ospf-1]a 0
[Huawei-ospf-1-area-0.0.0.0]net 192.168.102.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.0]q
[Huawei-ospf-1]i d




[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]p l a
[Huawei-GigabitEthernet0/0/1]p d v 102
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l t
[Huawei-GigabitEthernet0/0/2]p t a v 10 20

LSW3

<Huawei>sy
[Huawei]v b 10 20
[Huawei]port-group group-member GigabitEthernet 0/0/1 to g 0/0/4
[Huawei-GigabitEthernet0/0/1]p l t
[Huawei-port-group]p t a v 10 20

LSW4

<Huawei>sy
[Huawei]v 10
[Huawei-vlan10]q
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]p l t
[Huawei-GigabitEthernet0/0/1]p t a v 10 20
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l a
[Huawei-GigabitEthernet0/0/2]p d v 10

LSW5

<Huawei>sy
[Huawei]v 20
[Huawei-vlan20]q
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]p l t
[Huawei-GigabitEthernet0/0/1]p t a v 10 20
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l a
[Huawei-GigabitEthernet0/0/2]p d v 20

FW2

<USG6000V1>sy
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip a 1.1.1.2 24
[USG6000V1-GigabitEthernet1/0/0]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip a 10.10.17.1 24

[USG6000V1]firewall zone trust 
[USG6000V1-zone-trust]a i g 1/0/1
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust 
[USG6000V1-zone-untrust]a i g 1/0/0
[USG6000V1-zone-untrust]q
[USG6000V1]sec
[USG6000V1-policy-security]rule n tr2un
[USG6000V1-policy-security-rule-tr2un]source-zone trust 
[USG6000V1-policy-security-rule-tr2un]destination-zone untrust 
[USG6000V1-policy-security-rule-tr2un]source-address 10.10.17.0 24
[USG6000V1-policy-security-rule-tr2un]ac p
[USG6000V1-policy-security-rule-tr2un]q
[USG6000V1-policy-security]q
[USG6000V1]nat-p
[USG6000V1-policy-nat]rule n nat
[USG6000V1-policy-nat-rule-nat]source-zone trust 
[USG6000V1-policy-nat-rule-nat]destination-zone untrust 
[USG6000V1-policy-nat-rule-nat]source-address 10.10.17.0 24
[USG6000V1-policy-nat-rule-nat]action source-nat easy-ip 

[USG6000V1]ip route-static 0.0.0.0 0 1.1.1.1

[USG6000V1]acl 3000
[USG6000V1-acl-adv-3000]rule permit ip source 10.10.17.0 0.0.0.255 destination 172.16.17.0 0.0.0.255
[USG6000V1-acl-adv-3000]q
[USG6000V1]ike proposal 1
[USG6000V1-ike-proposal-1]q ## 默认提议
[USG6000V1]ike peer FW1
[USG6000V1-ike-peer-FW1]ike-proposal 1
[USG6000V1-ike-peer-FW1]remote-address 124.16.8.1
[USG6000V1-ike-peer-FW1]pre-shared-key huawei.com
[USG6000V1-ike-peer-FW1]q
[USG6000V1]ipsec proposal ipsec
[USG6000V1-ipsec-proposal-ipsec]q ## 采用默认提议
[USG6000V1]ipsec policy map 1 isakmp 
[USG6000V1-ipsec-policy-isakmp-map-1]security acl 3000
[USG6000V1-ipsec-policy-isakmp-map-1]proposal ipsec
[USG6000V1-ipsec-policy-isakmp-map-1]ike-peer FW1

[USG6000V1-ipsec-policy-isakmp-ipsec-1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ipsec policy map

[USG6000V1]sec
[USG6000V1-policy-security]rule n ipsec
[USG6000V1-policy-security-rule-ipsec]source-zone local
[USG6000V1-policy-security-rule-ipsec]destination-zone untrust 
[USG6000V1-policy-security-rule-ipsec]source-address 124.16.8.1 32
[USG6000V1-policy-security-rule-ipsec]destination-address 1.1.1.2 32

[USG6000V1-policy-security-rule-ipsec]source-zone untrust 
[USG6000V1-policy-security-rule-ipsec]destination-zone local 
[USG6000V1-policy-security-rule-ipsec]source-address 1.1.1.2 32
[USG6000V1-policy-security-rule-ipsec]destination-address 124.16.8.1 32
[USG6000V1-policy-security-rule-ipsec]ac p

安全设备大作业

eNSP USG6000V

地址改成自个儿的

PC地址配置

FW1

RT

LSW1

LSW2

LSW3

LSW4

LSW5

FW2

未完待续…