
Defense and Protection: Exercise 3

I. Lab topology

II. Lab requirements

Complete the basic configuration, enter the real DNS server information, create the virtual server, configure the DNS transparent proxy function, and add any reasonable supplementary requirements.

III. Requirements analysis

1. Create users and configure authentication policies
2. Assign interfaces to security zones
3. Configure IP addresses and policies (done from the CLI to build familiarity), including security policies, NAT policies, transparent DNS, and so on

IV. Lab steps

1. Assign interfaces to security zones

[FW]firewall zone name untrust1
[FW-zone-untrust1]add int g1/0/1
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/0
[FW]firewall zone untrust1
[FW-zone-untrust1]set priority 10
[FW]firewall zone name untrust2
[FW-zone-untrust2]set priority 15
[FW-zone-untrust2]add int g1/0/2

2. Create users and configure authentication policies

Split into authentication-exempt users and Portal-authenticated users.

3. Interface IP addresses

[FW]int g 1/0/0
[FW-GigabitEthernet1/0/0]ip add 192.168.1.254 24
[FW-GigabitEthernet1/0/0]int g 1/0/1
[FW-GigabitEthernet1/0/1]ip add 11.0.0.1 24
[FW-GigabitEthernet1/0/1]int g 1/0/2
[FW-GigabitEthernet1/0/2]ip add 12.0.0.1 24
[r1]int g 0/0/0
[r1-GigabitEthernet0/0/0]ip add 11.0.0.2 24
[r1-GigabitEthernet0/0/0]int g 0/0/1
[r1-GigabitEthernet0/0/1]ip add 100.1.1.254 24
[r1-GigabitEthernet0/0/1]int g 0/0/2
[r1-GigabitEthernet0/0/2]ip add 110.1.1.254 24
[r2]int g 0/0/0
[r2-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[r2-GigabitEthernet0/0/0]int g 0/0/1
[r2-GigabitEthernet0/0/1]ip add 210.1.1.254 24
[r2-GigabitEthernet0/0/1]int g 0/0/2
[r2-GigabitEthernet0/0/2]ip add 200.1.1.254 24

4. Security policy

[FW]security-policy
[FW-policy-security]rule name dns
[FW-policy-security-rule-dns]source-zone trust
[FW-policy-security-rule-dns]destination-zone untrust1 untrust2
[FW-policy-security-rule-dns]source-address 192.168.1.0 mask 255.255.255.0
[FW-policy-security-rule-dns]action permit
[FW-policy-security-rule-dns]rule name web
[FW-policy-security-rule-web]source-zone trust
[FW-policy-security-rule-web]destination-zone untrust1 untrust2
[FW-policy-security-rule-web]source-address 192.168.1.0 mask 255.255.255.0
[FW-policy-security-rule-web]action permit

5. NAT configuration

[FW]nat address-group nat_1
[FW-address-group-nat_1]section 11.0.0.10 11.0.0.10
[FW-address-group-nat_1]mode pat
[FW-address-group-nat_1]route enable
[FW-address-group-nat_1]nat address-group nat_2
[FW-address-group-nat_2]section 12.0.0.10 12.0.0.10
[FW-address-group-nat_2]mode pat
[FW-address-group-nat_2]route enable
[FW-address-group-nat_2]nat-policy
[FW-policy-nat]rule name policy_1
[FW-policy-nat-rule-policy_1]source-zone trust
[FW-policy-nat-rule-policy_1]destination-zone untrust1
[FW-policy-nat-rule-policy_1]source-address 192.168.1.0 24
[FW-policy-nat-rule-policy_1]action source-nat address-group nat_1
[FW-policy-nat]rule name policy_2
[FW-policy-nat-rule-policy_2]source-zone trust
[FW-policy-nat-rule-policy_2]destination-zone untrust2
[FW-policy-nat-rule-policy_2]source-address 192.168.1.0 24
[FW-policy-nat-rule-policy_2]action source-nat address-group nat_2

6. Transparent DNS

[FW]slb enable
[FW]slb
[FW-slb]group 0 dns
[FW-slb-group-0]metric roundrobin
[FW-slb-group-0]rserver 1 rip 100.1.1.1 port 53
[FW-slb-group-0]rserver 2 rip 200.1.1.1 port 53
[FW-slb]vserver 0 dns
[FW-slb-vserver-0]vip 10.10.10.10
[FW-slb-vserver-0]group dns
[FW-slb-vserver-0]dns-transparent-policy
[FW-policy-dns]dns transparent-proxy enable
[FW-policy-dns]dns server bind interface GigabitEthernet 1/0/1 preferred 100.1.1.1
[FW-policy-dns]dns server bind interface GigabitEthernet 1/0/2 preferred 200.1.1.1
[FW-policy-dns]rule name dnspolicy_1
[FW-policy-dns-rule-dnspolicy_1]source-address 192.168.1.0 24
[FW-policy-dns-rule-dnspolicy_1]enable
[FW-policy-dns-rule-dnspolicy_1]action tpdns

Supplement: ISP link selection

[FW]healthcheck enable
[FW]healthcheck name dianxin
[FW-healthcheck-dianxin]destination 110.1.1.1 interface GigabitEthernet 1/0/1 protocol tcp-simple destination-port 80

[FW]int g 1/0/1
[FW-GigabitEthernet1/0/1]healthcheck dianxin
[FW-GigabitEthernet1/0/1]int g 1/0/2
[FW-GigabitEthernet1/0/2]healthcheck liantong
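Steps 1 through 6 and the supplement above form one configuration, and the pieces depend on each other: a NAT pool must sit on the subnet of the egress zone's interface, NAT and the transparent-DNS bindings only take effect on sessions the security policy permits, and a healthcheck named on an interface must have been defined. The following script is an added example written for this write-up (not the post's own code and not a Huawei tool). It parses the lab's commands exactly as they appear on the CLI, using the bracketed prompt before each command as its context, builds a small model of zones, interfaces, policies, NAT pools and DNS bindings, and runs those consistency checks. The command lines embedded below are a constructed subset copied from the steps above; the parser assumes only the command shapes shown there. Run against the commands as written up, it reports one finding: GigabitEthernet 1/0/2 references the healthcheck `liantong`, whose `healthcheck name` definition does not appear in the write-up.

```python
"""Consistency checks for the lab's Huawei USG (VRP) command log: an added example for this
write-up, not code from the post or from Huawei. Assumes the command shapes shown in the lab."""
import ipaddress
import re

# Constructed input: the lab's relevant commands, one "[prompt]command" per line.
LAB_CONFIG = """\
[FW-zone-untrust1]add int g1/0/1
[FW-zone-untrust2]add int g1/0/2
[FW-GigabitEthernet1/0/1]ip add 11.0.0.1 24
[FW-GigabitEthernet1/0/2]ip add 12.0.0.1 24
[FW-policy-security-rule-dns]source-zone trust
[FW-policy-security-rule-dns]destination-zone untrust1 untrust2
[FW-policy-security-rule-dns]source-address 192.168.1.0 mask 255.255.255.0
[FW-policy-security-rule-dns]action permit
[FW-address-group-nat_1]section 11.0.0.10 11.0.0.10
[FW-address-group-nat_2]section 12.0.0.10 12.0.0.10
[FW-policy-nat-rule-policy_1]source-zone trust
[FW-policy-nat-rule-policy_1]destination-zone untrust1
[FW-policy-nat-rule-policy_1]source-address 192.168.1.0 24
[FW-policy-nat-rule-policy_1]action source-nat address-group nat_1
[FW-policy-nat-rule-policy_2]source-zone trust
[FW-policy-nat-rule-policy_2]destination-zone untrust2
[FW-policy-nat-rule-policy_2]source-address 192.168.1.0 24
[FW-policy-nat-rule-policy_2]action source-nat address-group nat_2
[FW-policy-dns]dns server bind interface GigabitEthernet 1/0/1 preferred 100.1.1.1
[FW-policy-dns]dns server bind interface GigabitEthernet 1/0/2 preferred 200.1.1.1
[FW]healthcheck name dianxin
[FW-GigabitEthernet1/0/1]healthcheck dianxin
[FW-GigabitEthernet1/0/2]healthcheck liantong
"""
# 'g1/0/1', 'g 1/0/1' and 'GigabitEthernet 1/0/1' all name the same port on the CLI.
IFACE_RE = re.compile(r"(?:g|GigabitEthernet)\s*(\d+/\d+/\d+)")

def iface(text):
    m = IFACE_RE.search(text)
    return "GigabitEthernet" + m.group(1) if m else None

def parse(log):
    """Build a small model: zones, interfaces, policy rules, NAT pools, DNS bindings."""
    cfg = {"zones": {}, "ifaces": {}, "secpol": {}, "natpol": {},
           "pools": {}, "dnsbind": {}, "healthchecks": set()}
    for prompt, cmd in re.findall(r"^\[(.*?)\](.*)$", log, re.M):
        w = cmd.split()
        if prompt == "FW" and cmd.startswith("healthcheck name "):
            cfg["healthchecks"].add(w[2])
        elif prompt.startswith("FW-zone-") and w[0] == "add":
            cfg["zones"].setdefault(prompt[len("FW-zone-"):], set()).add(iface(cmd))
        elif prompt.startswith("FW-GigabitEthernet"):
            entry = cfg["ifaces"].setdefault(prompt[3:], {})
            if cmd.startswith("ip add"):
                entry["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            elif w[0] == "healthcheck":
                entry["hc"] = w[1]
        elif prompt.startswith("FW-address-group-") and w[0] == "section":
            cfg["pools"][prompt[len("FW-address-group-"):]] = (
                ipaddress.ip_address(w[1]), ipaddress.ip_address(w[2]))
        elif prompt == "FW-policy-dns" and cmd.startswith("dns server bind interface"):
            cfg["dnsbind"][iface(cmd)] = w[-1]
        elif "-rule-" in prompt:
            table = "secpol" if prompt.startswith("FW-policy-security") else "natpol"
            rule = cfg[table].setdefault(prompt.split("-rule-", 1)[1], {})
            if w[0] in ("source-zone", "action"):
                rule[w[0]] = w[1]
            elif w[0] == "destination-zone":
                rule["dst_zones"] = set(w[1:])
            elif w[0] == "source-address":  # "X mask M" or "X <prefix-length>"
                rule["net"] = ipaddress.ip_network(f"{w[1]}/{w[3] if w[2] == 'mask' else w[2]}")
            if w[:2] == ["action", "source-nat"]:
                rule["pool"] = w[-1]
    return cfg

def check(cfg):
    """Return a list of findings; an empty list means the model is consistent."""
    findings, ifaces, zones = [], cfg["ifaces"], cfg["zones"]
    permitted = {z for p in cfg["secpol"].values() if p.get("action") == "permit"
                 for z in p.get("dst_zones", ())}
    zone_of = {i: z for z, members in zones.items() for i in members}
    for name, r in cfg["natpol"].items():
        if r.get("action") != "source-nat":
            continue
        # Pool addresses must lie in a subnet of the egress zone, or replies never return here.
        lo, hi = cfg["pools"][r["pool"]]
        nets = [ifaces[i]["net"] for z in r["dst_zones"] for i in zones.get(z, ())
                if "net" in ifaces.get(i, {})]
        if not any(lo in n and hi in n for n in nets):
            findings.append(f"NAT rule {name}: pool {r['pool']} ({lo}-{hi}) is not on an interface of {sorted(r['dst_zones'])}")
        # NAT is applied only to sessions the security policy permits.
        if not r["dst_zones"] <= permitted:
            findings.append(f"NAT rule {name}: no security-policy rule permits traffic to {sorted(r['dst_zones'] - permitted)}")
    # A preferred DNS server bound to an egress interface only matters if that zone is permitted.
    for i, server in cfg["dnsbind"].items():
        if zone_of.get(i) not in permitted:
            findings.append(f"DNS server {server} bound to {i}: zone {zone_of.get(i)} is not permitted by any security-policy rule")
    # A healthcheck named on an interface must be defined, or ISP selection cannot use it.
    for i, e in ifaces.items():
        if "hc" in e and e["hc"] not in cfg["healthchecks"]:
            findings.append(f"{i} references undefined healthcheck '{e['hc']}'")
    return findings
```

Calling `check(parse(LAB_CONFIG))` returns the list of findings; pasting your own session log into `LAB_CONFIG` (or reading it from a file) is enough to rerun the checks after each step. The same checks flag a pool typed on the wrong subnet, or a NAT or DNS rule added before the matching security-policy `action permit`, which are the two mistakes that most often leave this lab "configured" but not passing traffic.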

V. Test results

1. Authentication-exempt users can access the network directly

2. With Portal authentication, access is denied without a username and password

