A Simple ZBF (Zone-Based Firewall) Lab

Uploaded by: fe****16  Document ID: 132496731  Uploaded: 2020-05-16  Format: DOCX  Pages: 6  Size: 62.28 KB

The lab topology is as follows: [topology figure]

Requirements: Router R1 is the firewall. R2 belongs to security zone A, R3 to security zone B, and R4 to security zone C. Devices in zone A can access devices in zones B and C; devices in zone B can access devices in zone C. All access is one-way: devices in zone B cannot access devices in zone A, and devices in zone C cannot access devices in zones A or B. This lab uses telnet and ping as the access methods.

The lab configuration is as follows:

(1) Initial configuration of each router:

Router R1:

interface Serial1/0
 ip address 10.1.13.1 255.255.255.0
 no shutdown
interface Serial1/1
 ip address 10.1.12.1 255.255.255.0
 no shutdown
interface Serial1/2
 ip address 10.1.14.1 255.255.255.0
 no shutdown
line vty 0 4
 password cisco
 login

Router R2:

interface Serial1/1
 ip address 10.1.12.2 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 Serial1/1
line vty 0 4
 password cisco
 login

Router R3:

interface Serial1/0
 ip address 10.1.13.3 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 Serial1/0
line vty 0 4
 password cisco
 login

Router R4:

interface Serial1/2
 ip address 10.1.14.4 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 Serial1/2
line vty 0 4
 password cisco
 login

Next, test ping and telnet connectivity between the routers.

On router R2:

R2#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/60/140 ms
R2#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/72/168 ms
R2#telnet 10.1.13.3
Trying 10.1.13.3 ... Open
User Access Verification
Password:
R3>exit
Connection to 10.1.13.3 closed by foreign host
R2#telnet 10.1.14.4
Trying 10.1.14.4 ... Open
User Access Verification
Password:
R4>exit
Connection to 10.1.14.4 closed by foreign host
R2#

The tests on the other routers are the same and are not repeated here.

(2) Firewall configuration:

/ Configure three security zones: A, B and C
zone security A
zone security B
zone security C
/ Assign the three interfaces to their security zones
interface Serial1/0
 zone-member security B
interface Serial1/1
 zone-member security A
interface Serial1/2
 zone-member security C
/ Match the interesting traffic with an ACL
access-list 100 permit ip any any
/ Reference the ACL from a class-map
class-map type inspect match-all XtoY
 match access-group 100
/ Reference the class-map from a policy-map
policy-map type inspect firewall
 class type inspect XtoY
  inspect
 class class-default
/ class-default is present by default and does not need to be typed
/ Finally, reference the policy-map from the zone-pairs
zone-pair security AtoB source A destination B
 service-policy type inspect firewall
zone-pair security AtoC source A destination C
 service-policy type inspect firewall
zone-pair security BtoC source B destination C
 service-policy type inspect firewall

Test results:

On router R2:

R2#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/62/148 ms
R2#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/75/152 ms
R2#telnet 10.1.13.3
Trying 10.1.13.3 ... Open
User Access Verification
Password:
R3>exit
Connection to 10.1.13.3 closed by foreign host
R2#telnet 10.1.14.4
Trying 10.1.14.4 ... Open
User Access Verification
Password:
R4>exit
Connection to 10.1.14.4 closed by foreign host
R2#
/ As the results above show, everything works normally

On router R3:

R3#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
.....
/ Because of the firewall restriction, R3 cannot ping R2
Success rate is 0 percent (0/5)
R3#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/71/148 ms
R3#telnet 10.1.12.2
Trying 10.1.12.2 ...
/ Because of the firewall restriction, R3 cannot telnet to R2, but it can access R4 normally
% Connection timed out; remote host not responding
R3#telnet 10.1.14.4
Trying 10.1.14.4 ... Open
User Access Verification
Password:
R4>exit
Connection to 10.1.14.4 closed by foreign host
R3#

On router R4:

/ As shown, R4 cannot access R2 or R3, by either ping or telnet
R4#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#telnet 10.1.12.2
Trying 10.1.12.2 ...
% Connection timed out; remote host not responding
R4#telnet 10.1.13.3
Trying 10.1.13.3 ...
% Connection timed out; remote host not responding
R4#

That concludes the basic ZBF lab.
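
The one-way behaviour seen in the tests follows directly from which zone-pairs exist on R1: a direction with no zone-pair carrying an inspect policy cannot open new sessions, while replies to inspected sessions are allowed back. The following is an added example, not part of the original lab document: a small Python audit that reads the firewall portion of R1's configuration and derives the initiation matrix. The function names are hypothetical, and the model assumes the inspected class matches all traffic (as ACL 100 does here) and ignores the self zone.

```python
import re

# Constructed input: the firewall portion of R1's configuration from the lab above.
R1_CONFIG = """\
zone security A
zone security B
zone security C
interface Serial1/0
 zone-member security B
interface Serial1/1
 zone-member security A
interface Serial1/2
 zone-member security C
access-list 100 permit ip any any
class-map type inspect match-all XtoY
 match access-group 100
policy-map type inspect firewall
 class type inspect XtoY
  inspect
 class class-default
zone-pair security AtoB source A destination B
 service-policy type inspect firewall
zone-pair security AtoC source A destination C
 service-policy type inspect firewall
zone-pair security BtoC source B destination C
 service-policy type inspect firewall
"""

def parse(config):
    """Return (zones, policy-maps containing 'inspect', {(src, dst): policy})."""
    zones, inspecting, pairs = set(), set(), {}
    pmap = pair = None  # which policy-map / zone-pair block we are inside
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"zone security (\S+)", line):
            zones.add(m[1])
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            pmap, pair = m[1], None
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pair, pmap = (m[1], m[2]), None
        elif line == "inspect" and pmap:
            inspecting.add(pmap)
        elif (m := re.match(r"service-policy type inspect (\S+)", line)) and pair:
            pairs[pair] = m[1]
    return zones, inspecting, pairs

def initiation_matrix(config):
    """Map each ordered zone pair to True if new sessions may be opened."""
    zones, inspecting, pairs = parse(config)
    return {(s, d): pairs.get((s, d)) in inspecting
            for s in sorted(zones) for d in sorted(zones) if s != d}
```

For R1_CONFIG the matrix is True only for A to B, A to C and B to C, which matches the ping and telnet results recorded on R2, R3 and R4.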
