实验拓扑

使用华为ensp 1.2.00.370模拟器

wKioL1bDPQry45ZlAAB2KthX-oE775.png

实验需求


USG-1和USG-2模拟企业边缘设备,分别在2台设备上配置NAT和IPsec ×××实现2边私网可以通过×××互相通信



实验配置



R1 IP地址配置省略


USG-1配置

[USG-1]firewall zone trust          //配置trust区域

[USG-1-zone-trust]add interface g0/0/0    //将接口加入trust区域

[USG-1-zone-trust]quit

[USG-1]firewall zone untrust           //配置untrust区域

[USG-1-zone-untrust]add int g0/0/1          //将接口加入untrust区域

[USG-1-zone-untrust]quit

[USG-1]int g0/0/0

[USG-1-GigabitEthernet0/0/0]ip add 192.168.10.1 24

[USG-1-GigabitEthernet0/0/0]int g0/0/1

[USG-1-GigabitEthernet0/0/1]ip add 11.0.0.2 24

[USG-1-GigabitEthernet0/0/1]quit

[USG-1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1   //配置默认路由上公网

[USG-1]nat-policy interzone trust untrust outbound 

//进入trust到untrust区域out方向的策略视图

[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 1     //创建一个策略

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.20.0 0.0.0.255

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat 

//以上三条命令意思是不允许将源为192.168.10.0/24网段目标为192.168.20.0/24网段的数据包进行NAT

[USG-1-nat-policy-interzone-trust-untrust-outbound-1]quit

[USG-1-nat-policy-interzone-trust-untrust-outbound]policy 2  //创建策略2

[USG-1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat

//允许对源IP进行NAT

[USG-1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1

//对接口G0/0/1地址复用

[USG-1-nat-policy-interzone-trust-untrust-outbound-2]quit

[USG-1-nat-policy-interzone-trust-untrust-outbound]quit


---------------------------阶段一-----------------------------------------------------


[USG-1]ike proposal 1     //配置一个安全提议

[USG-1-ike-proposal-1]authentication-method pre-share   //配置IKE认证方式为预共享密钥

[USG-1-ike-proposal-1]authentication-algorithm sha1   //配置IKE认证算法为sha1

[USG-1-ike-proposal-1]integrity-algorithm aes-xcbc-96  //配置IKE完整性算法

[USG-1-ike-proposal-1]dh group2  //配置IKE密钥协商DH组

[USG-1-ike-proposal-1]quit

[USG-1]ike peer USG-2             //创建一个IKE对等体名字为USG-2

[USG-1-ike-peer-usg-2]pre-shared-key abc123    //配置预共享密钥

[USG-1-ike-peer-usg-2]remote-address 12.0.0.2  //配置对等体IP地址

[USG-1-ike-peer-usg-2]ike-proposal 1       //调用ike安全提议

[USG-1-ike-peer-usg-2]quit

----------------------------阶段二-----------------------------------------------------

[USG-1]ipsec proposal test        //配置一个ipsec安全提议

[USG-1-ipsec-proposal-test]encapsulation-mode tunnel    //封装方式采用隧道

[USG-1-ipsec-proposal-test]transform esp    //配置IPSEC安全协议为ESP

[USG-1-ipsec-proposal-test]esp encryption-algorithm aes   //配置ESP协议加密算法为aes

[USG-1-ipsec-proposal-test]esp authentication-algorithm sha1  //配置ESP协议认证算法

[USG-1-ipsec-proposal-test]quit

[USG-1]acl 3000         //创建一个ACL定义感兴趣流

[USG-1-acl-adv-3000]rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255

[USG-1]ipsec policy map 1 isakmp    //创建一个安全策略,名称为map

[USG-1-ipsec-policy-isakmp-map-1]ike-peer USG-2    //调用ike对等体

[USG-1-ipsec-policy-isakmp-map-1]proposal test     //调用IPsec安全提议

[USG-1-ipsec-policy-isakmp-map-1]security acl 3000   //配置感兴趣流

[USG-1-ipsec-policy-isakmp-map-1]quit

[USG-1]int g0/0/1

[USG-1-GigabitEthernet0/0/1]ipsec policy map     //在外网口上调用安全策略


区域间策略配置

[USG-1]policy interzone trust untrust outbound .

//进入trust到untrust区域out方向策略视图

[USG-1-policy-interzone-trust-untrust-outbound]policy 1    //创建策略

[USG-1-policy-interzone-trust-untrust-outbound-1]action permit  

//允许trust区域所有主机访问untrust区域 

[USG-1-policy-interzone-trust-untrust-outbound-1]quit

[USG-1-policy-interzone-trust-untrust-outbound]quit

[USG-1]policy interzone trust untrust inbound 

//进入trust区域到untrust区域的in方向策略视图

[USG-1-policy-interzone-trust-untrust-inbound]policy 1

[USG-1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.20.0 0.0.0.255

[USG-1-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.10.0 0.0.0.255

[USG-1-policy-interzone-trust-untrust-inbound-1]action permit 

//以上命令为允许数据包源地址为192.168.20.0/24网段和目标地址为192.168.10.0/24网段的流量过

[USG-1-policy-interzone-trust-untrust-inbound-1]quit

[USG-1-policy-interzone-trust-untrust-inbound]quit

[USG-1]policy interzone local untrust inbound

//进入local区域到untrust区域的in方向策略视图

[USG-1-policy-interzone-local-untrust-inbound]policy 1

[USG-1-policy-interzone-local-untrust-inbound-1]policy source 12.0.0.2 0

[USG-1-policy-interzone-local-untrust-inbound-1]policy destination 11.0.0.2 0

[USG-1-policy-interzone-local-untrust-inbound-1]action permit 

//允许源地址是12.0.0.2目标地址是11.0.0.2的数据包访问


USG-2配置

[USG-2]firewall zone trust 

[USG-2-zone-trust]add int g0/0/0

[USG-2-zone-trust]quit

[USG-2]firewall zone untrust 

[USG-2-zone-untrust]add int g0/0/1

[USG-2-zone-untrust]quit

[USG-2]int g0/0/0

[USG-2-GigabitEthernet0/0/0]ip add 192.168.20.1 24

[USG-2-GigabitEthernet0/0/0]int g0/0/1

[USG-2-GigabitEthernet0/0/1]ip add 12.0.0.2 24

[USG-2-GigabitEthernet0/0/1]quit

[USG-2]ip route-static 0.0.0.0 0.0.0.0 12.0.0.1

[USG-2]nat-policy interzone trust untrust outbound 

[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 1

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.10.0 0.0.0.255

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]action no-nat 

[USG-2-nat-policy-interzone-trust-untrust-outbound-1]quit

[USG-2-nat-policy-interzone-trust-untrust-outbound]policy 2

[USG-2-nat-policy-interzone-trust-untrust-outbound-2]action source-nat 

[USG-2-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet0/0/1

[USG-2-nat-policy-interzone-trust-untrust-outbound-2]quit

[USG-2-nat-policy-interzone-trust-untrust-outbound]quit


[USG-2]ike proposal 1

[USG-2-ike-proposal-1]authentication-method pre-share 

[USG-2-ike-proposal-1]authentication-algorithm sha1 

[USG-2-ike-proposal-1]integrity-algorithm aes-xcbc-96 

[USG-2-ike-proposal-1]dh group2

[USG-2-ike-proposal-1]quit

[USG-2]ike peer USG-A

[USG-2-ike-peer-usg-a]pre-shared-key abc123

[USG-2-ike-peer-usg-a]ike-proposal 1

[USG-2-ike-peer-usg-a]remote-address 11.0.0.2

[USG-2-ike-peer-usg-a]quit

[USG-2]ipsec proposal test

[USG-2-ipsec-proposal-test]encapsulation-mode tunnel 

[USG-2-ipsec-proposal-test]transform esp 

[USG-2-ipsec-proposal-test]esp encryption-algorithm aes

[USG-2-ipsec-proposal-test]esp authentication-algorithm sha1 

[USG-2-ipsec-proposal-test]quit

[USG-2]acl 3000

[USG-2-acl-adv-3000]rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255

[USG-2-acl-adv-3000]quit

[USG-2]ipsec policy map 1 isakmp 

[USG-2-ipsec-policy-isakmp-map-1]ike-peer USG-A

[USG-2-ipsec-policy-isakmp-map-1]proposal test

[USG-2-ipsec-policy-isakmp-map-1]security acl 3000

[USG-2-ipsec-policy-isakmp-map-1]quit

[USG-2]int g0/0/1

[USG-2-GigabitEthernet0/0/1]ipsec policy map

[USG-2-GigabitEthernet0/0/1]quit

[USG-2]policy interzone trust untrust outbound 

[USG-2-policy-interzone-trust-untrust-outbound]policy 1

[USG-2-policy-interzone-trust-untrust-outbound-1]action permit 

[USG-2-policy-interzone-trust-untrust-outbound-1]quit

[USG-2-policy-interzone-trust-untrust-outbound]quit

[USG-2]policy interzone trust untrust inbound 

[USG-2-policy-interzone-trust-untrust-inbound]policy 1

[USG-2-policy-interzone-trust-untrust-inbound-1]policy source 192.168.10.0 0.0.0.255

[USG-2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.20.0 0.0.0.255

[USG-2-policy-interzone-trust-untrust-inbound-1]action permit 

[USG-2-policy-interzone-trust-untrust-inbound-1]quit

[USG-2-policy-interzone-trust-untrust-inbound]quit

[USG-2]policy interzone local untrust inbound 

[USG-2-policy-interzone-local-untrust-inbound]policy 1

[USG-2-policy-interzone-local-untrust-inbound-1]policy source 11.0.0.2 0

[USG-2-policy-interzone-local-untrust-inbound-1]policy destination 12.0.0.2 0

[USG-2-policy-interzone-local-untrust-inbound-1]action permit 



使用C1(192.168.10.10)去ping C2(192.168.20.10)

wKioL1bDO4nyFHGGAABA53LBy2M082.png


使用dispaly ike sa和display ipsec sa来查看邻居建立情况

wKiom1bDO92CS44dAAAuNUAX8wc433.png


wKioL1bDPGPii2_EAABQvvURiDE303.png