hc eudemon產(chǎn)品基本功能特性與配置

1、Eudemon產(chǎn)品基本功能特性與配置Page2前 言 本課程旨在介紹Eudemon防火墻工作模式、安全區(qū)域概念、ACL以及NAT等常用的基本功能和配置。Page3培訓(xùn)目標(biāo) 學(xué)完本課程后，您應(yīng)該能：掌握安全區(qū)域的概念掌握防火墻的工作模式掌握ACL的作用與基本配置掌握NAT的作用與配置Page4目 錄安全區(qū)域工作模式ACLNATPage5防火墻的安全區(qū)域Local區(qū)域100Trust區(qū)域85DMZ區(qū)域50UnTrust區(qū)域5接口2接口3接口4接口1 用戶自定義區(qū)域Vzone0Page6接口、網(wǎng)絡(luò)和安全區(qū)域關(guān)系Eth1/0/0Eth2/0/0inboundoutboundinboundoutboun

2、dEth0/0/0EudemonLocalinboundoutboundinboundoutboundinboundoutboundVzoneTrust內(nèi)部網(wǎng)絡(luò)UntrustServerServerDMZ外部網(wǎng)絡(luò)inboundoutboundPage7安全區(qū)域配置 1 創(chuàng)建一個(gè)安全區(qū)域Eudemon firewall zone name userzone 設(shè)置優(yōu)先級(jí)Eudemon-zone-userzone set priority 60 給安全區(qū)域添加接口Eudemon-zone-trust add interface GigabitEthernet 0/0/1Page8安全區(qū)域配置驗(yàn)證 查

3、看防火墻安全區(qū)域配置Eudemondisplay zone usernameusername priority is 60 interface of the zone is (1): GigabitEthernet0/0/1Page9安全區(qū)域配置2 system-viewEudemon policy interzone trust untrust outboundEudemon-policy-interzone-trust-untrust-outbound policy 1Eudemon-policy-interzone-trust-untrust-outbound-1 action perm

4、itPage10目 錄安全區(qū)域工作模式ACLNATPage11路由模式服務(wù)器PCPC/24Trust區(qū)服務(wù)器EudemonPC/2454Untrust區(qū)內(nèi)部網(wǎng)絡(luò)外部網(wǎng)絡(luò)Page12透明模式服務(wù)器PCPCTrust服務(wù)器EudemonPCUntrust/24內(nèi)部網(wǎng)絡(luò)外部網(wǎng)絡(luò)Page13混合模式Eudemon（主）/24Eudemon（備）VRRP/24Trust服務(wù)器PC服務(wù)器PCPCUntrust內(nèi)部網(wǎng)絡(luò)外部網(wǎng)絡(luò)Page14配置工作模式Eudemonfirewall mode composite EudemonquitrebootEudemondisplay firewall mode fir

5、ewall mode compositePage15目 錄安全區(qū)域工作模式ACLNATPage16ACL應(yīng)用 包過濾根據(jù)ACL規(guī)則決定數(shù)據(jù)包的丟棄和轉(zhuǎn)發(fā) NAT根據(jù)ACL決定哪些報(bào)文進(jìn)行地址轉(zhuǎn)換 IPSec根據(jù)ACL決定哪些數(shù)據(jù)需要保護(hù) Qos采用ACL進(jìn)行流分類 路由策略根據(jù)ACL對(duì)路由進(jìn)行過濾什么是ACL?PermitDenyPage17ACL分類 基本ACL （組號(hào)范圍為20002999）使用源地址定義數(shù)據(jù)流 高級(jí)ACL （組號(hào)范圍為30003999）使用源地址、目的地址、源端口號(hào)、目的端口號(hào)、上層協(xié)議號(hào)等多種元素組合定義數(shù)據(jù)流Page18ACL分類acl number acl-numb

6、er rule rule-id permit | deny source sour-address sour-wildcard | any time-range time-name rule rule-id permit | deny protocol source sour-address sour-wildcard | any destination dest-address dest-mask | any source-port operator port1 port2 destination-port operator port1 port2 icmp-type icmp-type i

7、cmp-code | icmp-message precedence precedence tos tos time-range time-name Page19ACL應(yīng)用實(shí)例公司外部特定PC公司內(nèi)部特定PCWANEudemonFTP ServerTelnet Serverwww ServerE1/0/0E0/0/0Page20ACL應(yīng)用實(shí)例配置Eudemon acl number 3101Eudemon-acl-adv-3101 rule permit ip source 0Eudemon-acl-adv-3101 rule permit ip source 0Eudemon-acl-adv

8、-3101 rule permit ip source 0Eudemon-acl-adv-3101 rule permit ip source 0Eudemon-acl-adv-3101 rule deny ipEudemon-acl-adv-3101 quitEudemon acl number 3102Eudemon-acl-adv-3102 rule permit tcp source 0 destination 0Eudemon-acl-adv-3102 rule permit tcp source 0 destination 0Eudemon-acl-adv-3102 rule pe

9、rmit tcp source 0 destination 0Eudemon-Interzone-trust-untrust packet-filter 3101 outboundEudemon-Interzone-trust-untrust packet-filter 3102 inboundPage21目 錄安全區(qū)域工作模式ACLNATPage22NAT (Network Address Translation) 網(wǎng)絡(luò)地址轉(zhuǎn)換 NAT是將IP數(shù)據(jù)報(bào)報(bào)頭中的IP地址轉(zhuǎn)換為另一個(gè)IP地址的過程 NAT可以解決以下問題IP地址匱乏節(jié)省公有IP地址安全因素屏蔽私有網(wǎng)絡(luò)企業(yè)合并便于網(wǎng)絡(luò)合并Page2

10、3私有地址和公有地址InternetLAN1LAN2LAN3私有地址范圍：-55-55 -55Page24Eudemon NATPC CServer BPC BPC AEudemonE0/0/0E0/0/0TrustUntrust數(shù)據(jù)報(bào)1源 目的 Internet數(shù)據(jù)報(bào)1源 目的 數(shù)據(jù)報(bào)2源 目的 數(shù)據(jù)報(bào)2源 目的 Page25Eudemon NAPTPC CServer BPC BPC AEudemonE0/0/0E0/0/0TrustUntrust數(shù)據(jù)報(bào)2源 源端口 2468Internet數(shù)據(jù)報(bào)2源 源端口 2468數(shù)據(jù)報(bào)3源 源端口 11111數(shù)據(jù)報(bào)3源 源端口 11111數(shù)據(jù)報(bào)4源

11、源端口 11111數(shù)據(jù)報(bào)4源 源端口 22222數(shù)據(jù)報(bào)1源 源端口 1357數(shù)據(jù)報(bào)1源 源端口 1357Page26Eudemon 內(nèi)部服務(wù)器NATMail ServerWeb ServerFTP ServerDMZInternet/26/2400/2401/2402/24E1/0/0E0/0/1Untrust 數(shù)據(jù)報(bào)1源 目的 1數(shù)據(jù)報(bào)1源 目的 01數(shù)據(jù)報(bào)2源 1目的 數(shù)據(jù)報(bào)2源 01 目的 1-01ALG功能Page27Eudemon NAT實(shí)現(xiàn)ACL私有地址公有地址EudemonPage28內(nèi)部服務(wù)器NAT組網(wǎng)內(nèi)部網(wǎng)絡(luò)/240-001:80-01:80802:1021-02:ftpE0

12、/0/0/24Trust Mail ServerWeb ServerFTP ServerDMZInternet/24/2400/2401/2402/24E1/0/0E0/0/1Untrust Page29出口網(wǎng)絡(luò)NAT典型配置Eudemon acl 2000Eudemon-acl-basic-2000rule permitEudemon-acl-basic-2000quitEudemon nat address-group 1 0 0Eudemon acl 3000Eudemon-acl-adv-3000 rule permit ip source-address 55 Eudemon fir

13、ewall interzone trust untrustEudemon-interzone-trust-untrust packet-filter 2000 outbound Eudemon-interzone-trust-untrust nat outbound 3000 address-group 1 配置地址池啟動(dòng)地址轉(zhuǎn)換功能并綁定地址池和ACLPage30NAT Server典型配置Eudemon nat server global 0 inside 00Eudemon nat server protocol tcp global 1 80 inside 01 8080Eudemon

14、 nat server protocol tcp global 2 1021 inside 02 ftpEudemon acl 3001Eudemon rule permit ip destination-address 55Eudemon firewall interzone DMZ untrustEudemon-interzone-DMZ-untrust packet-filter 3001 inbound Eudemon-interzone-DMZ-untrust detect ftp配置全局地址與內(nèi)部服務(wù)器地址的映射關(guān)系Page31NAT配置驗(yàn)證Eudemon display nat allNAT address-group information: 1: from 0 to 0, reference 1 times Total 1 address-groupsNAT outbound information: interzone-trust-untrust: acl(2000) NAT address-group( 1) Total 1 nat outboundsServer in private network information: zone GlobalAddr GlobalPort