HCNP-IENP Chapter 4 Firewall Configuration

Lab 4-1 Firewall Zone and Security Policy Configuration

Learning Objectives

The objectives of this lab are to learn and understand:
- How to configure firewall zones
- How to configure security policies

Topology

Figure 4-1 Firewall zone configuration (topology diagram; the firewall sits between the three routers, and R2's Loopback0 10.0.2.2 is shown in the trust zone)

HC Series HUAWEI TECHNOLOGIES

Scenario

Assume that you are a network administrator of an enterprise. The headquarters network is divided into three zones: trust, untrust, and DMZ. The firewall is used to control data, ensure internal network security, and provide services for external networks through the DMZ.

Tasks

Step 1 Log in to the device using the console port.

1. Connect cables of configuration ports.
- Disable the firewall and configure a power supply for the terminal.
- Connect the RS-232 serial port of the terminal to the console port of the firewall through the configuration cable.
- Power on the device after checking the installation.
2. Configure HyperTerminal software. (You can obtain free HyperTerminal software such as PuTTY from the Internet.)
- Download the PuTTY software to the local PC and double-click it to run the software.
- Select Session and set Connection type to Serial.
- Set parameters for connecting the serial port to the device. Figure 4-2 shows the parameter settings.

Figure 4-2 Setting PuTTY parameters for connecting the serial port to the firewall (screenshot of the PuTTY Session panel)

- Click Open.
3. Press Enter, and enter the default administrator account admin and password Admin@123.
4. Modify the password of the default administrator account, and enter the CLI. To ensure security, the password must meet the minimum complexity requirement.
That is, the password must contain at least three of the following character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters (such as !, @, #, $, and %). Remember the new password for future logins.

Step 2 Perform basic configurations and configure IP addresses.

Configure IP addresses and static routes for the routers and the firewall, and configure VLANs on the switch.

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.10.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]interface LoopBack 0
[R1-LoopBack0]ip address 10.0.1.1 24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.0.20.1 24
[R2-GigabitEthernet0/0/1]quit
[R2]interface LoopBack 0
[R2-LoopBack0]ip address 10.0.2.2 24

<USG6300>system-view
Enter system view, return user view with Ctrl+Z.
[USG6300]sysname FW
[FW]interface GigabitEthernet 0/0/0
[FW-GigabitEthernet0/0/0]undo ip address
[FW-GigabitEthernet0/0/0]quit
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 10.0.10.254 24
[FW-GigabitEthernet1/0/0]quit
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]ip address 10.0.20.254 24
[FW-GigabitEthernet1/0/1]quit
[FW]interface GigabitEthernet 1/0/2
[FW-GigabitEthernet1/0/2]ip address 10.0.30.254 24
[FW-GigabitEthernet1/0/2]quit

Configure VLANs on the switch as required.
[Quidway]sysname S1
[S1]vlan batch 11 to 13
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1]port link-type access
[S1-GigabitEthernet0/0/1]port default vlan 11
[S1-GigabitEthernet0/0/1]quit
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type access
[S1-GigabitEthernet0/0/2]port default vlan 12
[S1-GigabitEthernet0/0/2]quit
[S1]interface GigabitEthernet 0/0/3
[S1-GigabitEthernet0/0/3]port link-type access
[S1-GigabitEthernet0/0/3]port default vlan 13
[S1-GigabitEthernet0/0/3]quit
[S1]interface GigabitEthernet 0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 11
[S1-GigabitEthernet0/0/21]quit
[S1]interface GigabitEthernet 0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 12
[S1-GigabitEthernet0/0/22]quit
[S1]interface GigabitEthernet 0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 13
[S1-GigabitEthernet0/0/23]quit

Configure default routes on R1, R2, and R3 and specific static routes on the firewall to implement connectivity between the three network segments that are reached through the three Loopback0 interfaces.

[R1]ip route-static 0.0.0.0 0 10.0.10.254
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254

[FW]ip route-static 10.0.1.0 24 10.0.10.1
[FW]ip route-static 10.0.2.0 24 10.0.20.1
[FW]ip route-static 10.0.3.0 24 10.0.30.1

After the configuration is complete, check the routing information on the firewall.

[FW]display ip routing-table
Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
10.0.1.0/24         Static  60   0     RD     10.0.10.1    GigabitEthernet1/0/0
10.0.2.0/24         Static  60   0     RD     10.0.20.1    GigabitEthernet1/0/1
10.0.3.0/24         Static  60   0     RD     10.0.30.1    GigabitEthernet1/0/2
10.0.10.0/24        Direct  0    0     D      10.0.10.254  GigabitEthernet1/0/0
10.0.10.254/32      Direct  0    0     D      127.0.0.1    InLoopBack0
10.0.20.0/24        Direct  0    0     D      10.0.20.254  GigabitEthernet1/0/1
10.0.20.254/32      Direct  0    0     D      127.0.0.1    InLoopBack0
10.0.30.0/24        Direct  0    0     D      10.0.30.254  GigabitEthernet1/0/2
10.0.30.254/32      Direct  0    0     D      127.0.0.1    InLoopBack0

Step 3 Configure firewall zones.

The firewall has four zones by default: the local zone, trust zone, untrust zone, and DMZ.
Here, the trust zone, untrust zone, and DMZ are used. Add interfaces to the zones. To prevent address conflicts, remove GE0/0/0, because GE0/0/0 is added to the trust zone by default.

[FW]firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet 1/0/2
[FW-zone-dmz]quit
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/1
[FW-zone-trust]quit
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/0
[FW-zone-untrust]quit

Check which zone each interface belongs to and the priority of each zone.

[FW]display zone
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (1):
    GigabitEthernet1/0/1
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/0
#
dmz
 priority is 50
 interface of the zone is (1):
    GigabitEthernet1/0/2
#

You can see that the three interfaces have been added to their corresponding zones. By default, interfaces in different zones cannot communicate with each other. Traffic between the routers cannot pass between zones, so inter-zone security policies are required to allow traffic to pass.

Step 4 Configure a security policy.

If no inter-zone security policy is configured on the firewall, or no security policy is matched, the default packet filtering policy applies. That is, all traffic is denied.

Configure a security policy to enable devices in the trust zone to access devices in the other zones and to prevent access between the other zones.

[FW]security-policy
[FW-policy-security]rule name policy_sec_1
[FW-policy-security-rule-policy_sec_1]source-zone trust
[FW-policy-security-rule-policy_sec_1]destination-zone untrust
[FW-policy-security-rule-policy_sec_1]action permit
[FW-policy-security-rule-policy_sec_1]quit
[FW-policy-security]rule name policy_sec_2
[FW-policy-security-rule-policy_sec_2]source-zone trust
[FW-policy-security-rule-policy_sec_2]destination-zone dmz
[FW-policy-security-rule-policy_sec_2]action permit
[FW-policy-security-rule-policy_sec_2]quit
[FW-policy-security]quit

Verify the configuration.
[FW]display security-policy all
Total:2
RULE ID  RULE NAME       STATE    ACTION   HITS
-------------------------------------------------
1        policy_sec_1    enable   permit   0
2        policy_sec_2    enable   permit   0

[FW]display security-policy rule policy_sec_1
 (0 times matched)
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  action permit

[FW]display security-policy rule policy_sec_2
 (0 times matched)
 rule name policy_sec_2
  source-zone trust
  destination-zone dmz
  action permit

Check the connectivity from the trust zone to the untrust zone and the DMZ.

[R2]ping -a 10.0.2.2 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Reply from 10.0.1.1: bytes=56 Sequence=1 time=1 ms
    Reply from 10.0.1.1: bytes=56 Sequence=2 time=1 ms
    Reply from 10.0.1.1: bytes=56 Sequence=3 time=1 ms
    Reply from 10.0.1.1: bytes=56 Sequence=4 time=1 ms
    Reply from 10.0.1.1: bytes=56 Sequence=5 time=1 ms

  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

[R2]ping -a 10.0.2.2 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Reply from 10.0.3.3: bytes=56 Sequence=1 time=1 ms
    Reply from 10.0.3.3: bytes=56 Sequence=2 time=1 ms
    Reply from 10.0.3.3: bytes=56 Sequence=3 time=1 ms
    Reply from 10.0.3.3: bytes=56 Sequence=4 time=1 ms
    Reply from 10.0.3.3: bytes=56 Sequence=5 time=1 ms

  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

Check the connectivity from the untrust zone to the trust zone and the DMZ.

[R1]ping -a 10.0.1.1 10.0.2.2
  PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[R1]ping -a 10.0.1.1 10.0.3.3
  PING 10.0.3.3: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.0.3.3 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Check the connectivity from the DMZ to the untrust zone and the trust zone.
[R3]ping -a 10.0.3.3 10.0.1.1
  PING 10.0.1.1: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.0.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[R3]ping -a 10.0.3.3 10.0.2.2
  PING 10.0.2.2: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.0.2.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

The verification shows that devices in the trust zone can access the untrust zone and the DMZ, but devices in the other zones cannot access each other.

Configure an inter-zone packet filtering policy to allow devices in the untrust zone to access the specified server in the DMZ. The Telnet service is enabled for the untrust zone on the server at 10.0.3.3 in the DMZ. ICMP (ping) is also permitted to test network connectivity.

[FW]security-policy
[FW-policy-security]rule name policy_sec_3
[FW-policy-security-rule-policy_sec_3]source-zone untrust
[FW-policy-security-rule-policy_sec_3]destination-zone dmz
[FW-policy-security-rule-policy_sec_3]destination-address 10.0.3.3 32
[FW-policy-security-rule-policy_sec_3]service telnet
[FW-policy-security-rule-policy_sec_3]service icmp
[FW-policy-security-rule-policy_sec_3]action permit

Enable the Telnet function on R3 to perform the Telnet test.

[R3]telnet server enable
[R3]aaa
[R3-aaa]local-user test password irreversible-cipher Admin@123
[R3-aaa]local-user test service-type telnet
[R3-aaa]quit
[R3]user-interface vty 0 4
[R3-ui-vty0-4]authentication-mode aaa
[R3-ui-vty0-4]protocol inbound telnet

Perform ping and Telnet operations from R1 (untrust zone) to R3 (DMZ).

<R1>telnet 10.0.3.3
  Press CTRL_] to quit telnet mode
  Trying 10.0.3.3 ...
  Connected to 10.0.3.3 ...

Login authentication

Username:test
Password:
<R3>quit
  The connection was closed by the remote host

The verification shows that only ICMP and Telnet packets to the specified IP address can pass; all other traffic is denied.

Device Configuration

S1:
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 11
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 12
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 13
#
interface GigabitEthernet0/0/21
 port link-type access
 port default vlan 11
#
interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 12
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 13
#

R2:
[R2]display current-configuration
#
 sysname R2
#
interface GigabitEthernet0/0/1
 ip address 10.0.20.1 255.255.255.0
#
interface LoopBack0
 ip address 10.0.2.2 255.255.255.0
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.20.254
#
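The security policies of Step 4, as an added model that is not part of the lab or of Huawei's own code: rules are matched top-down, the first hit decides, and a packet that matches no rule falls through to the default packet filtering policy (deny). The zone a packet enters or leaves is derived from the Loopback0 segment its address belongs to; the name policy_sec_3 for the untrust-to-DMZ rule is assumed, since the lab does not show it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Loopback0 segments reached through each zone interface (lab topology).
ZONES = {"untrust": "10.0.1.0/24", "trust": "10.0.2.0/24", "dmz": "10.0.3.0/24"}

@dataclass(frozen=True)
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    services: frozenset = frozenset()        # empty set = any service
    destination_address: str = "0.0.0.0/0"  # no address filter
    action: str = "permit"

def zone_of(ip):
    for zone, net in ZONES.items():
        if ip_address(ip) in ip_network(net):
            return zone
    raise ValueError(f"{ip} is not behind any zone interface")

def evaluate(rules, src_ip, dst_ip, service):
    """Match rules top-down, first hit wins. No hit falls through to the
    default packet filtering policy of Step 4, which denies everything."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if (rule.source_zone, rule.destination_zone) != (src_zone, dst_zone):
            continue
        if rule.services and service not in rule.services:
            continue
        if ip_address(dst_ip) not in ip_network(rule.destination_address):
            continue
        return rule.name, rule.action
    return "default", "deny"

# The three rules of Step 4; policy_sec_3 is an assumed name (not shown in the lab).
POLICY = [
    Rule("policy_sec_1", "trust", "untrust"),
    Rule("policy_sec_2", "trust", "dmz"),
    Rule("policy_sec_3", "untrust", "dmz", frozenset({"icmp", "telnet"}), "10.0.3.3/32"),
]

if __name__ == "__main__":
    # Constructed checks mirroring the lab's ping and Telnet tests.
    for src, dst, svc in [("10.0.2.2", "10.0.1.1", "icmp"),
                          ("10.0.1.1", "10.0.2.2", "icmp"),
                          ("10.0.1.1", "10.0.3.3", "telnet"),
                          ("10.0.1.1", "10.0.3.3", "ssh"),
                          ("10.0.3.3", "10.0.1.1", "icmp")]:
        print(f"{src} -> {dst} {svc}: {evaluate(POLICY, src, dst, svc)}")
```

The model only evaluates the direction that initiates a session; the firewall is stateful, so reply traffic for a permitted session is allowed without a rule in the reverse direction.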
