Hi Guys,
For the Huawei devices lab, I will be using the eNSP simulator. You can download it here.
In this topology, I have divided the firewall into two zones, untrust and trust. Client 4 and Client 2 are in different VLANs, 100 and 200. The FW is configured as the default gateway for VLAN 100 and 200 using router on a stick, and then NAT for the internal hosts is configured on the firewall.
Below is the step-by-step configuration for the SW and the firewall:
Switch:
1. Create the VLANs and configure the port link types:
vlan batch 100 200
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface Ethernet0/0/2
port link-type access
port default vlan 100
#
interface Ethernet0/0/3
port link-type access
port default vlan 200
#
Firewall:
1. Configure the IP addresses and inter-VLAN routing (router on a stick):
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 1.1.1.2 255.255.255.248
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.100
vlan-type dot1q 100
alias GigabitEthernet0/0/1.100
ip address 192.168.0.2 255.255.255.248
#
interface GigabitEthernet0/0/1.200
vlan-type dot1q 200
alias GigabitEthernet0/0/1.200
ip address 192.168.0.10 255.255.255.248
#
2. Create the FW zones trust and untrust and add the interfaces to them:
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1.100
add interface GigabitEthernet0/0/1.200
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
3. Permit packets between local and trust/untrust, and between trust and untrust, in both directions:
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
Verify the rules with display firewall packet-filter default all:
Firewall default packet-filter action is:
----------------------------------------------------------------------
packet-filter in public:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> untrust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> untrust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
dmz -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
packet-filter between VFW:
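As an added check (my own script, not part of the original lab or of Huawei's tooling), the following Python parses the display firewall packet-filter default all output shown above and flags every zone pair whose inbound default is permit, because on the USG "inbound" means sessions initiated from the lower-priority zone into the higher-priority one. It assumes the local and dmz priorities are the USG defaults of 100 and 50 (the lab does not change them); trust 85 and untrust 5 are as configured above.

```python
import re

# Zone priorities: trust 85 / untrust 5 as configured in this lab; local 100 and
# dmz 50 are assumed to be the USG defaults (not changed by the lab config).
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
# Interzone header such as "trust -> untrust :"
PAIR_RE = re.compile(r"^\s*(\w+)\s*->\s*(\w+)\s*:\s*$")
# "inbound : default: permit; || IPv6-acl: null" (the IPv6 part is ignored)
DIR_RE = re.compile(r"^\s*(inbound|outbound)\s*:\s*default:\s*(permit|deny)\s*;")
# Constructed copy of the 'display firewall packet-filter default all' output.
SAMPLE = """\
Firewall default packet-filter action is:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> untrust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> untrust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
"""

def parse_packet_filter_defaults(output):
    """Return {(zone_a, zone_b): {"inbound": action, "outbound": action}}."""
    rules, current = {}, None
    for line in output.splitlines():
        m = PAIR_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            rules[current] = {}
            continue
        m = DIR_RE.match(line)
        if m and current is not None:
            rules[current][m.group(1)] = m.group(2)
    return rules

def risky_defaults(rules):
    """On the USG, interzone 'inbound' is traffic from the lower-priority zone into
    the higher one, so a default permit there needs no explicit policy at all."""
    findings = []
    for (a, b), dirs in rules.items():
        if dirs.get("inbound") == "permit":
            high, low = sorted((a, b), key=ZONE_PRIORITY.get, reverse=True)
            findings.append(f"{low} can initiate sessions into {high} by default")
    return findings
```

Run against the output above it reports that untrust can initiate sessions into both trust and local, which is what the default permit on trust-untrust and local-untrust inbound means in practice.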
4. Lastly, configure source NAT with an address pool from trust --> untrust:
#
nat address-group 1 1.1.1.3 1.1.1.4
#
nat-policy interzone trust untrust outbound
policy 1
action source-nat
address-group 1
#
Verify with display firewall session-table; the internal source 192.168.0.1 appears translated to the pool address 1.1.1.4:
[SRG]dis firewall session table
Current Total Sessions : 5
icmp VPN:public --> public 192.168.0.1:64398[1.1.1.4:2053]-->1.1.1.1:2048
icmp VPN:public --> public 192.168.0.1:64910[1.1.1.4:2054]-->1.1.1.1:2048
icmp VPN:public --> public 192.168.0.1:65166[1.1.1.4:2055]-->1.1.1.1:2048
icmp VPN:public --> public 192.168.0.1:65422[1.1.1.4:2056]-->1.1.1.1:2048
icmp VPN:public --> public 192.168.0.1:143[1.1.1.4:2057]-->1.1.1.1:2048
[SRG]