13 eudemon basic function and configuration
Post on 08-Nov-2014
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved
www.huawei.com
Eudemon Basic Function and Configuration
This course introduces the work modes of the firewall, the security zone concept, and the basic function and configuration of ACLs and NAT.
Upon completion of this course, you will be able to:
Master the concept of security zones
Master the work modes of the firewall
Master the function and configuration of ACLs
Master the function and configuration of NAT
Chapter 1 Work Mode
Chapter 2 Security Zone
Chapter 3 ACL
Chapter 4 NAT
Route Mode
[Diagram: the Eudemon sits between the internal network (Trust Zone, 10.110.1.0/24, PCs and a server) and the external network (Untrust Zone, 202.10.0.0/24, PCs and a server); its interfaces carry the addresses 10.110.1.254 on the internal side and 202.10.0.1 on the external side.]
Transparent Mode
[Diagram: the Eudemon sits between the internal network (Trust) and the external network (Untrust), both inside the single subnet 202.10.0.0/24; no addresses are shown on the firewall interfaces.]
Composite Mode
[Diagram: two Eudemons, Eudemon(active) and Eudemon(standby), run VRRP between the Trust side (internal network, PCs and a server) and the Untrust side (external network, PCs and a server); both sides are labelled 202.10.0.0/24.]
Configure Work Mode
[Eudemon]firewall mode composite
[Eudemon]quit
<Eudemon>reboot
[Eudemon]display firewall mode
firewall mode composite
Chapter 2 Security Zone
Security Zone of Firewall
[Diagram: the default security zones and their priorities: Local Zone 100, Trust Zone 85, DMZ Zone 50, UnTrust Zone 5. Interfaces (Interface 1 to Interface 4) are assigned to zones, and further zones can be defined by the user.]
Among Security Zones of Firewall---InterZone
[Diagram: the Eudemon connects the internal network (Trust), a server segment (DMZ) and the external network (Untrust) through interfaces E1/0/0, E1/0/1 and E1/0/2, while the firewall itself belongs to the Local zone. Each pair of zones forms an interzone, and traffic crossing it has an inbound and an outbound direction.]
Configure Security Zone
[Eudemon] firewall zone name userzone
[Eudemon-zone-userzone] set priority 60
[Eudemon-zone-userzone] add interface Ethernet 0/0/1
[Eudemon-zone-userzone] quit
[Eudemon] display zone userzone
userzone
priority is 60
interface of the zone is (1):
Ethernet0/0/1
Configure InterZone policy
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit ip
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 3000 inbound
[Diagram: the Eudemon between the internal network (Trust Zone) and the external network (Untrust Zone); the policy above applies ACL 3000 to the inbound direction of the trust-untrust interzone.]
Chapter 3 ACL
ACL Application
What is an ACL? A list of rules, each of which permits or denies the traffic it matches.
Packet filtering: decide whether a packet is discarded or forwarded according to the ACL rules
NAT: decide which packets NAT is applied to according to the ACL
IPSec: decide which packets are protected according to the ACL
QoS: classify flows according to the ACL
Routing policy: filter routes according to the ACL
ACL Classification
Basic ACL (range: 2000~2999): defines a data flow by source address only
Advanced ACL (range: 3000~3999): defines a data flow by a combination of source address, destination address, source port number, destination port number, upper-layer protocol number and so on
Firewall ACL (range: 5000~5499): defines a data flow by source address, destination address and destination port number
ACL Classification
Matching precedence by ACL number: Firewall ACL first, then Advanced ACL, then Basic ACL; within one ACL, the rule with the smaller rule-id is matched first.
acl [ number ] acl-number
Basic ACL rule: rule [ rule-id ] { permit | deny } [ source { sour-address sour-wildcard | any } ] [ time-range time-name ]
Advanced ACL rule: rule [ rule-id ] { permit | deny } protocol [ source { sour-address sour-wildcard | any } ] [ destination { dest-address dest-mask | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-type icmp-code | icmp-message } ] [ precedence precedence ] [ tos tos ] [ time-range time-name ]
ACL Application Example
[Diagram: the Eudemon connects the internal network to the WAN through interfaces E0/0/0 and E1/0/0, with the addresses 129.38.1.1 on the internal side and 202.38.160.1 on the WAN side. Internal hosts: a special PC 129.38.1.4, an FTP server 129.38.1.2, a Telnet server 129.38.1.3 and a www server 129.38.1.5. In the external network there is a special PC 202.39.2.3.]
ACL Application Example-Configuration
[Eudemon] acl number 3101
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.4 0
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.1 0
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.2 0
[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.3 0
[Eudemon-acl-adv-3101] rule deny ip
[Eudemon-acl-adv-3101] quit
[Eudemon] acl number 3102
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
[Eudemon-acl-adv-3102] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 3101 outbound
[Eudemon-interzone-trust-untrust] packet-filter 3102 inbound
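To see how the two ACLs above are evaluated, here is an added Python model of advanced-ACL matching (it is not Huawei code and not part of the course): wildcard matching, first match by smallest rule-id, and what happens when no rule matches. The sequential rule-ids and writing the wildcard "0" as "0.0.0.0" are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

AddrSpec = Optional[Tuple[str, str]]   # (address, wildcard), or None meaning "any"

@dataclass
class Rule:
    rule_id: int            # assumed sequential ids; the device assigns them when omitted
    action: str             # "permit" or "deny"
    protocol: str           # "ip" matches every protocol; otherwise e.g. "tcp"
    source: AddrSpec = None
    destination: AddrSpec = None

def wild_match(ip: str, spec: AddrSpec) -> bool:
    """Wildcard semantics: a 0 bit in the wildcard must match exactly, a 1 bit is
    ignored; wildcard 0 (written 0.0.0.0 here) therefore selects one host."""
    if spec is None:
        return True
    addr, wildcard = spec
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def evaluate(rules, protocol: str, src: str, dst: str) -> Optional[str]:
    """First matching rule wins, smallest rule-id first. None means no rule matched,
    so the interzone default policy (not modelled here) decides the packet's fate."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.protocol != "ip" and rule.protocol != protocol:
            continue
        if wild_match(src, rule.source) and wild_match(dst, rule.destination):
            return rule.action
    return None

HOST = "0.0.0.0"   # the wildcard the configuration writes as "0"

# ACL 3101 (bound outbound): the four listed internal hosts may go out, all else is denied.
ACL_3101 = [
    Rule(0, "permit", "ip", ("129.38.1.4", HOST)),
    Rule(1, "permit", "ip", ("129.38.1.1", HOST)),
    Rule(2, "permit", "ip", ("129.38.1.2", HOST)),
    Rule(3, "permit", "ip", ("129.38.1.3", HOST)),
    Rule(4, "deny", "ip"),
]
# ACL 3102 (bound inbound): TCP from the special external PC to three servers only.
# It ends without a deny rule, so other inbound traffic falls through to the default policy.
ACL_3102 = [
    Rule(0, "permit", "tcp", ("202.39.2.3", HOST), ("129.38.1.1", HOST)),
    Rule(1, "permit", "tcp", ("202.39.2.3", HOST), ("129.38.1.2", HOST)),
    Rule(2, "permit", "tcp", ("202.39.2.3", HOST), ("129.38.1.3", HOST)),
]
```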
Chapter 4 NAT
NAT (Network Address Translation)
NAT translates the IP address in the header of an IP packet into another IP address.
NAT can solve the following problems:
IP address shortage
− Saves public IP addresses
Security element
− Shields the private network
Enterprise combination
− Makes it easy to combine networks
Private Address and Public Address
[Diagram: three LANs (LAN1, LAN2, LAN3) connected to the Internet reuse the same private addresses, such as 192.168.0.1 and 192.168.0.2.]
Private address ranges:
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255
Eudemon NAT
[Diagram: PC A (192.168.1.3) and PC B (192.168.1.2) are in the Trust zone behind the Eudemon's interface 192.168.1.1; Server B (202.120.10.2) and PC C (202.130.10.3) are on the Internet in the Untrust zone, reached through the Eudemon's interface 202.169.10.1.
Data packet 1 leaves PC A with source 192.168.1.3 and destination 202.120.10.2; after NAT it carries source 202.169.10.1 and destination 202.120.10.2.
Data packet 2 returns from Server B with source 202.120.10.2 and destination 202.169.10.1; after NAT it carries source 202.120.10.2 and destination 192.168.1.3.]
Eudemon NAPT
[Diagram: the same topology as the NAT slide (Trust side 192.168.1.1, Untrust side 202.169.10.1, Server B 202.120.10.2 and PC C 202.130.10.3 on the Internet). Several private sessions share the single public address 202.169.10.1 and are told apart by source port:
Data packet 1: source 192.168.1.3, source port 1357, becomes source 202.169.10.1, source port 1357
Data packet 2: source 192.168.1.3, source port 2468, becomes source 202.169.10.1, source port 2468
Data packet 3: source 192.168.1.1, source port 11111, becomes source 202.169.10.1, source port 11111
Data packet 4: source 192.168.1.2, source port 11111, becomes source 202.169.10.1, source port 22222, because port 11111 on the public address is already in use]
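The NAPT behaviour in the diagram above, as an added Python model that is not Huawei code: sessions keyed by private address and source port share one public address, a source port already held by another host is remapped, and a reply to a public port with no session entry is dropped. The remapping choice (next free port rather than the 22222 shown) and the ACL scope 192.168.1.0/24 are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Session = Tuple[str, int]   # (private address, private source port)

@dataclass
class Napt:
    """NAPT table for one public address (assumed model of the diagram, not device code)."""
    public_ip: str
    private_net: str                  # assumed ACL scope: only these sources are translated
    forward: Dict[Session, int] = field(default_factory=dict)   # session -> public port
    reverse: Dict[int, Session] = field(default_factory=dict)   # public port -> session

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate an outgoing packet's source; returns the (address, port) sent out."""
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.private_net):
            return (src_ip, src_port)            # ACL does not match: forwarded untranslated
        session = (src_ip, src_port)
        if session in self.forward:              # an existing session keeps its mapping
            return (self.public_ip, self.forward[session])
        # Keep the private port when it is free on the public address (packets 1 to 3);
        # choose another one when a different host already holds it (packet 4).
        public_port = src_port if src_port not in self.reverse else self._next_free(src_port)
        self.forward[session] = public_port
        self.reverse[public_port] = session
        return (self.public_ip, public_port)

    def _next_free(self, start: int) -> int:
        port = start
        while port in self.reverse:
            port = port + 1 if port < 65535 else 1024
        return port

    def inbound(self, public_port: int) -> Optional[Session]:
        """Map a reply arriving at the public address back to the private host.
        None means no session exists, so the firewall drops the packet; this is how
        NAT shields the private network from unsolicited connections."""
        return self.reverse.get(public_port)
```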
Eudemon Internal Server NAT
[Diagram: a Mail Server (192.168.1.100/24), a Web Server (192.168.1.101/24) and an FTP Server (192.168.1.102/24) sit in the DMZ behind the Eudemon's interface E0/0/1 (192.168.1.1/24); the Untrust side faces the Internet through E1/0/0 (202.168.0.1/26). The mapping is 202.168.0.11-192.168.1.101.
Data packet 1 arrives from 202.168.0.2 with destination 202.168.0.11 and is forwarded with destination 192.168.1.101.
Data packet 2 returns from 192.168.1.101 to 202.168.0.2 and leaves with source 202.168.0.11.
ALG function]
Eudemon NAT Implementation
[Diagram: on the Eudemon, an ACL selects the private addresses to translate, and they are mapped to a public address.]
Internal Server NAT Network
[Diagram: the internal network 192.168.0.0/24 (Trust) is behind E0/0/0 (192.168.0.1/24); the DMZ holds a Mail Server (192.168.1.100/24), a Web Server (192.168.1.101/24) and an FTP Server (192.168.1.102/24) behind E0/0/1 (192.168.1.1/24); the Untrust side faces the Internet through E1/0/0 (202.168.0.1/24).
Server mappings:
202.168.0.10-192.168.1.100
202.168.0.11:80-192.168.1.101:8080
202.168.0.12:1021-192.168.1.102:ftp]
Egress Network NAT Typical Configuration
[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit
[Eudemon-acl-basic-2000] quit
[Eudemon] nat address-group 1 202.168.0.10 202.168.0.20
Configure the address pool.
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit ip source-address 192.168.0.0 0.0.0.255
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 2000 outbound
[Eudemon-interzone-trust-untrust] nat outbound 3000 address-group 1
Enable the NAT function by binding the address pool to the ACL that selects the private addresses to translate.
NAT Server Typical Configuration
[Eudemon] nat server global 202.168.0.10 inside 192.168.1.100
[Eudemon] nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080
[Eudemon] nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp
Configure the mapping between each global address (and port) and the internal server address (and port).
[Eudemon] acl 3000
[Eudemon-acl-adv-3000] rule permit ip destination-address 192.168.1.0 0.0.0.255
[Eudemon-acl-adv-3000] quit
[Eudemon] firewall interzone DMZ untrust
[Eudemon-interzone-DMZ-untrust] packet-filter 3000 inbound
[Eudemon-interzone-DMZ-untrust] detect ftp
The packet filter permits inbound traffic to the translated internal addresses, and detect ftp enables the FTP ALG for the mapped FTP server.
NAT Configuration Verification
[Eudemon] display nat all
NAT address-group information:
 1: from 202.168.0.10 to 202.168.0.20, reference 1 times
 Total 1 address-groups
NAT outbound information:
 interzone-trust-untrust: acl(3000) --- NAT address-group( 1)
 Total 1 nat outbounds
Server in private network information:
 zone  GlobalAddr     GlobalPort  InsideAddr     InsidePort  Pro     VPN
 ----  202.168.0.10   ----        192.168.1.100  ----        ---     public
 ----  202.168.0.11   80          192.168.1.101  8080        6(tcp)  public
 ----  202.168.0.12   1021        192.168.1.102  21(ftp)     6(tcp)  public
 Total 3 NAT servers
An address pool that is referenced by a NAT policy cannot be deleted directly.
Summary
Which work modes does Eudemon support?
What are the default security zones of Eudemon?
What is the difference between a basic ACL and an advanced ACL?
Which kinds of NAT does Eudemon support?
Thank you
www.huawei.com