Question 3 (20 points total)
The headquarters of a nationwide chain enterprise and its 30 branch offices across the country frequently need to exchange internal data, so the company has decided to deploy a VPN between headquarters and each branch. The topology is as follows:
The configuration shown below covers only headquarters and branch 1.
Answer Problems 1 and 2 according to the topology.
Problem 2 (13 points): Complete the configuration below.
Part of the configuration of the headquarters firewall firewall1 is as follows.
<FIREWALL1> system-view
[FIREWALL1] interface GigabitEthernet 1/0/2
[FIREWALL1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[FIREWALL1-GigabitEthernet1/0/2] quit
[FIREWALL1] interface GigabitEthernet 1/0/1
[FIREWALL1-GigabitEthernet1/0/1] ip address 202.1.3.1 24
[FIREWALL1-GigabitEthernet1/0/1] quit
# Add the interfaces to the appropriate security zones.
[FIREWALL1] ( )
[FIREWALL1-zone-trust] ( )
[FIREWALL1-zone-trust] quit
[FIREWALL1] ( )
[FIREWALL1-zone-untrust] ( )
[FIREWALL1-zone-untrust] quit
# Configure the security policy between the Trust and Untrust zones so that packets before encapsulation and after decapsulation are allowed through.
[FIREWALL1] ( )
[FIREWALL1-policy-security] rule name 1
[FIREWALL1-policy-security-rule-1] source-zone trust
[FIREWALL1-policy-security-rule-1] destination-zone untrust
[FIREWALL1-policy-security-rule-1] source-address ( )
[FIREWALL1-policy-security-rule-1] destination-address( )
[FIREWALL1-policy-security-rule-1] ( )
[FIREWALL1-policy-security-rule-1] quit
…..
# Configure the security policy between the Local and Untrust zones so that IKE negotiation packets can pass through FIREWALL1.
[FIREWALL1-policy-security] rule name 3
[FIREWALL1-policy-security-rule-3] source-zone local
[FIREWALL1-policy-security-rule-3] destination-zone untrust
[FIREWALL1-policy-security-rule-3] source-address 202.1.3.1 32
[FIREWALL1-policy-security-rule-3] destination-address 202.1.5.1 32
[FIREWALL1-policy-security-rule-3] action permit
[FIREWALL1-policy-security-rule-3] quit
[FIREWALL1-policy-security] rule name 4
[FIREWALL1-policy-security-rule-4] source-zone untrust
[FIREWALL1-policy-security-rule-4] destination-zone local
[FIREWALL1-policy-security-rule-4] source-address 202.1.5.1 32
[FIREWALL1-policy-security-rule-4] destination-address 202.1.3.1 32
[FIREWALL1-policy-security-rule-4] action permit
[FIREWALL1-policy-security-rule-4] quit
[FIREWALL1-policy-security] quit
# Configure an access control list that defines the traffic to be protected.
[FIREWALL1] acl 3000
[FIREWALL1-acl-adv-3000] rule ( ) ip source 192.168.100.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
[FIREWALL1-acl-adv-3000] quit
# Configure an IPSec proposal named tran1.
[FIREWALL1] ( )
[FIREWALL1-ipsec-proposal-tran1] encapsulation-mode tunnel
[FIREWALL1-ipsec-proposal-tran1] transform esp
[FIREWALL1-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FIREWALL1-ipsec-proposal-tran1] esp encryption-algorithm aes
[FIREWALL1-ipsec-proposal-tran1] quit
# Configure IKE proposal number 10.
[FIREWALL1] ike proposal 10
[FIREWALL1-ike-proposal-10] authentication-method pre-share
[FIREWALL1-ike-proposal-10] authentication-algorithm sha2-256
[FIREWALL1-ike-proposal-10] quit
# Configure the IKE user table.
[FIREWALL1] ike user-table 1
[FIREWALL1-ike-user-table-1] user id-type ip ( ) pre-shared-key Admin@gkys
[FIREWALL1-ike-user-table-1] quit
# Configure the IKE peer.
[FIREWALL1] ike peer b
[FIREWALL1-ike-peer-b] ike-proposal 10
[FIREWALL1-ike-peer-b] user-table 1
[FIREWALL1-ike-peer-b] quit
# Configure IPSec policy template map_temp with sequence number 1.
[FIREWALL1] ipsec policy-template map_temp 1
[FIREWALL1-ipsec-policy-template-map_temp-1] security acl ( )
[FIREWALL1-ipsec-policy-template-map_temp-1] proposal tran1
[FIREWALL1-ipsec-policy-template-map_temp-1] ike-peer b
[FIREWALL1-ipsec-policy-template-map_temp-1] reverse-route enable
[FIREWALL1-ipsec-policy-template-map_temp-1] quit
# Reference the policy template map_temp in IPSec policy map1.
[FIREWALL1] ipsec policy map1 10 isakmp template map_temp
# Apply the IPSec policy map1 on interface GigabitEthernet 1/0/1.
[FIREWALL1] interface GigabitEthernet 1/0/1
[FIREWALL1-GigabitEthernet1/0/1] ipsec policy map1
[FIREWALL1-GigabitEthernet1/0/1] quit
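The headquarters side above uses an IPSec policy template because one template can accept connections from all 30 branches without a per-branch policy entry. The branch side, by contrast, uses an ordinary ISAKMP policy that names the headquarters address explicitly. The fragment below is an added example of that branch-side configuration and is not part of the exam question. It assumes the branch firewall is named FIREWALL2, that its public interface GigabitEthernet 1/0/1 carries 202.1.5.1/24 (the peer address used in rules 3 and 4 above) and its inside interface GigabitEthernet 1/0/2 carries 192.168.200.1/24 (the destination network in ACL 3000 above), and that the ISP next hop is 202.1.5.2; the names a and map1 on the branch are likewise assumptions. The proposal parameters mirror the headquarters values so the two ends can negotiate.

```text
<FIREWALL2> system-view
[FIREWALL2] interface GigabitEthernet 1/0/2
[FIREWALL2-GigabitEthernet1/0/2] ip address 192.168.200.1 24   # assumed branch LAN gateway
[FIREWALL2-GigabitEthernet1/0/2] quit
[FIREWALL2] interface GigabitEthernet 1/0/1
[FIREWALL2-GigabitEthernet1/0/1] ip address 202.1.5.1 24       # peer address seen from FIREWALL1
[FIREWALL2-GigabitEthernet1/0/1] quit
[FIREWALL2] firewall zone trust
[FIREWALL2-zone-trust] add interface GigabitEthernet 1/0/2
[FIREWALL2-zone-trust] quit
[FIREWALL2] firewall zone untrust
[FIREWALL2-zone-untrust] add interface GigabitEthernet 1/0/1
[FIREWALL2-zone-untrust] quit
# Default route towards the ISP; next hop is an assumption.
[FIREWALL2] ip route-static 0.0.0.0 0.0.0.0 202.1.5.2
# Interesting traffic is the mirror image of ACL 3000 on FIREWALL1.
[FIREWALL2] acl 3000
[FIREWALL2-acl-adv-3000] rule 5 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
[FIREWALL2-acl-adv-3000] quit
# IPSec proposal: same transform, algorithms and mode as tran1 on FIREWALL1.
[FIREWALL2] ipsec proposal tran1
[FIREWALL2-ipsec-proposal-tran1] encapsulation-mode tunnel
[FIREWALL2-ipsec-proposal-tran1] transform esp
[FIREWALL2-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[FIREWALL2-ipsec-proposal-tran1] esp encryption-algorithm aes
[FIREWALL2-ipsec-proposal-tran1] quit
# IKE proposal: must match FIREWALL1's proposal 10 or phase 1 fails.
[FIREWALL2] ike proposal 10
[FIREWALL2-ike-proposal-10] authentication-method pre-share
[FIREWALL2-ike-proposal-10] authentication-algorithm sha2-256
[FIREWALL2-ike-proposal-10] quit
# IKE peer: the branch names the headquarters address and carries the same PSK
# that FIREWALL1 binds to this branch in its IKE user table.
[FIREWALL2] ike peer a
[FIREWALL2-ike-peer-a] ike-proposal 10
[FIREWALL2-ike-peer-a] remote-address 202.1.3.1
[FIREWALL2-ike-peer-a] pre-shared-key Admin@gkys
[FIREWALL2-ike-peer-a] quit
# Ordinary ISAKMP policy (not a template): this end can initiate the tunnel.
[FIREWALL2] ipsec policy map1 10 isakmp
[FIREWALL2-ipsec-policy-isakmp-map1-10] security acl 3000
[FIREWALL2-ipsec-policy-isakmp-map1-10] proposal tran1
[FIREWALL2-ipsec-policy-isakmp-map1-10] ike-peer a
[FIREWALL2-ipsec-policy-isakmp-map1-10] quit
[FIREWALL2] interface GigabitEthernet 1/0/1
[FIREWALL2-GigabitEthernet1/0/1] ipsec policy map1
[FIREWALL2-GigabitEthernet1/0/1] quit
```

Two practical points follow from the split between the two ends. First, a policy-template end only responds to negotiations, so the branch must send the first interesting packet (or the first IKE message) for the tunnel to come up; nothing on FIREWALL1 will initiate it. Second, the branch also needs security policies equivalent to rules 1 to 4 above (Trust to Untrust for the cleartext flows, Local to Untrust and back for IKE on UDP 500/4500 and for ESP), which are omitted here for brevity; without the Local zone rules the IKE exchange is dropped before any proposal mismatch could even be reported.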
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255 // allow all users on 172.16.105.0/24 to access the FTP server at any time
[Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range tr1 // restrict users on 172.16.107.0/24 to accessing the FTP server only within the period defined by time range tr1
[Switch-acl-basic-2001] rule deny source any // deny all other users access to the FTP server
[Switch-acl-basic-2001] quit