HCIP-Security 1.1 Multi-outlet routing 1 (ISP routing)

Time: 2022-6-16

1. Network topology

2. Planning description

2.1 IP address planning

Device        Interface        Security zone   IP address
FW1           GE0/0/0          Local           192.168.0.10/24
FW1           GE1/0/0          Local           202.100.2.10/24
FW1           GE1/0/1          Local           202.100.1.10/24
FW1           GE1/0/2          Local           10.1.1.10/24
FW1           GE1/0/3          Local           10.1.2.10/24
FW1           GE1/0/4          Local           10.1.3.10/24
FW1           GE1/0/5          Local           192.168.34.10/24
ISP1          GE0/0/0          untrust         11.1.1.20/24
ISP1          GE0/0/1          untrust         202.100.1.20/24
ISP1          Loopback0        untrust         1.1.1.1/32
ISP1          Loopback1        untrust         2.2.2.2/32
ISP2          GE0/0/0          untrust         12.1.1.20/24
ISP2          GE0/0/1          untrust         202.100.2.20/24
ISP2          Loopback0        untrust         3.3.3.3/32
ISP2          Loopback1        untrust         4.4.4.4/32
Internet      GE0/0/0          untrust         11.1.1.30/24
Internet      GE0/0/1          untrust         12.1.1.30/24
Internet      GE0/0/2          untrust         120.1.1.30/24
http_server   Ethernet0/0/0    untrust         120.1.1.2/24
DMZ_Server    Ethernet0/0/0    dmz             192.168.34.1/24
kali_linux    Ethernet0/0/0    trust           10.1.1.1/24
PC1           Ethernet0/0/0    trust           10.1.2.1/24
PC2           Ethernet0/0/0    trust           10.1.3.1/24
MGMT_PC       Ethernet0/0/0    trust           192.168.0.1/24

2.2 Experiment requirements

Configure the ISP address library files so that the optimal path ISP1 is selected when accessing 1.1.1.1/32 and 2.2.2.2/32, and the optimal path ISP2 when accessing 3.3.3.3/32 and 4.4.4.4/32. If one link fails, access to these four addresses must remain unaffected.

3. Configuration section

3.1 Configuration outside the firewall

3.1.1 ISP1 router

system-view 
[Huawei]sysname ISP1
[ISP1]user-interface  con 0
[ISP1-ui-console0]idle-timeout 0 0
[ISP1]interface GigabitEthernet 0/0/0
[ISP1-GigabitEthernet0/0/0]ip address 11.1.1.20 24
[ISP1-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP1-GigabitEthernet0/0/1]ip address 202.100.1.20 24
[ISP1-GigabitEthernet0/0/1]interface Loopback 0
[ISP1-LoopBack0]ip address 1.1.1.1 32
[ISP1-LoopBack0]interface Loopback 1
[ISP1-LoopBack1]ip address 2.2.2.2 32
[ISP1-LoopBack1]ip route-static 0.0.0.0 0 11.1.1.30

3.1.2 ISP2 router

system-view 
[Huawei]sysname ISP2
[ISP2]user-interface  con 0
[ISP2-ui-console0]idle-timeout 0 0
[ISP2-ui-console0]interface GigabitEthernet 0/0/0
[ISP2-GigabitEthernet0/0/0]ip address 12.1.1.20 24
[ISP2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[ISP2-GigabitEthernet0/0/1]ip address 202.100.2.20 24
[ISP2-GigabitEthernet0/0/1]interface Loopback 0
[ISP2-LoopBack0]ip address 3.3.3.3 32
[ISP2-LoopBack0]interface Loopback 1
[ISP2-LoopBack1]ip address 4.4.4.4 32
[ISP2-LoopBack1]ip route-static 0.0.0.0 0 12.1.1.30

3.1.3 Internet router

system-view 
[Huawei]sysname Internet
[Internet]user-interface  con 0
[Internet-ui-console0]idle-timeout 0 0
[Internet-ui-console0]interface GigabitEthernet 0/0/0
[Internet-GigabitEthernet0/0/0]ip address 11.1.1.30 24
[Internet-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]ip address 12.1.1.30 24
[Internet-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]ip address 120.1.1.30 24
[Internet-GigabitEthernet0/0/2]ip route-static 202.100.1.0 24 11.1.1.20
[Internet]ip route-static 1.1.1.1 32 11.1.1.20
[Internet]ip route-static 2.2.2.2 32 11.1.1.20
[Internet]ip route-static 202.100.2.0 24 12.1.1.20
[Internet]ip route-static 3.3.3.3 32 12.1.1.20
[Internet]ip route-static 4.4.4.4 32 12.1.1.20

3.1.4 HTTP server

The HTTP server is a VMware Workstation virtual machine bridged into eNSP, with a simple HTTP service configured on it.

3.1.5 MGMT_PC

MGMT_PC is my physical machine, bridged into eNSP; from it FW1 can be managed graphically through a browser.


3.1.6 Intranet test hosts


3.2 Firewall configuration

3.2.1 Interface addresses and security zones

system-view 
[USG6000V1]sysname FW1
[FW1]user-interface  con 0
[FW1-ui-console0]idle-timeout 0 0
[FW1-ui-console0]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]ip address 192.168.0.10 24
[FW1-GigabitEthernet0/0/0]service-manage http permit
[FW1-GigabitEthernet0/0/0]service-manage https permit
[FW1-GigabitEthernet0/0/0]service-manage ping permit
[FW1-GigabitEthernet0/0/0]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address  202.100.2.10 24
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 202.100.1.10 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]interface GigabitEthernet  1/0/2
[FW1-GigabitEthernet1/0/2]ip address  10.1.1.10 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1-GigabitEthernet1/0/2]interface GigabitEthernet   1/0/3
[FW1-GigabitEthernet1/0/3]ip address 10.1.2.10  24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1-GigabitEthernet1/0/3]interface GigabitEthernet   1/0/4
[FW1-GigabitEthernet1/0/4]ip address 10.1.3.10 24
[FW1-GigabitEthernet1/0/4]service-manage ping permit
[FW1-GigabitEthernet1/0/4]interface GigabitEthernet   1/0/5
[FW1-GigabitEthernet1/0/5]ip address 192.168.34.10 24
[FW1-GigabitEthernet1/0/5]service-manage ping permit
[FW1-GigabitEthernet1/0/5]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/0
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]add interface GigabitEthernet 1/0/3
[FW1-zone-trust]add interface GigabitEthernet 1/0/4
[FW1-zone-trust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/5
[FW1-zone-dmz]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1

3.2.2 ISP routing configuration

1. Edit the ISP address library file


2. Import the ISP file: in the web UI open Network, then Interface; under Routing choose Intelligent Routing, click the ISP (operator) address library, and click Import. Enter a name and select the address library file. If you do not know how to edit the file, you can download the address library file template; you can also obtain one from https://isecurity.huawei.com/.


3. Enable and configure the health checks

[FW1]healthcheck  enable
[FW1]healthcheck name isp1
[FW1-healthcheck-isp1]destination 202.100.1.20  interface  GigabitEthernet  1/0/1 protocol  icmp  
[FW1-healthcheck-isp1]tx-interval  3
[FW1-healthcheck-isp1]times 2
[FW1]healthcheck  name isp2
[FW1-healthcheck-isp2]destination 202.100.2.20 interface GigabitEthernet 1/0/0 protocol icmp 
[FW1-healthcheck-isp2]tx-interval  3
[FW1-healthcheck-isp2]times 2

4. Bind the ISP address library and the health check to each link-interface, specify the next hop, and configure the default route

[FW1]link-interface 0 name isp1
[FW1-linkif-0]interface GigabitEthernet 1/0/1 next-hop 202.100.1.20
[FW1-linkif-0]healthcheck isp1
[FW1-linkif-0]isp isp1 route enable
[FW1-linkif-0]link-interface 1 name isp2
[FW1-linkif-1]interface GigabitEthernet 1/0/0 next-hop 202.100.2.20
[FW1-linkif-1]healthcheck isp2
[FW1-linkif-1]isp isp2 route enable
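As an added example that is not part of the original lab, the following Python script models what steps 1 to 4 set up: two ISP address library files are parsed and checked for overlap, each library is bound to a link-interface with its egress port and next hop, and a health check with tx-interval 3 and times 2 takes a link out of service after two consecutive lost probes, so that a destination in the isp1 library fails over to the isp2 link. The "start-ip end-ip" one-range-per-line file format, the library contents, the rule that an unmatched destination takes the first up link, and every function name are assumptions made for this simulation, not the USG6000V's real file format or internal logic.

```python
"""Simulation of ISP-library routing with health-check failover.

Added example, not from the original lab. ASSUMPTIONS: the 'start-ip end-ip'
one-range-per-line file format, the library contents and all functions here
are constructed for the simulation; they are not the USG6000V's real file
format or internals.
"""
import ipaddress
from dataclasses import dataclass

# Constructed ISP address library files covering the lab's loopback addresses.
ISP_FILES = {
    "isp1": "# ISP1 prefixes\n1.1.1.0 1.1.1.255\n2.2.2.0 2.2.2.255\n",
    "isp2": "# ISP2 prefixes\n3.3.3.0 3.3.3.255\n4.4.4.0 4.4.4.255\n",
}


def parse_isp_file(text):
    """Return [(start, end)] integer address ranges; reject malformed lines."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'start end', got {line!r}")
        start, end = (int(ipaddress.IPv4Address(p)) for p in parts)
        if start > end:
            raise ValueError(f"line {lineno}: start address is after end address")
        ranges.append((start, end))
    return ranges


def overlapping(lib_a, lib_b):
    """True if any range of lib_a intersects any range of lib_b."""
    return any(a0 <= b1 and b0 <= a1 for a0, a1 in lib_a for b0, b1 in lib_b)


@dataclass
class LinkInterface:
    """One FW1 link-interface: egress port, next hop, ISP library, health check."""
    name: str
    interface: str
    next_hop: str
    isp_lib: list
    tx_interval: int = 3   # seconds between probes (healthcheck tx-interval)
    times: int = 2         # consecutive lost probes before the link is down
    misses: int = 0
    up: bool = True

    def probe(self, replied):
        """Record one ICMP probe result and return the resulting link state."""
        if replied:
            self.misses, self.up = 0, True
        else:
            self.misses += 1
            if self.misses >= self.times:
                self.up = False
        return self.up

    def detection_time(self):
        """Worst-case seconds before a dead link is declared down."""
        return self.tx_interval * self.times


def build_links():
    """Bind the parsed libraries to the two link-interfaces from the lab."""
    libs = {name: parse_isp_file(text) for name, text in ISP_FILES.items()}
    if overlapping(libs["isp1"], libs["isp2"]):
        raise ValueError("ISP libraries overlap; lookups would be ambiguous")
    return [
        LinkInterface("isp1", "GigabitEthernet1/0/1", "202.100.1.20", libs["isp1"]),
        LinkInterface("isp2", "GigabitEthernet1/0/0", "202.100.2.20", libs["isp2"]),
    ]


def select_link(dst, links):
    """Prefer the up link whose library holds dst; else any up link; else None."""
    d = int(ipaddress.IPv4Address(dst))
    for link in links:
        if link.up and any(s <= d <= e for s, e in link.isp_lib):
            return link
    return next((link for link in links if link.up), None)


if __name__ == "__main__":
    links = build_links()
    for dst in ("1.1.1.1", "3.3.3.3"):
        chosen = select_link(dst, links)
        print(f"{dst} -> {chosen.name} via {chosen.interface} next-hop {chosen.next_hop}")
    isp1 = links[0]
    for _ in range(isp1.times):          # simulate GE1/0/1 going dark
        isp1.probe(False)
    print(f"isp1 down after {isp1.detection_time()}s; "
          f"1.1.1.1 -> {select_link('1.1.1.1', links).name}")
```

The overlap check is the caveat worth keeping from this model: if the same prefix appears in both libraries, whichever link-interface is evaluated first silently wins, so the libraries should be disjoint before they are imported.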

3.2.3 Security policy

[FW1]ip address-set  pc type  object  
[FW1-object-address-set-pc]address 10.1.1.0 mask 24
[FW1-object-address-set-pc]address 10.1.2.0 mask 24
[FW1-object-address-set-pc]address 10.1.3.0 mask 24
[FW1]security-policy
[FW1-policy-security]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust
[FW1-policy-security-rule-trust_untrust]destination-zone untrust
[FW1-policy-security-rule-trust_untrust]source-address address-set  pc 
[FW1-policy-security-rule-trust_untrust]action  permit

3.2.4 Source NAT

[FW1]nat-policy 
[FW1-policy-nat]rule name easy-ip
[FW1-policy-nat-rule-easy-ip]source-zone trust
[FW1-policy-nat-rule-easy-ip]destination-zone  untrust
[FW1-policy-nat-rule-easy-ip]source-address address-set pc 
[FW1-policy-nat-rule-easy-ip]action   source-nat  easy-ip 

4. Effect test

① View health check status

[FW1]display  healthcheck 
2022-04-14 08:00:41.020 
Current Total Healthcheck Number : 2
Name                              Member   State   Up/Down/Init
isp1                              1        up      1  0    0   
isp2                              1        up      1  0    0   
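The display above is what an operator checks by eye; as an added example that is not part of the original lab, the Python snippet below parses output of this shape, cross-checks the row count against the "Current Total Healthcheck Number" line, and reports any expected health check that is missing or not fully up. The sample text is constructed to match the lab's output, with isp2 deliberately shown as down; the function names are assumptions.

```python
"""Parse `display healthcheck` output and flag links that are not fully up.

Added example, not from the original lab. The sample output below is
constructed (isp2 is shown as down on purpose); function names are assumed.
"""
import re

SAMPLE_OUTPUT = """\
2022-04-14 08:00:41.020
Current Total Healthcheck Number : 2
Name                              Member   State   Up/Down/Init
isp1                              1        up      1  0    0
isp2                              1        down    0  1    0
"""

# One data row: name, member count, state, then the up/down/init counters.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(up|down|init)\s+(\d+)\s+(\d+)\s+(\d+)$", re.I)
TOTAL = re.compile(r"Current Total Healthcheck Number\s*:\s*(\d+)")


def parse_healthcheck(text):
    """Return {name: {member, state, up, down, init}} for each data row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, member, state, up, down, init = m.groups()
            rows[name] = {"member": int(member), "state": state.lower(),
                          "up": int(up), "down": int(down), "init": int(init)}
    return rows


def total_matches(text, rows):
    """Cross-check the parsed row count against the device's own total."""
    m = TOTAL.search(text)
    return m is not None and int(m.group(1)) == len(rows)


def failed_links(rows, expected=("isp1", "isp2")):
    """Names of expected health checks that are missing or not entirely up."""
    problems = []
    for name in expected:
        r = rows.get(name)
        if r is None:
            problems.append(f"{name}: health check not present")
        elif r["state"] != "up" or r["down"] or r["init"]:
            problems.append(f"{name}: state={r['state']} "
                            f"up/down/init={r['up']}/{r['down']}/{r['init']}")
    return problems


if __name__ == "__main__":
    parsed = parse_healthcheck(SAMPLE_OUTPUT)
    print("row count matches device total:", total_matches(SAMPLE_OUTPUT, parsed))
    for problem in failed_links(parsed):
        print("ALERT", problem)
```

Feeding the real output captured from FW1 instead of SAMPLE_OUTPUT turns this into a simple poll-and-alert check for the two uplinks.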

② View the routing table; the UNR routes generated from the address libraries are present.


③ Ping the ISP1 and ISP2 addresses respectively and view the session table: traffic matching the isp1 address library leaves via GE1/0/1 with next hop 202.100.1.20, and traffic matching the isp2 address library leaves via GE1/0/0 with next hop 202.100.2.20.


④ On the new version, the health check probe packets no longer need to be permitted by a security policy; in the session table their entry shows policyname:—.


⑤ Simulate a failure of the link to ISP1 by shutting down the GE1/0/1 interface on FW1.


⑥ Traffic now switches over to ISP2.