A simple ZBF (Zone-Based Firewall) lab
The lab topology is as follows (the topology figure is not reproduced here; R1 sits in the middle with a serial link to each of R2, R3 and R4, using the addressing in the interface configuration below):
Requirements:
Router R1 is the firewall. R2 belongs to security zone A, R3 to zone B and R4 to zone C. Devices in zone A can access devices in zones B and C, and devices in zone B can access devices in zone C. All access is one-way only: devices in zone B cannot access zone A, and devices in zone C cannot access zone A or zone B.
Telnet and ping are used as the access methods in this lab.
The lab configuration is as follows:
(1) Initial configuration of each router (the vty password cisco with plain login is a lab-only setting; it is what the telnet tests below authenticate against):
Router R1:
interface Serial1/0
ip address 10.1.13.1 255.255.255.0
no shutdown
interface Serial1/1
ip address 10.1.12.1 255.255.255.0
no shutdown
interface Serial1/2
ip address 10.1.14.1 255.255.255.0
no shutdown
line vty 0 4
password cisco
login
Router R2:
interface Serial1/1
ip address 10.1.12.2 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 Serial1/1
line vty 0 4
password cisco
login
Router R3:
interface Serial1/0
ip address 10.1.13.3 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 Serial1/0
line vty 0 4
password cisco
login
Router R4:
interface Serial1/2
ip address 10.1.14.4 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 Serial1/2
line vty 0 4
password cisco
login
Next, test ping and telnet connectivity between the routers before the firewall is applied:
On router R2:
R2#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/60/140 ms
R2#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/72/168 ms
R2#telnet 10.1.13.3
Trying 10.1.13.3 ... Open
User Access Verification
Password:
R3>exit
[Connection to 10.1.13.3 closed by foreign host]
R2#telnet 10.1.14.4
Trying 10.1.14.4 ... Open
User Access Verification
Password:
R4>exit
[Connection to 10.1.14.4 closed by foreign host]
R2#
The tests on the other routers give the same result before the firewall is applied (everything reaches everything), so they are not repeated here.
(2) Firewall configuration (on R1):
// Create the three security zones A, B and C
zone security A
zone security B
zone security C
// Assign each interface to its security zone
interface Serial1/0
zone-member security B
interface Serial1/1
zone-member security A
interface Serial1/2
zone-member security C
// Use an ACL to match the interesting traffic (here all IP traffic; because the class-map names no protocol, IOS falls back to generic inspection of every protocol it sees)
access-list 100 permit ip any any
// Reference the ACL from a class-map
class-map type inspect match-all XtoY
match access-group 100
// Reference the class-map from a policy-map
policy-map type inspect firewall
class type inspect XtoY
inspect //stateful: replies to sessions opened from the source zone are let back in automatically
class class-default //present by default (drops unmatched traffic), does not need to be typed
// Finally, bind the policy-map to each zone-pair. Zone-pairs are unidirectional: no pair is created for B->A, C->A or C->B, so new connections in those directions hit the default inter-zone drop
zone-pair security AtoB source A destination B
service-policy type inspect firewall
zone-pair security AtoC source A destination C
service-policy type inspect firewall
zone-pair security BtoC source B destination C
service-policy type inspect firewall
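As an added example that is not part of the original lab, the same R1 policy written with protocol-specific matches instead of a permit-ip-any-any ACL, with the default class explicitly set to drop and log, followed by the show commands used to verify the zones, the zone-pairs and the sessions that inspect creates. The zones, interfaces and zone-pair names are those of the lab; the class-map name ZBF-ALLOWED and the policy-map name firewall-v2 are chosen for this example.

```cisco
! Added example: narrower version of the R1 policy plus verification commands.
! Same zones, interfaces and zone-pairs as the lab; only the class and policy change.
! ZBF-ALLOWED and firewall-v2 are names chosen for this example.

! Match only the two protocols the lab actually uses instead of any IP traffic.
! match-any: a packet that matches either protocol line belongs to the class.
class-map type inspect match-any ZBF-ALLOWED
 match protocol icmp
 match protocol telnet

policy-map type inspect firewall-v2
 class type inspect ZBF-ALLOWED
  inspect
 ! class-default exists implicitly and already drops; "drop log" additionally
 ! logs the drops, which is what you want when a test reports "timed out".
 class class-default
  drop log

! Re-bind the existing unidirectional zone-pairs to the new policy.
zone-pair security AtoB source A destination B
 service-policy type inspect firewall-v2
zone-pair security AtoC source A destination C
 service-policy type inspect firewall-v2
zone-pair security BtoC source B destination C
 service-policy type inspect firewall-v2

! Verification, run on R1 after generating traffic from R2 and R3:
! zone membership of each interface
show zone security
! which pairs exist and which policy each carries; there is no B->A, C->A or
! C->B pair, so those directions fall to the default inter-zone drop
show zone-pair security
! sessions created by "inspect"; a telnet from R2 to R3 appears here as a
! session from 10.1.12.2 to 10.1.13.3 port 23 for as long as it is open
show policy-map type inspect zone-pair sessions
! per-class packet counters, including the class-default drops
show policy-map type inspect zone-pair
```

Two points worth checking while verifying. First, the original lab's class matches permit ip any any, which makes IOS inspect every protocol generically; naming the protocols keeps the inspected surface to what is actually needed and makes the class-default counters meaningful. Second, traffic to and from R1 itself belongs to the implicit self zone, which these zone-pairs do not cover and which is permitted by default, so all four routers can still telnet to R1's own addresses; restricting that requires separate zone-pairs that use self as source or destination.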
Test results:
On router R2:
R2#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/62/148 ms R2#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/75/152 ms R2#telnet 10.1.13.3
Trying 10.1.13.3 ... Open
User Access Verification
Password:
R3>exit
[Connection to 10.1.13.3 closed by foreign host]
R2#telnet 10.1.14.4
Trying 10.1.14.4 ... Open
User Access Verification
Password:
R4>exit
[Connection to 10.1.14.4 closed by foreign host]
R2#
// As the output shows, everything from zone A still works: zone A has a zone-pair to both B and C, and inspect lets the replies back in
On router R3:
R3#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
..... //blocked by the firewall: there is no zone-pair from B to A, so R3 cannot ping R2
Success rate is 0 percent (0/5)
R3#ping 10.1.14.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.14.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/71/148 ms
R3#telnet 10.1.12.2
Trying 10.1.12.2 ... //blocked by the firewall: R3 cannot telnet to R2, but can still access R4 normally
% Connection timed out; remote host not responding
R3#telnet 10.1.14.4
Trying 10.1.14.4 ... Open
User Access Verification
Password:
R4>exit
[Connection to 10.1.14.4 closed by foreign host]
R3#
On router R4:
// R4 cannot reach R2 or R3 at all, by ping or telnet: zone C is the destination of the A->C and B->C pairs but the source of none
R4#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#telnet 10.1.12.2
Trying 10.1.12.2 ...
% Connection timed out; remote host not responding
R4#telnet 10.1.13.3
Trying 10.1.13.3 ...
% Connection timed out; remote host not responding
R4#
That concludes the basic ZBF lab.