Eudemon Basic Function and Configuration

www.huawei.com

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

This course introduces the work modes of the firewall, the security zone concept, and the basic function and configuration of ACLs and NAT.


Upon completion of this course, you will be able to:

Explain the security zone concept
Explain the work modes of the firewall
Configure and use ACLs
Configure and use NAT


Chapter 1 Work Mode
Chapter 2 Security Zone
Chapter 3 ACL
Chapter 4 NAT


Chapter 1 Work Mode


Route Mode

Figure: in route mode every Eudemon interface carries its own IP address and the firewall forwards at Layer 3 between different subnets. The internal network 10.110.1.0/24 (PCs and a server, firewall address 10.110.1.254) is in the Trust zone; the external network 202.10.0.0/24 (PCs and a server, firewall address 202.10.0.1) is in the Untrust zone.


Transparent Mode

Figure: in transparent mode the Eudemon behaves like a bridge. Its interfaces have no IP addresses and the hosts on both sides share one subnet (202.10.0.0/24 in the figure), so the firewall can be inserted into an existing network without readdressing. PCs and a server on the internal network are in the Trust zone; the external network is in the Untrust zone.


Composite Mode

Figure: composite mode combines the two modes on one device, with some interfaces in route mode and others in transparent mode. The typical use is dual-system hot backup: an active Eudemon and a standby Eudemon sit between the internal network 202.10.0.0/24 (Trust, PCs and a server) and the external network 202.10.0.0/24 (Untrust, server) in transparent mode, while VRRP runs on the route-mode interfaces to switch between the active and standby devices.


Configure Work Mode

  [Eudemon] firewall mode composite
  [Eudemon] quit
  <Eudemon> reboot

  [Eudemon] display firewall mode
   firewall mode composite

The new mode takes effect only after the reboot, so save the configuration before rebooting and confirm the mode with display firewall mode once the device is back.


Chapter 2 Security Zone

Security Zone of Firewall

Figure: each interface (Interface 1 to Interface 4 in the figure) is assigned to exactly one security zone. The Eudemon has four default zones with fixed priorities: Local (100), Trust (85), DMZ (50) and Untrust (5). A zone defined by the user receives its own priority, which must not collide with an existing zone's. The priority decides the direction of traffic between two zones.


Among Security Zones of Firewall: InterZone

Any two security zones form an interzone, and policy is applied to an interzone per direction. The direction follows from zone priority: traffic from the higher-priority zone to the lower-priority zone is outbound, traffic from the lower-priority zone to the higher-priority zone is inbound.

Figure: the Eudemon (interfaces E1/0/2, E1/0/0 and Eth1/0/1, plus the Local zone) connects the internal network (Trust), the servers (DMZ) and the external network (Untrust). Each zone pair is marked with its inbound and outbound direction: Trust to Untrust and Trust to DMZ are outbound, Untrust to Trust and Untrust to DMZ are inbound.


Configure Security Zone

  [Eudemon] firewall zone name userzone
  [Eudemon-zone-userzone] set priority 60
  [Eudemon-zone-userzone] add interface Ethernet 0/0/1

  [Eudemon] display zone userzone
   userzone priority is 60
   interface of the zone is (1):
       Ethernet0/0/1


Configure InterZone policy

  [Eudemon] acl 3000
  [Eudemon-acl-adv-3000] rule permit ip
  [Eudemon-acl-adv-3000] quit
  [Eudemon] firewall interzone trust untrust
  [Eudemon-interzone-trust-untrust] packet-filter 3000 inbound

Figure: PCs on the internal network in the Trust zone, PCs and a server on the external network in the Untrust zone.

Note that ACL 3000 here is permit-all. Applied inbound on the trust-untrust interzone it lets any traffic from Untrust reach Trust, which is the opposite of what a perimeter firewall normally allows; it only demonstrates the commands. A production inbound filter permits only the specific flows that are required.
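The zone, priority and interzone rules from the preceding slides, as an added Python model (example code written for this page, not Eudemon software): zones with priorities, interface membership, and the derivation of the inbound/outbound direction from the priorities of the ingress and egress zones. Only userzone with priority 60 and Ethernet0/0/1 comes from the slide; the interface memberships of the default zones and the 1 to 100 priority range are assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Default Eudemon zones and their fixed priorities, as listed on the slide.
DEFAULT_ZONES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


@dataclass
class Zone:
    name: str
    priority: int
    interfaces: Set[str] = field(default_factory=set)


class ZoneTable:
    """Models 'firewall zone name', 'set priority' and 'add interface'."""

    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {n: Zone(n, p) for n, p in DEFAULT_ZONES.items()}

    def priority_is_free(self, priority: int) -> bool:
        # Priorities must be unique, otherwise a zone pair has no high/low side
        # and therefore no direction; 1..100 is the assumed valid range.
        if not 1 <= priority <= 100:
            return False
        return all(z.priority != priority for z in self.zones.values())

    def add_zone(self, name: str, priority: int) -> Zone:
        if name in self.zones:
            raise ValueError(f"zone {name} already exists")
        if not self.priority_is_free(priority):
            raise ValueError(f"priority {priority} is invalid or already used")
        self.zones[name] = Zone(name, priority)
        return self.zones[name]

    def zone_of(self, ifname: str) -> Optional[str]:
        for z in self.zones.values():
            if ifname in z.interfaces:
                return z.name
        return None

    def add_interface(self, zone: str, ifname: str) -> None:
        # An interface belongs to exactly one zone; refuse a silent move.
        owner = self.zone_of(ifname)
        if owner is not None and owner != zone:
            raise ValueError(f"{ifname} is already in zone {owner}")
        self.zones[zone].interfaces.add(ifname)

    def direction(self, src_zone: str, dst_zone: str) -> str:
        """Higher-priority -> lower-priority zone is outbound, the reverse is inbound."""
        a, b = self.zones[src_zone], self.zones[dst_zone]
        if a.name == b.name:
            return "intrazone"
        return "outbound" if a.priority > b.priority else "inbound"

    def classify(self, in_if: str, out_if: str) -> Tuple[Tuple[str, str], str]:
        """Interzone name (higher-priority zone first) and direction of a packet
        that enters on in_if and leaves on out_if."""
        src, dst = self.zone_of(in_if), self.zone_of(out_if)
        if src is None or dst is None:
            raise ValueError("interface is not a member of any zone")
        pair = sorted((src, dst), key=lambda n: -self.zones[n].priority)
        return (pair[0], pair[1]), self.direction(src, dst)


def slide_example() -> ZoneTable:
    t = ZoneTable()
    # From the slide: firewall zone name userzone / set priority 60 / add interface Ethernet 0/0/1
    t.add_zone("userzone", 60)
    t.add_interface("userzone", "Ethernet0/0/1")
    # Assumed memberships for the default zones (not given on the slide).
    t.add_interface("trust", "Ethernet1/0/0")
    t.add_interface("untrust", "Ethernet1/0/1")
    t.add_interface("dmz", "Ethernet1/0/2")
    return t


if __name__ == "__main__":
    t = slide_example()
    for in_if, out_if in [("Ethernet1/0/0", "Ethernet1/0/1"),
                          ("Ethernet1/0/1", "Ethernet1/0/2"),
                          ("Ethernet0/0/1", "Ethernet1/0/2")]:
        print(in_if, "->", out_if, t.classify(in_if, out_if))
```

The point of classify is that a packet filter is attached to an interzone and a direction, so the first thing the firewall must know for any packet is which two zones it crosses and which way it travels; userzone (60) sits between Trust (85) and DMZ (50), so userzone to DMZ is outbound while userzone to Trust is inbound.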


Chapter 3 ACL

ACL Application

An ACL (access control list) is an ordered set of permit and deny rules that classify packets. The Eudemon uses ACLs in several places:

Packet filtering: decide whether to forward or discard a packet according to the ACL rules
NAT: decide which packets NAT is applied to
IPSec: decide which packets are protected
QoS: classify traffic flows
Routing policy: filter routes


ACL Classification

Basic ACL, range 2000 to 2999: defines a flow by source address only
Advanced ACL, range 3000 to 3999: defines a flow by a combination of source address, destination address, source port number, destination port number, upper-layer protocol number and so on
Firewall ACL, range 5000 to 5499: defines a flow by source address, destination address and destination port number


ACL Syntax

Basic ACL:
  acl [ number ] acl-number
  rule [ rule-id ] { permit | deny } [ source { sour-address sour-wildcard | any } ] [ time-range time-name ]

Advanced ACL:
  acl [ number ] acl-number
  rule [ rule-id ] { permit | deny } protocol [ source { sour-address sour-wildcard | any } ] [ destination { dest-address dest-wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-type icmp-code | icmp-message } ] [ precedence precedence ] [ tos tos ] [ time-range time-name ]

The wildcard is the inverse of a mask: a 0 bit must match and a 1 bit is ignored, so "129.38.1.4 0" is a single host and "192.168.0.0 0.0.0.255" is a /24.

Matching order: an ACL is selected by its acl-number; within the ACL the rules are tried in ascending rule-id order and the first matching rule decides. If no rule matches, the default action of the interzone packet filter applies.


ACL Application Example

Figure: behind the Eudemon's internal interface E0/0/0 (129.38.1.5) sit an FTP server 129.38.1.1, a Telnet server 129.38.1.2, a WWW server 129.38.1.3 and a special PC 129.38.1.4; the WAN interface E1/0/0 (202.38.160.1) connects to a special PC on the external network, 202.39.2.3. Requirement: only the special internal PC and the three servers may send traffic to the outside, and only the special external PC may reach the three servers from the WAN, over TCP.


ACL Application Example: Configuration

  [Eudemon] acl number 3101
  [Eudemon-acl-adv-3101] rule permit ip source 129.38.1.4 0
  [Eudemon-acl-adv-3101] rule permit ip source 129.38.1.1 0
  [Eudemon-acl-adv-3101] rule permit ip source 129.38.1.2 0
  [Eudemon-acl-adv-3101] rule permit ip source 129.38.1.3 0
  [Eudemon-acl-adv-3101] rule deny ip
  [Eudemon-acl-adv-3101] quit
  [Eudemon] acl number 3102
  [Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0
  [Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.2 0
  [Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.3 0
  [Eudemon-acl-adv-3102] quit
  [Eudemon] firewall interzone trust untrust
  [Eudemon-interzone-trust-untrust] packet-filter 3101 outbound
  [Eudemon-interzone-trust-untrust] packet-filter 3102 inbound

ACL 3101 ends with an explicit deny, so every other internal host is blocked outbound. ACL 3102 has no explicit deny and permits every TCP port on the three servers; whatever it does not permit falls to the packet filter's default action, and adding destination-port eq 21, 23 and 80 to the three rules would limit the external PC to the service each server actually offers. Both ACLs identify hosts by IP address only, so they protect against nothing that arrives with a spoofed source.
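The ACL matching described on the classification and syntax slides, run over the 3101/3102 example above, as an added Python model (example code written for this page, not Eudemon software). It implements wildcard matching, ascending rule-id order with first match wins, and the interzone packet filter with a default action for unmatched packets. Assumptions: the default action when no rule matches is deny (the device's own default packet-filter setting decides this), rule-ids are allocated as the next free integer rather than by the device's configurable step, and the tightened variant with destination-port is the editor's suggestion, not the slide's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword


def _ip(s: str) -> int:
    # VRP accepts a bare '0' as the wildcard for a single host.
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                         # "permit" | "deny"
    proto: str = "ip"                   # 'ip' matches every protocol
    src: Tuple[str, str] = ANY
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None         # 'destination-port eq N'

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, *self.src) or not wildcard_match(p.dst, *self.dst):
            return False
        return self.dport is None or self.dport == p.dport


class Acl:
    def __init__(self, number: int) -> None:
        self.number = number
        self.rules: List[Rule] = []

    def rule(self, action: str, proto: str = "ip", src=ANY, dst=ANY,
             dport: Optional[int] = None, rule_id: Optional[int] = None) -> None:
        # Assumed: without an explicit rule-id the next free integer is used.
        if rule_id is None:
            rule_id = max((r.rule_id for r in self.rules), default=-1) + 1
        self.rules.append(Rule(rule_id, action, proto, src, dst, dport))

    def evaluate(self, p: Packet) -> Optional[str]:
        """Rules are tried in ascending rule-id order; the first match decides."""
        for r in sorted(self.rules, key=lambda r: r.rule_id):
            if r.matches(p):
                return r.action
        return None


class Interzone:
    """'firewall interzone A B' with 'packet-filter <acl> inbound|outbound'."""

    def __init__(self, default_action: str = "deny") -> None:
        # Assumed: an unmatched packet gets the interzone's default action, deny.
        self.default_action = default_action
        self.filters: Dict[str, Acl] = {}

    def packet_filter(self, acl: Acl, direction: str) -> None:
        self.filters[direction] = acl

    def decide(self, p: Packet, direction: str) -> str:
        acl = self.filters.get(direction)
        verdict = acl.evaluate(p) if acl else None
        return verdict if verdict is not None else self.default_action


SERVERS = {"129.38.1.1": 21, "129.38.1.2": 23, "129.38.1.3": 80}   # ftp, telnet, www


def slide_example(tighten: bool = False) -> Interzone:
    """ACL 3101/3102 as on the slide; tighten=True adds destination-port eq."""
    acl3101 = Acl(3101)
    for host in ("129.38.1.4", *SERVERS):
        acl3101.rule("permit", src=(host, "0"))
    acl3101.rule("deny")
    acl3102 = Acl(3102)
    for server, port in SERVERS.items():
        acl3102.rule("permit", "tcp", src=("202.39.2.3", "0"), dst=(server, "0"),
                     dport=port if tighten else None)
    iz = Interzone()
    iz.packet_filter(acl3101, "outbound")
    iz.packet_filter(acl3102, "inbound")
    return iz
```

Running slide_example() shows the two behaviours worth noticing: UDP from 202.39.2.3 to a server is denied only because of the assumed default action, not because of any rule in 3102, and without tighten the external PC may open TCP port 22 on the FTP server just as freely as port 21.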


Chapter 4 NAT

NAT (Network Address Translation)

NAT translates the IP address in the header of an IP packet into another IP address. It addresses the following problems:

IP address shortage: public IP addresses are saved, because many private hosts share a few public addresses
Security: the addressing of the private network is hidden from the outside
Merging enterprise networks: networks are easier to combine

Hiding addresses is not access control: the interzone packet filter still decides what may pass.


Private Address and Public Address

Private address ranges:
  10.0.0.0 to 10.255.255.255
  172.16.0.0 to 172.31.255.255
  192.168.0.0 to 192.168.255.255

Figure: LAN1, LAN2 and LAN3 each reuse private addresses such as 192.168.0.1 and 192.168.0.2. Private addresses are not routed on the Internet, so each LAN reaches the Internet through NAT to a public address.


Eudemon NAT

Figure: PC A 192.168.1.3 and PC B 192.168.1.2 are in the Trust zone behind the Eudemon's inside address 192.168.1.1; the outside address 202.169.10.1 faces the Untrust zone (Internet), where Server B 202.120.10.2 and PC C 202.130.10.3 are located.

  Packet 1, before NAT:          source 192.168.1.3, destination 202.120.10.2
  Packet 1, after NAT:           source 202.169.10.1, destination 202.120.10.2
  Packet 2 (reply), before NAT:  source 202.120.10.2, destination 202.169.10.1
  Packet 2 (reply), after NAT:   source 202.120.10.2, destination 192.168.1.3

The firewall records the translation when packet 1 leaves, so the reply in packet 2 can be mapped back to PC A.


Eudemon NAPT

NAPT (network address and port translation) lets many private hosts share one public address by translating the source port as well as the source address. Same topology as the previous slide: PC A 192.168.1.3 and PC B 192.168.1.2 in the Trust zone, inside address 192.168.1.1, outside address 202.169.10.1, Server B 202.120.10.2 and PC C 202.130.10.3 in the Untrust zone.

  Packet 1: source 192.168.1.3 port 1357   ->  source 202.169.10.1 port 1357
  Packet 2: source 192.168.1.3 port 2468   ->  source 202.169.10.1 port 2468
  Packet 3: source 192.168.1.1 port 11111  ->  source 202.169.10.1 port 11111
  Packet 4: source 192.168.1.2 port 11111  ->  source 202.169.10.1 port 22222

Packets 3 and 4 come from different hosts with the same source port. The source port is kept while it is free (packets 1 to 3) and replaced when it would collide (packet 4), so that the replies can still be told apart.


Eudemon Internal Server NAT

Figure: the Untrust interface E0/0/1 202.168.0.1/26 faces the Internet; the DMZ interface E1/0/0 192.168.1.1/24 connects a mail server 192.168.1.100/24, a web server 192.168.1.101/24 and an FTP server 192.168.1.102/24. The public address 202.168.0.11 is mapped to the web server 192.168.1.101 (the figure also marks the ALG function on the firewall):

  Packet 1, before NAT:          source 202.168.0.2, destination 202.168.0.11
  Packet 1, after NAT:           source 202.168.0.2, destination 192.168.1.101
  Packet 2 (reply), before NAT:  source 192.168.1.101, destination 202.168.0.2
  Packet 2 (reply), after NAT:   source 202.168.0.11, destination 202.168.0.2

Unlike outbound NAT, this mapping is static, so an external host can open the connection.


Eudemon NAT Implementation

Figure: private address -> ACL -> public address. NAT on the Eudemon is driven by an ACL: the ACL selects which packets (by private source address) are translated, and an address group supplies the public addresses they are translated to.


Internal Server NAT Network

Figure: the Eudemon has three zones. Untrust: E0/0/1 202.168.0.1/24 to the Internet. Trust: E0/0/0 192.168.0.1/24, internal network 192.168.0.0/24. DMZ: E1/0/0 192.168.1.1/24 with the mail server 192.168.1.100/24, web server 192.168.1.101/24 and FTP server 192.168.1.102/24. Published mappings:

  202.168.0.10       ->  192.168.1.100           (mail server, all protocols)
  202.168.0.11:80    ->  192.168.1.101:8080      (web server)
  202.168.0.12:1021  ->  192.168.1.102:ftp (21)  (FTP server)


Egress Network NAT Typical Configuration

  [Eudemon] acl 2000
  [Eudemon-acl-basic-2000] rule permit
  [Eudemon-acl-basic-2000] quit
  [Eudemon] nat address-group 1 202.168.0.10 202.168.0.20
  [Eudemon] acl 3000
  [Eudemon-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255
  [Eudemon-acl-adv-3000] quit
  [Eudemon] firewall interzone trust untrust
  [Eudemon-interzone-trust-untrust] packet-filter 2000 outbound
  [Eudemon-interzone-trust-untrust] nat outbound 3000 address-group 1

nat address-group configures the address pool. nat outbound enables NAT in the outbound direction of the interzone and binds the address pool to the ACL that selects the packets to translate (here the internal network 192.168.0.0/24). The two ACLs play different roles: 2000 in the packet filter decides what may leave, 3000 in nat outbound decides what is translated. ACL 2000 is permit-all, so nothing from Trust is blocked on the way out.
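The NAPT behaviour of the two NAT slides, combined with the address-group and nat outbound binding just configured, as an added Python model (example code written for this page, not Eudemon software). It keeps a session table, takes public addresses from the address group, resolves source-port collisions and maps replies back, dropping inbound packets that belong to no session. The port-allocation policy (keep the source port on the first pool address where it is free, otherwise the lowest free port from 1024 on the first address) is an assumption for the demonstration and not the device's algorithm; the NAT ACL is reduced to a source-network check, and the inside network 192.168.1.0/24 of the NAPT slide is assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class AddressGroup:
    """'nat address-group 1 202.168.0.10 202.168.0.20'."""

    def __init__(self, first: str, last: str) -> None:
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if hi < lo:
            raise ValueError("address group end precedes start")
        self.addresses: List[str] = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class OutboundNapt:
    """'nat outbound <acl> address-group <n>' on one interzone, outbound direction."""

    def __init__(self, group: AddressGroup, inside_net: str) -> None:
        self.group = group
        # Stands in for the NAT ACL ('rule permit ip source 192.168.0.0 0.0.0.255').
        self.inside_net = ipaddress.IPv4Network(inside_net)
        self.sessions: Dict[Tuple, Tuple[str, int]] = {}   # inside 5-tuple -> (public ip, port)
        self.reverse: Dict[Tuple, Tuple[str, int]] = {}    # reply 5-tuple -> (inside ip, port)
        self.used: Set[Tuple[str, str, int]] = set()        # (public ip, proto, port)

    def selected(self, f: Flow) -> bool:
        return ipaddress.IPv4Address(f.src) in self.inside_net

    def _allocate(self, f: Flow) -> Tuple[str, int]:
        # Assumed policy: keep the source port on the first pool address that has
        # it free (packets 1..3 on the NAPT slide); on a collision (packet 4) use
        # the lowest free port >= 1024 on the first address.
        for ip in self.group.addresses:
            if (ip, f.proto, f.sport) not in self.used:
                self.used.add((ip, f.proto, f.sport))
                return ip, f.sport
        ip = self.group.addresses[0]
        for port in range(1024, 65536):
            if (ip, f.proto, port) not in self.used:
                self.used.add((ip, f.proto, port))
                return ip, port
        raise RuntimeError("NAPT port space exhausted")

    def translate_out(self, f: Flow) -> Flow:
        """Trust -> Untrust: rewrite source address and port, remember the session."""
        if not self.selected(f):
            return f                      # not matched by the NAT ACL: forwarded as is
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        if key not in self.sessions:
            pub_ip, pub_port = self._allocate(f)
            self.sessions[key] = (pub_ip, pub_port)
            self.reverse[(f.dst, f.dport, pub_ip, pub_port, f.proto)] = (f.src, f.sport)
        pub_ip, pub_port = self.sessions[key]
        return Flow(pub_ip, pub_port, f.dst, f.dport, f.proto)

    def translate_in(self, f: Flow) -> Optional[Flow]:
        """Untrust -> Trust: only a reply to a recorded session is mapped back;
        anything else has no inside owner and is dropped (None)."""
        owner = self.reverse.get((f.src, f.sport, f.dst, f.dport, f.proto))
        if owner is None:
            return None
        return Flow(f.src, f.sport, owner[0], owner[1], f.proto)


def napt_slide_example() -> OutboundNapt:
    # Single public address 202.169.10.1 as on the NAPT slide; inside network assumed.
    return OutboundNapt(AddressGroup("202.169.10.1", "202.169.10.1"), "192.168.1.0/24")
```

The session table is what makes NAPT a one-way door: a host on the Internet can only reach an inside host through a mapping that the inside host created first, which is why the mail, web and FTP servers on the next slides need explicit nat server entries instead.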



NAT Server Typical Configuration

  [Eudemon] nat server global 202.168.0.10 inside 192.168.1.100
  [Eudemon] nat server protocol tcp global 202.168.0.11 80 inside 192.168.1.101 8080
  [Eudemon] nat server protocol tcp global 202.168.0.12 1021 inside 192.168.1.102 ftp
  [Eudemon] acl 3000
  [Eudemon-acl-adv-3000] rule permit ip destination 192.168.1.0 0.0.0.255
  [Eudemon-acl-adv-3000] quit
  [Eudemon] firewall interzone DMZ untrust
  [Eudemon-interzone-DMZ-untrust] packet-filter 3000 inbound
  [Eudemon-interzone-DMZ-untrust] detect ftp

nat server configures the mapping between the global (public) address, or address and port, and the internal server's address and port. The inbound packet filter matches the inside addresses (192.168.1.0/24), that is, the destination after translation. detect ftp enables the FTP ALG, which is needed here because the FTP control channel carries addresses and ports that must be rewritten together with the packet header. As written, ACL 3000 admits any protocol to any DMZ host from Untrust; restricting it to the three published services is the safer choice.
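The static mapping performed by the three nat server lines, for both the inbound request and the server's reply, as an added Python model (example code written for this page, not Eudemon software). It also rejects a second publication that would overlap an existing one on the same global address, protocol and port, a check worth doing before pasting nat server lines into a running device. The FTP ALG that detect ftp enables is outside this model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class ServerMap:
    """One 'nat server' line. proto None = all protocols; ports None = unchanged."""
    global_addr: str
    inside_addr: str
    proto: Optional[str] = None
    global_port: Optional[int] = None
    inside_port: Optional[int] = None


def overlaps(a: ServerMap, b: ServerMap) -> bool:
    """Two publications collide when the same global address, protocol and
    port could match one packet (None acts as a wildcard)."""
    if a.global_addr != b.global_addr:
        return False
    if a.proto is not None and b.proto is not None and a.proto != b.proto:
        return False
    if (a.global_port is not None and b.global_port is not None
            and a.global_port != b.global_port):
        return False
    return True


class NatServer:
    def __init__(self) -> None:
        self.maps: List[ServerMap] = []

    def add(self, m: ServerMap) -> None:
        for existing in self.maps:
            if overlaps(existing, m):
                raise ValueError(f"{m} overlaps {existing}")
        self.maps.append(m)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Untrust -> DMZ: replace the global destination with the inside server.
        Returns None when nothing is published for that destination."""
        for m in self.maps:
            if m.global_addr != p.dst:
                continue
            if m.proto is not None and m.proto != p.proto:
                continue
            if m.global_port is not None and m.global_port != p.dport:
                continue
            dport = m.inside_port if m.inside_port is not None else p.dport
            return Pkt(p.src, p.sport, m.inside_addr, dport, p.proto)
        return None

    def outbound(self, p: Pkt) -> Pkt:
        """DMZ -> Untrust reply: put the global address and port back in the source."""
        for m in self.maps:
            if m.inside_addr != p.src:
                continue
            if m.proto is not None and m.proto != p.proto:
                continue
            if m.inside_port is not None and m.inside_port != p.sport:
                continue
            sport = m.global_port if m.global_port is not None else p.sport
            return Pkt(m.global_addr, sport, p.dst, p.dport, p.proto)
        return p


def slide_nat_servers() -> NatServer:
    """The three 'nat server' commands from the slide."""
    ns = NatServer()
    ns.add(ServerMap("202.168.0.10", "192.168.1.100"))                       # all protocols
    ns.add(ServerMap("202.168.0.11", "192.168.1.101", "tcp", 80, 8080))      # web
    ns.add(ServerMap("202.168.0.12", "192.168.1.102", "tcp", 1021, 21))      # ftp
    return ns
```

Two consequences of the mapping show up directly: a request to 202.168.0.11 on any port other than TCP 80 has no inside owner and is not translated, whereas 202.168.0.10 is published for every protocol and port, so the mail server is exposed exactly as widely as the inbound packet filter lets it be.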


NAT Configuration Verification

  [Eudemon] display nat all
   NAT address-group information:
     1: from 202.168.0.10 to 202.168.0.20, reference 1 times
     Total 1 address-groups
     If address pool is imported, it can not be deleted directly.

   NAT outbound information:
     interzone-trust-untrust: acl(2000) --- NAT address-group(1)
     Total 1 nat outbounds

   Server in private network information:
     zone   GlobalAddr      GlobalPort   InsideAddr       InsidePort   Pro      VPN
     ---------------------------------------------------------------------------------
            202.168.0.10    ---          192.168.1.100    ---          ---      public
            202.168.0.11    8080         192.168.1.101    8080         6(tcp)   public
            202.168.0.12    1021         192.168.1.102    21(ftp)      6(tcp)   public
     Total 3 NAT servers

Check three things: the address group is referenced (reference 1 times), the outbound entry binds the ACL and address group you configured, and each published server appears with the intended global and inside ports. Note that this sample output does not match the preceding configuration exactly: it shows acl(2000) bound to the address group rather than 3000, and global port 8080 for the web server rather than 80. Compare the output against your own configuration, not against this slide.


Summary

Which work modes does the Eudemon support?
What are the default security zones of the Eudemon?
What is the difference between a basic ACL and an advanced ACL?
Which kinds of NAT does the Eudemon support?


Thank you