
Huawei SecPath firewall: typical ASPF configuration

1. Network requirements

Configure an ASPF policy on the firewall to inspect the FTP traffic that passes through it. Goal: the return packets of FTP connections initiated by users on the internal network are allowed back through the firewall into the internal network; all other packets are denied.

2. Network diagram

[Network diagram: Huawei SecPath firewall, typical ASPF configuration. Per the configuration and verification below: internal host 10.0.0.1 behind Ethernet1/0 (10.0.0.254/16), FTP server 11.0.0.1 behind Ethernet2/0 (11.0.0.254/24).]

3. Configuration steps

[DOWN] dis cur
#
  sysname DOWN
#
  firewall packet-filter enable
  firewall packet-filter default permit
#
  undo connection-limit enable
  connection-limit default deny
  connection-limit default amount upper-limit 50 lower-limit 20
#
  firewall statistic system enable
#
radius scheme system
#
domain system
#
local-user admin
  password cipher .]@USE=B,53Q=^Q`MAF4<1!!
  service-type telnet terminal
  level 3
  service-type ftp
#
// Create ASPF policy 1. It inspects the application-layer FTP protocol and sets the FTP idle timeout (no traffic in either direction) to 3000 seconds. TCP and UDP are also tracked at the transport layer; ICMP is not inspected.
aspf-policy 1
  detect ftp aging-time 3000
  detect udp
  detect tcp
#
// Configure ACL 3000 to deny all TCP, UDP and any other IP traffic into the internal network. ASPF creates temporary ACL entries for the return traffic of the sessions it permits.
acl number 3000
  rule 0 deny tcp
  rule 1 deny udp
  rule 2 deny ip
#
interface Ethernet1/0
  ip address 10.0.0.254 255.255.0.0
  // Apply ACL 3000 outbound, i.e. to packets leaving this interface toward the internal hosts
  firewall packet-filter 3000 outbound
  // Apply ASPF policy 1 inbound, i.e. inspect the sessions that internal hosts initiate through this interface; their return traffic is matched by the temporary entries ASPF creates in the outbound ACL
  firewall aspf 1 inbound
#
interface Ethernet2/0
  speed 10
  duplex full
  ip address 11.0.0.254 255.255.255.0
#
interface NULL0
#
firewall zone local
  set priority 100
#
firewall zone trust
  add interface Ethernet2/0
  set priority 85
#
firewall zone untrust
  add interface Ethernet1/0
  set priority 5
#
firewall zone DMZ
  set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
  FTP server enable
#
user-interface con 0
user-interface vty 0 4
  authentication-mode scheme
#
return

4. Key configuration points

1. Configure the access control list (ACL 3000, denying all traffic toward the internal network);

2. Create the ASPF policy (policy 1, with detect ftp);

3. Apply both on the interface, in opposite directions: the ACL outbound and the ASPF policy inbound, so that ASPF inspects the sessions the internal hosts initiate and opens temporary entries in the ACL for their return traffic.
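The mechanism behind these three points, and the "temporary ACL entries" mentioned in the ACL comment of the configuration, can be seen in the following model. It is an added example written for this page, not SecPath or Comware code: a small Python class that replays the page's scenario with constructed packets. It assumes a single internal-facing interface, a session table keyed by 5-tuple, a one-shot pinhole for the FTP data connection and a simplified idle timer; the names AspfFirewall, Packet and demo are this example's own. Running demo() with detect_ftp=True versus False shows the part of the configuration that generic TCP tracking cannot provide: in active-mode FTP the server opens a new connection toward the internal host on the port announced in the client's PORT command, and only application-layer inspection of the control channel can create the matching temporary entry before that connection arrives.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model (not SecPath/Comware code) of ASPF inspection on the
# internal-facing interface: 'firewall aspf 1 inbound' watches sessions the
# internal hosts start, 'firewall packet-filter 3000 outbound' denies everything
# heading back to them unless a temporary entry created by ASPF matches.


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""  # inspected only for FTP control traffic (port 21)


# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" announces the client's data socket.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.M)


class AspfFirewall:
    def __init__(self, internal_net="10.0.0.0/16", aging_time=3000, detect_ftp=True):
        self.internal = ip_network(internal_net)
        self.aging_time = aging_time  # idle timeout, like 'detect ftp aging-time 3000'
        self.detect_ftp = detect_ftp  # False models a policy with only 'detect tcp'
        self.sessions = {}            # 5-tuple (initiator first) -> last-seen time
        self.pinholes = {}            # (proto, src_ip, dst_ip, dst_port) -> expiry

    def _expire(self, now):
        self.sessions = {k: t for k, t in self.sessions.items() if now - t < self.aging_time}
        self.pinholes = {k: t for k, t in self.pinholes.items() if t > now}

    def handle(self, pkt, now=0):
        """Return 'permit' or 'deny' for one packet seen at time `now` (seconds)."""
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if ip_address(pkt.src) in self.internal:
            # Entering from the internal side: packet-filter default permit applies;
            # ASPF records TCP/UDP sessions (ICMP is not inspected by this policy).
            if pkt.proto in ("tcp", "udp"):
                self.sessions[key] = now
                if self.detect_ftp and pkt.proto == "tcp" and pkt.dport == 21:
                    self._inspect_ftp(pkt, now)
            return "permit"

        # Leaving toward the internal side: ACL 3000 (deny tcp/udp/ip) applies
        # unless ASPF holds a matching temporary entry.
        if reverse in self.sessions:
            self.sessions[reverse] = now  # return traffic refreshes the idle timer
            return "permit"
        hole = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if hole in self.pinholes:
            del self.pinholes[hole]       # one-shot: the new flow becomes a session
            self.sessions[key] = now
            return "permit"
        return "deny"

    def _inspect_ftp(self, pkt, now):
        """Open a temporary entry for the server-initiated active-mode data
        connection announced by PORT; generic TCP tracking cannot predict it."""
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        g = m.groups()
        data_ip = ".".join(x.decode() for x in g[:4])
        data_port = int(g[4]) * 256 + int(g[5])
        # Only honour a PORT that points back at the announcing client, so the
        # control channel cannot be used to punch holes toward third hosts.
        if data_ip == pkt.src:
            self.pinholes[("tcp", pkt.dst, data_ip, data_port)] = now + self.aging_time


def demo(detect_ftp=True):
    """Replay the page's verification scenario with constructed packets."""
    fw = AspfFirewall(detect_ftp=detect_ftp)
    client, server = "10.0.0.1", "11.0.0.1"
    r = {}
    fw.handle(Packet("icmp", client, 0, server, 0))              # echo request out
    r["ping_reply"] = fw.handle(Packet("icmp", server, 0, client, 0))
    fw.handle(Packet("tcp", client, 1065, server, 21))           # FTP control SYN
    r["ctrl_reply"] = fw.handle(Packet("tcp", server, 21, client, 1065))
    fw.handle(Packet("tcp", client, 1065, server, 21, b"PORT 10,0,0,1,4,23\r\n"))
    r["active_data"] = fw.handle(Packet("tcp", server, 20, client, 4 * 256 + 23))
    r["unsolicited"] = fw.handle(Packet("tcp", server, 4444, client, 445))
    r["aged_reply"] = fw.handle(Packet("tcp", server, 21, client, 1065), now=3001)
    return r


if __name__ == "__main__":
    print(demo(), demo(detect_ftp=False))  # active_data: 'permit' vs 'deny'
```

Passive-mode FTP (the client connecting to the port in the server's 227 reply) is covered by detect tcp alone, because that data connection is also initiated from the internal side; the PORT case is the one that needs detect ftp. The check that the PORT address equals the announcing client is a safeguard added in this model, not something the page's configuration states.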

5. Verification results

On the internal host 10.0.0.1, ping the FTP server: the ping fails. On 10.0.0.1, run ftp 11.0.0.1: the FTP session works normally. The ping fails because ICMP is not one of the protocols the ASPF policy inspects (only ftp, tcp and udp are), so the echo reply is dropped by rule 2 deny ip of ACL 3000. On the SecPath 10F, view the ASPF sessions with display aspf session:

[DOWN]dis aspf session
There is 1 ASPF session:
[Established Sessions]
Session    Initiator        Responder      Application   Status
------------------------------------------------------------------
2A836E4    10.0.0.1:1065    11.0.0.1:21    ftp           FTP_CONXN_UP


Article reposted from http://bbs.net527.cn (無憂網客聯盟)
