Before starting the lab, we need a complete plan for the required devices, how the topology is built, and the IP addressing, so that we know exactly what we are doing in the configuration that follows.
The devices used in the lab are shown in the topology below.
For how the topology is bridged, see my earlier article on bridging, which contains the bridging diagram for this topology.
IP address plan:
Local management PC --- 192.168.0.1/24, gateway 192.168.0.254/24
VPC in the DMZ --- 192.168.5.4/24, gateway 192.168.5.254/24
ISP addresses (Loopback0 172.16.2.0/24, Loopback1 172.16.3.0/24, S0/1 172.16.1.1/30)
ROUTER addresses (S1/1 172.16.1.2/30, F0/0 10.1.10.1/24)
PIX firewall interface addresses (E0 192.168.0.254/24, E1 192.168.1.254/24, E2 10.1.10.254, E3 192.168.5.254/24)
L3SW interface address: F1/0 192.168.1.1/24, gateway 192.168.1.254/24
Address assignment for PC1, PC2, PC3 and the VLANs they belong to:
PC1---192.168.11.1---F0/0---VLAN11--->L3SW F1/1
PC2---192.168.12.1---F0/0---VLAN12--->L3SW F1/2
PC3---192.168.13.1---F0/0---VLAN13--->L3SW F1/3
Lab objectives:
1. The Router can save its configuration file via TFTP to the VPC in the DMZ
2. PC1, PC2 and PC3 can access the VPC's TELNET, HTTP (80) and RDP (3389) services respectively
3. PC1, PC2 and PC3 can reach the ISP, including PING and TELNET to the ISP (JUST FOR LAB PURPOSE)
Knowledge points used in the lab:
1. Configuring default routes
2. Configuring NAT on the router
3. Configuring Layer 3 switch ports
4. Basic firewall configuration
5. Using VMware virtual machines and bridging the virtual NICs
That completes the preparation. Next, start the emulator and do the necessary configuration.
First, let's see what configuration is needed on the L3SW:
L3SW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
L3SW(config)#no ip domain-lookup
L3SW(config)#enable secret cisco
L3SW(config)#exit
L3SW#vlan
*Mar 1 00:01:52.355: %SYS-5-CONFIG_I: Configured from console by console
% Incomplete command.
L3SW#vlan database
L3SW(vlan)#vlan 11
VLAN 11 added:
Name: VLAN0011
L3SW(vlan)#vlan 12
VLAN 12 added:
Name: VLAN0012
L3SW(vlan)#vlan 13
VLAN 13 added:
Name: VLAN0013
L3SW(vlan)#exit
APPLY completed.
Exiting....
L3SW#conf t
Enter configuration commands, one per line. End with CNTL/Z.
L3SW(config)#int f1/0
L3SW(config-if)#no switchport
L3SW(config-if)#ip add 192.168.1.1 255.255.255.0
L3SW(config-if)#duplex full
L3SW(config-if)#speed 100
L3SW(config-if)#no shut
L3SW(config-if)#int f1/1
L3SW(config-if)#duplex full
L3SW(config-if)#speed 100
L3SW(config-if)#switchport acc vlan 11
L3SW(config-if)#int f1/2
L3SW(config-if)#duplex full
L3SW(config-if)#speed 100
L3SW(config-if)#switchport acc vlan 12
L3SW(config-if)#int f1/3
L3SW(config-if)#duplex full
L3SW(config-if)#speed 100
L3SW(config-if)#switchport acc vlan 13
L3SW(config-if)#exit
L3SW(config)#int vlan 11
L3SW(config-if)#ip add 192.168.11.254 255.255.255.0
L3SW(config-if)#no shut
L3SW(config-if)#int vlan 12
L3SW(config-if)#ip add 192.168.12.254 255.255.255.0
L3SW(config-if)#no shut
L3SW(config-if)#int vlan 13
L3SW(config-if)#ip add 192.168.13.254 255.255.255.0
L3SW(config-if)#no shut
L3SW(config-if)#exit
L3SW(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254
L3SW(config)#end
L3SW#wr
Building configuration...
*Mar 1 00:05:33.811: %SYS-5-CONFIG_I: Configured from console by console[OK]
L3SW#
Required configuration on PC1:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname PC1
PC1(config)#no ip domain-lookup
PC1(config)#enable secret cisco
PC1(config)#line vty 0 4
PC1(config-line)#password cisco
PC1(config-line)#login
PC1(config-line)#exit
PC1(config)#service password-encryption
PC1(config)#ip default
PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.11.254
PC1(config)#int f0/0
PC1(config-if)#duplex full
PC1(config-if)#speed 100
PC1(config-if)#ip add 192.168.11.1 255.255.255.0
PC1(config-if)#no shut
PC1(config-if)#end
PC1#wr
Building configuration...
00:05:10: %SYS-5-CONFIG_I: Configured from console by console
00:05:11: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
00:05:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up[OK]
PC1#ping 192.168.11.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/29/36 ms
PC1#wr
Building configuration...
00:07:10: %SYS-5-CONFIG_I: Configured from console by console[OK]
Configuration needed on PC2:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname PC2
PC2(config)#enable secret cisco
PC2(config)#no ip domain-lookup
PC2(config)#service password-encryption
PC2(config)#line vty 0 4
PC2(config-line)#password cisoc
PC2(config-line)#password cisco
PC2(config-line)#login
PC2(config-line)#exit
PC2(config)#int f0/0
PC2(config-if)#duplex full
PC2(config-if)#speed 100
PC2(config-if)#ip add 192.168.12.1 255.255.255.0
PC2(config-if)#no shut
PC2(config-if)#exit
PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.254
PC2(config)#end
PC2#wr
Building configuration...
00:02:48: %SYS-5-CONFIG_I: Configured from console by console[OK]
PC2#ping 192.168.12.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC2#ping 192.168.12.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/25/36 ms
PC2#ping 192.168.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/47/80 ms
PC2#wr
Building configuration...
[OK]
PC2#
Configuration needed on PC3:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname PC3
PC3(config)#enable secret cisco
PC3(config)#enable p
PC3(config)#enable password encry
PC3(config)#passwo
PC3(config)#passwor
PC3(config)#service pass
PC3(config)#service password-encryption
PC3(config)#line vty 0 4
PC3(config-line)#password cisco
PC3(config-line)#login
PC3(config-line)#exit
PC3(config)#int f0/0
PC3(config-if)#duplex full
PC3(config-if)#speed 100
PC3(config-if)#ip add 192.168.13.1 255.255.255.0
PC3(config-if)#no shut
PC3(config-if)#exit
PC3(config)#ip route 0.0.0.0 0.0.0.0 192.168.13.254
PC3(config)#end
PC3#wr
Building configuration...
00:12:02: %SYS-5-CONFIG_I: Configured from console by console[OK]
PC3#ping 192.168.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/14/28 ms
PC3#ping 192.168.12.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/28/44 ms
PC3#ping 192.168.11.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.11.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/17/28 ms
PC3#
Configuration needed on the OUTSIDE ROUTER:
R3620#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3620(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
R3620(config)#ip route 192.168.0.0 255.255.0.0 10.1.10.254
R3620(config)#int f0/0
R3620(config-if)#ip nat inside
R3620(config-if)#int s1/1
R3620(config-if)#ip add 172.16.1.2 255.255.255.252
R3620(config-if)#encapsulation ppp
R3620(config-if)#ip nat outside
R3620(config-if)#exit
R3620(config)#exit
R3620#
00:19:02: %SYS-5-CONFIG_I: Configured from console by console
R3620(config)#access-list 1 permit 192.168.0.0 0.0.255.255
R3620(config)#ip nat inside source list 1 interface s1/1 overload
R3620(config)#end
R3620#wr
Building configuration...
00:21:56: %SYS-5-CONFIG_I: Configured from console by console[OK]
Configuration needed on the emulated ISP router:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname ISP
ISP(config)#enable secret cisco
ISP(config)#no ip domain-loo
ISP(config)#no ip domain-lookup
ISP(config)#service passw
ISP(config)#service password-encryption
ISP(config)#line vty 0 4
ISP(config-line)#password cisco
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#int s1/0
ISP(config-if)#ip add 172.16.1.1 255.255.255.252
ISP(config-if)#encapsulation ppp
ISP(config-if)#no shut
ISP(config-if)#
00:14:11: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
ISP(config-if)#int loopback 0
ISP(config-if)#ip add 172.16.2.1 255.255.255.0
ISP(config-if)#int loopback 1
ISP(config-if)#ip add 172.16.3.1 255.255.255.0
ISP(config-if)#no shut
ISP(config-if)#end
ISP#wr
Building configuration...
00:15:22: %SYS-5-CONFIG_I: Configured from console by console
00:15:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up[OK]
ISP#
For the VPC in the DMZ I use a Windows 2003 Server Standard (English) virtual machine under VMware. A TFTP server (listening on port 69) is installed on it, and for the lab I enabled the Telnet service (port 23) in Services. The VPC's NIC is bridged to tap3, as shown in the figure.
For how to install and configure TFTP on Windows 2003 Server, or how to enable the Telnet service (disabled by default), refer to the relevant documentation. Because the HTTP service is needed later, IIS also has to be installed on this VPC (see the relevant documentation for the installation). The VPC NIC settings are as follows:
The last thing to do is configure the firewall so that the lab objectives are met. We use the already installed ASDM to configure the PIX.
Installing ASDM is not covered here; see my earlier article. Start ASDM, log in to the PIX, and configure the interface parameters as shown in the figure:
To refer to each device conveniently throughout, I map each device interface's IP address to its device name, as follows:
Which policies are needed on the firewall to achieve the lab objectives? As shown in the figure:
Static routes that need to be specified on the firewall:
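The default routes, the router's static route back to 192.168.0.0/16 and the overload NAT only work together if every device along the path has a route for both directions. The following added example (my own script, not part of the original lab) models the static routes from the console transcripts above and traces a packet hop by hop; the PIX routes and the device names are assumptions, since the page shows the firewall routes only as a figure.

```python
import ipaddress

# Static routing tables reconstructed from the console transcripts above.
# The PIX entries are an assumption: the page only shows them as a figure.
# Each entry is (prefix, next_hop); next_hop None means directly connected.
ROUTES = {
    "PC1":   [("192.168.11.0/24", None), ("0.0.0.0/0", "192.168.11.254")],
    "L3SW":  [("192.168.1.0/24", None), ("192.168.11.0/24", None), ("192.168.12.0/24", None),
              ("192.168.13.0/24", None), ("0.0.0.0/0", "192.168.1.254")],
    "PIX":   [("192.168.0.0/24", None), ("192.168.1.0/24", None), ("10.1.10.0/24", None),
              ("192.168.5.0/24", None), ("192.168.11.0/24", "192.168.1.1"),
              ("192.168.12.0/24", "192.168.1.1"), ("192.168.13.0/24", "192.168.1.1"),
              ("0.0.0.0/0", "10.1.10.1")],                      # assumed PIX routes
    "R3620": [("10.1.10.0/24", None), ("172.16.1.0/30", None),
              ("192.168.0.0/16", "10.1.10.254"), ("0.0.0.0/0", "172.16.1.1")],
    "ISP":   [("172.16.1.0/30", None), ("172.16.2.0/24", None), ("172.16.3.0/24", None)],
}
# Which device owns each next-hop address (taken from the IP plan above).
OWNER = {"192.168.11.254": "L3SW", "192.168.1.1": "L3SW", "192.168.1.254": "PIX",
         "10.1.10.254": "PIX", "10.1.10.1": "R3620", "172.16.1.2": "R3620", "172.16.1.1": "ISP"}

def lookup(device, dst):
    """Longest-prefix match in one device's table; returns (network, next_hop) or None."""
    best = None
    for prefix, nh in ROUTES[device]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(start, dst, max_hops=8):
    """Follow the static routes hop by hop from `start` towards `dst`.
    Returns the device path ending in DELIVERED or a DROP reason."""
    path, dev = [start], start
    for _ in range(max_hops):
        hit = lookup(dev, dst)
        if hit is None:
            return path + ["DROP: no route"]
        if hit[1] is None:                 # directly connected: this hop delivers it
            return path + ["DELIVERED"]
        dev = OWNER[hit[1]]
        path.append(dev)
    return path + ["DROP: hop limit"]

def nat_outside(src):
    """R3620's overload NAT (access-list 1 + 'ip nat inside source list 1 interface s1/1'):
    inside sources matching 192.168.0.0/16 leave with the S1/1 address, others are untouched."""
    return "172.16.1.2" if ipaddress.ip_address(src) in ipaddress.ip_network("192.168.0.0/16") else src
```

Tracing the return path from the ISP to 192.168.11.1 ends in "DROP: no route", which is exactly why the overload NAT on R3620 is required: after nat_outside() the ISP's reply is addressed to 172.16.1.2, a directly connected network, and R3620 then forwards the untranslated packet back through the PIX and the L3SW.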
At this point all the configuration is complete, and we can verify whether the lab objectives have been met.
1. On the router, use copy run tftp to upload the configuration file to the VPC
2. PC1 can telnet to the ISP, and PC1 can ping the router
3. PC1 can upload a file to the VPC
4. PC2 can open port 3389 on the VPC. Remote Desktop must be enabled; at the command prompt run telnet 192.168.5.4 3389 and check whether the connection opens successfully
5. PC3 can open port 80 on the VPC, i.e. use the HTTP service, which requires IIS to be installed on the VPC. Test it the same way with telnet 192.168.5.4 80