
86 Detailed configuration of firewall dual-system hot standby + NAT + external access to an internal server

By 精彩网络技术教育

Preface:


1. The firewall used in this experiment is a Huawei USG6000;

2. The device interface numbers and IP addressing are as shown in the figure;

3. PC1 and the Server both use private IP address space;

4. PC2 simulates a PC on the Internet.

2 Experiment requirements

1. PC1 and the Server simulate intranet devices and sit in the firewall's Trust zone;

2. PC2 simulates the Internet and sits in the firewall's Untrust zone;

3. The firewalls are deployed as a dual-system hot standby pair in active/standby mode; under normal conditions FW1 is active and FW2 is standby;

4. PC1 must be able to reach PC2 on the external network, with source NAT applied to that traffic using the address pool 200.1.1.10 to 200.1.1.20; PC2 must be able to reach the Server's FTP service using 200.1.1.29 as the destination address.

1. eNSP hands-on video:

(video embedded in the original post; not reproduced in this text version)

2. IP settings:

PC1: 192.168.1.1/24

Server1: 192.168.1.100/24

PC2: 200.1.1.30/24

FW1: 192.168.1.253/24, 200.1.1.1/24, vrrp vrid 1 virtual-ip 192.168.1.254/24 active, vrrp vrid 3 virtual-ip 200.1.1.3/24 active

FW2: 192.168.1.252/24, 200.1.1.2/24, vrrp vrid 1 virtual-ip 192.168.1.254/24 standby, vrrp vrid 3 virtual-ip 200.1.1.1/24 standby

3. Main configuration file of FW1:

#
sysname FW1
#
hrp enable                                      # enable dual-system hot standby (HRP)
hrp interface GigabitEthernet1/0/6 remote 1.1.1.2
#
interface GigabitEthernet1/0/0                  # this interface carries VRRP group 1
 undo shutdown
 ip address 192.168.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/5                  # this interface carries VRRP group 3
 undo shutdown
 ip address 200.1.1.3 255.255.255.0
 vrrp vrid 3 virtual-ip 200.1.1.1 active
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 service-manage ping permit
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/5
#
firewall zone dmz
 set priority 50
#
firewall zone name ha id 4                      # user-defined ha zone
 set priority 99
 add interface GigabitEthernet1/0/6
#
firewall detect ftp                             # enable FTP application detection on the firewall
#
nat server 0 zone untrust protocol tcp global 200.1.1.29 ftp inside 192.168.1.100 ftp   # NAT: map 200.1.1.29 ftp to internal 192.168.1.100 ftp
#
nat address-group pool1 0                       # create the address pool
 mode pat
 section 0 200.1.1.10 200.1.1.20
#
security-policy                                 # inter-zone security policy
 rule name HtoH                                 # security policy between the two hot-standby interfaces
  action permit
 rule name test1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name for_FTP
  source-zone untrust
  destination-zone trust
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
#
nat-policy                                      # NAT address translation
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group pool1
#
return

4. Main configuration file of FW2:

#
sysname FW2
#
hrp enable
hrp interface GigabitEthernet1/0/6 remote 1.1.1.1
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.252 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.254 standby
 service-manage ping permit
#
interface GigabitEthernet1/0/5
 undo shutdown
 ip address 200.1.1.2 255.255.255.0
 vrrp vrid 3 virtual-ip 200.1.1.1 standby
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 service-manage ping permit
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/5
#
firewall zone dmz
 set priority 50
#
firewall zone name ha id 4
 set priority 99
 add interface GigabitEthernet1/0/6
#
firewall detect ftp
#
nat server 0 zone untrust protocol tcp global 200.1.1.29 ftp inside 192.168.1.100 ftp
#
nat address-group pool1 0
 mode pat
 section 0 200.1.1.10 200.1.1.20
#
security-policy
 rule name HtoH
  action permit
 rule name test1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name for_FTP
  source-zone untrust
  destination-zone trust
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group pool1
#
return
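Note that the HtoH rule in both configurations above carries only action permit, with no source-zone, destination-zone or address condition; on a USG a rule with no match conditions matches all traffic, and since it is listed first it permits everything and leaves test1 and for_FTP unreachable. The following Python, added here by the editor (it is not part of the original post and not a Huawei tool), parses a security-policy block in this format and reports such rules and the rules they shadow; FW1_CONFIG is a constructed excerpt of the rules shown above.

```python
"""Lint a Huawei USG-style security-policy block for any/any permits (added example, not a Huawei tool)."""

# Constructed excerpt: the three rules as FW1/FW2 define them above.
FW1_CONFIG = """\
security-policy
 rule name HtoH
  action permit
 rule name test1
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name for_FTP
  source-zone untrust
  destination-zone trust
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
#
"""

# Match conditions a rule may carry; with none of them a rule matches all traffic.
MATCH_KEYS = ("source-zone", "destination-zone", "source-address", "destination-address", "service")

def parse_security_policy(config):
    """Return an ordered list of (rule_name, {keyword: value}) from the security-policy section."""
    rules, in_section = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "security-policy":
            in_section = True
        elif not in_section:
            continue
        elif line == "#":                       # VRP section terminator
            break
        elif line.startswith("rule name "):
            rules.append((line[len("rule name "):], {}))
        elif rules:
            key, _, value = line.partition(" ")  # e.g. "source-zone trust"
            rules[-1][1][key] = value
    return rules

def unconstrained_permits(config):
    """Permit rules with no match condition at all (an implicit any/any permit)."""
    return [name for name, body in parse_security_policy(config)
            if body.get("action") == "permit" and not any(k in body for k in MATCH_KEYS)]

def shadowed_rules(config):
    """Rules listed after the first any/any permit: USG matches top-down, first hit wins."""
    names = [name for name, _ in parse_security_policy(config)]
    blanket = unconstrained_permits(config)
    return names[names.index(blanket[0]) + 1:] if blanket else []
```

Run against FW1_CONFIG it reports HtoH as the blanket permit and test1 and for_FTP as shadowed; scoping HtoH to the zones the heartbeat actually traverses clears both findings.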

5. Verification results

1. On FW1, use the display hrp state command to check the hot standby status

HRP_M<FW1> dis hrp state verbose
2021-01-11 11:02:20.840
Role: active, peer: standby
Running priority: 45000, peer: 45000
Backup channel usage: 0.00%
Stable time: 0 days, 0 hours, 49 minutes
Last state change information: 2021-01-11 10:12:52 HRP core state changed, old_state = abnormal(standby), new_state = normal, local_priority = 45000, peer_priority = 45000.

Configuration:
 hello interval: 1000ms
 preempt: 60s
 mirror configuration: off
 mirror session: off
 track trunk member: on
 auto-sync configuration: on
 auto-sync connection-status: on
 adjust ospf-cost: on
 adjust ospfv3-cost: on
 adjust bgp-cost: on
 nat resource: off

Detail information:
 GigabitEthernet1/0/0 vrrp vrid 1: active
 GigabitEthernet1/0/5 vrrp vrid 3: active
 ospf-cost: +0
 ospfv3-cost: +0
 bgp-cost: +0

2. PC1 can ping PC2.

PC>ping 200.1.1.30
Ping 200.1.1.30: 32 data bytes, Press Ctrl_C to break
From 200.1.1.30: bytes=32 seq=1 ttl=127 time=63 ms
From 200.1.1.30: bytes=32 seq=2 ttl=127 time=78 ms
From 200.1.1.30: bytes=32 seq=3 ttl=127 time=63 ms
From 200.1.1.30: bytes=32 seq=4 ttl=127 time=63 ms
From 200.1.1.30: bytes=32 seq=5 ttl=127 time=63 ms

--- 200.1.1.30 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 63/66/78 ms

3. While PC1 pings 200.1.1.30, view the firewall session table; the bracketed address shows each ICMP session translated to a pool address.

HRP_M<FW1>display firewall session table
2021-01-11 11:06:36.600
Current Total Sessions : 9
icmp VPN: public --> public 192.168.1.1:17457[200.1.1.20:2059] --> 200.1.1.30:2048
udp VPN: public --> public 1.1.1.1:49152 --> 1.1.1.2:18514
icmp VPN: public --> public 192.168.1.1:18225[200.1.1.20:2062] --> 200.1.1.30:2048
udp VPN: public --> public 1.1.1.2:16384 --> 1.1.1.1:18514
udp VPN: public --> public 1.1.1.2:49152 --> 1.1.1.1:18514
icmp VPN: public --> public 192.168.1.1:17201[200.1.1.20:2058] --> 200.1.1.30:2048
icmp VPN: public --> public 192.168.1.1:17969[200.1.1.20:2061] --> 200.1.1.30:2048
icmp VPN: public --> public 192.168.1.1:17713[200.1.1.20:2060] --> 200.1.1.30:2048

4. PC2 can access the Server via ftp 200.1.1.29.

This experiment was completed with Huawei's eNSP simulator, version 1.3.00.100 (the latest at the time). That release also ships device images for the CE, CX, NE40E, NE5000E, NE9000E and USG6000V, so it can be used for complex network tests.
