Case analysis: firewall deployment and troubleshooting (1)

Source: Internet
Author: User

Security is no small matter. The recent "password leak" incidents have caused widespread alarm. The leak of the CSDN user database was the most pressing one for people who work in computer technology: most IT staff have a CSDN account, and almost all of them use the same user name and password to register on other technical websites. After the CSDN user database leak, I quickly changed my passwords on many of the technical websites I use. Not long after, Tianya and Sina Weibo leaked as well. It is astonishing!
Is there no security at all on the Internet? I think there still is, otherwise so many people would not be using it. But too many problems have been exposed recently. If those problems are addressed through a range of security measures, the security of the Internet can still be improved. This article covers the deployment, installation and configuration of firewall devices in an enterprise network. A firewall cannot solve every security problem, but a network cannot do without one either.

Figure 1: network architecture and firewall deployment
I. Network architecture and firewall deployment
The organization's network structure is shown in Figure 1. To ensure the stability and redundancy of the important devices, the core layer uses two Cisco 6509-E switches connected by a trunk link. The office-area access layer uses several Cisco 2960 switches; the figure shows only two of them for simplicity. The important servers, such as the FTP, e-mail and database servers, connect to the core 6509-E switches through the firewalls. The organization's addressing uses private class C networks in the 192.168.x.0 range: the DHCP server is 192.168.10.1 and the FTP server is 192.168.5.2. The links between the Cisco 6509-E and Cisco 3750 switches, and between the Cisco 3750 and Cisco 2960 switches, are trunk connections.
In Figure 1 the orange lines are fiber connections and the blue lines are twisted-pair connections. The two yellow lines, one vertical and one horizontal, drawn out of the two 6509 switches are extensions of the 6509 ports: rather than drawing every connection into a single port on each 6509, the ports are spread along these lines, which makes the structure of the topology clearer.
The organization places each department's computers in its own VLAN according to the nature of the department. All servers sit in VLAN 2 to VLAN 10, with the corresponding networks 192.168.2.0 to 192.168.10.0; for example, the DHCP server is in VLAN 10 and the FTP server in VLAN 5. The servers' IP addresses, default gateways and DNS settings are configured statically. VLAN 11 to VLAN 150 are used by the office area, with networks 192.168.11.0 to 192.168.150.0; the VLAN number matches the third octet of its network number. All office PCs connect to the network through the Cisco 2960 switches, and all the 3750s carry layer-2 configuration only. All layer-3 configuration is on the Cisco 6509s, that is, routing between VLANs is done by the 6509s. The PCs obtain their IP address, default gateway and DNS automatically from the DHCP server, with no manual static configuration.



As shown in Figure 1, both firewalls are Lenovo Power V firewalls running in transparent (bridge) mode. Only one management IP address needs to be configured; the firewalls occupy no other IP resources and require no change to the user's topology, so the devices are "transparent" to users. When configuring the network devices you can proceed as if the two firewalls were not there: in transparent mode they only inspect the packets passing through them and enforce the security policy, without affecting the overall architecture or configuration of the network. For installation and maintenance this mode is much simpler than a firewall's routed mode.
The Cisco 6509-E switches are not connected to the core-area Cisco 2960 switches in trunk mode but in access mode: the Gi3/2 ports of the two 6509-E switches are in VLAN 5, and the Gi0/1 ports of the two core-area Cisco 2960 switches are also in VLAN 5. The connections between the two 6509s, the two 3750s and the office-area network devices are as follows:
Cisco 6509-E1 GigabitEthernet 3/1 <-----> Cisco3750A GigabitEthernet 1/0/25
Cisco 6509-E2 GigabitEthernet 3/1 <-----> Cisco3750B GigabitEthernet 1/0/25
Cisco 3750A GigabitEthernet 1/0/1 <-----> Cisco 2960A GigabitEthernet 0/1
Cisco 3750B GigabitEthernet 1/0/1 <-----> Cisco 2960B GigabitEthernet 0/1
The connections between the two firewalls and the network devices in the core area are as follows:
Cisco 6509-E1 GigabitEthernet 3/2 <-----> FW-A GigabitEthernet 1
Cisco 6509-E2 GigabitEthernet 3/2 <-----> FW-B GigabitEthernet 1
FW-A GigabitEthernet 2 <-----> Cisco 2960A GigabitEthernet 0/1
FW-B GigabitEthernet 2 <-----> Cisco 2960B GigabitEthernet 0/1
II. Configuration of the main network devices
1. Configuration of the two core switches. The main configuration on Cisco 6509-E1 is as follows:
hostname Cisco6509-E1
!
interface GigabitEthernet3/1
 description Link3750A_1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
!
interface GigabitEthernet3/2
 description Link_FW-A_Gi1
 switchport access vlan 5
 switchport mode access
!
interface Vlan5
 ip address 192.168.5.252 255.255.255.0
 standby 5 ip 192.168.5.254
 standby 5 priority 120
 standby 5 preempt
!
interface Vlan115
 ip address 192.168.115.252 255.255.255.0
 standby 115 ip 192.168.115.254
 standby 115 priority 120
 standby 115 preempt
The command "ip address 192.168.5.252 255.255.255.0" assigns an IP address to the VLAN interface.
In the "standby 5 priority 120" command, "priority" sets the HSRP priority; 5 is the group number, whose range is 0 to 255, and 120 is the priority value, whose range is also 0 to 255. The greater the value, the higher the priority.
The priority determines a router's role in the HSRP group: the router with the highest priority becomes the active router and the lower-priority router becomes the standby router. When the active router fails, the standby router takes over as the active router. If both the active and standby routers fail, the remaining routers hold an election for the active and standby roles. When priorities are equal, the router with the higher interface IP address becomes active.
"preempt" configures HSRP preemption. Configure this command when you want the higher-priority router to actively take over as the active router. With preempt configured, the higher-priority router always regains the active role after it recovers; when the active router fails, the highest-priority standby router becomes active. Without preempt, a recovered router can only wait in the standby state, and the standby router that took over remains active.
The "standby 5 ip 192.168.5.254" command starts HSRP. If no virtual IP address is specified, the router does not take part in the backup group. The virtual IP address must belong to the interface's subnet and must not be the interface's own IP address.
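To make the election rules above concrete, here is an added Python model (example code, not from the article or from Cisco) that applies them to the article's VLAN 5 HSRP group: virtual IP 192.168.5.254, Cisco 6509-E1 at 192.168.5.252 and Cisco 6509-E2 at 192.168.5.253. The router names, the fail/recover sequence and the tie-break handling are constructed for the model; it assumes, as the text states, that a priority tie is broken by the higher interface IP both at the initial election and when preemption is evaluated.

```python
"""HSRP active/standby election model: an added example, not part of the
article.  It encodes the rules the article states (highest priority wins,
ties go to the higher interface IP, and 'preempt' decides whether a
recovered higher-ranked router takes the active role back) and replays them
on the article's VLAN 5 group.  The scenario sequence is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100    # IOS default priority
    preempt: bool = False  # IOS default: no preemption
    up: bool = True

    def rank(self):
        # Election order: priority first, interface IP as the tie-breaker.
        return (self.priority, int(ipaddress.IPv4Address(self.ip)))


@dataclass
class HsrpGroup:
    group: int
    virtual_ip: str
    routers: List[HsrpRouter]
    active: Optional[HsrpRouter] = None

    def elect(self) -> Optional[str]:
        """Re-evaluate the group after a change; return the active router's name."""
        alive = [r for r in self.routers if r.up]
        if not alive:
            self.active = None
            return None
        best = max(alive, key=HsrpRouter.rank)
        if self.active is None or not self.active.up:
            # No active router (initial election, or the active one failed):
            # the best-ranked live router takes over.
            self.active = best
        elif best is not self.active and best.preempt:
            # A better-ranked router is back; it only takes the role if it
            # has preempt configured. Otherwise the current active stays.
            self.active = best
        return self.active.name


def simulate(e1_priority: int, e2_priority: int, preempt: bool) -> List[str]:
    """Replay: initial election, 6509-E1 fails, 6509-E1 recovers.
    Returns the name of the active router after each step."""
    e1 = HsrpRouter("Cisco6509-E1", "192.168.5.252", e1_priority, preempt)
    e2 = HsrpRouter("Cisco6509-E2", "192.168.5.253", e2_priority, preempt)
    grp = HsrpGroup(group=5, virtual_ip="192.168.5.254", routers=[e1, e2])
    trace = [grp.elect()]
    e1.up = False          # active switch goes down
    trace.append(grp.elect())
    e1.up = True           # it comes back
    trace.append(grp.elect())
    return trace


if __name__ == "__main__":
    # As configured in the article: both switches at priority 120 with preempt.
    print("both 120, preempt      :", simulate(120, 120, True))
    # 6509-E2 left at the default 100: 6509-E1 is the intended active router.
    print("120 vs 100, preempt    :", simulate(120, 100, True))
    print("120 vs 100, no preempt :", simulate(120, 100, False))
```

Running it shows why the priority values deserve a second look: with both switches at priority 120 and preempt, the tie goes to the higher address and 6509-E2 becomes active for VLAN 5. Leaving 6509-E2 at the default priority of 100 makes 6509-E1 the active router, and preempt then returns the role to it after it recovers from a failure; without preempt, 6509-E2 keeps the role.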
The main configuration on Cisco 6509-E2 is as follows:
hostname Cisco6509-E2
!
interface GigabitEthernet3/1
 description Link3750B_1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
!
interface GigabitEthernet3/2
 description Link_FW-B_Gi1
 switchport access vlan 5
 switchport mode access
!
interface Vlan5
 ip address 192.168.5.253 255.255.255.0
 standby 5 ip 192.168.5.254
 standby 5 priority 120
 standby 5 preempt
!
interface Vlan115
 ip address 192.168.115.253 255.255.255.0
 standby 115 ip 192.168.115.254
 standby 115 priority 120
 standby 115 preempt
2. Configuration of the two Cisco 3750 and two Cisco 2960 switches in the office area. Configuration on Cisco 3750A:
hostname Cisco3750A
!
interface GigabitEthernet1/0/25
 description Link6509-E1 3/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 description Link2960A 0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
Configuration on Cisco 3750B:
hostname Cisco3750B
!
interface GigabitEthernet1/0/25
 description Link6509-E2 3/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 description Link2960B 0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
Configuration on Cisco 2960A:
hostname Cisco2960A
!
interface GigabitEthernet0/1
 description Link3750A 1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
Configuration on Cisco 2960B:
hostname Cisco2960B
!
interface GigabitEthernet0/1
 description Link3750B 1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
3. The main configuration of the two Cisco 2960 switches in the core area is as follows. Configuration on Cisco 2960A:
hostname Cisco2960A
!
interface GigabitEthernet0/1
 description Link_FW-A_Gi2
 switchport access vlan 5
 switchport mode access
Configuration on Cisco 2960B:
hostname Cisco2960B
!
interface GigabitEthernet0/1
 description Link_FW-B_Gi2
 switchport access vlan 5
 switchport mode access
Note that the Cisco 2960 configuration differs between the office area and the core area: the former is in trunk mode, the latter in access mode.
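As an added consistency check (example code, not the article's or any vendor's tooling), the Python script below parses the interface stanzas of the A-side devices transcribed from the configurations above, then verifies that both ends of every link the article lists agree on switchport mode and on the VLANs carried. The "-office" and "-core" suffixes on the 2960A keys are constructed, because the article gives both switches the same hostname; FW-A is treated as a wire between 6509-E1 Gi3/2 and the core 2960A Gi0/1, since a transparent firewall does not change the topology. The constructed faulty variant puts the office 2960A port into access mode to show the mix-up the note above warns about being caught.

```python
"""Link-consistency check for the article's switch configuration: an added
example, not the article's own tooling.  Only the A side of the topology is
embedded (the B side is symmetric).  Configs are transcribed from the
article; device keys and the faulty variant are constructed."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: interface stanzas transcribed from the article's snippets.
CONFIGS: Dict[str, str] = {
    "Cisco6509-E1": """
interface GigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
!
interface GigabitEthernet3/2
 switchport access vlan 5
 switchport mode access
""",
    "Cisco3750A": """
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
""",
    "Cisco2960A-office": """
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,115
 switchport mode trunk
""",
    "Cisco2960A-core": """
interface GigabitEthernet0/1
 switchport access vlan 5
 switchport mode access
""",
}

Link = Tuple[Tuple[str, str], Tuple[str, str]]
# (device, interface) pairs for each link in the article; FW-A sits inside the last one.
LINKS: List[Link] = [
    (("Cisco6509-E1", "GigabitEthernet3/1"), ("Cisco3750A", "GigabitEthernet1/0/25")),
    (("Cisco3750A", "GigabitEthernet1/0/1"), ("Cisco2960A-office", "GigabitEthernet0/1")),
    (("Cisco6509-E1", "GigabitEthernet3/2"), ("Cisco2960A-core", "GigabitEthernet0/1")),
]


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '5,115' or '10-12,20' into a set."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {interface: {mode, access_vlan, allowed}} from a config text.
    allowed=None stands for the IOS default of all VLANs on a trunk."""
    ifaces: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = {"mode": None, "access_vlan": 1, "allowed": None}
            ifaces[m.group(1)] = current
        elif current is None:
            continue
        elif line.startswith("switchport mode "):
            current["mode"] = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            current["access_vlan"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            current["allowed"] = expand_vlans(line.split()[-1])
    return ifaces


def check_links(configs: Dict[str, str], links: List[Link]) -> List[str]:
    """Return one message per inconsistency; an empty list means all links agree."""
    parsed = {dev: parse_interfaces(cfg) for dev, cfg in configs.items()}
    problems: List[str] = []
    for (dev_a, if_a), (dev_b, if_b) in links:
        a, b = parsed[dev_a][if_a], parsed[dev_b][if_b]
        link = f"{dev_a} {if_a} <-> {dev_b} {if_b}"
        if a["mode"] is None or a["mode"] != b["mode"]:
            problems.append(f"{link}: mode mismatch ({a['mode']} vs {b['mode']})")
        elif a["mode"] == "trunk" and a["allowed"] != b["allowed"]:
            problems.append(f"{link}: trunk allowed VLANs differ ({a['allowed']} vs {b['allowed']})")
        elif a["mode"] == "access" and a["access_vlan"] != b["access_vlan"]:
            problems.append(f"{link}: access VLAN mismatch ({a['access_vlan']} vs {b['access_vlan']})")
    return problems


def with_office_2960_in_access_mode() -> Dict[str, str]:
    """Constructed faulty variant: the office 2960A port configured like the core one."""
    faulty = dict(CONFIGS)
    faulty["Cisco2960A-office"] = CONFIGS["Cisco2960A-core"]
    return faulty


if __name__ == "__main__":
    print("article topology:", check_links(CONFIGS, LINKS) or "all links consistent")
    for p in check_links(with_office_2960_in_access_mode(), LINKS):
        print("faulty variant:", p)
```

Only the first discrepancy per link is reported, since a mode mismatch already makes the VLAN comparison meaningless; extending the parser to the VLAN interfaces and HSRP stanzas of the two 6509s (same group number and virtual IP on both peers) is the natural next check for this topology.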
