防火墻異構(gòu)整體實(shí)施方案

鏈路及描述規(guī) ASA5520配 4506交換機(jī)配 SSG550配 Secondary端配 Untrust至Trust策 Trust至Untust策 6.3.1配 SSG550配 4506交換機(jī)配 6.3.5策略配 一、文檔前言安全控制,需要對(duì)辦公網(wǎng)邊緣存在的JuniperSSG550進(jìn)行異構(gòu)部署。在此期間經(jīng)過與CMZZ方面的CMZZ此文檔作為中國移動(dòng)（XX）（簡稱CMZZ）ASA5520異構(gòu)的實(shí)施方案，適用于該實(shí)施項(xiàng)目的新增堆疊交換機(jī)解決HA高可用隱患問題，具體請(qǐng)參看“方案設(shè)計(jì)”章節(jié)。本文檔資料主要面向負(fù)責(zé)XX移動(dòng)ASA5520異構(gòu)方案設(shè)計(jì)和實(shí)施的網(wǎng)絡(luò)技術(shù)人員，管理人員，實(shí)施小組實(shí)施進(jìn)度計(jì)劃123456二、準(zhǔn)備工作設(shè)備加電測試打開供電開關(guān)；經(jīng)測試到達(dá)ASA5520供電設(shè)備電流、電壓均在設(shè)備均正常；加電后ASA5520的電源指示燈和風(fēng)扇都正常，使用超級(jí)終端通過Console連入查看設(shè)備是否能夠正常加載IOS及l(fā)og信息主ASA5520設(shè)備型號(hào)CiscoASA5520-項(xiàng)測試ASA5520是否通過硬件開機(jī)自我診斷測試,所有模塊被正確識(shí)別數(shù)日測試環(huán)境測試步驟(√)成功 )失敗 )其它，說明原因 測試人員HP三、網(wǎng)絡(luò)拓?fù)淇傮w網(wǎng)絡(luò)拓?fù)淇傮w網(wǎng)絡(luò)拓?fù)鋱D（圖總體網(wǎng)絡(luò)拓?fù)涿枋鯟MZZ整個(gè)網(wǎng)絡(luò)分為兩個(gè)區(qū)域組成，分別為辦公網(wǎng)和生產(chǎn)網(wǎng)。其中辦公網(wǎng)主要針對(duì)OA用戶辦公使用，生產(chǎn)網(wǎng)主要為業(yè)務(wù)系統(tǒng)服務(wù)，主要業(yè)務(wù)系統(tǒng)包括：三期系統(tǒng)、國漫系統(tǒng)、測試服務(wù)系統(tǒng)。辦公網(wǎng)用戶需要訪目前已經(jīng)完成異構(gòu)的區(qū)域，“黃色虛框”CMZZ平臺(tái)為本次ASA5520異構(gòu)實(shí)施區(qū)域。異構(gòu)區(qū)域拓?fù)鋮^(qū)域網(wǎng)絡(luò)拓?fù)鋱D區(qū)域網(wǎng)絡(luò)拓?fù)涿枋鋈鐖D（3-2）所示，當(dāng)前辦公網(wǎng)出口左側(cè)CMZZ出口平臺(tái)，只有兩臺(tái)JuniperSSG550進(jìn)行控制，本次實(shí)施需要在SSG550和辦公網(wǎng)4506交換機(jī)之間新增一套ASA5520，進(jìn)行異構(gòu)部署；右側(cè)Arch經(jīng)使用CheckPointUTM270和JuniperSSG550，完成了異構(gòu)部署。四、方案設(shè)計(jì)可靠性原則安全性原可擴(kuò)充性原則經(jīng)濟(jì)合理性原則可實(shí)施性設(shè)備命名規(guī)范鏈路及描述規(guī)與之連接的設(shè)備名和端口，如DescciptionLinktoXXXXXX。IP地址規(guī)范和劃分IP地址規(guī)劃是網(wǎng)絡(luò)整體規(guī)劃的一部分，要和網(wǎng)絡(luò)層次規(guī)劃、路由協(xié)議規(guī)劃、流量規(guī)劃等結(jié)合起來考慮。IP1Primary4/28Secondary23Primary44/28Secondary45678Primary/24Secondary網(wǎng)絡(luò)拓?fù)湓O(shè)計(jì)第一階段異構(gòu)網(wǎng)絡(luò)拓?fù)洌▓D如圖（4-1）左側(cè)，辦公網(wǎng)兩臺(tái)Catalyst4506交換機(jī)分別連接至兩臺(tái)JuniperSSG550進(jìn)行控制，通過F5-1進(jìn)行地址轉(zhuǎn)換后，與Internet通信；兩臺(tái)4506交換機(jī)啟用VLAN298，并配置HSRPGroup，Gi3/1兩個(gè)端口使用2層連接SSG550-1SSG550-2。ASA5520第一階段異構(gòu)實(shí)施后如圖（4-1）右側(cè)，辦公網(wǎng)兩臺(tái)4506交換機(jī)使用三層端口直連兩臺(tái)ASA5520（取消和SSG550-2，按照地址規(guī)劃，分配地址給ASA5520和SSG550。第一階段異構(gòu)隱患（圖異構(gòu)部署完成后，在正常情況下（如圖4-2左側(cè)），ASA5520和SSG550Active端都位于同一側(cè)，用戶流量經(jīng)過4506首先轉(zhuǎn)發(fā)至ASA5520，然后通過ASA5520轉(zhuǎn)發(fā)SSG550，最F5網(wǎng)地址轉(zhuǎn)換成公網(wǎng)如果SSG550-1上聯(lián)鏈路①處發(fā)生中斷時(shí)（如圖4-2右側(cè)），SSG550-1將轉(zhuǎn)變?yōu)镾tandby狀態(tài)，不會(huì)轉(zhuǎn)發(fā)任何流量，但是ASA5520-1卻不知道鏈路①處中斷，其狀態(tài)不會(huì)發(fā)生改變，此時(shí)流量通過4506到達(dá)ASA5520，再由ASA5520送至SSG550-1后，SSG550-1將不會(huì)轉(zhuǎn)發(fā)流量，因此業(yè)務(wù)會(huì)受到影響，需要手動(dòng)將ASA5520-2切換至Acitve狀態(tài)，才能恢復(fù)正常。第二階段異構(gòu)網(wǎng)絡(luò)拓?fù)洌▓D因此解決了HA高可用隱患問題。五、項(xiàng)目實(shí)施步驟備份設(shè)備配置SSG550-1SSG550-Showrunning-configCopystartup-configtftpcopyflashtftpShowvlanbriefShowversionshowinterfaceshowprocessescpushowprocessesmemoryshowtech-supportinterfaceGi0/0descriptionLinkto41MG2-C4506BGi3/1nameifinsidenoshutdowninterfaceGi0/1descriptionLinktoSSG550Gi0/0nameifoutsidenonameifmanagementsecurity-level100ipaddress待定noshutdown4506交換機(jī)配置SSHinterfaceGiDescriptionLinkto41MG6-C5520BGiSSHinterfaceGiDescriptionLinkto41MG6-C5520BGiSSG550配置業(yè)務(wù)端口地址：原地址7/28更換為41/28物理線纜連接1234567ASA5520outsideanyanyIP流量，以便進(jìn)行通信測試，完成路由配置后，再進(jìn)行細(xì)化配置，access-listtestpermitipanyanyaccess-grouptestininterfaceoutside通信驗(yàn)證測試890414243靜態(tài)路由配置4506靜態(tài)路由配置SSHnoiproutenoiprouteiprouteSSHnoiproutenoiprouteiprouteASA5520靜態(tài)路由配置routeoutsideSSG550靜態(tài)路由配通信驗(yàn)證測試4441SSH至JuniperSSG55042，以下地址99917218.100.9700999999AAA配aaa-serverasa5550protocoltacacs+aaa-serverasa5550host0keyCMZZ10086在ACS服務(wù)器配置ASA5520 SSHASDMcryptokeygeneratersasshinsidehttpserverenablehttpaaaaccountingcommandprivilege15ACS2370aaaaccountingsshconsoleACS2370Logging配loggingenableloggingbuffer-size204800loggingmonitorinformationalloggingtrapwarningslogginghistorydebuggingloggingasdminformationalFailoverPrimary端配failoverlanunitfailoverlaninterfaceCMZZFLfailoverinterfaceipCMZZFLstandbyfailoverkeyCMZZ10086failoverlinkCMZZe0/3interfacee0/3noSecondary端配failoverlanunitfailoverlaninterfaceCMZZFLfailoverinterfaceipCMZZFLstandbyfailoverkeyCMZZ10086noshutFailover同檢查Failover狀態(tài)showfailover策略配置Untrust至Trust策略object-groupnetworkF5_Clusterobject-groupservicetcp-servicetcpport-objecteqhttpport-objecteqhttpsport-objecteqpop3port-objecteqIMAPaccess-listUntrustpermittcpanyhost7object-grouptcp-serviceaccess-listUntrustpermittcpanyhost8object-grouptcp-serviceaccess-listUntrustpermittcpanyhost7eqftpaccess-listUntrustpermittcpanyhost7eq6666access-listUntrustpermittcpanyhost5eqaccess-listUntrustpermittcpanyhosteqhttpaccess-listUntrustpermittcpanyhosteqhttpsobject-groupnetworkarchwebnetwork-objecthost29network-objecthost30object-groupservicearchweb-tcptcpport-objecteq13724port-objecteqaccess-listUntrustpermittcpobject-grouparchwebhost3objec-grouparchweb-tcpaccess-listUntrustpermittcpobject-grouparchwebhost7eq7080access-listUntrustpermitudpanyhosteq53access-listUntrustpermitudpanyhosteqobject-groupnetworkCMZZ-spamclusternetwork-objecthost3object-groupnetworkCMZZ-spamcluster-dstnetwork-objecthost0object-groupnetworkCMZZ-spamcluster-dst2network-objecthostaccess-listUntrustpermittcpobject-grouparchwebhost6eqftpaccess-listUntrustpermittcpobject-grouparchwebhost8eqftpaccess-listUntrustpermittcpobject-grouparchwebhost9eqftpaccess-listUntrustpermittcpobject-grouparchwebhost1eqftpaccess-listUntrustpermittcpobject-grouparchwebhost6eqftpaccess-listUntrustpermittcpobject-grouparchwebhost8eqftpobject-groupservicearchweb-tcp2tcpport-objecteq1525port-objecteqaccess-listUntrustpermittcpobject-grouparchwebhost3objec-grouparchweb-tcp2access-listUntrustpermittcpobject-grouparchwebhost4objec-grouparchweb-tcp2access-listUntrustpermittcpobject-grouparchwebhost6objec-grouparchweb-tcp2access-listUntrustpermittcpobject-grouparchwebhost7objec-grouparchweb-tcp2access-listUntrustpermittcpobject-grouparchwebhost8objec-grouparchweb-tcp2access-listUntrustpermittcpobject-grouparchwebhost0objec-grouparchweb-tcp2access-listUntrustpermittcpobject-grouparchwebhost2objec-grouparchweb-tcp2access-listUntrustpermittcpobject-grouparchwebhost5objec-grouparchweb-tcp2object-groupservicearchweb-tcp3tcpport-objecteq11080port-objecteqFTPport-objecteqHTTPaccess-listUntrustpermittcpobject-grouparchwebhost0eqsmtpaccess-listUntrustpermittcpobject-grouparchwebhost2eqsmtpaccess-listUntrustpermittcpobject-grouparchwebhost30eqaccess-listUntrustpermittcpobject-grouparchwebhost30eqobject-groupserviceSQLtcpport-objecteq8080port-objecteqport-objecteqaccess-listUntrustpermittcphost7host4object-groupSQLaccess-listUntrustpermittcphost7host5object-groupSQLaccess-listUntrustpermitudphost7host4eq1434access-listUntrustpermitudphost7host5eqaccess-listUntrustpermittcpobject-grouptms-thost02object-grouparchweb-tcp2access-listUntrustpermittcpobject-grouptms-thost13object-grouparchweb-tcp2access-listUntrustpermittcpobject-grouptms-thost9object-grouparchweb-tcp2access-listUntrustpermittcpobject-grouptms-thost0object-grouparchweb-tcp2access-listUntrustpermittcphost6host4object-grouparchweb-tcp2access-listUntrustpermittcphost6host5object-grouparchweb-tcp2access-listUntrustpermittcpanyhost9eqaccess-listUntrustpermittcpanyhost7eqaccess-listUntrustpermittcpobject-grouparchwebhost35eqaccess-listUntrustpermittcphost8host38eqhttpaccess-listUntrustpermittcphost8host38eqhttpsaccess-listUntrustpermittcpanyhosteqTrust至Untust策略access-listTrustpermitipanyobject-groupaccess-listTrustpermittcpanyhost02eq2222access-listTrustpermittcpanyhost02eqaccess-listTrustpermittcpanyanyeq7050access-listTrustpermittcpanyanyeq2121access-listTrustpermitudpanyanyeq7050access-listTrustpermitudpanyanyeqaccess-listaccess-listTrustpermittcpanyanyeqaccess-listTrustpermittcpanyanyeq3101access-listTrustpermittcpanyanyeq8084access-listTrustpermittcpanyanyeq8084access-listTrustpermittcpanyanyrange1315213153access-listTrustpermittcpanyanyeq5566access-listTrustpermitudpanyanyeqdnsaccess-listTrustpermittcpanyanyeq8080access-listTrustpermittcpanyanyeq7002access-listTrustpermittcpanyanyeq7888access-listTrustpermittcpanyanyeqftpaccess-listTrustpermittcpanyanyeq995access-listTrustpermittcpanyanyeq465access-listTrustpermittcpanyanyeqhttpaccess-listTrustpermittcpanyanyeq8088access-listTrustpermittcpanyanyeq8099access-listTrustpermittcpanyanyeq2000access-listTrustpermittcpanyanyeqhttpsaccess-listTrustpermitudpanyanyeq500access-listTrustpermittcpanyanyeq143access-listTrustpermittcpanyanyeq25access-listTrustpermittcpanyanyeq8000access-listTrustpermittcpanyanyeq3743access-listTrustpermittcpanyanyeq5700access-listTrustpermittcpanyanyeqaccess-listTrustpermittcpanyanyrange3001access-listTrustpermittcpanyanyeq36088access-listTrustpermittcpanyanyeq1863access-listTrustpermittcpanyanyeq1863access-listTrustpermittcpanyanyeq123access-listTrustpermitudpanyanyeq123access-listTrustpermitudpanyanyeq8886access-listTrustpermitudpanyanyeq8889access-listTrustpermittcpanyanyeq2967access-listTrustpermittcpanyanyeq9012access-listTrustpermittcpanyanyeq8081access-listTrustpermittcpanyanyeq16688access-listTrustpermittcpanyanyeq8666access-listTrustpermittcpanyanyeq9888access-listTrustpermiticmpanyanyaccess-listTrustpermittcpanyanyeq110access-listTrustpermitudpanyanyeq8000access-listTrustpermittcpanyanyeq25access-listTrustpermittcpanyanyeq1525access-listaccess-listTrustpermittcpanyanyeqaccess-listTrustpermittcpanyanyeq17991access-listTrustpermittcpanyanyeq22000access-listTrustpermittcpanyanyeq22223access-listTrustpermittcpanyanyeq7005access-listTrustpermittcpanyanyeq7711access-listTrustpermittcpanyanyeq8001access-listTrustpermittcpanyanyeq8002access-listTrustpermittcpanyanyeq8003access-listTrustpermittcpanyanyeq8117access-listTrustpermittcpanyanyeq8601access-listTrustpermittcpanyanyeq9002access-listTrustpermittcpanyanyeq9500access-listTrustpermitudpanyanyeq7001access-listTrustpermittcpanyanyeq6666access-listTrustpermittcpanyanyeq7777access-listTrustpermittcpanyanyeq2998access-listTrustpermittcpanyanyeq20access-listTrustpermitudpanyanyeq161access-listTrustpermittcpanyanyeq7709access-listTrustpermittcpanyanyeq7708access-listTrustpermittcpanyanyeq7001access-listTrustpermittcpanyanyeq23access-listTrustpermittcpanyanyeq4043access-listTrustpermittcpanyanyeq9999access-listTrustpermittcpanyanyrange8082-access-listTrustpermitudpanyanyeq33400access-listTrustpermitudpanyanyeq4500access-listTrustpermittcpanyanyeq20080access-listTrustpermittcpanyanyeq177access-listTrustpermittcpanyanyeq5050access-listTrustpermittcpanyanyrange50005001access-listTrustpermittcpanyanyeq5100access-listTrustpermitudpanyanyrange50005010access-listTrustpermittcpanyanyeq6080access-listTrustpermittcpanyanyeq8008access-listTrustpermittcpanyanyeq9093access-listTrustpermittcpanyanyeq8080access-listTrustpermittcpanyanyeq8081port-objectport-objecteqport-objecteqport-objecteqport-objecteqport-objecteqport-objecteqport-objecteqport-objecteqport-objecteqport-objecteqport-objecteqaccess-listTrustpermittcpanyhost29object-grouparchweb_connectionaccess-listTrustpermittcpanyhost30object-grouparchweb_connectionobject-groupserviceCMZZ-spamcluster_connectiontcpport-objecteq80port-objecteqport-objecteqport-objecteqport-objecteqport-objecteqport-objecteqport-objecteqaccess-listTrustpermittcpanyhost3object-groupCMZZ-spamcluster_connectionaccess-listTrustpermittcpanyhost4object-groupCMZZ-spamcluster_connectionaccess-listTrustpermittcpanyhost29eq9001access-listTrustpermittcpanyhost30eq9001access-listTrustpermittcpanyhost95eq9001access-listTrustpermittcpanyhost3eq9001access-listTrustpermittcpanyhost4eq9001access-listTrustpermittcpanyhost6eq9001access-listTrustpermittcpanyhost6eqhttpaccess-listTrustpermittcpanyhost6eq3389access-listTrustpermiticmp