1. Configure firewall interface 1/0/1
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 192.168.1.254 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
// allow this interface to answer ping (service-manage governs traffic addressed to the firewall itself, not forwarded traffic)
2. Configure firewall interface 1/0/2
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.254 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
3. Configure firewall interface 1/0/3
[FW1]interface GigabitEthernet 1/0/3
[FW1-GigabitEthernet1/0/3]ip address 172.16.1.254 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
4. Define the untrust, trust and dmz zones
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/3
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/2
5. Check the priority of each zone
[FW1]display zone
2023-02-13 16:46:33.140
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/2
#
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/3
6. Define security policies
1) Trust zone accessing the untrust zone
[FW1]security-policy
[FW1-policy-security]rule name ttout
[FW1-policy-security-rule-ttout]source-zone trust
[FW1-policy-security-rule-ttout]destination-zone untrust
[FW1-policy-security-rule-ttout]source-address 192.168.1.0 24
[FW1-policy-security-rule-ttout]destination-address 10.1.1.1 24
[FW1-policy-security-rule-ttout]service http
[FW1-policy-security-rule-ttout]service icmp
[FW1-policy-security-rule-ttout]action permit
![Figure 1 - 14.2 Basic firewall configuration - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/03/图片36-4-1024x709.png)
2) Untrust zone accessing the dmz, using telnet, ftp and icmp
[FW1-policy-security]rule name utod
[FW1-policy-security-rule-utod]source-zone untrust
[FW1-policy-security-rule-utod]destination-zone dmz
[FW1-policy-security-rule-utod]source-address 10.1.1.0 24
[FW1-policy-security-rule-utod]destination-address 172.16.1.1 24
[FW1-policy-security-rule-utod]service icmp
[FW1-policy-security-rule-utod]action permit
3) Trust zone accessing the dmz
[FW1-policy-security]rule name ttod
[FW1-policy-security-rule-ttod]source-zone trust
[FW1-policy-security-rule-ttod]destination-zone dmz
[FW1-policy-security-rule-ttod]source-address 192.168.1.0 24
[FW1-policy-security-rule-ttod]destination-address 172.16.1.1 24
[FW1-policy-security-rule-ttod]service icmp
[FW1-policy-security-rule-ttod]service ftp
[FW1-policy-security-rule-ttod]action permit
![Figure 2 - 14.2 Basic firewall configuration - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/03/图片37-4-1024x710.png)
4) dmz accessing the trust zone
[FW1-policy-security]rule name dtot
[FW1-policy-security-rule-dtot]source-zone dmz
[FW1-policy-security-rule-dtot]destination-zone trust
[FW1-policy-security-rule-dtot]source-address 172.16.1.0 24
[FW1-policy-security-rule-dtot]destination-address 192.168.1.0 24
[FW1-policy-security-rule-dtot]service icmp
[FW1-policy-security-rule-dtot]action permit
5) Local zone accessing the untrust zone
[FW1-policy-security]rule name ltou
[FW1-policy-security-rule-ltou]source-zone local
[FW1-policy-security-rule-ltou]destination-zone untrust
[FW1-policy-security-rule-ltou]source-address 192.168.10.0 24
[FW1-policy-security-rule-ltou]destination-address 10.1.1.0 24
[FW1-policy-security-rule-ltou]service http
[FW1-policy-security-rule-ltou]service icmp
[FW1-policy-security-rule-ltou]action permit
// without an explicit action the rule does not permit anything
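To check what the policy above actually allows before testing on the device, here is a small Python model of the three interface subnets and the four inter-zone rules exactly as written (an added example, not code from the page; zone and rule names are taken from the configuration, the flows below are constructed). It applies first-match semantics with an implicit deny, so it shows, for instance, that no rule permits untrust to trust, and that ftp from untrust to the dmz is denied because rule utod only lists icmp.

```python
import ipaddress

# Constructed model of the zones and the four inter-zone rules configured
# above (added example, not part of the original page). Huawei reads
# 'x.y.z.1 24' as the whole /24, so networks are normalised with
# strict=False. Matching is first-match with an implicit final deny.
INTERFACE_ZONES = {
    "192.168.1.254/24": "trust",
    "10.1.1.254/24": "untrust",
    "172.16.1.254/24": "dmz",
}

# (rule name, src zone, dst zone, src address, dst address, services, action)
RULES = [
    ("ttout", "trust", "untrust", "192.168.1.0/24", "10.1.1.1/24", {"http", "icmp"}, "permit"),
    ("utod", "untrust", "dmz", "10.1.1.0/24", "172.16.1.1/24", {"icmp"}, "permit"),
    ("ttod", "trust", "dmz", "192.168.1.0/24", "172.16.1.1/24", {"icmp", "ftp"}, "permit"),
    ("dtot", "dmz", "trust", "172.16.1.0/24", "192.168.1.0/24", {"icmp"}, "permit"),
]


def zone_of(ip):
    """Map an address to its zone; the firewall's own addresses are 'local'."""
    addr = ipaddress.ip_address(ip)
    for iface, zone in INTERFACE_ZONES.items():
        own = ipaddress.ip_interface(iface)
        if addr == own.ip:
            return "local"
        if addr in own.network:
            return zone
    return None


def evaluate(src_ip, dst_ip, service):
    """Return (rule name, action) of the first matching rule, else ('default', 'deny')."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, sz, dz, snet, dnet, services, action in RULES:
        if (sz, dz) != (src_zone, dst_zone):
            continue
        if src not in ipaddress.ip_network(snet, strict=False):
            continue
        if dst not in ipaddress.ip_network(dnet, strict=False):
            continue
        if service not in services:
            continue
        return name, action
    return "default", "deny"
```

A ping from the trust zone to 172.16.1.254 falls into trust-to-local, which no rule covers; it is answered only because of `service-manage ping permit` on that interface.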