Chapter 2 Firewall basics

2.1 Initial firewall configuration from the command line

Username: admin
Password: Admin@123
The default password must be changed at first login.
1) Configure the interface address
interface GigabitEthernet0/0/0
 ip address 192.168.199.100 24
 service-manage all permit
#service-manage all permit opens every management service (ping, HTTPS, SSH, ...) on this interface. It is what lets the host reach the firewall in the steps below, so enable it only on interfaces you actually manage from.

2) Add the interface to a security zone
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0

3) Ping the firewall's G0/0/0 from the host
C:\Users\HP>ping 192.168.199.100

Pinging 192.168.199.100 with 32 bytes of data:
Reply from 192.168.199.100: bytes=32 time=3ms TTL=255

4) Ping the host from the firewall
#Traffic originated by the firewall itself leaves the local zone, so it needs a local -> trust policy
security-policy
 rule name l_t_t
  source-zone local
  destination-zone trust
  action permit
#G0/0/0 is bound to vpn-instance default (see the management-interface section below), so the ping must name that VPN instance
ping -vpn-instance default 192.168.199.1
  PING 192.168.199.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.199.1: bytes=56 Sequence=1 ttl=64 time=3 ms

2.2 Initial Web login

1. Firewall Web login

Login URL: https://192.168.199.100:8443
Username: admin
Password: Admin@1234 (the new password set when the default was changed at first login)

2.3 Firewall security zones

1. Security zones

1) Configure the interface address
interface GigabitEthernet1/0/1
 ip address 192.168.1.254 255.255.255.0
 service-manage all permit
2) Put the interface into the trust zone
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1


3) Create a custom security zone with its own priority
#Create the zone and set its priority (the priority must differ from every other zone's)
firewall zone name dsrw
 set priority 84
#Delete the zone (this also removes every interzone configuration that references it)
undo firewall zone name dsrw
 Warning: All related configurations including interzone will be deleted! Continue?[Y/N]:y

2.4 Firewall security policy

1) View the default security policy
display security-policy rule all
 RULE ID  RULE NAME                         STATE      ACTION       HITS
 0        default                           enable     deny         38

2) Change the default security policy
security-policy
 default action permit
display security-policy rule all
 RULE ID  RULE NAME                         STATE      ACTION       HITS
 0        default                           enable     permit       38
#With the default action set to permit, the firewall forwards anything no rule matches. Use this only in the lab and set it back to deny afterwards.

2. Security policy, advanced

1) Define the security zones
firewall zone trust
 add interface GigabitEthernet1/0/2
firewall zone untrust
 add interface GigabitEthernet1/0/1

2) Define the security policy
security-policy
 rule name t_2_un
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name un_2_t
  source-zone untrust
  destination-zone trust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit

3. Stateful inspection: one-direction control
#Remove the untrust -> trust rule so that only the trust -> untrust rule remains
security-policy
 undo rule name un_2_t
 rule name t_2_un
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
#Reply packets of a flow permitted by t_2_un are matched against the session table, so no reverse rule is needed. A connection initiated from untrust has no session entry and falls through to the default deny.
1) Test connectivity from the PC to the server
PC>ping 192.168.2.1 -c 1
Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
From 192.168.2.1: bytes=32 seq=1 ttl=254 time=31 ms

2) View the session table
display firewall session table
icmp  VPN: public --> public  192.168.1.1:23413 --> 192.168.2.1:2048

Passive mode (PASV)

[Figures 7 and 8: screenshots]

Active mode (PORT)

[Figures 9 and 10: screenshots]

Firewall ASPF

1) Interface configuration
interface GigabitEthernet1/0/1
 ip address 192.168.1.254 255.255.255.0
 service-manage all permit

interface GigabitEthernet1/0/2
 ip address 192.168.2.254 255.255.255.0
 service-manage all permit

2) Security zone configuration
firewall zone trust
  add interface GigabitEthernet1/0/1
firewall zone untrust
  add interface GigabitEthernet1/0/2

3) Security policy configuration
security-policy
 rule name t_2_un
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
4) Session table in passive mode
display firewall session table all
2023-07-23 10:12:29.900
 Current Total Sessions : 2
 ftp  VPN: public --> public  192.168.1.1:2062 +-> 192.168.2.1:21
 ftp-data  VPN: public --> public  192.168.1.1:2063 --> 192.168.2.1:2054
#The client opens the data connection to the port the server announced in its PASV reply (2054). This second session exists even though no security-policy rule names port 2054.
5) ASPF for FTP is enabled by default. ASPF reads the data-channel address and port out of the FTP control session and records them in a server-map entry; a new data connection is checked against the server-map before the ordinary five-tuple policy lookup, so it is let through without a rule of its own.
display current-configuration | include firewall detect ftp
2023-07-23 10:41:21.450
firewall detect ftp

6) Session table in active mode
display firewall session table all
 ftp  VPN: public --> public  192.168.1.1:2064 +-> 192.168.2.1:21
 ftp-data  VPN: public --> public  192.168.2.1:20 --> 192.168.1.1:2065
#In active mode the server opens the data connection, from port 20 to the port the client announced with PORT (2065). Without the server-map this untrust -> trust connection would hit the default deny.

7) View the ASPF server-map in active mode
display firewall server-map
2023-07-23 10:45:28.240 
 Current Total Server-map : 1
 Type: ASPF,  192.168.2.1 -> 192.168.1.1:2065,  Zone:---
 Protocol: tcp(Appro: ftp-data),  Left-Time:00:00:13
 Vpn: public -> public

8) Enable ASPF in the interzone view (applies to that zone pair only)
firewall interzone trust untrust
 detect ftp

9) Enable ASPF in the system view (applies globally)
firewall detect ftp
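The following Python script is an added example, not Huawei code and not part of the original page. It models what ASPF has to read off the FTP control channel: the PORT command in active mode and the 227 reply in passive mode both carry the address and port of the upcoming data connection, and only from them can the firewall derive the server-map entry that lets the data channel through. The addresses and ports are the ones from the session tables above; the control-channel dialog itself is constructed, as is the third PORT line, which names a host other than the client (an FTP bounce) and must not produce an entry.

```python
"""What the USG's ASPF has to read off an FTP control channel (added example, not Huawei code).

FTP announces its data connection inside the control session (PORT from the
client, 227 from the server). A five-tuple policy cannot predict that port,
so ASPF parses these messages and creates a server-map entry that admits
exactly that data connection. Dialog lines below are constructed.
"""
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class ServerMap:
    """One ASPF server-map entry, like `Type: ASPF, 192.168.2.1 -> 192.168.1.1:2065`."""
    initiator: str     # host that will open the data connection
    dst_ip: str
    dst_port: int
    mode: str          # "active" (PORT) or "passive" (PASV)


def _decode(h1, h2, h3, h4, p1, p2):
    """h1,h2,h3,h4,p1,p2 -> (ip, port); the port is p1*256 + p2."""
    ip = ".".join((h1, h2, h3, h4))
    port = int(p1) * 256 + int(p2)
    if not 0 < port < 65536 or any(int(h) > 255 for h in (h1, h2, h3, h4)):
        raise ValueError(f"bad address/port in FTP message: {ip}:{port}")
    return ip, port


def aspf_inspect(sender, line, client_ip, server_ip):
    """Return a ServerMap for a PORT command or 227 reply, None for any other line.

    The announced address must be the control-channel peer itself: a PORT
    naming a third host is the classic FTP bounce and is refused rather
    than turned into a hole in the policy.
    """
    if sender == "client" and (m := PORT_RE.match(line)):
        ip, port = _decode(*m.groups())
        if ip != client_ip:
            raise ValueError(f"PORT address {ip} is not the client {client_ip}")
        # Active mode: the server connects (from tcp/20) to the client's port.
        return ServerMap(server_ip, ip, port, "active")
    if sender == "server" and (m := PASV_RE.match(line)):
        ip, port = _decode(*m.groups())
        if ip != server_ip:
            raise ValueError(f"PASV address {ip} is not the server {server_ip}")
        # Passive mode: the client connects to the port the server picked.
        return ServerMap(client_ip, ip, port, "passive")
    return None


def inspect_dialog(dialog, client_ip, server_ip):
    """Run every control-channel line through ASPF; returns (entries, rejected)."""
    entries, rejected = [], []
    for sender, line in dialog:
        try:
            entry = aspf_inspect(sender, line, client_ip, server_ip)
        except ValueError as err:
            rejected.append((line, str(err)))
            continue
        if entry:
            entries.append(entry)
    return entries, rejected


def data_connection_allowed(entries, src_ip, dst_ip, dst_port):
    """The firewall's check on the data-connection SYN: does a server-map entry cover it?"""
    return any(e.initiator == src_ip and e.dst_ip == dst_ip and e.dst_port == dst_port
               for e in entries)


# Constructed control-channel dialog reproducing the lab: a passive transfer to
# server port 2054 (8*256+6), an active transfer to client port 2065 (8*256+17),
# then a bounce attempt that must not create an entry.
CLIENT, SERVER = "192.168.1.1", "192.168.2.1"
DIALOG = [
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,168,2,1,8,6)."),
    ("client", "PORT 192,168,1,1,8,17"),
    ("server", "200 PORT command successful."),
    ("client", "PORT 10,0,0,9,0,80"),
]

if __name__ == "__main__":
    found, refused = inspect_dialog(DIALOG, CLIENT, SERVER)
    for e in found:
        print(f"Type: ASPF, {e.initiator} -> {e.dst_ip}:{e.dst_port} ({e.mode})")
    for line, why in refused:
        print(f"rejected {line!r}: {why}")
```

The two entries the script derives are the data sessions shown in steps 4 and 6 (192.168.1.1 -> 192.168.2.1:2054 and 192.168.2.1 -> 192.168.1.1:2065). The point of the bounce check is that an ASPF entry is effectively a dynamically created permit, so the address it admits has to be tied to the control-channel peer; EPRT/EPSV (RFC 2428) carry the same information in a different syntax and are not handled here.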

2.5 Firewall extensions

1) Configure the interface IP addresses
interface GigabitEthernet1/0/1
 ip address 192.168.1.254 255.255.255.0
 service-manage all permit

interface GigabitEthernet1/0/2
 ip address 192.168.2.254 255.255.255.0
 service-manage all permit

2) Configure the security zones
firewall zone trust
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#Traffic between different interfaces in the same security zone is permitted by default
3) PC connectivity test
PC1>ping 192.168.2.1
From 192.168.2.1: bytes=32 seq=1 ttl=255 time=16 ms

PC2>ping 192.168.1.1
From 192.168.1.1: bytes=32 seq=1 ttl=127 time=63 ms

4) Configure a security policy
#Traffic between interfaces in the same security zone can still be controlled by a security policy
security-policy
 rule name t_2_t
  source-zone trust
  destination-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action deny

5) PC connectivity test
PC>ping 192.168.2.1
Request timeout!

6) Modify the security policy
security-policy
 rule name t_2_t
  source-zone trust
  destination-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit

7) Connectivity test
PC>ping 192.168.2.1
From 192.168.2.1: bytes=32 seq=2 ttl=127 time=62 ms

8) View the session table
display firewall session table all
2023-07-24 11:04:14.170
 Current Total Sessions : 3
 icmp  VPN: public --> public  192.168.1.1:62037 --> 192.168.2.1:2048
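The Python model below is an added example, not Huawei code and not part of the original page. It replays the two experiments above in software: the one-direction control of section 2.4 (only t_2_un exists, the server's reply passes on the session table, a new connection from untrust hits the default deny) and the same-zone case of this section (intrazone traffic permitted with no rule, then denied once t_2_t is added), plus the `rule move` ordering used later. Zone names, addresses, rule names and the ICMP identifiers are the lab's; the matching semantics are a simplified model of the USG, not its implementation.

```python
"""Toy model of the zone-based stateful policy from sections 2.4 and 2.5 (added example, not Huawei code).

Semantics modelled: session table consulted before the policy, rules matched
in order with first match winning, interzone traffic without a match hitting
the default action, intrazone traffic without a match being permitted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    src_zone: Optional[str] = None   # None matches any zone
    dst_zone: Optional[str] = None
    src_net: Optional[str] = None    # CIDR string; None matches any address
    dst_net: Optional[str] = None
    action: str = "permit"

    def matches(self, sz, dz, src, dst):
        return (self.src_zone in (None, sz) and self.dst_zone in (None, dz)
                and (self.src_net is None or ip_address(src) in ip_network(self.src_net))
                and (self.dst_net is None or ip_address(dst) in ip_network(self.dst_net)))


class Firewall:
    def __init__(self, zone_of, default_action="deny"):
        self.zone_of = zone_of            # {cidr: zone}: which zone an address sits behind
        self.default_action = default_action
        self.rules = []                   # ordered, like `display security-policy rule all`
        self.sessions = set()             # 5-tuples of permitted first packets

    def zone(self, ip):
        for net, z in self.zone_of.items():
            if ip_address(ip) in ip_network(net):
                return z
        raise KeyError(ip)

    def rule_move(self, name, where, ref=None):
        """`rule move NAME top|bottom|before REF|after REF`."""
        rule = next(r for r in self.rules if r.name == name)
        self.rules.remove(rule)
        if where == "top":
            self.rules.insert(0, rule)
        elif where == "bottom":
            self.rules.append(rule)
        else:
            i = next(i for i, r in enumerate(self.rules) if r.name == ref)
            self.rules.insert(i if where == "before" else i + 1, rule)

    def forward(self, proto, src, sport, dst, dport):
        """Decide one packet; returns (verdict, what decided it).

        For ICMP the lab's session table shows the echo identifier and
        type in the port columns; they are used the same way here.
        """
        key = (proto, src, sport, dst, dport)
        # 1. Session table first: the reply of a permitted flow needs no rule,
        #    which is why section 2.4 works with only the trust->untrust rule.
        if key in self.sessions or (proto, dst, dport, src, sport) in self.sessions:
            return "permit", "session"
        sz, dz = self.zone(src), self.zone(dst)
        # 2. Security policy, first match wins.
        for r in self.rules:
            if r.matches(sz, dz, src, dst):
                verdict, why = r.action, r.name
                break
        else:
            # 3. No rule: intrazone is permitted, interzone gets the default action.
            verdict, why = ("permit", "intrazone-default") if sz == dz else (self.default_action, "default")
        if verdict == "permit":
            self.sessions.add(key)
        return verdict, why


def lab_2_4():
    """Section 2.4 step 3: stateful, one-direction control with only t_2_un."""
    fw = Firewall({"192.168.1.0/24": "trust", "192.168.2.0/24": "untrust"})
    fw.rules.append(Rule("t_2_un", "trust", "untrust", "192.168.1.0/24", "192.168.2.0/24"))
    return {
        "pc_to_server": fw.forward("icmp", "192.168.1.1", 23413, "192.168.2.1", 2048),
        "server_reply": fw.forward("icmp", "192.168.2.1", 2048, "192.168.1.1", 23413),
        "server_to_pc_new": fw.forward("tcp", "192.168.2.1", 40000, "192.168.1.1", 22),
    }


def lab_2_5():
    """Section 2.5: same zone, two interfaces; permitted by default, then denied by t_2_t."""
    fw = Firewall({"192.168.1.0/24": "trust", "192.168.2.0/24": "trust"})
    before = fw.forward("icmp", "192.168.1.1", 62037, "192.168.2.1", 2048)
    fw.rules.append(Rule("t_2_t", "trust", "trust", "192.168.1.0/24", "192.168.2.0/24", "deny"))
    after = fw.forward("icmp", "192.168.1.1", 62038, "192.168.2.1", 2048)  # a new ping, new identifier
    fw.rules.insert(0, Rule("t_2_t_01", "trust", "trust", "192.168.2.0/24", "192.168.1.0/24"))
    fw.rule_move("t_2_t_01", "after", "t_2_t")   # position only matters where rules overlap
    return {"before": before, "after": after, "order": [r.name for r in fw.rules]}


if __name__ == "__main__":
    print(lab_2_4())
    print(lab_2_5())
```

Two things the model makes visible that the CLI output only implies: the reply in `lab_2_4` is decided by the session table without ever consulting the rule list, and in `lab_2_5` the same ping that was permitted with no rule at all is denied the moment a matching deny rule exists, because the intrazone default is only a fallback for traffic no rule matches.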
2. Basic security-policy operations
1) Basic rule commands (help output in the security-policy view)
rule ?
  copy    Indicate copy a rule            #copy a rule
  move    Indicate move a rule            #move a rule
  name    Indicate configure rule name    #create or enter a rule by name
  rename  Indicate rename a rule          #rename a rule

2) View the security policy
display this
security-policy
 rule name t_2_t
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name t_2_t_01
  source-zone trust
  destination-zone trust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit

3) Copy a rule
rule copy t_2_t_01 t_2_t_02
display this 
security-policy
 rule name t_2_t
  source-zone trust
  destination-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name t_2_t_01
  source-zone trust
  destination-zone trust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name t_2_t_02
  source-zone trust
  destination-zone trust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit

4) Rename a rule
rule rename t_2_t_02 t_2_t_03
security-policy
 rule name t_2_t
  source-zone trust
  destination-zone trust
  source-address 192.168.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name t_2_t_01
  source-zone trust
  destination-zone trust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name t_2_t_03
  source-zone trust
  destination-zone trust
  source-address 192.168.2.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0

5) Move a rule (rules are matched from top to bottom and the first match wins, so position decides which of two overlapping rules applies)
rule move t_2_t_03 ?
  after   Indicate move after a rule           #move after rule XX
  before  Indicate move before a rule          #move before rule XX
  bottom  Indicate move a rule to the bottom   #move to the bottom
  down    Indicate move down a rule            #one position down
  top     Indicate move a rule to the top      #move to the top
  up      Indicate move up a rule              #one position up
3. Management interface
1) View the management interface
interface GigabitEthernet0/0/0
 #management interface
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH

2) View the routing table of the service interfaces
display ip routing-table
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0           D   192.168.1.254   GigabitEthernet1/0/1
  192.168.1.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/1
    192.168.2.0/24  Direct  0    0           D   192.168.2.254   GigabitEthernet1/0/2
  192.168.2.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/2

3) View the routing table of the management interface (it is bound to vpn-instance default, a routing instance separate from the service interfaces, which is why management routes do not appear above)
display ip routing-table vpn-instance default
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
 192.168.199.0/24  Direct  0    0           D   192.168.199.100 GigabitEthernet0/0/0
192.168.199.100/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0

4) Unbind the management interface from vpn-instance default
#Removing the binding deletes all IP configuration on the interface, so have another management path (console or a service interface with service-manage) before doing this
undo ip binding vpn-instance default
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!