2.1 Firewall initialization: command-line configuration
Username: admin
Password: Admin@123
The password must be changed at first login.
1) Configure the interface address
interface GigabitEthernet0/0/0
ip address 192.168.199.100 24
service-manage all permit
2) View the security zone
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
3) Ping the firewall's G0/0/0 interface from the host
C:\Users\HP>ping 192.168.199.100
正在 Ping 192.168.199.100 具有 32 字节的数据:
来自 192.168.199.100 的回复: 字节=32 时间=3ms TTL=255
4) Ping the host from the firewall
# Configure a security policy (local -> trust)
security-policy
rule name l_t_t
source-zone local
destination-zone trust
action permit
ping -vpn-instance default 192.168.199.1
PING 192.168.199.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.199.1: bytes=56 Sequence=1 ttl=64 time=3 ms
2.2 Firewall initialization: web login
1. Firewall web login
Login URL: https://192.168.199.100:8443
Username: admin
Password: Admin@1234
2.3 Firewall security zones
1. Firewall security zones
1) Configure the interface address
interface GigabitEthernet1/0/1
ip address 192.168.1.254 255.255.255.0
service-manage all permit
2) Define the zone the interface connects to as trust
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
3) Custom security zone with a custom priority
# Create a security zone and set its priority
firewall zone name dsrw
set priority 84
# Delete the security zone
undo firewall zone name dsrw
Warning: All related configurations including interzone will be deleted! Continue?[Y/N]:y
2.4 Firewall security policy
1) View the default security policy
display security-policy rule all
0 default enable deny 38
2) Modify the default security policy
security-policy
default action permit
display security-policy rule all
0 default enable permit 38
2. Advanced security policy
1) Define the security zones
firewall zone trust
add interface GigabitEthernet1/0/2
firewall zone untrust
add interface GigabitEthernet1/0/1
2) Define the security policy
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
rule name un_2_t
source-zone untrust
destination-zone trust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
3. Firewall stateful inspection: one-way control
undo rule name un_2_t
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
1) PC connectivity test to the server
PC>ping 192.168.2.1 -c 1
Ping 192.168.2.1: 32 data bytes, Press Ctrl_C to break
From 192.168.2.1: bytes=32 seq=1 ttl=254 time=31 ms
2) View the session table
display firewall session table
icmp VPN: public --> public 192.168.1.1:23413 --> 192.168.2.1:2048
Passive mode (PASV)
Active mode (PORT)
Firewall ASPF
1) Firewall interface configuration
interface GigabitEthernet1/0/1
ip address 192.168.1.254 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/2
ip address 192.168.2.254 255.255.255.0
service-manage all permit
2) Security zone configuration
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/2
3) Security policy configuration
security-policy
rule name t_2_un
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
4) View the session table in passive mode
display firewall session table all
2023-07-23 10:12:29.900
Current Total Sessions : 2
ftp VPN: public --> public 192.168.1.1:2062 +-> 192.168.2.1:21
ftp-data VPN: public --> public 192.168.1.1:2063 --> 192.168.2.1:2054
5) ASPF is enabled by default; ASPF creates server-map entries, which take priority over the 5-tuple session match
display current-configuration | include firewall detect ftp
2023-07-23 10:41:21.450
firewall detect ftp
6) View the session table in active mode
display firewall session table all
ftp VPN: public --> public 192.168.1.1:2064 +-> 192.168.2.1:21
ftp-data VPN: public --> public 192.168.2.1:20 --> 192.168.1.1:2065
7) View the ASPF server-map table in active mode
display firewall server-map
2023-07-23 10:45:28.240
Current Total Server-map : 1
Type: ASPF, 192.168.2.1 -> 192.168.1.1:2065, Zone:---
Protocol: tcp(Appro: ftp-data), Left-Time:00:00:13
Vpn: public -> public
8) Enable ASPF in interzone view
firewall interzone trust untrust
detect ftp
9) Enable ASPF in system view
firewall detect ftp
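The passive and active FTP sessions shown above, replayed in an added example (not the page's or Huawei's code): it parses the server's 227 reply and the client's PORT command, derives the data ports 2054 and 2065 that the session table shows, and checks which data-connection SYN a server-map entry would admit even though no untrust-to-trust rule exists. The control-channel lines are constructed.

```python
import re

# Added example, not from the page: an ASPF-style inspector deriving the FTP data
# connection from the control channel. The control lines below are constructed to
# match the ports in the page's session-table output (2054 passive, 2065 active).
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def decode_hostport(fields):
    """FTP encodes a,b,c,d,p1,p2 where the port is p1*256 + p2."""
    a, b, c, d, p1, p2 = map(int, fields)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def inspect_ftp_control(client, server, line):
    """Return a server-map entry for the expected data connection, or None.
    Passive: the 227 reply names the server port the client will connect to.
    Active: PORT names the client port the server will connect to (from port 20)."""
    m = PASV_RE.search(line)
    if m:
        return {"initiator": client, "target": decode_hostport(m.groups()), "mode": "PASV"}
    m = PORT_RE.match(line)
    if m:
        return {"initiator": server, "target": decode_hostport(m.groups()), "mode": "PORT"}
    return None

def data_syn_allowed(server_map, src, dst, dport):
    """A SYN passes via the server-map only from the expected initiator to the
    expected ip:port; any other untrust->trust SYN still falls to the policy."""
    return any(e["initiator"] == src and e["target"] == (dst, dport) for e in server_map)

def lab_checks():
    client, server = "192.168.1.1", "192.168.2.1"
    # Constructed control-channel lines matching the page's session output
    pasv = inspect_ftp_control(client, server, "227 Entering Passive Mode (192,168,2,1,8,6).")
    port = inspect_ftp_control(client, server, "PORT 192,168,1,1,8,17")
    smap = [pasv, port]
    return {
        "pasv_port": pasv["target"][1],
        "port_port": port["target"][1],
        "passive_data_syn": data_syn_allowed(smap, client, server, 2054),
        "active_data_syn": data_syn_allowed(smap, server, client, 2065),
        "unexpected_syn": data_syn_allowed(smap, server, client, 2066),
    }
```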
2.5 Firewall extensions
1) Configure interface IP addresses
interface GigabitEthernet1/0/1
ip address 192.168.1.254 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/2
ip address 192.168.2.254 255.255.255.0
service-manage all permit
2) Configure the security zone
firewall zone trust
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
# Traffic between different interfaces in the same security zone is permitted by default
3) PC connectivity test
PC1>ping 192.168.2.1
From 192.168.2.1: bytes=32 seq=1 ttl=255 time=16 ms
PC2>ping 192.168.1.1
From 192.168.1.1: bytes=32 seq=1 ttl=127 time=63 ms
4) Configure the security policy
# Traffic between different interfaces in the same security zone can still be controlled by a security policy
security-policy
rule name t_2_t
source-zone trust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action deny
5) PC connectivity test
PC>ping 192.168.2.1
Request timeout!
6) Modify the security policy
rule name t_2_t
source-zone trust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
7) Connectivity test
PC>ping 192.168.2.1
From 192.168.2.1: bytes=32 seq=2 ttl=127 time=62 ms
8) View the session table
display firewall session table all
2023-07-24 11:04:14.170
Current Total Sessions : 3
icmp VPN: public --> public 192.168.1.1:62037 --> 192.168.2.1:2048
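The one-way control of section 3 (only t_2_un left, replies still pass) and the same-zone behaviour of section 2.5 (permitted by default, yet t_2_t deny applies), replayed in an added example that is not the page's or Huawei's code: a constructed first-match policy evaluator with a session table, using the page's zones, subnets and rule names. ICMP identifiers stand in for ports, and the same-zone default permit is taken from the page.

```python
import ipaddress
# Added example (not from the page): a small model of the lab's policy logic.
# Assumed: zones keyed by connected subnet; ICMP id/type stand in for ports.
def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)
class StatefulFirewall:
    """Top-down first-match security policy plus a session table for replies."""
    def __init__(self, zones, rules, default_action="deny"):
        self.zones, self.rules = zones, rules  # {"subnet": "zone"}, ordered rule dicts
        self.default_action, self.sessions = default_action, set()
    def zone_of(self, ip):
        return next((z for net, z in self.zones.items() if in_net(ip, net)), None)
    def policy(self, src, dst):
        """Classify a new flow: the first matching rule wins, else the defaults apply."""
        sz, dz = self.zone_of(src), self.zone_of(dst)
        for r in self.rules:
            if (r["src_zone"], r["dst_zone"]) == (sz, dz) and \
               in_net(src, r["src_net"]) and in_net(dst, r["dst_net"]):
                return r["action"]
        # Same-zone traffic is permitted by default; interzone uses 'default action'.
        return "permit" if sz == dz else self.default_action
    def packet(self, proto, src, sport, dst, dport):
        """Verdict for one packet: a session hit in either direction skips the policy."""
        if (proto, src, sport, dst, dport) in self.sessions or \
           (proto, dst, dport, src, sport) in self.sessions:
            return "permit"
        verdict = self.policy(src, dst)
        if verdict == "permit":
            self.sessions.add((proto, src, sport, dst, dport))
        return verdict

def rule(sz, dz, action):  # every rule on the page uses these two subnets
    return {"src_zone": sz, "dst_zone": dz, "action": action,
            "src_net": "192.168.1.0/24", "dst_net": "192.168.2.0/24"}

def lab_checks():
    pc, srv = "192.168.1.1", "192.168.2.1"
    # Section 3: only t_2_un remains, so replies pass but untrust-initiated flows do not.
    fw = StatefulFirewall({"192.168.1.0/24": "trust", "192.168.2.0/24": "untrust"},
                          [rule("trust", "untrust", "permit")])
    out = {"pc_to_server": fw.packet("icmp", pc, 23413, srv, 2048),
           "server_reply": fw.packet("icmp", srv, 2048, pc, 23413),
           "server_initiated": fw.packet("icmp", srv, 23414, pc, 2048)}
    # Section 2.5: both subnets in trust pass by default, yet a t_2_t deny still applies.
    same = {"192.168.1.0/24": "trust", "192.168.2.0/24": "trust"}
    out["same_zone_default"] = StatefulFirewall(same, []).packet("icmp", pc, 1, srv, 2048)
    denied = StatefulFirewall(same, [rule("trust", "trust", "deny")])
    out["same_zone_t_2_t"] = denied.packet("icmp", pc, 1, srv, 2048)
    return out
```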
2. Basic security policy operations
1) Basic security policy commands
rule ?
copy Indicate copy a rule # copy
move Indicate move a rule # move
name Indicate configure rule name # name
rename Indicate rename a rule # rename
2) View the security policy
display this
security-policy
rule name t_2_t
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
rule name t_2_t_01
source-zone trust
destination-zone trust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
3) Copy a security policy rule
rule copy t_2_t_01 t_2_t_02
display this
security-policy
rule name t_2_t
source-zone trust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
rule name t_2_t_01
source-zone trust
destination-zone trust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name t_2_t_02
source-zone trust
destination-zone trust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
4) Rename a security policy rule
rule rename t_2_t_02 t_2_t_03
security-policy
rule name t_2_t
source-zone trust
destination-zone trust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
action permit
rule name t_2_t_01
source-zone trust
destination-zone trust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
action permit
rule name t_2_t_03
source-zone trust
destination-zone trust
source-address 192.168.2.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
5) Move a security policy rule
rule move t_2_t_03 ?
after Indicate move after a rule # move after rule XX
before Indicate move before a rule # move before rule XX
bottom Indicate move a rule to the bottom # move to the bottom
down Indicate move down a rule # move down one position
top Indicate move a rule to the top # move to the top
up Indicate move up a rule # move up one position
3. Management interface
1) View the management interface
interface GigabitEthernet0/0/0
# Management interface
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
2) View the service interface routing table
display ip routing-table
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.254 GigabitEthernet1/0/1
192.168.1.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/1
192.168.2.0/24 Direct 0 0 D 192.168.2.254 GigabitEthernet1/0/2
192.168.2.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/2
3) View the management interface routing table
display ip routing-table vpn-instance default
192.168.199.0/24 Direct 0 0 D 192.168.199.100 GigabitEthernet0/0/0
192.168.199.100/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
4) Disable the management interface
undo ip binding vpn-instance default
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!