基本防火墙访问策略配置
Firewall policy requirements:
Trust (the company's internal network) can access Untrust (the WAN), but Untrust cannot access Trust.
Trust (the company's internal network) can access the DMZ server.
Users on the Untrust WAN can access the DMZ server.

Configure the interfaces, their addresses, and DHCP:

    <USG6000V1> system-view
    sysname fw
    dhcp enable                                         // enable the DHCP service
    ip pool trust                                       // create an address pool
     gateway-list 192.168.10.1                          // gateway handed out to clients
     network 192.168.10.0 mask 24                       // network and mask of the pool
     excluded-ip-address 192.168.10.200 192.168.10.254  // addresses that are never leased
     lease day 2 hour 0 minute 0                        // lease time
     dns-list 114.114.114.114 8.8.8.8                   // DNS servers handed out to clients
     quit
    interface gigabitethernet 1/0/0
     ip address 192.168.10.1 24
     dhcp select global                                 // serve leases on this interface from the global pool
     quit
    interface GigabitEthernet 1/0/2
     ip address 202.67.11.1 24
     quit
    interface gigabitethernet 1/0/1
     ip address 172.16.10.1 24
     quit

Add the interfaces to security zones. An interface that belongs to no zone cannot forward traffic, and the zone pair (not the interface) is what the security policy later matches on:

    firewall zone trust                     // enter the trust zone
     add interface gigabitethernet 1/0/0    // add the internal interface
     quit
    firewall zone untrust
     add interface gigabitethernet 1/0/2
     quit
    firewall zone dmz
     add interface gigabitethernet 1/0/1
     quit
    display zone                            // show all zones and their members

    2021-04-07 09:40:02.010
    local
     priority is 100
     interface of the zone is (0):
    #
    trust
     priority is 85
     interface of the zone is (2):
        GigabitEthernet0/0/0
        GigabitEthernet1/0/0
    #
    untrust
     priority is 5
     interface of the zone is (1):
        GigabitEthernet1/0/2
    #
    dmz
     priority is 50
     interface of the zone is (1):
        GigabitEthernet1/0/1

The priorities shown (local 100, trust 85, dmz 50, untrust 5) are the defaults, and GigabitEthernet0/0/0, the management interface, is already a member of trust without being added here.

Configure the security policy:

    security-policy                                     // enter the security-policy view
     rule name T2UD                                     // rule name: Trust to Untrust and DMZ
      source-zone trust                                 // source zone
      destination-zone untrust dmz                      // destination zones
      source-address 192.168.10.0 0.0.0.255             // source address range (optional)
      destination-address 172.16.10.0 0.0.0.255         // destination address range (optional)
      destination-address 202.67.11.0 0.0.0.255         // destination address range (optional)
      action permit                                     // allow matching traffic
      quit
     rule name U2D                                      // rule name: Untrust to DMZ
      source-zone untrust
      destination-zone dmz
      source-address any
      destination-address 172.16.10.0 0.0.0.255
      action permit
      quit
     quit
    display security-policy rule all

    2021-04-07 09:52:58.170
    Total:3
    RULE ID  RULE NAME  STATE   ACTION  HITS
    ---------------------------------------------------------------------
    1        T2UD       enable  permit  0
    2        U2D        enable  permit  0
    0        default    enable  deny    0

Rules are evaluated top-down and the first match wins; anything that matches neither T2UD nor U2D, including every Untrust-to-Trust flow, falls through to the built-in default rule (ID 0) and is denied, so no explicit deny rule is needed. Two points worth checking before reusing this policy: the optional destination-address lines in T2UD restrict the internal network to the two listed /24 networks, so hosts beyond 202.67.11.0/24 on a real WAN would not match the rule, and U2D permits every service from any Untrust address to the DMZ server rather than only the services the server is meant to expose.
Test the configuration

PC1 (Trust, 192.168.10.145 from the DHCP pool) pings PC2 (Untrust, 202.67.11.100) and Server1 (DMZ, 172.16.10.100):

    PC>ping 202.67.11.100

    Ping 202.67.11.100: 32 data bytes, Press Ctrl_C to break
    From 202.67.11.100: bytes=32 seq=1 ttl=127 time<1 ms
    From 202.67.11.100: bytes=32 seq=2 ttl=127 time=16 ms
    From 202.67.11.100: bytes=32 seq=3 ttl=127 time<1 ms
    From 202.67.11.100: bytes=32 seq=4 ttl=127 time<1 ms
    From 202.67.11.100: bytes=32 seq=5 ttl=127 time=15 ms

    --- 202.67.11.100 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 0/6/16 ms

    PC>ping 172.16.10.100

    Ping 172.16.10.100: 32 data bytes, Press Ctrl_C to break
    From 172.16.10.100: bytes=32 seq=1 ttl=254 time<1 ms
    From 172.16.10.100: bytes=32 seq=2 ttl=254 time=16 ms
    From 172.16.10.100: bytes=32 seq=3 ttl=254 time<1 ms
    From 172.16.10.100: bytes=32 seq=4 ttl=254 time<1 ms
    From 172.16.10.100: bytes=32 seq=5 ttl=254 time=15 ms

    --- 172.16.10.100 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 0/6/16 ms

PC2 (Untrust) pings PC1 and Server1:

    PC>ping 192.168.10.145

    Ping 192.168.10.145: 32 data bytes, Press Ctrl_C to break
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!
    Request timeout!

    --- 192.168.10.145 ping statistics ---
      5 packet(s) transmitted
      0 packet(s) received
      100.00% packet loss

    PC>ping 172.16.10.100

    Ping 172.16.10.100: 32 data bytes, Press Ctrl_C to break
    From 172.16.10.100: bytes=32 seq=1 ttl=254 time<1 ms
    From 172.16.10.100: bytes=32 seq=2 ttl=254 time<1 ms
    From 172.16.10.100: bytes=32 seq=3 ttl=254 time=16 ms
    From 172.16.10.100: bytes=32 seq=4 ttl=254 time<1 ms
    From 172.16.10.100: bytes=32 seq=5 ttl=254 time=16 ms

    --- 172.16.10.100 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 0/6/16 ms

Result: a PC in the Trust zone can reach Untrust, but Untrust cannot reach Trust; both Trust and Untrust can reach the DMZ. This matches the requirements. Note that PC1's pings to PC2 get their replies even though no rule permits Untrust-to-Trust traffic: the firewall is stateful, so the forward direction permitted by T2UD creates a session and the reply is forwarded as the reverse direction of that session, while PC2's own unsolicited pings to PC1 have no session and hit the default deny rule.
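To make the matching logic behind the policy and the test results explicit, here is an added Python model of the zone-based, first-match, stateful policy configured above. It is not code from the page or from Huawei; the zone membership is derived from the interface addresses, the rule list mirrors T2UD, U2D and the default rule, and the small session table is an assumed simplification of the firewall's real session handling (the local zone, services and ports are not modelled). The host addresses are the ones used in the ping tests.

```python
"""Model of the zone-based, stateful security policy from the USG example."""
from ipaddress import ip_address, ip_network

# Zone membership derived from the configured interface addresses:
# GE1/0/0 192.168.10.1/24 -> trust, GE1/0/2 202.67.11.1/24 -> untrust,
# GE1/0/1 172.16.10.1/24 -> dmz. (The "local" zone is not modelled.)
ZONES = {
    "trust": [ip_network("192.168.10.0/24")],
    "untrust": [ip_network("202.67.11.0/24")],
    "dmz": [ip_network("172.16.10.0/24")],
}

# Security-policy rules in configured order; "any" matches everything.
# The last entry is the firewall's built-in default rule (ID 0).
RULES = [
    {"name": "T2UD", "src_zones": {"trust"}, "dst_zones": {"untrust", "dmz"},
     "src": [ip_network("192.168.10.0/24")],
     "dst": [ip_network("172.16.10.0/24"), ip_network("202.67.11.0/24")],
     "action": "permit"},
    {"name": "U2D", "src_zones": {"untrust"}, "dst_zones": {"dmz"},
     "src": "any", "dst": [ip_network("172.16.10.0/24")], "action": "permit"},
    {"name": "default", "src_zones": "any", "dst_zones": "any",
     "src": "any", "dst": "any", "action": "deny"},
]


def zone_of(ip):
    """Return the zone whose interface network contains ip, or None."""
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return None


def _addr_match(spec, ip):
    # Several address lines in one rule are OR'ed, as on the firewall.
    return spec == "any" or any(ip_address(ip) in net for net in spec)


def _zone_match(spec, zone):
    return spec == "any" or zone in spec


def evaluate(src_ip, dst_ip):
    """Top-down, first-match policy lookup. Returns (rule name, action)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        # Traffic to or from an address behind no zoned interface is dropped.
        return ("no-zone", "deny")
    for rule in RULES:
        if (_zone_match(rule["src_zones"], src_zone)
                and _zone_match(rule["dst_zones"], dst_zone)
                and _addr_match(rule["src"], src_ip)
                and _addr_match(rule["dst"], dst_ip)):
            return (rule["name"], rule["action"])
    return ("default", "deny")  # unreachable while the default rule is last


class StatefulFirewall:
    """Assumed simplification of stateful forwarding: a permitted flow
    creates a session, and the reverse direction of an existing session is
    forwarded without consulting the policy again."""

    def __init__(self):
        self.sessions = set()

    def forward(self, src_ip, dst_ip):
        if (dst_ip, src_ip) in self.sessions:
            return ("session", "permit")
        name, action = evaluate(src_ip, dst_ip)
        if action == "permit":
            self.sessions.add((src_ip, dst_ip))
        return (name, action)


if __name__ == "__main__":
    fw = StatefulFirewall()
    for src, dst in [("192.168.10.145", "202.67.11.100"),   # PC1 -> PC2
                     ("202.67.11.100", "192.168.10.145"),   # PC2 reply to PC1
                     ("202.67.11.100", "172.16.10.100"),    # PC2 -> Server1
                     ("192.168.10.145", "172.16.10.100")]:  # PC1 -> Server1
        print(src, "->", dst, fw.forward(src, dst))
    print("unsolicited PC2 -> PC1:",
          StatefulFirewall().forward("202.67.11.100", "192.168.10.145"))
```

Running it reproduces the ping results: PC1 reaches PC2 and Server1 through T2UD, PC2 reaches Server1 through U2D, PC2's reply to PC1 rides on the session PC1 created, and an unsolicited PC2-to-PC1 packet on a fresh firewall falls through to the default deny.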