Basic firewall access policy configuration

Firewall policy requirements:
- Trust (the company's internal network) can access Untrust (the WAN), but Untrust cannot access Trust.
- Trust can access the DMZ server.
- Untrust (WAN users) can access the DMZ server.
Configure the interfaces, their addresses and DHCP

<USG6000V1>system-view
[USG6000V1]sysname fw
[fw]dhcp enable                                   //enable DHCP
[fw]ip pool trust                                 //create the address pool
[fw-ip-pool-trust]gateway-list 192.168.10.1       //gateway handed out to clients
[fw-ip-pool-trust]network 192.168.10.0 mask 24    //network and mask of the pool
[fw-ip-pool-trust]excluded-ip-address 192.168.10.200 192.168.10.254    //addresses excluded from allocation
[fw-ip-pool-trust]lease day 2 hour 0 minute 0     //lease time
[fw-ip-pool-trust]dns-list 114.114.114.114 8.8.8.8    //DNS servers
[fw-ip-pool-trust]quit
[fw]interface gigabitethernet 1/0/0
[fw-GigabitEthernet1/0/0]ip address 192.168.10.1 24
[fw-GigabitEthernet1/0/0]dhcp select global       //the interface serves addresses from the global pool
[fw-GigabitEthernet1/0/0]quit
[fw]interface GigabitEthernet 1/0/2
[fw-GigabitEthernet1/0/2]ip address 202.67.11.1 24
[fw-GigabitEthernet1/0/2]quit
[fw]interface gigabitethernet 1/0/1
[fw-GigabitEthernet1/0/1]ip address 172.16.10.1 24
[fw-GigabitEthernet1/0/1]quit

Add the interfaces to security zones

[fw]firewall zone trust                           //enter the trust zone
[fw-zone-trust]add interface gigabitethernet 1/0/0    //add the interface
[fw-zone-trust]quit
[fw]firewall zone untrust
[fw-zone-untrust]add interface gigabitethernet 1/0/2
[fw-zone-untrust]quit
[fw]firewall zone dmz
[fw-zone-dmz]add interface gigabitethernet 1/0/1
[fw-zone-dmz]quit
[fw]display zone                                  //show all zones
2021-04-07 09:40:02.010
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (2):
    GigabitEthernet0/0/0
    GigabitEthernet1/0/0
#
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/2
#
dmz
 priority is 50
 interface of the zone is (1):
    GigabitEthernet1/0/1

Configure the security policy

[fw]security-policy                               //enter the security policy view
[fw-policy-security]rule name T2UD                //rule name
[fw-policy-security-rule-T2UD]source-zone trust   //source zone
[fw-policy-security-rule-T2UD]destination-zone untrust dmz    //destination zones
[fw-policy-security-rule-T2UD]source-address 192.168.10.0 0.0.0.255         //source address range (optional)
[fw-policy-security-rule-T2UD]destination-address 172.16.10.0 0.0.0.255     //destination address range (optional)
[fw-policy-security-rule-T2UD]destination-address 202.67.11.0 0.0.0.255     //destination address range (optional)
[fw-policy-security-rule-T2UD]action permit       //permit the traffic
[fw-policy-security-rule-T2UD]quit
[fw-policy-security]rule name U2D
[fw-policy-security-rule-U2D]source-zone untrust
[fw-policy-security-rule-U2D]destination-zone dmz
[fw-policy-security-rule-U2D]source-address any
[fw-policy-security-rule-U2D]destination-address 172.16.10.0 0.0.0.255
[fw-policy-security-rule-U2D]action permit
[fw-policy-security-rule-U2D]quit
[fw-policy-security]quit
[fw]display security-policy rule all
2021-04-07 09:52:58.170
Total:3
RULE ID  RULE NAME  STATE   ACTION  HITS
---------------------------------------------------------------------
1        T2UD       enable  permit  0
2        U2D        enable  permit  0
0        default    enable  deny    0
Testing the configuration

PC1 pings PC2 and Server1:

PC>ping 202.67.11.100

Ping 202.67.11.100: 32 data bytes, Press Ctrl_C to break
From 202.67.11.100: bytes=32 seq=1 ttl=127 time<1 ms
From 202.67.11.100: bytes=32 seq=2 ttl=127 time=16 ms
From 202.67.11.100: bytes=32 seq=3 ttl=127 time<1 ms
From 202.67.11.100: bytes=32 seq=4 ttl=127 time<1 ms
From 202.67.11.100: bytes=32 seq=5 ttl=127 time=15 ms

--- 202.67.11.100 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 0/6/16 ms

PC>ping 172.16.10.100

Ping 172.16.10.100: 32 data bytes, Press Ctrl_C to break
From 172.16.10.100: bytes=32 seq=1 ttl=254 time<1 ms
From 172.16.10.100: bytes=32 seq=2 ttl=254 time=16 ms
From 172.16.10.100: bytes=32 seq=3 ttl=254 time<1 ms
From 172.16.10.100: bytes=32 seq=4 ttl=254 time<1 ms
From 172.16.10.100: bytes=32 seq=5 ttl=254 time=15 ms

--- 172.16.10.100 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 0/6/16 ms

PC2 pings PC1 and Server1:

PC>ping 192.168.10.145

Ping 192.168.10.145: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 192.168.10.145 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC>ping 172.16.10.100

Ping 172.16.10.100: 32 data bytes, Press Ctrl_C to break
From 172.16.10.100: bytes=32 seq=1 ttl=254 time<1 ms
From 172.16.10.100: bytes=32 seq=2 ttl=254 time<1 ms
From 172.16.10.100: bytes=32 seq=3 ttl=254 time=16 ms
From 172.16.10.100: bytes=32 seq=4 ttl=254 time<1 ms
From 172.16.10.100: bytes=32 seq=5 ttl=254 time=16 ms

--- 172.16.10.100 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 0/6/16 ms

Result: a host in the trust zone can reach untrust, but untrust cannot reach trust; both trust and untrust can reach the DMZ. This meets the requirements.
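The following is an added example, not code from the original post or from Huawei. It re-implements the rule matching the USG6000V applies to the configuration above (zone lookup by connected subnet, wildcard-mask address matching, first matching rule wins, trailing default rule denies) in plain Python, so that the four ping tests can be replayed offline and the reason each one passes or fails can be read off the matching rule. Interface subnets, zone membership, rule names and address ranges are copied from the configuration; the host addresses are the ones pinged in the tests. DEFAULT_ROUTE_ZONE is an assumption (the post configures no routes): a destination outside every connected subnet is assumed to leave through the untrust interface. The example also goes one step beyond the post's tests by evaluating a trust host reaching a WAN address outside the destination ranges listed in T2UD, which the configured rule set denies.

```python
"""Replay of the page's zone-based security policy (added example, see lead-in)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Interface subnets, from the `ip address` commands on the page.
INTERFACES = {
    "GigabitEthernet1/0/0": ipaddress.ip_network("192.168.10.0/24"),  # trust
    "GigabitEthernet1/0/1": ipaddress.ip_network("172.16.10.0/24"),   # dmz
    "GigabitEthernet1/0/2": ipaddress.ip_network("202.67.11.0/24"),   # untrust
}

# Zone membership, from the `firewall zone ... add interface` commands.
ZONES = {
    "trust": ["GigabitEthernet1/0/0"],
    "untrust": ["GigabitEthernet1/0/2"],
    "dmz": ["GigabitEthernet1/0/1"],
}

# Assumption, not on the page: a default route points out of the untrust zone.
DEFAULT_ROUTE_ZONE = "untrust"


def zone_of(ip: str) -> str:
    """Zone of the interface whose connected subnet contains ip, else the default-route zone."""
    addr = ipaddress.ip_address(ip)
    for zone, ifaces in ZONES.items():
        if any(addr in INTERFACES[i] for i in ifaces):
            return zone
    return DEFAULT_ROUTE_ZONE


def wildcard_match(ip: str, spec: str) -> bool:
    """Match ip against 'base wildcard' as written in source-/destination-address.

    A 0 bit in the wildcard must equal the base address; 1 bits are ignored
    (so 0.0.0.255 is a /24). The literal 'any' matches every address.
    """
    if spec == "any":
        return True
    base, wildcard = spec.split()
    ignore = int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(ip)) & ~ignore) == (int(ipaddress.ip_address(base)) & ~ignore)


@dataclass
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    source_zones: List[str]         # ["any"] when the rule names no zone
    destination_zones: List[str]
    source_addresses: List[str] = field(default_factory=lambda: ["any"])
    destination_addresses: List[str] = field(default_factory=lambda: ["any"])

    def matches(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str) -> bool:
        # Several address lines under one rule are alternatives (OR), as in T2UD.
        return (
            ("any" in self.source_zones or src_zone in self.source_zones)
            and ("any" in self.destination_zones or dst_zone in self.destination_zones)
            and any(wildcard_match(src_ip, s) for s in self.source_addresses)
            and any(wildcard_match(dst_ip, d) for d in self.destination_addresses)
        )


# The rule set, in the order `display security-policy rule all` lists it.
POLICY = [
    Rule("T2UD", "permit", ["trust"], ["untrust", "dmz"],
         source_addresses=["192.168.10.0 0.0.0.255"],
         destination_addresses=["172.16.10.0 0.0.0.255", "202.67.11.0 0.0.0.255"]),
    Rule("U2D", "permit", ["untrust"], ["dmz"],
         source_addresses=["any"],
         destination_addresses=["172.16.10.0 0.0.0.255"]),
    Rule("default", "deny", ["any"], ["any"]),
]


def evaluate(src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """(rule name, action) of the first rule matching a flow opened from src_ip to dst_ip.

    Only the initiating direction is evaluated: the firewall is stateful, so the
    ping replies in the tests ride on the session the request created.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip):
            return rule.name, rule.action
    raise AssertionError("unreachable: the default rule matches every flow")


def replay_page_tests() -> dict:
    """The four pings from the post plus one destination outside the T2UD ranges."""
    flows = {
        "PC1 -> PC2 (trust -> untrust)": ("192.168.10.145", "202.67.11.100"),
        "PC1 -> Server1 (trust -> dmz)": ("192.168.10.145", "172.16.10.100"),
        "PC2 -> PC1 (untrust -> trust)": ("202.67.11.100", "192.168.10.145"),
        "PC2 -> Server1 (untrust -> dmz)": ("202.67.11.100", "172.16.10.100"),
        "PC1 -> 8.8.8.8 (trust -> WAN, outside T2UD ranges)": ("192.168.10.145", "8.8.8.8"),
    }
    return {label: evaluate(s, d) for label, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, (rule, action) in replay_page_tests().items():
        print(f"{label:52} {action:6} (rule {rule})")
```

Running the script reproduces the test section: the two PC1 pings and the PC2 ping to Server1 hit a permit rule, the PC2 ping to PC1 falls through to the default deny. The fifth flow shows the effect of the optional destination-address lines: with them present, T2UD only permits trust hosts to reach the two listed /24 networks, so anything else on the WAN side is denied by the default rule.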