防火墙
1.配置防火墙:
int g1/0/3
ip add 192.168.3.2
service-manage enable
service-manage all permit
把接口画进zone区域:
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface gig1/0/3
此时防火墙起来:
6.dmz区域内测试,不能ping通
g1/0/0和g1/0/1接口划入dmz区域 并开启功能
[USG6000V1-GigabitEthernet1/0/0]dis this
2019-08-28 12:37:32.860
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 19.16.1.1 255.255.255.0
service-manage enable
service-manage all permit
interface GigabitEthernet1/0/1
undo shutdown
ip address 20.16.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]dis this
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
此时pc1和 service 1 2 是通的
做策略:
[USG6000V1-policy-security-rule-permit_dmz_dmz]dis this
2019-08-28 12:46:46.920
#
rule name permit_dmz_dmz
source-zone dmz
destination-zone dmz
source-address 19.16.1.0 mask 255.255.255.0
destination-address 20.16.1.0 mask 255.255.255.0
service icmp
action deny
此时pc1和 service 1 2 是不通的
1.trust访问DMZ的http
[USG6000V1-GigabitEthernet1/0/2]dis this
2019-08-28 12:56:56.860
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 23.1.1.1 255.255.255.0
[USG6000V1-zone-trust]dis this
2019-08-28 12:57:23.740
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
return
[USG6000V1-policy-security-rule-permit_trust_dmz]dis this
2019-08-28 12:56:21.860
#
rule name permit_trust_dmz
source-zone trust
destination-zone dmz
source-address 23.1.1.0 mask 255.255.255.0
destination-address 19.16.1.0 mask 255.255.255.0
destination-address 20.16.1.0 mask 255.255.255.0
service http
service icmp
action permit
2.untrust访问DMZ的http
配置静态,配置策略,防火墙 口的配置
交换机1:
interface Vlanif10
ip address 101.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 202.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 203.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 33.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
ip route-static 0.0.0.0 0.0.0.0 33.1.1.2
ip route-static 19.16.1.0 255.255.255.0 33.1.1.2
ip route-static 20.16.1.0 255.255.255.0 33.1.1.2
ip route-static 22.1.1.0 255.255.255.0 33.1.1.2
#
user-interface con 0
user-interface vty 0 4
R1:
interface GigabitEthernet0/0/0
ip address 33.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 22.1.1.3 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 19.16.1.0 255.255.255.0 22.1.1.2
ip route-static 20.16.1.0 255.255.255.0 22.1.1.2
ip route-static 101.1.1.0 255.255.255.0 33.1.1.1
ip route-static 202.1.1.0 255.255.255.0 33.1.1.1
ip route-static 203.1.1.0 255.255.255.0 33.1.1.1
FW:
ip route-static 0.0.0.0 0.0.0.0 22.1.1.3
ip route-static 33.1.1.0 255.255.255.0 22.1.1.3
ip route-static 101.1.1.0 255.255.255.0 22.1.1.3
ip route-static 202.1.1.0 255.255.255.0 22.1.1.3
ip route-static 203.1.1.0 255.255.255.0 22.1.1.3
rule name permit_untrust_dmz
source-zone untrust
destination-zone dmz
source-address 101.1.1.100 mask 255.255.255.255
destination-address 19.16.1.2 mask 255.255.255.255
destination-address 20.16.1.0 mask 255.255.255.0
service http
service icmp
action permit
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
注意zone口的划分。
3.DMZ的PC2能够和VLAN10通信
rule name permit_dmz_untrust
source-zone dmz
destination-zone untrust
source-address 19.16.1.0 mask 255.255.255.0
destination-address 101.1.1.0 mask 255.255.255.0
service http
service icmp
action permit
策略不可以双向通;
要想防火墙通别人,写策略
4.防火墙能ping通trust的中client1
[USG6000V1-policy-security-rule-permit_local_trust]dis this
2019-08-29 08:45:08.510
#
rule name permit_local_trust
source-zone local
destination-zone trust
source-address 23.1.1.0 mask 255.255.255.0
destination-address 23.1.1.0 mask 255.255.255.0
service http
service icmp
action permit
#
return
源zone区域为local
5.防火墙能够telnet到AR1
AR1:
做个aaa认证:
aaa
local-user qqq password cipher %$%$&LR6E7OJzVkDhT&/8=5UEmdJ%$%$
local-user qqq privilege level 15
local-user qqq service-type telnet
调用:
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
.防火墙:
rule name permit_local_untrust
source-zone local
destination-zone untrust
service icmp
service telnet
action permit
7.trust client1能够FTP到dmz的serve2
开启ftp服务:
[USG6000V1-policy-security-rule-permit_trust_dmz]dis thi
2019-08-29 09:37:08.820
#
rule name permit_trust_dmz
source-zone trust
destination-zone dmz
source-address 23.1.1.0 mask 255.255.255.0
destination-address 19.16.1.0 mask 255.255.255.0
destination-address 20.16.1.0 mask 255.255.255.0
service ftp
service http
service icmp
action permit
#
return
注意:
交换机和路由器之间不用做trunk
只有交换机和交换机之间做trunk
交换机的g0/0/0是untrust区域
---恢复内容结束---