"Huawei Security Certification HCIE" Study Notes | Interzone Forwarding Policy Configuration
Posted by COCOgsta
Source of the study videos: Huawei Security Certification HCIE
While studying, I also verified the lab portion of the videos; here I have organized both the lecture notes and the lab notes.
Network topology
Key configuration and verification
On OKLABFW, remove the interfaces from the original trust zone and place them in the untrust and dmz zones
firewall zone trust
undo add interface GigabitEthernet 0/0/1.2
undo add interface GigabitEthernet 0/0/1.4
firewall zone untrust
add interface GigabitEthernet 0/0/1.2
firewall zone dmz
add interface GigabitEthernet 0/0/1.4
Test to verify that Inside cannot ping Outside
[Inside]ping 202.100.1.1
PING 202.100.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 202.100.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[Inside]
On OKLABFW, change the interzone default policy
firewall packet-filter default permit interzone trust untrust direction outbound
Check the change to the interzone default policy rules
[OKLAB-FW]dis firewall packet-filter default all
20:07:22 2021/06/28
Firewall default packet-filter action is:
----------------------------------------------------------------------
packet-filter in public:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
dmz -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
packet-filter between VFW:
[OKLAB-FW]
Verify that Inside can now ping Outside
[Inside]ping 202.100.1.1
PING 202.100.1.1: 56 data bytes, press CTRL_C to break
Reply from 202.100.1.1: bytes=56 Sequence=1 ttl=254 time=80 ms
Reply from 202.100.1.1: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 202.100.1.1: bytes=56 Sequence=3 ttl=254 time=90 ms
Reply from 202.100.1.1: bytes=56 Sequence=4 ttl=254 time=100 ms
Reply from 202.100.1.1: bytes=56 Sequence=5 ttl=254 time=130 ms
--- 202.100.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/96/130 ms
[Inside]
Restore the interzone default policy rule
firewall packet-filter default deny interzone trust untrust direction outbound
On OKLABFW, configure a detailed interzone forwarding policy
policy interzone trust untrust outbound
policy create-mode auto-sort enable
policy 5
action permit
policy service service-set icmp
policy source 10.1.1.0 mask 24
policy destination 202.100.1.0 mask 24
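As an added example (not from the course or these notes), the following Python script works with the two artefacts shown above: it parses the interzone default table printed by display firewall packet-filter default all and flags every non-local interzone direction whose default action is permit, and it parses the detailed policy block and evaluates whether a given flow would be permitted. The display output and the policy configuration embedded in the script are constructed from the notes; the matching logic (first matching rule wins, otherwise the interzone default applies) is a simplification of the USG lookup, and the flow addresses are assumed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of "display firewall packet-filter default all"
# output in the format shown in the notes, before the default was restored to deny.
DEFAULT_TABLE = """\
Firewall default packet-filter action is:
packet-filter in public:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
packet-filter between VFW:
"""

PAIR_RE = re.compile(r"^(\S+) -> (\S+) :$")
DIR_RE = re.compile(r"^(inbound|outbound) : default: (permit|deny);")

def parse_defaults(text):
    """Map (zone_a, zone_b, direction) -> 'permit' | 'deny' from the display output."""
    defaults, pair = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := PAIR_RE.match(line):
            pair = (m.group(1), m.group(2))
        elif (m := DIR_RE.match(line)) and pair:
            defaults[(pair[0], pair[1], m.group(1))] = m.group(2)
    return defaults

def permissive_defaults(defaults):
    """Interzone directions that permit everything by default, ignoring the
    firewall's own 'local' zone; these are the entries an audit should flag."""
    return sorted(k for k, v in defaults.items() if v == "permit" and "local" not in k[:2])

@dataclass
class Rule:
    number: int
    action: str = "deny"  # assumption: treated as deny until an 'action' line is seen
    services: set = field(default_factory=set)    # empty = any service
    sources: list = field(default_factory=list)   # empty = any source network
    destinations: list = field(default_factory=list)

    def matches(self, src, dst, service):
        return ((not self.services or service in self.services)
                and (not self.sources or any(src in n for n in self.sources))
                and (not self.destinations or any(dst in n for n in self.destinations)))

@dataclass
class InterzonePolicy:
    src_zone: str
    dst_zone: str
    direction: str
    default: str
    rules: list = field(default_factory=list)

    def evaluate(self, src_ip, dst_ip, service):
        """First matching rule wins; otherwise the interzone default action applies."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if rule.matches(src, dst, service):
                return rule.action
        return self.default

# Constructed sample: the detailed policy from the notes.
POLICY_CONFIG = """\
policy interzone trust untrust outbound
 policy create-mode auto-sort enable
 policy 5
  action permit
  policy service service-set icmp
  policy source 10.1.1.0 mask 24
  policy destination 202.100.1.0 mask 24
"""

def parse_policy(text, default_action):
    """Build an InterzonePolicy from the CLI block; default_action is the
    interzone default in force (deny after the restore command in the notes)."""
    policy = rule = None
    for raw in text.splitlines():
        p = raw.split()
        if p[:2] == ["policy", "interzone"]:
            policy = InterzonePolicy(p[2], p[3], p[4], default_action)
        elif len(p) == 2 and p[0] == "policy" and p[1].isdigit():
            rule = Rule(int(p[1]))
            policy.rules.append(rule)
        elif p[:1] == ["action"]:
            rule.action = p[1]
        elif p[:3] == ["policy", "service", "service-set"]:
            rule.services.update(p[3:])
        elif len(p) == 5 and p[:2] in (["policy", "source"], ["policy", "destination"]) and p[3] == "mask":
            net = ipaddress.ip_network(f"{p[2]}/{p[4]}", strict=False)
            (rule.sources if p[1] == "source" else rule.destinations).append(net)
        # other lines (e.g. 'policy create-mode ...') do not affect matching
    return policy

if __name__ == "__main__":
    print("permit-by-default interzones:", permissive_defaults(parse_defaults(DEFAULT_TABLE)))
    pol = parse_policy(POLICY_CONFIG, "deny")
    for flow in [("10.1.1.10", "202.100.1.1", "icmp"), ("10.1.1.10", "202.100.1.1", "tcp"),
                 ("10.1.2.10", "202.100.1.1", "icmp")]:  # assumed flow addresses
        print(flow, "->", pol.evaluate(*flow))
```

Run against the constructed table, the audit reports only trust -> untrust outbound as permit-by-default, which is exactly the broad opening the notes create with the first command and then take back. With the default restored to deny, only the lab's ICMP flow from 10.1.1.0/24 to 202.100.1.0/24 is permitted; the same hosts with another service, or a source or destination outside those prefixes, fall through to the deny default.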
Verify again that Inside can ping Outside
<Inside>ping 202.100.1.1
PING 202.100.1.1: 56 data bytes, press CTRL_C to break
Reply from 202.100.1.1: bytes=56 Sequence=1 ttl=254 time=110 ms
Reply from 202.100.1.1: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 202.100.1.1: bytes=56 Sequence=3 ttl=254 time=110 ms
Reply from 202.100.1.1: bytes=56 Sequence=4 ttl=254 time=90 ms
Reply from 202.100.1.1: bytes=56 Sequence=5 ttl=254 time=110 ms
--- 202.100.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/100/110 ms
<Inside>