防火墙1
Posted tiamolj
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了防火墙1相关的知识,希望对你有一定的参考价值。
将g1/0/0口放入trust中
cmd 中192.168.12.1(通)
1)LSW1上配置4个vlan 100 10 20 30 并将端口放进vlan中且配地址
interface Vlanif10
ip address 203.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 204.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 205.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 202.1.1.2 255.255.255.0
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100
2)给路由器,防火墙配地址
R1:
interface GigabitEthernet0/0/0
ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.1.1.2 255.255.255.0
FW1:
以1/0/1为例:
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.1.254 255.255.255.0
service-manage enable
service-manage all permit
3)做i静态,使其能到防火墙
LSW1:
ip route-static 0.0.0.0 0.0.0.0 202.1.1.1
FW1:
ip route-static 202.1.1.0 255.255.255.0 200.1.1.2
ip route-static 203.1.1.0 255.255.255.0 200.1.1.2
ip route-static 204.1.1.0 255.255.255.0 200.1.1.2
ip route-static 205.1.1.0 255.255.255.0 200.1.1.2
AR1:
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
ip route-static 192.168.2.0 255.255.255.0 200.1.1.1
ip route-static 203.1.1.0 255.255.255.0 202.1.1.2
ip route-static 204.1.1.0 255.255.255.0 202.1.1.2
ip route-static 205.1.1.0 255.255.255.0 202.1.1.2
4)配置防火墙区域:
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/5
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/4
1.trust访问DMZ的http
security-policy
rule name permit_trust_dmz
source-zone trust
destination-zone dmz
service http
service icmp
action permit
结果:client1能ping通192.168.1.253
将server的服务启动既可访问:
2.untrust的client2访问DMZ的http client3不能
security-policy
rule name permit_untrust_dmz
source-zone untrust
destination-zone dmz
source-address 203.1.1.0 mask 255.255.255.0
destination-address 192.168.1.0 mask 255.255.255.0
service http
service icmp
action permit
结果:
3.DMZ的PC2能够和VLAN10通信
security-policy
rule name permit_client2_pc2
source-zone untrust
destination-zone dmz
source-address 203.1.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
service icmp
action permit
4.防火墙能ping通trust的中client1
security-policy
rule name permit_local_trust
source-zone local
destination-zone trust
service icmp
action permit
5.防火墙能够telnet到AR1
security-policy
rule name permit_local_untrust
source-zone local
destination-zone untrust
service icmp
service telnet
action permit
AR1:
[R1]telnet server enable
[R1-aaa]local-user lj password cipher 123
[R1-aaa]local-user lj privilege level 15
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
[R1-ui-vty0-4]protocol inbound all
6.dmz区域内测试,不能ping通
security-policy
rule name deny_200_253
source-zone dmz
destination-zone dmz
source-address 192.168.2.200 mask 255.255.255.255
destination-address 192.168.1.253 mask 255.255.255.255
service icmp
action deny
7.trustclient1能够FTP到dmz的serve2
security-policy
rule name permit_trust_dmz
source-zone trust
destination-zone dmz
service ftp
service icmp
action permit
以上是关于防火墙1的主要内容,如果未能解决你的问题,请参考以下文章