防火墙1

Posted tiamolj

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了防火墙1相关的知识,希望对你有一定的参考价值。

技术图片

 

 

 

技术图片

 

 

 

 将g1/0/0口放入trust中

cmd 中192.168.12.1(通)

技术图片

1)LSW1上配置4个vlan 100 10 20 30 并将端口放进vlan中且配地址

interface Vlanif10
ip address 203.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 204.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 205.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 202.1.1.2 255.255.255.0

 

interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100

2)给路由器,防火墙配地址

R1:

interface GigabitEthernet0/0/0
ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.1.1.2 255.255.255.0

FW1:

以1/0/1为例:

interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.1.254 255.255.255.0

service-manage enable

service-manage all permit

3)做i静态,使其能到防火墙

 LSW1:

ip route-static 0.0.0.0 0.0.0.0 202.1.1.1

FW1:

ip route-static 202.1.1.0 255.255.255.0 200.1.1.2
ip route-static 203.1.1.0 255.255.255.0 200.1.1.2
ip route-static 204.1.1.0 255.255.255.0 200.1.1.2
ip route-static 205.1.1.0 255.255.255.0 200.1.1.2

AR1:

ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
ip route-static 192.168.2.0 255.255.255.0 200.1.1.1
ip route-static 203.1.1.0 255.255.255.0 202.1.1.2
ip route-static 204.1.1.0 255.255.255.0 202.1.1.2
ip route-static 205.1.1.0 255.255.255.0 202.1.1.2

 

4)配置防火墙区域:

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/5
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/4

1.trust访问DMZ的http

security-policy
 rule name permit_trust_dmz
 source-zone trust
 destination-zone dmz
 service http
 service icmp
 action permit

结果:client1能ping通192.168.1.253

技术图片

 

 

 

将server的服务启动既可访问: 

技术图片

 

 

 


2.untrust的client2访问DMZ的http client3不能

security-policy

  rule name permit_untrust_dmz
  source-zone untrust
  destination-zone dmz
  source-address 203.1.1.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  service http
  service icmp
  action permit

结果:

技术图片

  

技术图片

3.DMZ的PC2能够和VLAN10通信

security-policy

  rule name permit_client2_pc2
  source-zone untrust
  destination-zone dmz
  source-address 203.1.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  service icmp
  action permit

技术图片


4.防火墙能ping通trust的中client1

security-policy 

  rule name permit_local_trust
  source-zone local
  destination-zone trust
  service icmp
  action permit

技术图片

 

 


5.防火墙能够telnet到AR1

security-policy

  rule name permit_local_untrust

  source-zone local
  destination-zone untrust
  service icmp
  service telnet
  action permit

AR1:

[R1]telnet server  enable

[R1-aaa]local-user lj password cipher 123

[R1-aaa]local-user lj privilege level 15

[R1]user-interface vty 0 4

[R1-ui-vty0-4]authentication-mode aaa

[R1-ui-vty0-4]protocol inbound all

技术图片

 

 

6.dmz区域内测试,不能ping通

security-policy

  rule name deny_200_253
  source-zone dmz
  destination-zone dmz
  source-address 192.168.2.200 mask 255.255.255.255
  destination-address 192.168.1.253 mask 255.255.255.255
  service icmp
  action deny

技术图片


7.trustclient1能够FTP到dmz的serve2

security-policy
  rule name permit_trust_dmz
  source-zone trust
  destination-zone dmz
  service ftp
  service icmp
  action permit

技术图片

 

以上是关于防火墙1的主要内容,如果未能解决你的问题,请参考以下文章

iptables 防火墙

JUNIPER防火墙学习笔记

Linux----------防火墙

iptables防火墙

Linux中的防火墙netfilter/iptables 简介

win7系统下彩影arp防火墙错误代码:1/0