防火墙2
Posted tiamolj
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了防火墙2相关的知识,希望对你有一定的参考价值。
1.
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.1.1.1 255.255.255.0
interface GigabitEthernet1/0/4
undo shutdown
ip address 169.254.43.1 255.255.255.0
service-manage enable #进入到管理模式
service-manage all permit #允许所有
(service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit)
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/4
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
security-policy
rule name permit_trust_dmz
source-zone trust
destination-zone dmz
service http
service icmp
action permit
2.
[FW1]security-policy #安全策略
[FW1-policy-security]rule name permit_telnet #安全策略名字
[FW1-policy-security-rule-permit_telnet]source-zone trust #配置安全策略源区域trust
[FW1-policy-security-rule-permit_telnet]destination-zone local
[FW1-policy-security-rule-permit_telnet]action permit #允许trust区域访问防火墙本地区域local
[FW1]user-interface vty 0 4 #配置vty,允许5个终端使用telnet功能
[FW1-ui-vty0-4]authentication-mode aaa 配置telnet使用aaa身份验证
[FW1-ui-vty0-4]protocol inbound telnet 允许aaa验证telnet
[FW1]aaa 进入aaa验证
[FW1-aaa]manager-user benet
[FW1-aaa-manager-user-lj]password cipher lj@12345
[FW1-aaa-manager-user-lj]service-type telnet aaa给telnet提供验证功能
[FW1-aaa-manager-user-lj]level 15 设置telnet账户li为管理员权限
#“0”是参观级别,啥都做不了;“1”是监控级别,可以查看相关配置;“2”为配置级别,可以配置部分参数;“3-15”是管理级别,拥有最大的权限
ssh:
[FW1]security-policy
[FW1-policy-security]rule name permit_ssh
[FW1-policy-security-rule-permit_ssh]source-zone trust
[FW1-policy-security-rule-permit_ssh]destination-zone local
[FW1-policy-security-rule-permit_ssh]action permit
[FW1]rsa local-key-pair create #设置ssh密钥对,最长2048
The key name will be: FW1_Host
The range of public key size is (2048 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
.+++++
........................++
....++++
...........++
[FW1]user-interface vty 0 4
[FW1-ui-vty0-4]authentication-mode aaa
[FW1-ui-vty0-4]protocol inbound ssh
[FW1]ssh user ljssh
[FW1]ssh user ljssh authentication-type password #使用密码验证
[FW1]ssh user ljssh service-type stelnet
[FW1]aaa
[FW1-aaa]manager-user ljssh #AAA验证用户名
[FW1-aaa-manager-user-ljssh]password cipher lj@12345
Info: You are advised to config on man-machine mode.
[FW1-aaa-manager-user-ljssh]service-type ssh#AAA给ssh提供验证
[FW1-aaa-manager-user-ljssh]level 15 #设置ssh验证账户为管理员
[FW1]stelnet server enable #开启ssh
web:
[FW1]security-policy
[FW1-policy-security]rule name permit_web
[FW1-policy-security-rule-permit_web]source-zone trust
[FW1-policy-security-rule-permit_web]destination-zone local
[FW1-policy-security-rule-permit_web]action permit
[FW1]web-manager enable
[FW1]aaa
[FW1-aaa]manager-user web #配置验证账户名为web
[FW1-aaa-manager-user-ljweb]password
Enter Password: 输入密码
Confirm Password: 重新输入
[FW1-aaa-manager-user-ljweb]service-type web
[FW1-aaa-manager-user-ljweb]level 15
以上是关于防火墙2的主要内容,如果未能解决你的问题,请参考以下文章