防火墙策略

First, plan and configure the IP addresses.

Enable the DHCP service on the firewall, create an address pool, and bind it to the firewall's internal interface:

  [SRG]dhcp server ip-pool 188
  [SRG-dhcp-188]network 192.168.1.0 mask 24
  [SRG-dhcp-188]gateway-list 192.168.1.1
  [SRG-dhcp-188]qu

Then run ipconfig on PC1; it already obtains an IP address automatically.

Configure the Telnet server on AR1:

  [Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
  [Huawei]user-interface vty 0 4
  [Huawei-ui-vty0-4]authentication-mode password 
  Please configure the login password (maximum length 16):tel123
  [Huawei-ui-vty0-4]qu

AR3 configuration:

  [Huawei]ip route-static 0.0.0.0 0.0.0.0 202.101.10.1

AR4 configuration:

  [Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1

AR2 configuration:

  [Huawei]rip
  [Huawei-rip-1]version 2
  [Huawei-rip-1]network 202.101.12.0
  [Huawei-rip-1]network 202.101.10.0
  [Huawei-rip-1]network 202.101.15.0

Firewall configuration:

[SRG]ip route-static 0.0.0.0 0.0.0.0 202.101.12.2
[SRG]firewall zone trust 
[SRG-zone-trust]add in g0/0/1
[SRG-zone-trust]qu
[SRG]firewall zone untrust 
[SRG-zone-untrust]add in g0/0/0
[SRG-zone-untrust]qu

[SRG]policy interzone local untrust inbound 
[SRG-policy-interzone-local-untrust-inbound]policy 1
[SRG-policy-interzone-local-untrust-inbound-1]action permit 
[SRG-policy-interzone-local-untrust-inbound-1]policy service service-set icmp
[SRG-policy-interzone-local-untrust-inbound-1]policy service service-set telnet
[SRG-policy-interzone-local-untrust-inbound-1]policy service service-set ftp
[SRG-policy-interzone-local-untrust-inbound-1]policy service service-set http
[SRG-policy-interzone-local-untrust-inbound-1]qu
[SRG-policy-interzone-local-untrust-inbound]qu
[SRG]firewall packet-filter default permit interzone trust untrust direction outbound   ## set the default packet-filter action from trust to untrust to permit
Warning:Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows.
Are you sure you want to continue?[Y/N]y

[SRG]nat address-group 1 202.101.12.1 202.101.12.1
[SRG]nat-policy interzone trust untrust outbound 
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat 
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.1.0 mask 24
[SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]qu
[SRG-nat-policy-interzone-trust-untrust-outbound]qu

[SRG]nat server 0 protocol tcp global interface GigabitEthernet 0/0/0 2323 inside 192.168.1.23 telnet
[SRG]nat server 1 protocol tcp global interface GigabitEthernet 0/0/1 ftp inside 192.168.1.21 ftp
[SRG]nat server 2 protocol tcp global 202.101.12.1 www inside 192.168.1.80 www
[SRG]policy interzone trust untrust inbound 
[SRG-policy-interzone-trust-untrust-inbound]policy 1
[SRG-policy-interzone-trust-untrust-inbound-1]action permit 
[SRG-policy-interzone-trust-untrust-inbound-1]policy service service-set telnet
[SRG-policy-interzone-trust-untrust-inbound-1]policy service service-set ftp
[SRG-policy-interzone-trust-untrust-inbound-1]policy service service-set http
[SRG-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.23 0
[SRG-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.21 0
[SRG-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.80 0
[SRG-policy-interzone-trust-untrust-inbound-1]qu
[SRG-policy-interzone-trust-untrust-inbound]qu

AR3 configuration:

[Huawei]acl 2001
[Huawei-acl-basic-2001]rule 5 permit source 192.168.2.0 0.0.0.255
[Huawei-acl-basic-2001]qu
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]nat outbound 2001

AR5 configuration:

[Huawei]ip route-static 0.0.0.0 0.0.0.0 202.101.15.1

Firewall configuration (restrict the inbound policy to the AR3 side's public address):

[SRG]policy interzone trust untrust inbound 
[SRG-policy-interzone-trust-untrust-inbound]policy 1
[SRG-policy-interzone-trust-untrust-inbound-1]policy source 202.101.10.2 0
[SRG-policy-interzone-trust-untrust-inbound-1]qu
[SRG-policy-interzone-trust-untrust-inbound]qu
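The two firewall sections above (the `nat server` mappings with their trust-untrust inbound permit policy, and the later step that narrows that policy with `policy source`) are the places where a small configuration audit pays off: every published internal host should have an explicit `policy destination`, the global side of a mapping should be an untrust interface, a permit policy should carry a source restriction, and the `packet-filter default permit` shortcut should be visible in a report. The script below is an added example, not code from the original post or from Huawei; it parses a CLI transcript in the same `[SRG-...]command` form the post uses. The transcript it runs on is constructed for the example and deliberately includes one mapping whose global interface sits in the trust zone and one published host with no matching destination rule, so that every check fires at least once.

```python
"""Audit a Huawei SRG/USG-style CLI transcript for common security-policy gaps.

Added example, not part of the original post. It understands only the handful of
commands shown in the post: zone membership, 'firewall packet-filter default permit',
'nat server', and 'policy interzone ... inbound' permit/source/destination lines.
"""
import re
from collections import defaultdict

# Matches one transcript line: "[SRG-zone-trust]add interface GigabitEthernet 0/0/1"
PROMPT_RE = re.compile(r"^\[(?P<ctx>[^\]]+)\]\s*(?P<cmd>.*?)\s*$")
ZONE_CTX_RE = re.compile(r"^[^-]+-zone-(\S+)$")
POLICY_CTX_RE = re.compile(r"^[^-]+-policy-interzone-(\S+?)-(\S+?)-(inbound|outbound)-(\d+)$")

# Constructed sample transcript, modelled on the post's layout (not a real device dump).
SAMPLE_TRANSCRIPT = """\
[SRG]firewall zone trust
[SRG-zone-trust]add interface GigabitEthernet 0/0/1
[SRG]firewall zone untrust
[SRG-zone-untrust]add interface GigabitEthernet 0/0/0
[SRG]firewall packet-filter default permit interzone trust untrust direction outbound
[SRG]nat server 0 protocol tcp global interface GigabitEthernet 0/0/0 2323 inside 192.168.1.23 telnet
[SRG]nat server 1 protocol tcp global interface GigabitEthernet 0/0/1 ftp inside 192.168.1.21 ftp
[SRG]nat server 2 protocol tcp global 202.101.12.1 www inside 192.168.1.80 www
[SRG-policy-interzone-trust-untrust-inbound-1]action permit
[SRG-policy-interzone-trust-untrust-inbound-1]policy service service-set telnet
[SRG-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.23 0
[SRG-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.21 0
"""

# Constructed follow-up lines, mirroring the post's final hardening step plus the
# missing destination rule for the third published host.
HARDENING_LINES = """\
[SRG-policy-interzone-trust-untrust-inbound-1]policy source 202.101.10.2 0
[SRG-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.80 0
"""


def norm_iface(name):
    """'GigabitEthernet 0/0/0', 'GigabitEthernet0/0/0' and 'g0/0/0' all become 'g0/0/0'."""
    return re.sub(r"^gigabitethernet", "g", name.lower().replace(" ", ""))


def parse_nat_server(words):
    """Parse the token list of a 'nat server' command into a dict."""
    gi, ii = words.index("global"), words.index("inside")
    entry = {"id": words[2], "inside_ip": words[ii + 1], "inside_port": words[ii + 2],
             "global_port": words[ii - 1], "global_iface": None, "global_ip": None}
    if words[gi + 1] == "interface":
        # interface name may be split over two tokens ("GigabitEthernet 0/0/0")
        entry["global_iface"] = norm_iface(" ".join(words[gi + 2:ii - 1]))
    else:
        entry["global_ip"] = words[gi + 1]
    return entry


def parse_transcript(text):
    zones = defaultdict(set)                       # zone name -> normalised interfaces
    policies = defaultdict(lambda: {"action": None, "dest": set(), "src": set()})
    cfg = {"zones": zones, "policies": policies, "nat_servers": [], "default_permit": []}
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue                               # warnings, prompts, blank lines
        ctx, words = m.group("ctx"), m.group("cmd").split()
        if not words:
            continue
        zm = ZONE_CTX_RE.match(ctx)
        if zm and words[0] == "add":               # 'add interface X' (post abbreviates 'add in')
            zones[zm.group(1)].add(norm_iface(" ".join(words[2:])))
        elif (pm := POLICY_CTX_RE.match(ctx)):
            pol = policies[(pm.group(1), pm.group(2), pm.group(3), int(pm.group(4)))]
            if words[0] == "action":
                pol["action"] = words[1]
            elif words[:2] == ["policy", "destination"]:
                pol["dest"].add(words[2])
            elif words[:2] == ["policy", "source"]:
                pol["src"].add(words[2])
        elif words[:4] == ["firewall", "packet-filter", "default", "permit"]:
            cfg["default_permit"].append(m.group("cmd"))
        elif words[:2] == ["nat", "server"]:
            cfg["nat_servers"].append(parse_nat_server(words))
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; an empty list means no gaps found."""
    findings = [f"default action is permit: '{c}'" for c in cfg["default_permit"]]
    untrust = cfg["zones"].get("untrust", set())
    inbound = [(k, p) for k, p in cfg["policies"].items()
               if k[:3] == ("trust", "untrust", "inbound") and p["action"] == "permit"]
    permitted = set()
    for _, p in inbound:
        permitted |= p["dest"]
    for ns in cfg["nat_servers"]:
        if ns["global_iface"] and ns["global_iface"] not in untrust:
            findings.append(f"nat server {ns['id']}: global interface {ns['global_iface']} is not in zone untrust")
        if ns["inside_ip"] not in permitted:
            findings.append(f"nat server {ns['id']}: inside host {ns['inside_ip']} has no 'policy destination' in a trust-untrust inbound permit policy")
    for (z1, z2, d, n), p in inbound:
        if not p["src"]:
            findings.append(f"policy interzone {z1} {z2} {d} policy {n}: permit without a 'policy source' restriction")
    return findings


def audit_text(text):
    return audit(parse_transcript(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_TRANSCRIPT):
        print("FINDING:", finding)
    print("after hardening:", len(audit_text(SAMPLE_TRANSCRIPT + HARDENING_LINES)), "findings left")
```

Running the sample yields four findings; appending the two hardening lines (the `policy source` narrowing from the last firewall step and a destination rule for the web server) leaves only the two that require a different fix: the default-permit shortcut and the mapping whose global interface is in the trust zone. The parser keys each policy by zone pair, direction and number, so lines added to `policy 1` later in the transcript merge with the earlier definition, exactly as they do on the device.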
