1. Lab steps:
1. Add the interfaces to security zones;
2. When creating a new security zone (any zone other than trust, untrust and dmz), set a priority that differs from the default priorities;
3. Configure the security policy (from strict to permissive);
2. Notes:
1. The firewall's g0/0/0 interface cannot be used as a service interface; it should connect to the cloud;
2. When pinging a firewall interface that acts as a gateway, the corresponding service must be permitted under that interface;
3. When a tracert passes through the firewall, it shows "* * *" instead of the firewall's IP address;
4. For cross-zone communication, a default policy blocks all traffic;
3. Lab topology:
4. Cloud-side configuration:
5. Lab code:
5.1 Firewall:
//configure interface IP addresses
[fw1]int g0/0/0
[fw1-GigabitEthernet0/0/0]ip address 192.168.245.100 24
[fw1-GigabitEthernet0/0/0]service-manage https permit //enable the HTTPS service for the cloud side
[fw1-GigabitEthernet0/0/0]int g1/0/0
[fw1-GigabitEthernet1/0/0]ip address 192.168.5.254 24
[fw1-GigabitEthernet1/0/0]int g1/0/1
[fw1-GigabitEthernet1/0/1]ip address 192.168.6.254 24
[fw1-GigabitEthernet1/0/1]int g1/0/2
[fw1-GigabitEthernet1/0/2]ip address 192.168.8.254 24
[fw1-GigabitEthernet1/0/2]int g1/0/3
[fw1-GigabitEthernet1/0/3]ip address 192.168.7.254 24
//configure security zones
[fw1]firewall zone trust
[fw1-zone-trust]add interface g1/0/0
[fw1-zone-trust]add interface g1/0/1
[fw1]fire zone untrust
[fw1-zone-untrust]add interface g1/0/3
[fw1]firewall zone name pc8
[fw1-zone-pc8]add interface g1/0/2
[fw1-zone-pc8]set priority 66 //a user-defined security zone must be given a priority
//configure security policy: the trust zone may access the untrust zone, but pc2 may not access untrust
[fw1]security-policy
[fw1-policy-security]rule name t->u
[fw1-policy-security-rule-t->u]source-zone trust
[fw1-policy-security-rule-t->u]destination-zone untrust
[fw1-policy-security-rule-t->u]action permit
[fw1-policy-security]rule name pc2
[fw1-policy-security-rule-pc2]source-zone trust
[fw1-policy-security-rule-pc2]destination-zone untrust
[fw1-policy-security-rule-pc2]source-address 192.168.2.1 32
[fw1-policy-security-rule-pc2]destination-address 192.168.3.1 32
[fw1-policy-security-rule-pc2]action deny
[fw1-policy-security]rule move pc2 top //move policy pc2 to the top so the broader permit rule does not make it redundant
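The following is an added example, not part of the original lab note and not Huawei code: a small Python model of first-match security-policy evaluation. It uses the two rules exactly as configured above (t->u and pc2, with the addresses 192.168.2.1/32 and 192.168.3.1/32 from the page) to show why the pc2 deny rule must be moved above the broader permit rule, and that any flow with no matching rule falls through to the default deny mentioned in note 4. The zone names, sample flow addresses and the `shadowed` check are assumptions made for the example, not device behaviour documented on the page.

```python
# Added example (not from the original lab note and not Huawei code): a minimal
# first-match model of the security-policy evaluation configured above. It shows
# why "rule move pc2 top" is needed and that unmatched traffic hits default deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    action: str                                 # "permit" or "deny"
    source_address: Optional[str] = None        # CIDR; None means any
    destination_address: Optional[str] = None   # CIDR; None means any

    def matches(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str) -> bool:
        """True if this rule applies to the flow; an address of None matches anything."""
        if (src_zone, dst_zone) != (self.source_zone, self.destination_zone):
            return False
        if self.source_address and ip_address(src_ip) not in ip_network(self.source_address):
            return False
        if self.destination_address and ip_address(dst_ip) not in ip_network(self.destination_address):
            return False
        return True


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First-match evaluation: returns (rule name, action).
    A flow that matches no rule falls through to the implicit default policy, which denies."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip):
            return rule.name, rule.action
    return "default", "deny"


def move_top(rules: List[Rule], name: str) -> List[Rule]:
    """Model of 'rule move <name> top': a new list with the named rule first."""
    target = next(r for r in rules if r.name == name)
    return [target] + [r for r in rules if r.name != name]


def _covers(outer: Optional[str], inner: Optional[str]) -> bool:
    # 'any' (None) covers everything; otherwise require network containment.
    if outer is None:
        return True
    if inner is None:
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule on the same
    zone pair already covers their whole source and destination address space.
    (Assumed check written for this example, not a device feature.)"""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if ((earlier.source_zone, earlier.destination_zone)
                    == (later.source_zone, later.destination_zone)
                    and _covers(earlier.source_address, later.source_address)
                    and _covers(earlier.destination_address, later.destination_address)):
                out.append(later.name)
                break
    return out


# The two rules exactly as configured on the page.
RULE_T_U = Rule("t->u", "trust", "untrust", "permit")
RULE_PC2 = Rule("pc2", "trust", "untrust", "deny", "192.168.2.1/32", "192.168.3.1/32")


def as_entered() -> List[Rule]:
    """Order in which the rules were typed, before 'rule move pc2 top'."""
    return [RULE_T_U, RULE_PC2]


def after_move() -> List[Rule]:
    """Order after 'rule move pc2 top'."""
    return move_top(as_entered(), "pc2")


if __name__ == "__main__":
    # Sample flows are constructed for the example; zone membership follows the config above.
    print("shadowed before move:", shadowed(as_entered()))  # ['pc2']
    print("pc2 flow before move:", evaluate(as_entered(), "trust", "untrust", "192.168.2.1", "192.168.3.1"))
    print("pc2 flow after move: ", evaluate(after_move(), "trust", "untrust", "192.168.2.1", "192.168.3.1"))
    print("untrust -> trust:     ", evaluate(after_move(), "untrust", "trust", "192.168.7.1", "192.168.5.1"))
```

Run as a script: before the move the pc2 rule is reported as shadowed and the pc2 flow is permitted by t->u; after the move the same flow is denied by pc2, other trust-to-untrust traffic is still permitted, and untrust-to-trust or pc8-to-untrust flows, which have no rule at all, are dropped by the default policy.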