1.实现pc2和pc3互相访问
根防火墙
#
vsys enable //enable the virtual-system (vsys) feature on the firewall
#
resource-class test //define a resource class named "test"; both vsys below are bound to it
resource-item-limit session reserved-number 100 //limit reserved session entries to 100 for a vsys bound to this class
resource-item-limit policy reserved-number 100 //limit reserved policy entries to 100
resource-item-limit user reserved-number 10 //limit reserved user entries to 10
#
#
vsys name vfw1 //create virtual system vfw1
assign interface GigabitEthernet1/0/0 //bind GE1/0/0 to vfw1 (its IP address is configured inside vfw1)
assign resource-class test //bind resource class "test" so vfw1 is capped at the limits above
#
vsys name vfw2 //create virtual system vfw2, same pattern as vfw1
assign interface GigabitEthernet1/0/2 //bind GE1/0/2 to vfw2
assign resource-class test //vfw2 shares the same resource class
#
interface GigabitEthernet1/0/1 //pc1's gateway address; 1.1.1.0/24 stays in the root system
ip address 1.1.1.254 255.255.255.0
#
firewall zone untrust //pc1's interface is placed in the untrust zone
add interface GigabitEthernet1/0/1
#
#
firewall zone dmz
set priority 50
add interface Virtual-if0 //root side virtual interface joins dmz; the vsys sides (Virtual-if1/2) are also put in dmz so root<->vsys traffic is matched by dmz rules
#
#
ip route-static 2.2.2.0 255.255.255.0 vpn-instance vfw1 //static route: pc2's subnet 2.2.2.0/24 is reached through vsys vfw1 (referenced as a vpn-instance)
ip route-static 3.3.3.0 255.255.255.0 vpn-instance vfw2 //static route: pc3's subnet 3.3.3.0/24 is reached through vsys vfw2
#
vfw1
在防火墙上进入虚拟系统vfw1
#
switch vsys vfw1 //enter virtual system vfw1; everything below applies to vfw1 only
#
interface GigabitEthernet1/0/0 //pc2's gateway address (2.2.2.0/24 is pc2's subnet)
ip address 2.2.2.254 255.255.255.0
#
#
ip route-static 3.3.3.0 255.255.255.0 public //static route to pc3's subnet; next hop is the root (public) system, which forwards into vfw2
#
#
security-policy //security policy for pc2<->pc3 traffic
rule name 2-3 //pc2 accesses pc3
source-zone dmz //dmz and trust are listed as both source and destination so one rule matches either direction (it also matches dmz->dmz and trust->trust)
source-zone trust
destination-zone dmz
destination-zone trust
service icmp //only ICMP is permitted; no source/destination address is set, so any host in these zones matches - production policies should name specific IP addresses
action permit
#
#
firewall zone trust //physical interface GE1/0/0 joins trust
add interface GigabitEthernet1/0/0
#
#
firewall zone dmz //virtual interface joins dmz, consistent with the root system's zone layout
add interface Virtual-if1
#
vfw2
在防火墙上进入虚拟系统vfw2
#
switch vsys vfw2 //enter virtual system vfw2; everything below applies to vfw2 only
#
ip route-static 2.2.2.0 255.255.255.0 public //static route to pc2's subnet; next hop is the root (public) system, which forwards into vfw1
#
#
security-policy //security policy for pc3<->pc2 traffic, mirror of rule 2-3 in vfw1
rule name 3-2 //pc3 accesses pc2
source-zone dmz //dmz and trust as both source and destination so one rule matches either direction
source-zone trust
destination-zone dmz
destination-zone trust
service icmp //only ICMP is permitted; no address condition, so any host in these zones matches - restrict to specific IP addresses in production
action permit
#
#
firewall zone dmz //virtual interface joins dmz, consistent with the root system and vfw1
add interface Virtual-if2
#
#
firewall zone trust //physical interface GE1/0/2 joins trust
add interface GigabitEthernet1/0/2
#
#
interface GigabitEthernet1/0/2 //pc3's gateway address (3.3.3.0/24 is pc3's subnet)
ip address 3.3.3.254 255.255.255.0
#
2.实现pc2和pc1互相访问
在根防火墙上配置能互相访问的安全策略1-2
#
rule name 1-2 //pc1<->pc2 rule in the root system's security-policy view (the security-policy line itself is not shown here)
source-zone dmz //dmz carries the root<->vsys traffic (Virtual-if0), untrust holds pc1's interface
source-zone untrust
destination-zone dmz
destination-zone untrust
service icmp //ICMP only; no address condition, so any host in dmz or untrust matches - name specific IP addresses in production
action permit
#
在vfw1上配置pc2和pc1互相访问的安全策略
#
ip route-static 1.1.1.0 255.255.255.0 public //static route to pc1's subnet; next hop is the root (public) system, where 1.1.1.0/24 is directly connected on GE1/0/1
#
security-policy //security policy for pc2<->pc1 traffic inside vfw1
rule name 2-1 //pc2 accesses pc1
source-zone dmz //dmz and trust as both source and destination so one rule matches either direction
source-zone trust
destination-zone dmz
destination-zone trust
service icmp //ICMP only; no address condition, so any host in these zones matches - restrict to specific IP addresses in production
action permit
#
注意：真实环境中的安全策略均需要精确到 IP 地址。