I. Topology
Requirements:
1. Divide the network into zones according to the topology;
2. Allow the trust zone to access the ISP;
3. Client client1 must be able to access server1;
II. Firewall configuration
1. Create the trust, untrust and dmz zones and add the corresponding interfaces
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/0
#
ip route-static 0.0.0.0 0.0.0.0 200.1.1.2
2. Configure the interzone security policy
security-policy
 rule name trust-untrust
  source-zone trust
  destination-zone untrust
  source-address 172.16.2.0 mask 255.255.255.0
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
3. Configure the NAT policy
nat-policy
 rule name trust-untrust
  source-zone trust
  destination-zone untrust
  source-address 172.16.2.0 mask 255.255.255.0
  action source-nat easy-ip
4. Verify connectivity (if it fails, check whether ping is enabled on interface g1/0/1 of fw1; enable it with service-manage ping permit)
5. Configure server1
6. Configure the interzone security policy to allow untrust to reach the HTTP server in the dmz zone, and map the internal server (the rule is entered in the security-policy view)
security-policy
 rule name untrust-dmz
  source-zone untrust
  destination-zone dmz
  destination-address 172.16.1.0 mask 255.255.255.0
  service http
  action permit
#
nat server http protocol tcp global 200.1.1.1 80 inside 172.16.1.2 80
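As an added example (not part of the original lab or Huawei's code), the following Python model replays the zone policies of steps 2, 3 and 6 and the NAT behaviour against constructed flows: NAT server translation runs before the policy lookup, so the untrust-dmz rule matches on the inside address 172.16.1.0/24, while easy-IP source NAT is applied after a permit. The outbound interface address used by easy-IP is assumed to be 200.1.1.1, since the lab does not give it.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone of the source interface
    dst_zone: str   # zone of the (post-NAT) destination, found by route lookup
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for icmp

# Security-policy rules in configured order; None means "any".
SECURITY_POLICY = [
    # rule name trust-untrust (step 2)
    dict(name="trust-untrust", src_zone="trust", dst_zone="untrust",
         src_net="172.16.2.0/24", dst_net=None, service=None),
    # rule name untrust-dmz (step 6); predefined service http = tcp/80
    dict(name="untrust-dmz", src_zone="untrust", dst_zone="dmz",
         src_net=None, dst_net="172.16.1.0/24", service=("tcp", 80)),
]
# nat server http protocol tcp global 200.1.1.1 80 inside 172.16.1.2 80
NAT_SERVER = {("tcp", "200.1.1.1", 80): ("172.16.1.2", 80)}
# nat-policy rule trust-untrust: easy-ip uses the outbound interface address
EASY_IP_ADDRESS = "200.1.1.1"  # assumption: interface address not given in the lab

def _in(ip, net):
    return net is None or ip_address(ip) in ip_network(net)

def evaluate(flow):
    """Return (rule name or 'default', action, flow after translation)."""
    key = (flow.proto, flow.dst_ip, flow.dport)
    if key in NAT_SERVER:                      # destination NAT first
        inside_ip, inside_port = NAT_SERVER[key]
        flow = replace(flow, dst_ip=inside_ip, dport=inside_port)
    for r in SECURITY_POLICY:                  # first matching rule wins
        if (r["src_zone"], r["dst_zone"]) != (flow.src_zone, flow.dst_zone):
            continue
        if not (_in(flow.src_ip, r["src_net"]) and _in(flow.dst_ip, r["dst_net"])):
            continue
        if r["service"] and r["service"] != (flow.proto, flow.dport):
            continue
        if (flow.src_zone, flow.dst_zone) == ("trust", "untrust"):
            flow = replace(flow, src_ip=EASY_IP_ADDRESS)  # source NAT after permit
        return r["name"], "permit", flow
    return "default", "deny", flow             # interzone default action is deny
```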
7. client1 accesses the HTTP service on server1
End.