FW-01
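sysname FW-01
// NOTE(review): this switches the information center off as a whole, so log and alarm output stops too, not only the console prompts - confirm that is intended on a firewall
info-center disable //Turn off message prompts
aaa
// NOTE(review): the account is named "admin@123" with password "admin", while the SSH user below is "admin"; name and password look swapped - confirm, and set a strong, unique password before deployment
manager-user admin@123 //Create the administrator account
password cipher admin
// NOTE(review): telnet carries credentials in cleartext; keep it in service-type only if it is really required
service-type terminal telnet ssh
level 15 //Highest privilege level
rsa local-key-pair create //SSH login configuration: generate the local RSA host key pair
ssh user admin //Create the SSH user
ssh user admin authentication-type password //Authentication method for the SSH user
ssh user admin authorization-cmd aaa //Authorize the SSH user's commands through AAA
ssh user admin service-type all
stelnet server enable //Enable the STelnet (SSH) service
// NOTE(review): this sets the default inter-zone action to permit, so traffic that matches none of the rules below is still forwarded; the rules only restrict anything when the default is deny
firewall packet-filter default permit interzone
interface GigabitEthernet 0/0/23 //Interface configuration
combo enable fiber //Use the optical side of the combo port
ip add 10.88.200.210 255.255.255.248
service-manage ping permit //Allow ping to this interface
interface GigabitEthernet 0/0/0
ip add 10.88.220.253 255.255.255.248
service-manage ping permit
interface GigabitEthernet 0/0/15 //Heartbeat interface
ip add 11.11.11.1 255.255.255.0
firewall zone trust //Security zone configuration
add interface GigabitEthernet 0/0/0
firewall zone untrust
add interface GigabitEthernet 0/0/23
// NOTE(review): the heartbeat interface is placed in dmz, and rule wan_dmz below permits everything from untrust to dmz - confirm the HRP link should be reachable that way
firewall zone dmz
add interface GigabitEthernet 0/0/15
security-policy //Enter security-policy configuration
rule name outbond //Create the policy rule named outbond
source-zone trust //Source security zone of the rule
destination-zone untrust
action permit //Permit matching traffic
rule name wan_dmz
source-zone untrust
destination-zone dmz
action permit
// NOTE(review): no source-zone is set, so this rule matches traffic from every zone to every zone; if it is meant for traffic originated by the firewall itself, it presumably needs "source-zone local" - confirm
rule name local //Local policy
destination-zone any
action permit
ip route-static 0.0.0.0 0.0.0.0 10.88.200.214 //Static default route
int gi 0/0/23 //VRRP group 1 configuration
vrrp vrid 1 virtual-ip 10.88.200.209 active
int gi 0/0/0 //VRRP group 2 configuration
vrrp vrid 2 virtual-ip 10.88.220.254 active
hrp interface gi0/0/15 remote 11.11.11.2 //Heartbeat link towards FW-02
hrp enable
// NOTE(review): no "authentication-mode aaa" or "protocol inbound ssh" is shown for the VTY lines - confirm they are set elsewhere
user-interface vty 0 4
idle-timeout 5 //Disconnect idle sessions after 5 minutes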
FW-02
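sysname FW-02
// NOTE(review): this switches the information center off as a whole, so log and alarm output stops too, not only the console prompts - confirm that is intended on a firewall
info-center disable //Turn off message prompts
aaa
// NOTE(review): the account is named "admin@123" with password "admin", while the SSH user below is "admin"; name and password look swapped - confirm, and set a strong, unique password before deployment
manager-user admin@123 //Create the administrator account
password cipher admin
// NOTE(review): telnet carries credentials in cleartext; keep it in service-type only if it is really required
service-type terminal telnet ssh
level 15 //Highest privilege level
rsa local-key-pair create //SSH login configuration: generate the local RSA host key pair
ssh user admin //Create the SSH user
ssh user admin authentication-type password //Authentication method for the SSH user
ssh user admin authorization-cmd aaa //Authorize the SSH user's commands through AAA
ssh user admin service-type all
stelnet server enable //Enable the STelnet (SSH) service
// NOTE(review): left commented out here although FW-01 enables it; the two HRP members should agree, and leaving the default inter-zone action at deny is the safer choice
//firewall packet-filter default permit interzone
interface GigabitEthernet 0/0/23 //Interface configuration
combo enable fiber //Use the optical side of the combo port
ip add 10.88.200.211 255.255.255.248
service-manage ping permit //Allow ping to this interface
interface GigabitEthernet 0/0/0
ip add 10.88.220.252 255.255.255.248
service-manage ping permit
interface GigabitEthernet 0/0/15 //Heartbeat interface
ip add 11.11.11.2 255.255.255.0
firewall zone trust //Security zone configuration
add interface GigabitEthernet 0/0/0
firewall zone untrust
add interface GigabitEthernet 0/0/23
firewall zone dmz
add interface GigabitEthernet 0/0/15
// NOTE(review): only the outbond rule is listed on this unit, while FW-01 also defines wan_dmz and local; presumably the rest arrives through HRP synchronization - confirm both units end up with the same rule set
security-policy //Enter security-policy configuration
rule name outbond //Create the policy rule named outbond
source-zone trust //Source security zone of the rule
destination-zone untrust
action permit //Permit matching traffic
ip route-static 0.0.0.0 0.0.0.0 10.88.200.214 //Static default route
int gi 0/0/23 //VRRP group 1 configuration
vrrp vrid 1 virtual-ip 10.88.200.209 standby
int gi 0/0/0 //VRRP group 2 configuration
vrrp vrid 2 virtual-ip 10.88.220.254 standby
hrp interface gi0/0/15 remote 11.11.11.1 //Heartbeat link towards FW-01
hrp enable
// NOTE(review): no "authentication-mode aaa" or "protocol inbound ssh" is shown for the VTY lines - confirm they are set elsewhere
user-interface vty 0 4
idle-timeout 5 //Disconnect idle sessions after 5 minutes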