1. Models: USG2000, USG5000, USG6000, USG9000
2. Security zones
local (local zone): security level 100; the firewall itself belongs to the local zone.
trust (trusted zone): security level 85; usually defined as the internal network.
untrust (untrusted zone): security level 5; usually defined as the external network.
dmz (demilitarized zone): security level 50; usually defined as the server room.
[SRG]int g0/0/1
[SRG-GigabitEthernet0/0/1]ip add 192.168.10.1 24
[SRG-GigabitEthernet0/0/1]int g0/0/2
[SRG-GigabitEthernet0/0/2]ip add 192.168.20.1 24
[SRG-GigabitEthernet0/0/2]int g0/0/3
[SRG-GigabitEthernet0/0/3]ip add 1.1.1.1 24
[SRG-GigabitEthernet0/0/3]quit
[SRG]firewall zone trust
[SRG-zone-trust]add int g0/0/1
[SRG-zone-trust]firewall zone dmz
[SRG-zone-dmz]add int g0/0/2
[SRG-zone-dmz]firewall zone untrust
[SRG-zone-untrust]add int g0/0/3
[SRG-zone-untrust]quit
Interzone access rules:
[SRG]firewall packet-filter default permit interzone trust dmz direction outbound
[SRG]firewall packet-filter default permit interzone dmz trust direction inbound
[SRG]firewall packet-filter default permit all
Note: when writing an interzone access rule, write the zone with the higher security level first.
Policy access rules:
[SRG]policy interzone trust dmz outbound
[SRG-policy-interzone-trust-dmz-outbound]policy 1
[SRG-policy-interzone-trust-dmz-outbound-1]policy source 192.168.10.10 0
[SRG-policy-interzone-trust-dmz-outbound-1]policy destination 192.168.20.2 0
[SRG-policy-interzone-trust-dmz-outbound-1]policy service service-set icmp
[SRG-policy-interzone-trust-dmz-outbound-1]policy service service-set http
[SRG-policy-interzone-trust-dmz-outbound-1]action permit
[SRG-policy-interzone-trust-dmz-outbound-1]quit
[SRG-policy-interzone-trust-dmz-outbound]policy 2
[SRG-policy-interzone-trust-dmz-outbound-2]policy source 192.168.10.20 0
[SRG-policy-interzone-trust-dmz-outbound-2]policy destination 192.168.20.2 0
[SRG-policy-interzone-trust-dmz-outbound-2]policy service service-set http
[SRG-policy-interzone-trust-dmz-outbound-2]action deny
[SRG-policy-interzone-trust-dmz-outbound-2]quit
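The decision logic behind the rules above, as an added example that is not part of the original notes: a small Python model of a USG-style zone firewall that maps a flow to its interzone (higher-level zone first, outbound = high to low), checks the trust-to-dmz policies in order with first match winning, and otherwise falls back to the packet-filter default. It assumes the zones, interfaces and rules exactly as written in the notes; the test flows are constructed, and `default_permit_all` models the effect of `firewall packet-filter default permit all`.

```python
# Added example (not from the original notes): a model of how a USG-style zone
# firewall decides a flow. Zone levels, interfaces, interzone defaults and the
# two trust->dmz policies come from the notes; the flows fed in are constructed.
import ipaddress

ZONE_LEVEL = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# subnet of each interface and the zone it was added to ("ip add ... 24", "add int ...")
INTERFACES = [("192.168.10.0/24", "trust"), ("192.168.20.0/24", "dmz"), ("1.1.1.0/24", "untrust")]

def zone_of(ip):
    """Zone of the interface whose subnet contains ip (directly connected hosts only)."""
    addr = ipaddress.ip_address(ip)
    for net, zone in INTERFACES:
        if addr in ipaddress.ip_network(net):
            return zone
    raise ValueError(f"no interface for {ip}")

def interzone(src_zone, dst_zone):
    """Normalise a zone pair as the note says (higher security level first).
    outbound = traffic from the higher security level to the lower one."""
    if ZONE_LEVEL[src_zone] > ZONE_LEVEL[dst_zone]:
        return (src_zone, dst_zone, "outbound")
    return (dst_zone, src_zone, "inbound")

def wildcard_match(ip, rule_ip, wildcard):
    """'policy source 192.168.10.10 0': wildcard 0 means every bit must match (one host)."""
    a, r = int(ipaddress.ip_address(ip)), int(ipaddress.ip_address(rule_ip))
    return (a | wildcard) == (r | wildcard)

# "policy interzone trust dmz outbound": policy 1, policy 2; checked in order, first match wins
# tuple: (source, source wildcard, destination, destination wildcard, service-sets, action)
POLICIES = {("trust", "dmz", "outbound"): [
    ("192.168.10.10", 0, "192.168.20.2", 0, {"icmp", "http"}, "permit"),
    ("192.168.10.20", 0, "192.168.20.2", 0, {"http"}, "deny"),
]}

# the two "firewall packet-filter default permit interzone ..." lines; anything else denies
PACKET_FILTER_DEFAULT = {("trust", "dmz", "outbound"): "permit", ("trust", "dmz", "inbound"): "permit"}

def decide(src, dst, service, default_permit_all=False):
    """Return (action, reason) for one flow; default_permit_all = 'default permit all' set."""
    key = interzone(zone_of(src), zone_of(dst))
    for n, (rs, rsw, rd, rdw, services, action) in enumerate(POLICIES.get(key, []), 1):
        if wildcard_match(src, rs, rsw) and wildcard_match(dst, rd, rdw) and service in services:
            return action, f"policy {n}"
    if default_permit_all:
        return "permit", "packet-filter default permit all"
    return PACKET_FILTER_DEFAULT.get(key, "deny"), "packet-filter default"
```

Running `decide("1.1.1.2", "192.168.10.10", "http")` with and without `default_permit_all` shows why the `default permit all` line matters: it turns an untrust-to-trust flow that no policy or interzone default covers from deny into permit.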
4. USG6000V configuration
On first login, enter the default username and password:
username:admin
password:Admin@123
You are prompted that the password must be changed:
The password needs to be changed. Change now? [Y/N]: y
Please enter old password: Admin@123
Please enter new password: 1234.com
Please confirm new password: 1234.com
Interface management access configuration:
[USG6000V1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]service-manage all permit