Loopback interfaces
[R1]int loopback1
[R1-LoopBack1]ip add 3.3.3.3 32
[R1-LoopBack1]q
[R1]int loopback2
[R1-LoopBack2]ip add 6.6.6.6 32
[R1-LoopBack2]q
[R1]int loopback3
[R1-LoopBack3]ip add 8.8.8.8 32
[R1-LoopBack3]q
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 200.1.1.1 24
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 11.1.1.254 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 22.1.1.254 24
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 200.1.1.2 24
[FW1-GigabitEthernet1/0/3]display ip interface brief
Configure security zones
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/1
[FW1-zone-trust]add int g1/0/2
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/3
[FW1-zone-untrust]dis zone
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (3):
GigabitEthernet0/0/0
GigabitEthernet1/0/1
GigabitEthernet1/0/2
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/3
#
dmz
priority is 50
interface of the zone is (0):
#
Configure security policies
[FW1]security-policy
[FW1-policy-security]rule name 1
[FW1-policy-security-rule-1]source-zone trust
[FW1-policy-security-rule-1]destination-zone untrust
[FW1-policy-security-rule-1]destination-address 6.6.6.6 32
[FW1-policy-security-rule-1]action deny
[FW1-policy-security-rule-1]dis this
#
rule name 1
source-zone trust
destination-zone untrust
destination-address 6.6.6.6 32
action deny
#
return
[FW1-policy-security]rule name 2
[FW1-policy-security-rule-2]source-zone trust
[FW1-policy-security-rule-2]destination-zone untrust
[FW1-policy-security-rule-2]destination-address 8.8.8.8 32
[FW1-policy-security-rule-2]destination-address 3.3.3.3 32
[FW1-policy-security-rule-2]action permit
[FW1-policy-security-rule-2]dis this
#
rule name 2
source-zone trust
destination-zone untrust
destination-address 3.3.3.3 32
destination-address 8.8.8.8 32
action permit
#
return
[FW1-policy-security-rule-2]rule name 3
[FW1-policy-security-rule-3]source-zone untrust
[FW1-policy-security-rule-3]destination-zone trust
[FW1-policy-security-rule-3]destination-address 11.1.1.0 24
[FW1-policy-security-rule-3]action permit
[FW1-policy-security-rule-3]dis this
#
rule name 3
source-zone untrust
destination-zone trust
destination-address 11.1.1.0 24
action permit
#
return
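To check what rules 1-3 above actually allow, the following added example (not part of the original lab notes) replays the rule set in Python with first-match evaluation. It assumes the firewall's default policy action is deny, which the page does not show; the function names and sample flows are constructed for illustration, and only trust/untrust interzone flows are modelled.

```python
import ipaddress

# Connected networks and default route taken from the FW1 configuration on
# this page, mapped to the zone of the interface traffic would use.
ROUTES = [
    ("11.1.1.0/24", "trust"),     # GigabitEthernet1/0/1
    ("22.1.1.0/24", "trust"),     # GigabitEthernet1/0/2
    ("200.1.1.0/24", "untrust"),  # GigabitEthernet1/0/3
    ("0.0.0.0/0", "untrust"),     # ip route-static 0.0.0.0 0 200.1.1.1
]

# Rules in configured order: (name, source zone, destination zone,
# destination addresses, action). Rule 3 carries no source-address or
# service condition on the page, so any untrust source matches it.
RULES = [
    ("1", "trust", "untrust", ["6.6.6.6/32"], "deny"),
    ("2", "trust", "untrust", ["3.3.3.3/32", "8.8.8.8/32"], "permit"),
    ("3", "untrust", "trust", ["11.1.1.0/24"], "permit"),
]

def zone_of(ip):
    """Longest-prefix match over ROUTES gives the zone an address sits behind."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(n), z) for n, z in ROUTES]
    matches = [(net.prefixlen, z) for net, z in nets if addr in net]
    return max(matches)[1]

def evaluate(src, dst):
    """Return (rule name, action); first match wins, no match is default deny."""
    addr = ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for name, sz, dz, dsts, action in RULES:
        if (sz, dz) == (src_zone, dst_zone) and any(
                addr in ipaddress.ip_network(d) for d in dsts):
            return name, action
    return "default", "deny"  # assumed default action (not shown on the page)

if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("11.1.1.1", "6.6.6.6"), ("11.1.1.1", "8.8.8.8"),
        ("22.1.1.1", "3.3.3.3"), ("11.1.1.1", "200.1.1.1"),
        ("8.8.8.8", "11.1.1.1"), ("8.8.8.8", "22.1.1.1"),
    ]
    for s, d in flows:
        rule, action = evaluate(s, d)
        print(f"{s:>9} -> {d:<9} rule={rule:<7} {action}")
```

The last two flows show that rule 3 opens only 11.1.1.0/24 to the untrust side, while 22.1.1.0/24 stays behind the default deny for sessions initiated from untrust.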
Configure default static routes
[R1]ip route-static 0.0.0.0 0 200.1.1.2
[FW1]ip route-static 0.0.0.0 0 200.1.1.1