1 - Firewall device management methods
I. Console
user-interface con 0
authentication-mode password //a single shared line password; authentication-mode aaa with per-user accounts gives accountability
set authentication password cipher <password>
idle-timeout 0 0 //disables the idle timeout entirely, so a console that is left logged in never locks; on a production device set a short timeout instead, e.g. idle-timeout 5 0
II. Web
interface GigabitEthernet0/0/0
ip binding vpn-instance default //GE0/0/0 is the MGMT port; it lives in the management VPN instance the USG ships with
ip address 192.168.0.1 255.255.255.0
service-manage http permit //plain HTTP sends the login in cleartext; in production permit https only and leave http disabled
service-manage https permit
service-manage ping permit
III. Telnet
Telnet carries the credentials and the whole session in cleartext. The steps are kept for reference; for anything reachable from an untrusted network use SSH (section IV) instead.
1. Define the user
aaa
manager-user <username>
password cipher <password>
service-type telnet
level 15 //highest privilege level; give it only to administrators who need to change configuration
2. Enter the VTY lines
user-interface vty 0 4
authentication-mode aaa
protocol inbound telnet
3. Enable the telnet server
telnet server enable
4. Permit telnet on the connecting interface
interface GigabitEthernet0/0/0
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage telnet permit
IV. SSH
1. Generate the key pair
rsa local-key-pair create //the RSA host key the SSH server presents; clients pin it on first connection, so generate it before opening the service
2. Enable the Stelnet server locally
stelnet server enable
3. Define the user and password
aaa
manager-user <username>
password cipher <password>
service-type ssh
level 15
4. Enter the VTY lines
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh //only SSH is accepted on these lines; telnet logins are refused even while the telnet server is enabled
5. Permit Stelnet on the connecting interface
interface GigabitEthernet0/0/0
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage telnet permit //carried over from section III; remove it (undo service-manage telnet permit) once SSH is the only CLI access
service-manage ssh permit
6. Bind the SSH user
ssh user <username>
ssh user <username> authentication-type password //password-only; authentication-type rsa or password-rsa is stronger once client keys are distributed
ssh user <username> service-type stelnet
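The settings in sections I to IV are the ones a reviewer goes looking for in a device config. The script below is an added example, not configuration from these notes: it parses VRP-style config text (sub-commands indented one space under the view that owns them, the way display current-configuration prints them) and reports the weak choices discussed above: cleartext management services, the disabled idle timeout, a shared line password and password-only SSH. Both config strings are constructed; the weak one repeats the commands from these notes, the hardened one is the corrected counterpart.

```python
"""Lint the management-plane part of a USG-style config for weak settings.

Added example, not configuration from the original notes. The two configs
below are constructed: WEAK_CONFIG repeats the commands from the notes,
HARDENED_CONFIG is the corrected counterpart.
"""
import re

WEAK_CONFIG = """\
user-interface con 0
 authentication-mode password
 set authentication password cipher EXAMPLE-CIPHERTEXT
 idle-timeout 0 0
telnet server enable
stelnet server enable
interface GigabitEthernet0/0/0
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage telnet permit
 service-manage ssh permit
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
ssh user admin authentication-type password
ssh user admin service-type stelnet
"""

HARDENED_CONFIG = """\
user-interface con 0
 authentication-mode aaa
 idle-timeout 5 0
stelnet server enable
interface GigabitEthernet0/0/0
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 service-manage https permit
 service-manage ssh permit
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
ssh user admin authentication-type password-rsa
ssh user admin service-type stelnet
"""

# service-manage keywords that expose a cleartext service ("all" includes http and telnet)
CLEARTEXT_SERVICES = ("http", "telnet", "all")


def parse_blocks(text):
    """Return [(view_command, [sub_commands])]; top-level commands get an empty list."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())   # indented line belongs to the previous view
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(text):
    """Return (severity, message) findings sorted high -> low; [] means nothing was flagged."""
    findings = []
    blocks = parse_blocks(text)
    if any(view == "telnet server enable" for view, _ in blocks):
        findings.append(("high", "telnet server enable: cleartext logins; use stelnet only"))
    for view, body in blocks:
        words = view.split()
        if view.startswith("user-interface"):
            if "idle-timeout 0 0" in body:
                findings.append(("medium", f"{view}: idle-timeout 0 0 never locks an unattended session"))
            if "authentication-mode password" in body:
                findings.append(("low", f"{view}: shared line password, no per-user accountability (use aaa)"))
            for cmd in body:
                if cmd.startswith("protocol inbound") and cmd.split()[-1] in ("telnet", "all"):
                    findings.append(("high", f"{view}: {cmd} accepts cleartext logins"))
        elif view.startswith("interface"):
            for cmd in body:
                m = re.match(r"service-manage (\S+) permit$", cmd)
                if m and m.group(1) in CLEARTEXT_SERVICES:
                    findings.append(("high", f"{view}: {cmd} exposes a cleartext management service"))
        elif view.startswith("ssh user") and "authentication-type" in words:
            method = words[words.index("authentication-type") + 1]
            if method == "password":
                findings.append(("medium", f"{view}: password-only SSH; prefer rsa or password-rsa"))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: rank[f[0]])
    return findings


if __name__ == "__main__":
    for severity, message in lint(WEAK_CONFIG):
        print(f"[{severity}] {message}")
    print("hardened config findings:", lint(HARDENED_CONFIG))
```

Run against a real device, feed it the output of display current-configuration; the parser only relies on the one-space indentation of sub-commands, so it does not need the full VRP grammar.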
2 - Firewall security zone basics
1. Create a security zone and add interfaces to it
firewall zone name <name>
set priority 10 //1-100 and unique per zone; the USG predefines local 100, trust 85, dmz 50, untrust 5. Traffic from a higher-priority zone to a lower one is "outbound", the reverse is "inbound"
add interface GigabitEthernet1/0/0
2. Define a rule in the security policy
security-policy
rule name trust_untrust
source-zone trust
destination-zone untrust
source-address 100.1.1.0 mask 255.255.255.0
destination-address 200.1.1.0 mask 255.255.255.0
service icmp
action permit //rules are matched top-down and the first match wins; traffic no rule matches hits the implicit default deny
3. View the session table
display firewall session table //list the sessions
display firewall session table verbose //session details
display firewall session table verbose protocol icmp //details of the sessions created by ICMP traffic
4. View the security policy
display security-policy rule all
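The rule above only matters in the context of how the firewall decides: source zone from the ingress interface, destination zone from the route, rules walked top-down, implicit deny, and a session created by the first permitted packet so that replies never touch the rule set. The model below is an added example, not the page's own code; it reproduces that decision for the zones and addresses used in these notes. Zone priorities are the USG defaults, the egress interface GigabitEthernet1/0/1 and the packets are constructed.

```python
"""Model of zone-based security-policy evaluation with a session table.

Added example, not code from the notes. Zones, addresses and the rule are
the ones used above; GigabitEthernet1/0/1 as the untrust interface and the
sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    service: str  # "icmp", "tcp/80", ...


class Firewall:
    def __init__(self):
        self.zone_priority = {}  # zone -> 1..100 (set priority)
        self.iface_zone = {}     # interface -> zone (add interface ...)
        self.routes = []         # (network, egress interface)
        self.rules = []          # security-policy rules in configured order
        self.sessions = {}       # (src, dst, service) -> name of the rule that created it

    def zone(self, name, priority, *interfaces):
        """firewall zone name NAME / set priority P / add interface ..."""
        self.zone_priority[name] = priority
        for iface in interfaces:
            self.iface_zone[iface] = name

    def route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def rule(self, name, src_zone, dst_zone, action, src=None, dst=None, service=None):
        """rule name NAME / source-zone / destination-zone / addresses / service / action"""
        self.rules.append({
            "name": name, "src_zone": src_zone, "dst_zone": dst_zone, "action": action,
            "src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None,
            "service": service,
        })

    def egress_iface(self, dst):
        """Longest-prefix match over the route table; None when nothing matches."""
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, iface) for net, iface in self.routes if addr in net]
        return max(hits)[1] if hits else None

    def direction(self, src_zone, dst_zone):
        """USG wording: higher-priority -> lower-priority zone is outbound, the reverse inbound."""
        return "outbound" if self.zone_priority[src_zone] > self.zone_priority[dst_zone] else "inbound"

    def evaluate(self, pkt):
        """Return (action, matched rule or reason, direction)."""
        src_zone = self.iface_zone[pkt.in_iface]
        out = self.egress_iface(pkt.dst)
        if out is None:
            return ("deny", "no-route", None)
        dst_zone = self.iface_zone[out]
        direction = self.direction(src_zone, dst_zone)
        # Packets of an existing session (either direction) skip the rule lookup.
        if (pkt.src, pkt.dst, pkt.service) in self.sessions or (pkt.dst, pkt.src, pkt.service) in self.sessions:
            return ("permit", "session", direction)
        for r in self.rules:
            if (r["src_zone"], r["dst_zone"]) != (src_zone, dst_zone):
                continue
            if r["src"] and ipaddress.ip_address(pkt.src) not in r["src"]:
                continue
            if r["dst"] and ipaddress.ip_address(pkt.dst) not in r["dst"]:
                continue
            if r["service"] and r["service"] != pkt.service:
                continue
            if r["action"] == "permit":
                self.sessions[(pkt.src, pkt.dst, pkt.service)] = r["name"]
            return (r["action"], r["name"], direction)
        return ("deny", "default", direction)  # implicit default deny

    def session_table(self):
        """Rough analogue of 'display firewall session table'."""
        return sorted(f"{svc} {src} --> {dst}" for (src, dst, svc) in self.sessions)


def build_demo():
    fw = Firewall()
    fw.zone("trust", 85, "GigabitEthernet1/0/0")
    fw.zone("untrust", 5, "GigabitEthernet1/0/1")
    fw.route("100.1.1.0/24", "GigabitEthernet1/0/0")
    fw.route("0.0.0.0/0", "GigabitEthernet1/0/1")
    fw.rule("trust_untrust", "trust", "untrust", "permit",
            src="100.1.1.0/24", dst="200.1.1.0/24", service="icmp")
    return fw
```

The model makes the two things visible that the CLI output hides: an unsolicited packet from untrust toward 100.1.1.0/24 is dropped by the default deny without any rule being needed, and the echo reply is admitted because of the session, not because of trust_untrust, which is why the session table is the first thing to read when a permitted flow still fails.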
3 - Firewall NAT configuration
[Adding interfaces to zones and the basic configuration are omitted]
1. Static route
ip route-static 0.0.0.0 0.0.0.0 <next-hop>
2. Define the security policy [it must correspond to the NAT policy that follows]
security-policy
rule name trust_untrust
source-zone trust
destination-zone untrust
source-address 100.1.1.0 mask 255.255.255.0 //the security policy is matched on the pre-NAT source address, so the rule names the private network, not the pool
service icmp
action permit
3. Define the NAT address pool
nat address-group <name>
mode pat //PAT: many inside hosts share one pool address and are told apart by the translated port
section 0 100.1.1.1 100.1.1.1 //address range of the pool; in practice a routable address on the untrust side, not one taken from the inside subnet being translated
4. Define the NAT policy
nat-policy
rule name <name>
source-zone trust
destination-zone untrust
source-address 100.1.1.0 mask 255.255.255.0
service icmp
action source-nat address-group <name> //associate the pool by name
Alternative: Easy IP translates to the address of the outbound interface, so no pool is needed
nat-policy
rule name easy_ip
source-zone trust
destination-zone untrust
source-address 100.1.1.0 mask 255.255.255.0
service icmp
action source-nat easy-ip
4 - Firewall NAT server mapping configuration
[Basic configuration omitted]
1. Define the NAT mapping
nat server 0 zone untrust protocol tcp global 1.1.1.1 www inside 1.1.2.1 www no-reverse //define the mapping without generating the reverse server-map: connections the server itself opens to the outside are not translated to 1.1.1.1 and need a source-nat policy of their own
2. Define the security policy
security-policy
rule name nat_server
source-zone untrust //the clients the mapping is declared for (zone untrust in the nat server command); a trust-side source-address such as 192.168.1.0/24 would never match them
destination-zone dmz
destination-address 1.1.2.1 mask 255.255.255.255 //match the post-NAT (inside) address: destination NAT runs before the security policy is consulted
action permit
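Sections 3 and 4 share one mechanism, so one added example serves both (it is not configuration from these notes). The model below shows which address and port a trust client leaves with under address-group PAT versus easy-ip, that the security policy sees the post-NAT destination of a nat server flow, and what no-reverse changes for the DMZ server's own outbound connections. Zones and the 100.1.1.0/24, 1.1.1.1 and 1.1.2.1 addresses come from the notes; the pool address 1.1.1.10, the use of 1.1.1.1 as the egress address, all flows and the port allocator are constructed simplifications.

```python
"""Toy model of USG source NAT (address-group PAT, easy-ip) and nat server.

Added example, not configuration from the notes. Constructed: the pool
address 1.1.1.10, egress address 1.1.1.1, all flows, and the port
allocator (real devices pick translated ports from a managed range).
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    zone_in: str
    zone_out: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, egress_ip):
        self.egress_ip = egress_ip  # address of the untrust-facing interface, used by easy-ip
        self.pools = {}             # nat address-group name -> list of addresses
        self.next_port = {}         # translated address -> next free translated port
        self.src_rules = []         # nat-policy rules in configured order
        self.server_maps = []       # nat server entries

    def address_group(self, name, start, end):
        """nat address-group NAME / mode pat / section 0 START END"""
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        self.pools[name] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def nat_policy(self, src_zone, dst_zone, src_net, action, group=None):
        """action is 'address-group', 'easy-ip' or 'no-nat'."""
        self.src_rules.append((src_zone, dst_zone, ipaddress.ip_network(src_net), action, group))

    def nat_server(self, zone, proto, global_ip, gport, inside_ip, iport, no_reverse=False):
        """nat server N zone ZONE protocol PROTO global G GP inside I IP [no-reverse]"""
        self.server_maps.append((zone, proto, global_ip, gport, inside_ip, iport, not no_reverse))

    def _alloc(self, addr):
        port = self.next_port.get(addr, 10000)
        self.next_port[addr] = port + 1
        return addr, port

    def translate_inbound(self, f):
        """Destination NAT from the forward server-map; applies to traffic from the declared zone."""
        for zone, proto, gip, gport, iip, iport, _ in self.server_maps:
            if f.zone_in == zone and f.proto == proto and (f.dst_ip, f.dst_port) == (gip, gport):
                return replace(f, dst_ip=iip, dst_port=iport)
        return f

    def policy_view(self, f):
        """The tuple the security policy matches: destination already translated, source not yet."""
        return self.translate_inbound(f)

    def translate_outbound(self, f):
        """Source NAT. The reverse server-map (absent with no-reverse) is consulted before nat-policy."""
        for zone, proto, gip, _gport, iip, _iport, reverse in self.server_maps:
            if reverse and f.zone_out == zone and f.proto == proto and f.src_ip == iip:
                return replace(f, src_ip=gip)  # port unchanged: the reverse entry maps the address
        for src_zone, dst_zone, net, action, group in self.src_rules:
            if (f.zone_in, f.zone_out) != (src_zone, dst_zone) or ipaddress.ip_address(f.src_ip) not in net:
                continue
            if action == "easy-ip":
                ip, port = self._alloc(self.egress_ip)
            elif action == "address-group":
                ip, port = self._alloc(self.pools[group][0])  # one-address section, so no round-robin
            else:
                return f  # no-nat
            return replace(f, src_ip=ip, src_port=port)
        return f


def build(source_action, no_reverse=True):
    """Constructed topology: trust 100.1.1.0/24 behind egress 1.1.1.1; web server 1.1.2.1 in dmz."""
    nat = Nat(egress_ip="1.1.1.1")
    nat.address_group("pool", "1.1.1.10", "1.1.1.10")
    nat.nat_policy("trust", "untrust", "100.1.1.0/24", source_action, group="pool")
    nat.nat_server("untrust", "tcp", "1.1.1.1", 80, "1.1.2.1", 80, no_reverse=no_reverse)
    return nat
```

With no_reverse=True the server's own connection to the Internet leaves with source 1.1.2.1 unless a nat-policy rule for the dmz covers it; that is the practical consequence of the no-reverse keyword in section 4 and the reason the security-policy rule there has to name the inside address 1.1.2.1.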
5 - Firewall hot standby (HRP) configuration
[Basic configuration omitted]
I. Define VRRP
[FW_1]
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.253 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.1.1 active //same vrid and virtual-ip on both devices; hosts use 192.168.1.1 as their gateway, and the active/standby keyword decides which device answers for it
[FW_2]
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.1.1 standby
II. Define the route
ip route-static 0.0.0.0 0.0.0.0 <next-hop>
III. Enable HRP
hrp enable
IV. Define the heartbeat interface
[FW_1]
hrp interface g1/0/6 remote 1.1.1.2 (peer device IP)
[FW_2]
hrp interface g1/0/6 remote 1.1.1.1 (peer device IP)
The heartbeat interfaces need addresses of their own (1.1.1.1 and 1.1.1.2 here, part of the omitted basic configuration) and should be a dedicated, directly connected link: it carries configuration and session synchronization, so keep it off user-facing networks.
V. Allow commands on the standby device
HRP_S[FW_2]hrp standby config enable //the standby normally rejects configuration; with this enabled, commands typed on it are accepted and synchronized to the active device. The HRP_S / HRP_M prompt prefix shows which role the device currently holds
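Before hrp enable the two configurations are usually checked against each other by hand: same vrid and virtual-ip, exactly one active and one standby, each hrp interface ... remote pointing at the peer's heartbeat address, HRP enabled on both sides. The script below is an added example, not from these notes, that performs that cross-check on two config snippets. The snippets are constructed from section 5, with the heartbeat interface addresses 1.1.1.1 and 1.1.1.2 that the notes leave to the omitted basic configuration and the interface written out as GigabitEthernet1/0/6.

```python
"""Cross-check an HRP pair's VRRP and heartbeat settings from their configs.

Added example, not from the notes. FW_1 and FW_2 are constructed from
section 5; the heartbeat interface addresses are assumed.
"""
import re

FW_1 = """\
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.1 active
interface GigabitEthernet1/0/6
 ip address 1.1.1.1 255.255.255.0
hrp enable
hrp interface GigabitEthernet1/0/6 remote 1.1.1.2
"""

FW_2 = """\
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.254 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.1.1 standby
interface GigabitEthernet1/0/6
 ip address 1.1.1.2 255.255.255.0
hrp enable
hrp interface GigabitEthernet1/0/6 remote 1.1.1.1
"""


def parse(text):
    """Pull out the few facts the pair check needs: interface addresses, VRRP groups, HRP lines."""
    info = {"iface_ip": {}, "vrrp": {}, "hrp_iface": None, "hrp_remote": None, "hrp_enable": False}
    view = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            view = s.split()[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", s):
            info["iface_ip"][view] = m.group(1)
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$", s):
            info["vrrp"][int(m.group(1))] = (view, m.group(2), m.group(3))
        elif m := re.match(r"hrp interface (\S+) remote (\S+)$", s):
            info["hrp_iface"], info["hrp_remote"] = m.group(1), m.group(2)
        elif s == "hrp enable":
            info["hrp_enable"] = True
    return info


def check_pair(cfg_1, cfg_2):
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse(cfg_1), parse(cfg_2)
    problems = []
    if not (a["hrp_enable"] and b["hrp_enable"]):
        problems.append("hrp enable is missing on one device")
    if a["vrrp"].keys() != b["vrrp"].keys():
        problems.append(f"vrids differ: {sorted(a['vrrp'])} vs {sorted(b['vrrp'])}")
    for vrid in a["vrrp"].keys() & b["vrrp"].keys():
        if_a, vip_a, role_a = a["vrrp"][vrid]
        if_b, vip_b, role_b = b["vrrp"][vrid]
        if vip_a != vip_b:
            problems.append(f"vrid {vrid}: virtual-ip {vip_a} vs {vip_b}")
        if {role_a, role_b} != {"active", "standby"}:
            problems.append(f"vrid {vrid}: roles {role_a}/{role_b}, need one active and one standby")
        if vip_a in (a["iface_ip"].get(if_a), b["iface_ip"].get(if_b)):
            problems.append(f"vrid {vrid}: virtual-ip {vip_a} collides with a real interface address")
    # Each device's remote must be the address configured on the peer's heartbeat interface.
    for mine, peer, name in ((a, b, "FW_1"), (b, a, "FW_2")):
        expected = peer["iface_ip"].get(peer["hrp_iface"])
        if mine["hrp_remote"] is None or mine["hrp_remote"] != expected:
            problems.append(f"{name}: hrp remote {mine['hrp_remote']} does not match peer heartbeat address {expected}")
    return problems


if __name__ == "__main__":
    print(check_pair(FW_1, FW_2) or "pair is consistent")
```

Paste each device's display current-configuration output in place of the two strings; the check is deliberately strict about the remote address, because a heartbeat that never comes up leaves both devices believing they are alone, which is the classic way to end up with two active gateways for 192.168.1.1.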