Zone and address planning:
Default zones:
trust, untrust, DMZ, local;
Lab topology:
262. Assign the interfaces to trust, untrust and DMZ respectively;
CLI operation:
trust:
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
untrust:
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/1
#
DMZ:
#
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/2
#
263. Web UI operation:
Assign zones and configure IP addresses in the web UI:
264. Enable interface services:
Allow the interface to be pinged:
#
interface GigabitEthernet1/0/0
service-manage ping permit
#
View the result:
Because the default security policy denies all traffic, a security policy that permits local to any must be configured before the firewall itself can ping out.
Configure the security policy:
Allow local to access any;
#
security-policy
rule name local_any
source-zone local
action permit
#
Web UI configuration:
View the result:
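The zone-to-policy behaviour these notes walk through, as an added example that is not part of the lab notes or of Huawei's tooling: interfaces map to zones, the security policy is matched top-down, and unmatched traffic hits the default deny. The zone names, priorities, interfaces and rule local_any come from the notes; the class and function names are assumptions of this example.

```python
# Added example, not from the lab notes or Huawei's own tooling: a model of the
# behaviour the notes describe (interfaces belong to zones, security policy is
# matched top-down, unmatched traffic hits the default deny). Zone names,
# priorities, interfaces and rule local_any come from the notes.
from dataclasses import dataclass, field

# Zone priorities from the notes; local (the firewall itself) is 100.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

@dataclass
class Rule:
    name: str
    source_zones: set = field(default_factory=set)  # empty means any
    dest_zones: set = field(default_factory=set)    # empty means any
    action: str = "permit"

@dataclass
class Firewall:
    zone_of_interface: dict                           # interface -> zone
    rules: list = field(default_factory=list)         # ordered policy rules
    ping_permitted: set = field(default_factory=set)  # service-manage ping permit

    def policy_action(self, src_zone, dst_zone):
        """First matching rule wins; no match is the implicit default deny."""
        for r in self.rules:
            if (not r.source_zones or src_zone in r.source_zones) and \
               (not r.dest_zones or dst_zone in r.dest_zones):
                return r.action
        return "deny"

    def ping_from_firewall(self, out_interface):
        """Ping run on the firewall leaves zone local for the egress interface's zone."""
        return self.policy_action("local", self.zone_of_interface[out_interface])

    def interface_accepts_ping(self, interface):
        """The interface answers ICMP only with service-manage ping permit set."""
        return interface in self.ping_permitted

def direction(src_zone, dst_zone):
    """Huawei convention: high-to-low priority is outbound, low-to-high inbound."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"

# The configuration from the notes, written out as data.
LAB = Firewall(
    zone_of_interface={"GigabitEthernet0/0/0": "trust", "GigabitEthernet1/0/0": "trust",
                       "GigabitEthernet1/0/1": "untrust", "GigabitEthernet1/0/2": "dmz"},
    rules=[Rule("local_any", source_zones={"local"})],
    ping_permitted={"GigabitEthernet1/0/0"},
)
```

Removing the local_any rule from LAB.rules makes ping_from_firewall return "deny" for every interface, which is the symptom the notes describe before the policy is added.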