eNSP: Basic firewall configuration

Requirements: trust can access DMZ and untrust.

          untrust can access the web service in the DMZ.

Topology (diagram in the original): PC1 on the trust side, SERVER1 in the DMZ, ISP on the untrust side.

<Huawei>SYS
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname ISP
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip ad	
[ISP-GigabitEthernet0/0/0]ip address 100.1.1.2 24

FW

First configure the IP address of each firewall interface

[USG6000V1]undo info-center enable 
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]undo shutdown 
Info: Interface GigabitEthernet1/0/0 is not shutdown.	
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.1.254 24	
[USG6000V1-GigabitEthernet1/0/0]service-manage ping permit 
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]undo shutdown 
Info: Interface GigabitEthernet1/0/1 is not shutdown.
[USG6000V1-GigabitEthernet1/0/1]ip address 192.168.2.254 24	
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit 
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]undo shutdown 
Info: Interface GigabitEthernet1/0/2 is not shutdown.
[USG6000V1-GigabitEthernet1/0/2]ip ad	
[USG6000V1-GigabitEthernet1/0/2]ip address 100.1.1.254 24
[USG6000V1-GigabitEthernet1/0/2]q

Add each firewall interface to its corresponding security zone


[USG6000V1]firewall zone trust 	
[USG6000V1-zone-trust]add interface g1/0/0
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust 	
[USG6000V1-zone-untrust]add interface g1/0/2
[USG6000V1-zone-untrust]q	
[USG6000V1]firewall zone dmz 	
[USG6000V1-zone-dmz]add interface g1/0/1

Configure NAT and a security policy so that trust can reach the external network (the ISP)

[USG6000V1]security-policy 	
[USG6000V1-policy-security]rule name trust_untrust	
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust 	
[USG6000V1-policy-security-rule-trust_untrust]source-address 192.168.1.0 24	
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust 	
[USG6000V1-policy-security-rule-trust_untrust]action permit 
[USG6000V1-policy-security-rule-trust_untrust]q
[USG6000V1-policy-security]q
[USG6000V1]nat address-group 1
[USG6000V1-address-group-1]section 0 100.1.1.10 100.1.1.20
[USG6000V1-address-group-1]mode pat
[USG6000V1-address-group-1]q
[USG6000V1]nat-policy 
[USG6000V1-policy-nat]rule name nat	
[USG6000V1-policy-nat-rule-nat]source-zone trust 
[USG6000V1-policy-nat-rule-nat]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nat]destination-zone untrust 
[USG6000V1-policy-nat-rule-nat]destination-address any
	
[USG6000V1-policy-nat-rule-nat]action s	
[USG6000V1-policy-nat-rule-nat]action source-nat ?
  address-group   Indicate that the NAT mode is the NAT address group
  easy-ip         Indicate the action is easy-ip
  static-mapping  Indicate the action is static mapping

[USG6000V1-policy-nat-rule-nat]action source-nat address-group 1
[USG6000V1-policy-nat-rule-nat]q
[USG6000V1-policy-nat]q
[USG6000V1]

Verify that trust can reach untrust

trust access to dmz

[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name trust_dmz	
[USG6000V1-policy-security-rule-trust_dmz]source-zone trust 
[USG6000V1-policy-security-rule-trust_dmz]source-address 192.168.1.0 24	
[USG6000V1-policy-security-rule-trust_dmz]destination-zone dmz 
[USG6000V1-policy-security-rule-trust_dmz]destination-address 192.168.2.0 24
[USG6000V1-policy-security-rule-trust_dmz]action permit 

Verify that trust can reach dmz

 Start the HTTP service on SERVER1

 untrust access to the web service in the DMZ

[USG6000V1-policy-security]rule name untrust_dmz
[USG6000V1-policy-security-rule-untrust_dmz]source-zone untrust 
[USG6000V1-policy-security-rule-untrust_dmz]destination-zone dmz 
[USG6000V1-policy-security-rule-untrust_dmz]destination-address 192.168.2.0 24	
[USG6000V1-policy-security-rule-untrust_dmz]action permit 
[USG6000V1-policy-security-rule-untrust_dmz]q
[USG6000V1-policy-security]q
[USG6000V1]nat server p_web protocol tcp global 100.1.1.100 80 inside 192.168.2.1 80

From ISP, verify the published service with: telnet 100.1.1.100 80

 Check SERVER1

 Done

[USG6000V1]dis cu
2022-11-18 13:33:33.510 
!Software Version V500R005C10SPC300
#
sysname USG6000V1

interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.254 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.2.254 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 100.1.1.254 255.255.255.0
 service-manage ping permit

#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1

#
 nat server 0 protocol tcp global 100.1.1.100 www inside 192.168.2.1 www

#
nat address-group 1 0
 mode pat
 section 0 100.1.1.10 100.1.1.20

#
security-policy
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name untrust_dmz
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name trust_dmz
  source-zone trust
  destination-zone dmz
  action permit

#
nat-policy
 rule name nat
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action source-nat address-group 1

[USG6000V1]
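The following is an added illustration, not code from the original post and not Huawei software. It replays the lab's security-policy, nat-policy and nat server configuration from the `dis cu` output above as plain data, and evaluates sample flows the way the USG processes them: the nat server mapping is applied before the security-policy lookup (which is why the untrust_dmz rule matches on the inside address 192.168.2.0/24 rather than on 100.1.1.100), the first matching rule wins, and an interzone flow that matches no rule is dropped by the default deny. It also shows a point a reviewer would raise about the untrust_dmz rule: as configured it has no `service` match, so at the policy level it permits every port on 192.168.2.0/24 from untrust, not only the web service the requirement asks for. The constructed TIGHT_POLICY variant narrows that rule to 192.168.2.1 and tcp/80 (the CLI equivalent is a `destination-address` of the single host and a `service` match, e.g. the predefined `http` service) and shows the difference on the same flows. Host addresses for the sample flows are assumptions: PC1 = 192.168.1.1 (not given on the page), SERVER1 = 192.168.2.1 and ISP = 100.1.1.2 (from the lab). Source NAT is modelled only as "translated / not translated"; pool address and port selection are not simulated.

```python
from ipaddress import ip_address, ip_network

# Interface networks per zone, taken from the lab's interface and zone configuration.
ZONE_NETWORKS = {
    "trust": ip_network("192.168.1.0/24"),    # GE1/0/0
    "dmz": ip_network("192.168.2.0/24"),      # GE1/0/1
    "untrust": ip_network("100.1.1.0/24"),    # GE1/0/2
}

# The lab's security policy, in configured order. None means "any". No rule
# carries a `service` match, so each one permits every protocol and port.
LAB_POLICY = [
    {"name": "trust_untrust", "src_zone": "trust", "dst_zone": "untrust",
     "src": ip_network("192.168.1.0/24"), "dst": None, "service": None},
    {"name": "untrust_dmz", "src_zone": "untrust", "dst_zone": "dmz",
     "src": None, "dst": ip_network("192.168.2.0/24"), "service": None},
    {"name": "trust_dmz", "src_zone": "trust", "dst_zone": "dmz",
     "src": None, "dst": None, "service": None},
]

# Constructed variant (not part of the lab): untrust_dmz narrowed to the published
# server and port only, i.e. destination-address 192.168.2.1/32 plus a tcp/80 service.
TIGHT_POLICY = [
    dict(rule, dst=ip_network("192.168.2.1/32"), service=("tcp", 80))
    if rule["name"] == "untrust_dmz" else rule
    for rule in LAB_POLICY
]

# nat server 0 protocol tcp global 100.1.1.100 www inside 192.168.2.1 www
NAT_SERVER = {("tcp", ip_address("100.1.1.100"), 80): (ip_address("192.168.2.1"), 80)}

# nat-policy rule "nat": trust -> untrust, source NAT with address-group 1 (PAT)
SNAT_RULE = {"src_zone": "trust", "dst_zone": "untrust", "src": ip_network("192.168.1.0/24")}


def zone_of(addr):
    """Zone of the interface a packet enters or leaves on; None if unroutable here."""
    for zone, net in ZONE_NETWORKS.items():
        if addr in net:
            return zone
    return None


def evaluate(policy, proto, src, dst, dport):
    """Process one flow in the USG's order: destination NAT (nat server) first, then the
    zone lookup and first-match security policy, then source NAT for permitted
    trust -> untrust traffic. Returns a dict describing the verdict."""
    src, dst = ip_address(src), ip_address(dst)
    dst, dport = NAT_SERVER.get((proto, dst, dport), (dst, dport))  # DNAT before policy
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    verdict = {"src_zone": src_zone, "dst_zone": dst_zone, "real_dst": f"{dst}:{dport}",
               "rule": None, "permit": False, "snat": False}
    if src_zone is None or dst_zone is None or src_zone == dst_zone:
        return verdict  # unroutable or intrazone traffic: not modelled, reported as dropped
    for rule in policy:
        if rule["src_zone"] != src_zone or rule["dst_zone"] != dst_zone:
            continue
        if rule["src"] is not None and src not in rule["src"]:
            continue
        if rule["dst"] is not None and dst not in rule["dst"]:
            continue
        if rule["service"] is not None and rule["service"] != (proto, dport):
            continue
        verdict["rule"] = rule["name"]
        verdict["permit"] = True    # every rule in the lab is `action permit`
        break                       # first match wins; no match -> default deny
    if verdict["permit"] and src in SNAT_RULE["src"] \
            and (src_zone, dst_zone) == (SNAT_RULE["src_zone"], SNAT_RULE["dst_zone"]):
        verdict["snat"] = True      # translated to 100.1.1.10-100.1.1.20 (PAT) on egress
    return verdict


if __name__ == "__main__":
    # Constructed sample flows: PC1 = 192.168.1.1 (assumed), SERVER1 = 192.168.2.1, ISP = 100.1.1.2
    flows = [
        ("icmp", "192.168.1.1", "100.1.1.2", 0),      # PC1 pings the ISP router
        ("tcp", "192.168.1.1", "192.168.2.1", 80),    # PC1 browses SERVER1
        ("tcp", "100.1.1.2", "100.1.1.100", 80),      # ISP reaches the published web service
        ("tcp", "100.1.1.2", "192.168.2.1", 22),      # ISP reaches a non-web port on SERVER1
        ("tcp", "100.1.1.2", "192.168.1.1", 22),      # ISP reaches PC1 (no rule)
    ]
    for name, policy in (("lab", LAB_POLICY), ("tight", TIGHT_POLICY)):
        for flow in flows:
            print(f"{name:5} {flow!s:45} -> {evaluate(policy, *flow)}")
```

Running it prints the verdict for each flow under both policies: the three required paths are permitted under both, while the non-web port on SERVER1 is permitted by the lab's untrust_dmz rule and denied only by the narrowed variant. In the lab that port is not actually reachable from outside because no nat server entry publishes it, so the exposure is held back by the NAT mapping rather than by the policy; adding the `service` match makes the policy itself enforce the requirement.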
