Equipment used in this lab:
PC: 1
Server: 2
Client: 1
Switch: 1, an S3700
Firewall: 1, a USG6000V (beta). The USG6000V device in the simulator only boots once its virtual machine image has been imported.
1. Reaching the firewall interfaces
After the hosts have their IP addresses configured, they still cannot ping their gateway (the firewall interface). On the USG6000 series, management-plane access to an interface (ping, telnet, ssh, http, https and so on) is controlled per interface by service-manage and is denied by default, so a correct address and route are not enough on their own. Configure each interface as follows:
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.1.254 255.255.255.0
 service-manage ping permit //let this interface answer ping; other management services stay denied
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 59.39.77.1 255.255.255.0
 service-manage ping permit
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 172.16.1.254 255.255.255.0
 service-manage ping permit
Note that service-manage only governs traffic addressed to the firewall itself. Traffic that has to pass through the firewall is still blocked until the interfaces are placed in zones (step 2) and a security policy permits it (step 3), because the default interzone policy is deny.
2. Assign interfaces to the trust, untrust and dmz zones
firewall zone trust //first step: enter the zone
 set priority 85
 add interface GigabitEthernet1/0/1 //second step: this interface is now in the trust zone
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/3
Trust: higher-security zone, priority 85 (the internal network on GigabitEthernet1/0/1).
DMZ: medium-security zone, priority 50 (the server on GigabitEthernet1/0/3).
Untrust: low-security zone, priority 5 (the outside on GigabitEthernet1/0/2).
On the USG6000V these three zones, together with local (the firewall itself, priority 100), are predefined and already carry exactly these priorities, so the set priority lines change nothing here; the command matters when you create your own zones. Priority is what determines direction: traffic from a higher-priority zone to a lower one is outbound, the reverse is inbound, and the comparison is done on the zones, not on the interfaces.
3. Define the security policies
Rules are evaluated top to bottom and the first match wins; anything no rule matches falls through to the default policy, which is deny.
security-policy
 rule name trutountru
  source-zone trust //not in the original listing; without it the rule matches any source zone, not just trust
  destination-zone untrust
  source-address 192.168.1.0 24
  action permit //trust may reach untrust
 rule name lototru
  source-zone local
  destination-zone trust
  source-address 192.168.1.0 24
  action permit //the firewall itself may reach the trust zone
 rule name untrutodmz
  source-zone untrust
  destination-zone dmz
  destination-address 172.16.1.1 32
  service telnet
  service ftp
  service icmp
  action permit //untrust may reach the DMZ server with telnet, ftp and icmp only; everything else to it is denied
 rule name trutodmz
  source-zone trust
  destination-zone dmz
  destination-address 172.16.1.1 32
  action permit //trust may reach the DMZ server with any service
 rule name dmztotru
  source-zone dmz
  destination-zone trust
  source-address 172.16.1.0 24 //the original listing had source-address 192.168.1.0 24 here, which no DMZ host ever matches, so the rule was dead
  destination-address 192.168.1.0 24
  action permit //the DMZ may reach the trust zone
Two things to verify once this is committed: that untrust can still only reach 172.16.1.1 on the three listed services (telnet and ftp are cleartext, so in anything beyond a lab you would expose ssh and sftp instead), and that the dmztotru rule really is what you want. Letting the DMZ initiate connections into trust means a compromised server can pivot inward, which is the exact exposure a DMZ exists to prevent; if the rule is needed at all, narrow it to the specific hosts and services the server must reach.
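To check the rule set from steps 2 and 3 before trusting it, here is a small offline model of the USG's evaluation: zone priorities decide direction, rules are tried in order, first match wins, and a miss falls to the default deny. This is an added example, not Huawei code or part of the original write-up; the zone names, addresses and services are the lab's own, while the Flow and Rule types, the evaluate() and audit() helpers and the host addresses in the sample flows (PC 192.168.1.1, DMZ server 172.16.1.1, outside client 59.39.77.2) are assumptions made for the example. It keeps dmztotru with the trust subnet as its source-address, as the page originally listed it, to show that such a rule never matches DMZ traffic.

```python
"""Offline model of the lab's USG6000V interzone policy (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Zone priorities from step 2; local is the firewall's own predefined zone.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def direction(src_zone: str, dst_zone: str) -> str:
    """Higher- to lower-priority zone is outbound, the reverse is inbound."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str


@dataclass
class Rule:
    name: str
    action: str = "permit"
    source_zone: Optional[str] = None            # None means any zone
    destination_zone: Optional[str] = None
    source_address: Optional[str] = None         # CIDR string; None means any address
    destination_address: Optional[str] = None
    service: set = field(default_factory=set)    # empty set means any service

    def matches(self, f: Flow) -> bool:
        if self.source_zone and self.source_zone != f.src_zone:
            return False
        if self.destination_zone and self.destination_zone != f.dst_zone:
            return False
        if self.source_address and ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(self.source_address):
            return False
        if self.destination_address and ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(self.destination_address):
            return False
        if self.service and f.service not in self.service:
            return False
        return True


def evaluate(rules: list, f: Flow) -> tuple:
    """First matching rule wins; no match falls through to the default deny."""
    for r in rules:
        if r.matches(f):
            return r.action, r.name
    return "deny", "default-policy"


# The lab's step-3 rules in order. trutountru carries the source-zone trust its
# comment implies; dmztotru is exactly as the page listed it (trust subnet as source).
LAB_RULES = [
    Rule("trutountru", source_zone="trust", destination_zone="untrust", source_address="192.168.1.0/24"),
    Rule("lototru", source_zone="local", destination_zone="trust", source_address="192.168.1.0/24"),
    Rule("untrutodmz", source_zone="untrust", destination_zone="dmz",
         destination_address="172.16.1.1/32", service={"telnet", "ftp", "icmp"}),
    Rule("trutodmz", source_zone="trust", destination_zone="dmz", destination_address="172.16.1.1/32"),
    Rule("dmztotru", source_zone="dmz", destination_zone="trust", source_address="192.168.1.0/24"),
]

# Constructed sample flows; the host addresses are assumptions, not from the page.
SAMPLE_FLOWS = {
    "pc_to_internet": Flow("trust", "untrust", "192.168.1.1", "59.39.77.2", "http"),
    "client_ftp_to_dmz": Flow("untrust", "dmz", "59.39.77.2", "172.16.1.1", "ftp"),
    "client_http_to_dmz": Flow("untrust", "dmz", "59.39.77.2", "172.16.1.1", "http"),
    "client_to_trust": Flow("untrust", "trust", "59.39.77.2", "192.168.1.1", "http"),
    "dmz_to_pc": Flow("dmz", "trust", "172.16.1.1", "192.168.1.1", "icmp"),
}


def audit(rules=LAB_RULES, flows=SAMPLE_FLOWS) -> dict:
    """Map each sample flow to (direction, action, matched rule)."""
    return {name: (direction(f.src_zone, f.dst_zone),) + evaluate(rules, f) for name, f in flows.items()}


def fixed_dmztotru() -> Rule:
    """dmztotru with the DMZ subnet as its source, which is what its comment describes."""
    return Rule("dmztotru", source_zone="dmz", destination_zone="trust",
                source_address="172.16.1.0/24", destination_address="192.168.1.0/24")


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:20s} {result}")
    corrected = LAB_RULES[:-1] + [fixed_dmztotru()]
    print("dmz_to_pc with corrected rule:", evaluate(corrected, SAMPLE_FLOWS["dmz_to_pc"]))
```

Running it shows the outside client reaching the DMZ server over ftp but not http, nothing from untrust reaching trust, and the DMZ-to-PC flow hitting the default deny until dmztotru names 172.16.1.0/24 as its source. The same harness is a cheap place to add a flow for every access you intend to deny, so that a later rule edit that silently widens the policy fails a test instead of going unnoticed.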