Firewall Comprehensive Requirements Lab

1. The trust-zone subnet 10.1.1.0/24 can send all traffic to the untrust zone;
   the trust-zone subnet 10.1.2.0/24 can only access FTP in the untrust zone
2. The trust zone can access the OM zone, but the OM zone cannot access the trust zone
3. When trust-zone users access FTP in the untrust zone, active mode must also work
4. Observe the firewall's security policy, session table and server-map table from the command line

Configuration steps:
1. Create the VLANs, assign interfaces, configure inter-VLAN routing
2. Create the security zones on the firewall and assign interfaces
3. Configure the firewall interface IP addresses
4. Configure routing for the whole network
5. Configure the firewall security policy

Configuration of switch sw2:

<sw2>dis cu
#
sysname sw2
#
vlan batch 10 20 99
#
interface Vlanif10
ip address 10.1.1.254 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.254 255.255.255.0
#
interface Vlanif99
ip address 10.1.99.254 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 99
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.99.0 0.0.0.255

Configuration of the firewall (USG6000V):

<USG6000V1>dis cu
2025-06-06 14:20:10.440
!Software Version V500R005C10SPC300
#
sysname USG6000V1
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.99.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 11.1.1.1 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
#
firewall zone name om id 4
set priority 11
add interface GigabitEthernet1/0/1
#
ospf 1
default-route-advertise always
area 0.0.0.0
network 10.1.99.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
firewall detect ftp
#
security-policy
rule name to-isp
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
action permit
rule name to-ftp
source-zone trust
destination-zone untrust
source-address 10.1.2.0 mask 255.255.255.0
service ftp
action permit
rule name to-om
source-zone trust
destination-zone om
action permit

[USG6000V1]display current-configuration | in detect ftp
2025-06-06 14:05:07.710
firewall detect ftp

[USG6000V1]display security-policy rule all
[USG6000V1]display firewall session table
2025-06-06 14:08:41.810
Current Total Sessions : 2
icmp VPN: public --> public 10.1.2.10:256 --> 172.16.1.10:2048
icmp VPN: public --> public 10.1.1.10:256 --> 172.16.1.10:2048

[USG6000V1]display firewall session table verbose
[USG6000V1]display firewall server-map
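How the three security-policy rules and `firewall detect ftp` satisfy requirements 1 to 3, as an added Python model (not code from the post or from Huawei). Zone names, subnets and rule names come from the configuration above; the untrust host 11.1.1.10, the PORT argument, and the simplification that a server-map hit admits the data connection without a separate policy rule are assumptions of this model.

```python
import ipaddress

# Zones by interface subnet, as in the USG6000V config above.
ZONES = {"trust": "10.1.0.0/16", "om": "172.16.1.0/24", "untrust": "11.1.1.0/24"}
# The three security-policy rules from the post, in order; no match means the implicit deny.
RULES = [
    ("to-isp", "trust", "untrust", "10.1.1.0/24", None),
    ("to-ftp", "trust", "untrust", "10.1.2.0/24", "ftp"),
    ("to-om", "trust", "om", None, None),
]

def zone_of(ip):
    """Return the firewall zone an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, n in ZONES.items() if addr in ipaddress.ip_network(n)), None)

def match_policy(src_ip, dst_ip, proto, dport):
    """First matching rule wins; service 'ftp' means tcp/21 only."""
    zones = (zone_of(src_ip), zone_of(dst_ip))
    for name, sz, dz, src_net, service in RULES:
        if (sz, dz) != zones:
            continue
        if src_net and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(src_net):
            continue
        if service == "ftp" and (proto, dport) != ("tcp", 21):
            continue
        return "permit", name
    return "deny", "default"

class FtpAspf:
    """Models `firewall detect ftp`: a PORT command on a permitted control connection
    creates a server-map entry, and the server's active-mode data connection
    (untrust -> trust) is admitted by that entry, not by a policy rule (model assumption)."""

    def __init__(self):
        self.server_map = set()

    def on_port_command(self, client_ip, server_ip, port_arg):
        """PORT h1,h2,h3,h4,p1,p2 names the client socket the server will connect to."""
        h = port_arg.split(",")
        data_ip, data_port = ".".join(h[:4]), int(h[4]) * 256 + int(h[5])
        if match_policy(client_ip, server_ip, "tcp", 21)[0] == "permit":
            self.server_map.add((server_ip, data_ip, data_port))

    def data_connection_allowed(self, server_ip, client_ip, client_port):
        """Server-side port 20 connecting back to the client's data port."""
        if (server_ip, client_ip, client_port) in self.server_map:
            return "permit", "server-map"
        return match_policy(server_ip, client_ip, "tcp", client_port)
```

Without the ASPF entry the untrust-to-trust data connection hits the implicit deny, which is why active-mode FTP fails when `firewall detect ftp` is missing.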

Verification results:

1. The trust-zone subnet 10.1.1.0/24 can send all traffic to the untrust zone

   The trust-zone subnet 10.1.2.0/24 can only access FTP in the untrust zone

2. The trust zone can access the OM zone, but the OM zone cannot access the trust zone

   Passive mode

3. When trust-zone users access FTP in the untrust zone, active mode also works

4. Observe the firewall's security policy, session table and server-map table from the command line
