Simple firewall security-zone division

Case description:
The firewall divides the network into three security zones, trust, untrust and om. The om zone is given priority 95 (above trust at 85, below local at 100). The requirements are:
Allow firewall interface GE1/0/0 to respond to ping requests.
Allow ICMP traffic from the om zone to reach the untrust zone.

Configuration steps:
1. Create the security zone om, set its priority, and add its interface to it.
2. Configure the interface IP addresses.
3. Enable ping on interface G1/0/0 (service-manage ping permit).
4. Configure a security policy from om to untrust that permits icmp; interzone traffic that matches no rule falls to the default action, which is deny.

Notes:

PC4 IP: 10.1.1.10 (subnet of GE1/0/0, zone trust)

PC5 IP: 10.1.2.10 (subnet of GE1/0/2, zone untrust)

PC6 IP: 10.1.3.10 (subnet of GE1/0/1, zone om)

Firewall configuration:

[USG6000V1]dis cu
2025-06-05 13:14:46.490
!Software Version V500R005C10SPC300
#
sysname USG6000V1
#
undo telnet server enable
undo telnet ipv6 server enable
#
banner enable
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%u5vdW.V[D-C@+nL-I$gB-<Pa%ET""ZD-U&foL7Z;+`Z*<Pd-@%@%
service-type web terminal
level 15

manager-user api-admin
password cipher @%@%rHXM90{-0>>&d%AFK'1#!PS%_8>_Q@R(ZK`j~a@&:`3.PS(!@%@%
level 15

manager-user admin
password cipher @%@%&R:.W,&|<O|fvsO=pR!E"GbAd;)ZY2)xU(j@{K.;|,LBGbD"@%@%
service-type web terminal
level 15
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
#
firewall zone name om id 4
set priority 95
add interface GigabitEthernet1/0/1
#
firewall detect ftp
#
security-policy
rule name aa
source-zone om
destination-zone untrust
source-address 10.1.3.0 mask 255.255.255.0
destination-address 10.1.2.0 mask 255.255.255.0
service icmp
action permit
#
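As an added example (not part of the original post and not a Huawei tool), the following Python script parses a `display current-configuration` dump of the kind shown above and audits it against the four requirements of the case: om priority 95 with GE1/0/1 as a member, `service-manage ping permit` on GE1/0/0, a permit rule for icmp from om to untrust, and every interface belonging to exactly one zone. It also encodes the zone-priority rule that decides interzone direction (higher priority to lower is outbound). It assumes only that blocks are separated by lines containing a single `#`; the excerpt of the page's configuration embedded in `SAMPLE_CONFIG` is constructed for the example.

```python
# Added example, not from the original post: audit a Huawei USG6000V
# "display current-configuration" dump against the case's requirements.
# Assumes VRP-style blocks separated by lines containing only "#"; the
# indentation of sub-commands is ignored, so pasted output works as-is.
import re

# Constructed excerpt of the page's own configuration (zones, interface, policy).
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
 service-manage ping permit
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone name om id 4
 set priority 95
 add interface GigabitEthernet1/0/1
#
security-policy
 rule name aa
  source-zone om
  destination-zone untrust
  source-address 10.1.3.0 mask 255.255.255.0
  destination-address 10.1.2.0 mask 255.255.255.0
  service icmp
  action permit
#
"""

def parse_config(text):
    """One pass over the '#'-separated blocks -> (zones, interfaces, rules).
    zones: {name: {"priority": int|None, "interfaces": [...]}},
    interfaces: {name: [sub-commands]}, rules: [{"name": .., keyword: [values]}]."""
    blocks, cur = [], []
    for raw in text.splitlines() + ["#"]:       # sentinel flushes the last block
        line = raw.strip()
        if line == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line:
            cur.append(line)
    zones, ifaces, rules = {}, {}, []
    for header, *body in blocks:
        zm = re.match(r"firewall zone (?:name )?(\S+)", header)
        if zm:
            z = zones[zm.group(1)] = {"priority": None, "interfaces": []}
            for line in body:
                if line.startswith("set priority "):
                    z["priority"] = int(line.split()[-1])
                elif line.startswith("add interface "):
                    z["interfaces"].append(line.split()[-1])
        elif header.startswith("interface "):
            ifaces[header.split()[1]] = body
        elif header == "security-policy":
            rule = None
            for line in body:
                if line.startswith("rule name "):
                    rule = {"name": line.split()[-1]}
                    rules.append(rule)
                elif rule is not None:           # keyword line belonging to the rule
                    key, _, val = line.partition(" ")
                    rule.setdefault(key, []).append(val)
    return zones, ifaces, rules

def interzone_direction(zones, src, dst):
    """Huawei semantics: higher-priority zone -> lower-priority zone is 'outbound',
    the reverse is 'inbound'; two zones sharing a priority is a config error."""
    ps, pd = zones[src]["priority"], zones[dst]["priority"]
    if ps == pd:
        raise ValueError("zones %s and %s share priority %s" % (src, dst, ps))
    return "outbound" if ps > pd else "inbound"

def audit(text):
    """True/False per requirement. The security-policy default action is deny, so
    om->untrust ICMP needs an explicit permit; the echo reply is matched by the
    session the request created, so no reverse rule is needed."""
    zones, ifaces, rules = parse_config(text)
    om = zones.get("om", {"priority": None, "interfaces": []})
    membership = {}                               # interface -> zones claiming it
    for name, z in zones.items():
        for i in z["interfaces"]:
            membership.setdefault(i, []).append(name)
    icmp_permit = any(
        r.get("source-zone") == ["om"] and r.get("destination-zone") == ["untrust"]
        and "icmp" in r.get("service", []) and r.get("action") == ["permit"]
        for r in rules)
    return {
        "om_priority_95": om["priority"] == 95,
        "om_has_ge1_0_1": "GigabitEthernet1/0/1" in om["interfaces"],
        "om_to_untrust_outbound": ("om" in zones and "untrust" in zones
                                   and interzone_direction(zones, "om", "untrust") == "outbound"),
        "ge1_0_0_ping_permit": "service-manage ping permit" in ifaces.get("GigabitEthernet1/0/0", []),
        "om_icmp_to_untrust_permitted": icmp_permit,
        "each_interface_in_one_zone": all(len(v) == 1 for v in membership.values()),
    }
```

Run `audit(open("usg.cfg").read())` on a saved dump; a False value points at the requirement that is not met. The double-membership check matters because an interface can belong to only one zone, and the direction check shows why om was given 95 rather than, say, 50: with om above trust, traffic from trust into om is inbound and needs its own permit rule, while om to untrust is outbound.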

Verification results:
