防火墙安全策略实验

一、拓扑图

需求

Cloud云：

二、防火墙配置

初始化防火墙

Username:admin
Password:*****
The password needs to be changed. Change now? [Y/N]: y
Please enter old password: Admin@123
Please enter new password: admin@123
Please confirm new password: admin@123

命名防火墙

[FW] sysname FW

开启web服务

[FW] interface GigabitEthernet 0/0/0
[FW-GigabitEthernet0/0/0] service-manage all permit 

LSW1

[sw1]vlan batch 2 3                
[sw1]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access
[sw1-GigabitEthernet0/0/2]port default  vlan 2
[sw1-GigabitEthernet0/0/2]int g0/0/3
[sw1-GigabitEthernet0/0/3]port link-type access
[sw1-GigabitEthernet0/0/3]port default vlan 3
[sw1-GigabitEthernet0/0/3]int g0/0/4
[sw1-GigabitEthernet0/0/4]port link-type access
[sw1-GigabitEthernet0/0/4]port default vlan 3
[sw1-GigabitEthernet0/0/4]q
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
[LSW1]dis vlan
The total number of vlans is : 3
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------VID  Type    Ports                                                          
--------------------------------------------------------------------------------
1    common  UT:GE0/0/1(U)      GE0/0/5(D)      GE0/0/6(D)      GE0/0/7(D)      GE0/0/8(D)      GE0/0/9(D)      GE0/0/10(D)     GE0/0/11(D)     GE0/0/12(D)     GE0/0/13(D)     GE0/0/14(D)     GE0/0/15(D)     GE0/0/16(D)     GE0/0/17(D)     GE0/0/18(D)     GE0/0/19(D)     GE0/0/20(D)     GE0/0/21(D)     GE0/0/22(D)     GE0/0/23(D)     GE0/0/24(D)                                                     2    common  UT:GE0/0/2(U)                                                      TG:GE0/0/1(U)                                                      3    common  UT:GE0/0/3(U)      GE0/0/4(U)                                      TG:GE0/0/1(U)                                                      VID  Status  Property      MAC-LRN Statistics Description      
--------------------------------------------------------------------------------1    enable  default       enable  disable    VLAN 0001                         
2    enable  default       enable  disable    VLAN 0002                         
3    enable  default       enable  disable    VLAN 0003    子接口允许ping服务
[FW]interface GigabitEthernet 1/0/1.1	
[FW-GigabitEthernet1/0/1.1]service-manage  all permit
[FW]interface GigabitEthernet 1/0/1.2
[FW-GigabitEthernet1/0/1.2]service-manage all permit 
[FW]interface GigabitEthernet 1/0/0	
[FW-GigabitEthernet1/0/0]service-manage all permit

安全策略

图形界面创建

命令行创建

[FW]ip address-set BG
[FW-object-address-set-BG]address 192.168.1.0 mask 25[FW]time-range working-time
[FW-time-range-working-time]period-range 08:00:00 to 18:00:00 working-day[FW]security-policy 	
[FW-policy-security]rule name policy_1
[FW-policy-security-rule-policy_1]description BG_to_OA
[FW-policy-security-rule-policy_1]source-zone trust 
[FW-policy-security-rule-policy_1]destination-zone dmz
[FW-policy-security-rule-policy_1]source-address address-set BG
[FW-policy-security-rule-policy_1]destination-zone
[FW-policy-security-rule-policy_1]destination-address address-set "OA Server"
[FW-policy-security-rule-policy_1]time-range working-time
[FW-policy-security-rule-policy_1]action permit ------------动作	

[FW]security-policy
[FW-policy-security]rule name policy_3
[FW-policy-security-rule-policy_3]description OF_to_Web
[FW-policy-security-rule-policy_3]source-zone trust 
[FW-policy-security-rule-policy_3]destination-zone dmz
[FW-policy-security-rule-policy_3]source-address 192.168.1.128 25
[FW-policy-security-rule-policy_3]destination-address 10.0.0.1 32
[FW-policy-security-rule-policy_3]action permit 

测试