ensp安全策略实验
一、拓扑图和要求
二、接口设置
g1/0/0
新增子接口
g1/0/1.1
g1/0/1.2
命令行
[USG6000V1]int g 1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 10.0.0.254 255.255.255.0
[USG6000V1-GigabitEthernet1/0/0]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/0[USG6000V1]int gi 1/0/1.1
[USG6000V1-GigabitEthernet1/0/1.1]vlan-type dot1q 2
[USG6000V1-GigabitEthernet1/0/1.1]ip address 192.168.1.126 255.255.255.128
[USG6000V1-GigabitEthernet1/0/1.1]alias g1/0/1.1
[USG6000V1-GigabitEthernet1/0/1.1]service-manage ping permit [USG6000V1]int gi1/0/1.2
[USG6000V1-GigabitEthernet1/0/1.2]vlan-type dot1q 3
[USG6000V1-GigabitEthernet1/0/1.2]alias gi1/0/1.2
[USG6000V1-GigabitEthernet1/0/1.2]service-manage ping permit [USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface gi1/0/1.1
[USG6000V1-zone-trust]add interface gi1/0/1.2
测试
安全策略
2、办公区pc在工作日时间(周一至周五,早8到晚6)可以正常访问OA Server,其他时间不允许
建立新安全策略并添加源/目的地址
命令行
[USG6000V1]ip address-set BG type object
[USG6000V1-object-address-set-BG]address 192.168.1.0 mask 25
[USG6000V1]ip address-set OA type object
[USG6000V1-object-address-set-OA]address 10.0.0.1 mask 32[USG6000V1]time-range working-time
[USG6000V1-time-range-working-time]period-range 08:00:00 to 18:00:00 working-day 创建安全策略
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_1
[USG6000V1-policy-security-rule-policy_1]description BG to OA
[USG6000V1-policy-security-rule-policy_1]source-zone trust
[USG6000V1-policy-security-rule-policy_1]destination-zone dmz
[USG6000V1-policy-security-rule-policy_1]source-address address-set BG
[USG6000V1-policy-security-rule-policy_1]destination-address address-set OA
[USG6000V1-policy-security-rule-policy_1]time-range working-time
[USG6000V1-policy-security-rule-policy_1]action permit
测试
-
时间为2025/7/31 15:30(周四)
-
时间为2025/7/31 20:30(周四)
3、办公区pc可以在任意时刻访问Web Server
安全策略
命令行
[USG6000V1]ip address-set Web type object
[USG6000V1-object-address-set-Web]address 10.0.0.2 mask 32[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_2
[USG6000V1-policy-security-rule-policy_2]description BG to Web
[USG6000V1-policy-security-rule-policy_2]source-zone trust
[USG6000V1-policy-security-rule-policy_2]destination-zone dmz
[USG6000V1-policy-security-rule-policy_2]source-address address-set BG
[USG6000V1-policy-security-rule-policy_2]destination-address address-set Web
[USG6000V1-policy-security-rule-policy_2]action permit
测试
-
时间为2025/7/31 15:30(周四)
-
时间为2025/7/31 20:30(周四)
4、生产区pc 可以在任意时刻访问OA Server,但是不能访问Web Server
安全策略
命令行
[USG6000V1]ip address-set SC type object
[USG6000V1-object-address-set-Web]address 192.168.1.128 mask 25[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_3
[USG6000V1-policy-security-rule-policy_2]description SC to OA
[USG6000V1-policy-security-rule-policy_2]source-zone trust
[USG6000V1-policy-security-rule-policy_2]destination-zone dmz
[USG6000V1-policy-security-rule-policy_2]source-address address-set SC
[USG6000V1-policy-security-rule-policy_2]destination-address address-set OA
[USG6000V1-policy-security-rule-policy_2]action permit
测试
-
ping OA
-
ping Web
5、特例:生产区pc3可以在每周一早10到早11访问Web Server,用来更新企业最新产品信息
安全策略
命令行
[USG6000V1]time-range update_time
[USG6000V1-time-range-update_time]period-range 10:00:00 to 11:00:00 Mon
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_4
[USG6000V1-policy-security-rule-policy_4]description SC_update
[USG6000V1-policy-security-rule-policy_4]source-zone trust
[USG6000V1-policy-security-rule-policy_4]destination-zone dmz
[USG6000V1-policy-security-rule-policy_4]source-address 192.168.1.130 32
[USG6000V1-policy-security-rule-policy_4]destination-address address-set Web
[USG6000V1-policy-security-rule-policy_4]time-range update_time
[USG6000V1-policy-security-rule-policy_4]action permit
测试
-
时间为2025/7/31 15:30(周四)
-
时间为2025/8/4 10:15 (周一)
