[fw]firewall packet-filter default permitall
13:51:19 2014/07/08
warning:setting the default packetfiltering to permit poses security risks. you
are advised to configure the securitypolicy based on the actual data flows. are
you sure you want to continue?[y/n]y
[fw]ping -c 1 10.0.10.1
13:51:56 2014/07/08
ping 10.0.10.1: 56 data bytes,press ctrl_c to break
reply from 10.0.10.1: bytes=56 sequence=1 ttl=255 time=90 ms
---10.0.10.1 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 90/90/90 ms
[fw]ping -c 1 10.0.20.2
13:52:08 2014/07/08
ping 10.0.20.2: 56 data bytes,press ctrl_c to break
reply from 10.0.20.2: bytes=56 sequence=1 ttl=255 time=400 ms
---10.0.20.2 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 400/400/400 ms
[fw]ping -c 1 10.0.30.3
13:52:18 2014/07/08
ping 10.0.30.3: 56 data bytes,press ctrl_c to break
reply from 10.0.30.3: bytes=56 sequence=1 ttl=255 time=410 ms
---10.0.30.3 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 410/410/410 ms
Step 3. Configure static routes to achieve network connectivity
Configure default routes on R2 and R3 and explicit static routes on the FW, so that the three Loopback0 interfaces can communicate with each other. R1 does not need a default route: it acts as the Internet device and must not know the private network information of the internal and DMZ zones.
[r2]ip route-static 0.0.0.0 0 10.0.20.254
[r3]ip route-static 0.0.0.0 0 10.0.30.254
[fw]ip route-static 10.0.1.0 24 10.0.10.1
13:58:26 2014/07/08
[fw]ip route-static 10.0.2.0 24 10.0.20.2
13:58:40 2014/07/08
[fw]ip route-static 10.0.3.0 24 10.0.30.3
13:58:52 2014/07/08
Test connectivity from the firewall to 10.0.1.0, 10.0.2.0 and 10.0.3.0.
[fw]ping -c 1 10.0.1.1
14:00:18 2014/07/08
ping 10.0.1.1: 56 data bytes,press ctrl_c to break
reply from 10.0.1.1: bytes=56 sequence=1 ttl=255 time=80 ms
---10.0.1.1 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/80/80 ms
[fw]ping -c 1 10.0.2.2
14:00:25 2014/07/08
ping 10.0.2.2: 56 data bytes,press ctrl_c to break
reply from 10.0.2.2: bytes=56 sequence=1 ttl=255 time=170 ms
---10.0.2.2 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 170/170/170 ms
[fw]ping -c 1 10.0.3.3
14:00:29 2014/07/08
ping 10.0.3.3: 56 data bytes,press ctrl_c to break
reply from 10.0.3.3: bytes=56 sequence=1 ttl=255 time=110 ms
---10.0.3.3 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 110/110/110 ms
With the current configuration, all zones can communicate with each other and nothing is inspected. However, since no NAT has been defined yet, the external zone and the internal and DMZ zones cannot access each other.
Step 4. Configure inter-zone security filtering
Configure the firewall to permit packets sent from part of the trust zone's network segment, 10.0.2.3, to the untrust zone, and to permit Telnet requests sent from the untrust zone to the DMZ target server 10.0.3.3.
[fw]firewall session link-state check
[fw]policy interzone trust untrust outbound
[fw-policy-interzone-trust-untrust-outbound]policy 0
14:06:57 2014/07/08
[fw-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
14:07:18 2014/07/08
[fw-policy-interzone-trust-untrust-outbound-0]action permit
14:07:31 2014/07/08
[fw-policy-interzone-trust-untrust-outbound-0]q
14:07:40 2014/07/08
[fw-policy-interzone-trust-untrust-outbound]q
14:07:40 2014/07/08
[fw]policy interzone dmz untrust inbound
14:09:01 2014/07/08
[fw-policy-interzone-dmz-untrust-inbound]policy 0
14:09:08 2014/07/08
[fw-policy-interzone-dmz-untrust-inbound-0]policy destination 10.0.3.3 0
14:09:37 2014/07/08
[fw-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
[fw-policy-interzone-dmz-untrust-inbound-0]action permit
14:09:55 2014/07/08
[fw-policy-interzone-dmz-untrust-inbound-0]q
14:09:55 2014/07/08
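To make the effect of steps 3 and 4 concrete, here is an added Python model of what the firewall decides for a packet: it resolves the source and destination zones through the step 3 static routes, names the direction the way the CLI does (trust to untrust is "outbound", untrust to dmz is "inbound"), matches the step 4 rules with Huawei-style wildcard masks, and falls back to the packet-filter default when no rule matches. This is example code written for this page, not USG firmware or the lab's own configuration. Assumptions are labelled in the code: the zone membership of the three connected networks (R1 side untrust, R2 side trust, R3 side dmz, inferred from the lab), the Huawei default zone priorities, and a simplified first-match rule evaluation with no session state.

```python
"""Added model of the lab's static routes and inter-zone policy (not USG code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Security-zone priorities (Huawei USG defaults: trust 85, dmz 50, untrust 5).
# Traffic from a higher-priority zone to a lower one is "outbound", the reverse
# is "inbound", which is how the CLI names "trust untrust outbound" and
# "dmz untrust inbound".
ZONE_PRIORITY = {"trust": 85, "dmz": 50, "untrust": 5}

# ASSUMPTION: zone membership of the firewall's connected networks, inferred
# from the lab: R1 on 10.0.10.0/24 is the Internet side, R2 on 10.0.20.0/24
# fronts the trust hosts in 10.0.2.0/24, R3 on 10.0.30.0/24 fronts DMZ 10.0.3.3.
CONNECTED = {"10.0.10.0/24": "untrust", "10.0.20.0/24": "trust", "10.0.30.0/24": "dmz"}

# Static routes from step 3: destination prefix -> next hop.
STATIC_ROUTES = {"10.0.1.0/24": "10.0.10.1", "10.0.2.0/24": "10.0.20.2", "10.0.3.0/24": "10.0.30.3"}


def zone_for(ip: str) -> Optional[str]:
    """Longest-prefix match over the static routes, then place the next hop
    (or the address itself) in a connected network. None means no route."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, next_hop in STATIC_ROUTES.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    target = ipaddress.IPv4Address(best[1]) if best else addr
    for prefix, zone in CONNECTED.items():
        if target in ipaddress.IPv4Network(prefix):
            return zone
    return None


def direction(src_zone: str, dst_zone: str) -> str:
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 0 bit must match, a 1 bit is ignored.
    The CLI writes an exact host match as wildcard "0" (see "10.0.3.3 0")."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    source: Tuple[str, str] = ANY          # (base, wildcard) as in "policy source"
    destination: Tuple[str, str] = ANY     # (base, wildcard) as in "policy destination"
    service: Optional[str] = None          # None = any service
    action: str = "permit"


# Step 4 expressed as rules: trust -> untrust from 10.0.2.0/0.0.0.255, and
# untrust -> dmz Telnet to host 10.0.3.3.
RULES = [
    Rule("trust", "untrust", source=("10.0.2.0", "0.0.0.255")),
    Rule("untrust", "dmz", destination=("10.0.3.3", "0"), service="telnet"),
]


def evaluate(src: str, dst: str, service: str, default_action: str = "deny") -> str:
    """Simplified first-match evaluation (no session state). With no matching
    rule the packet-filter default applies; default_action="permit" models the
    "default permit" set at the start of the lab."""
    src_zone, dst_zone = zone_for(src), zone_for(dst)
    if src_zone is None or dst_zone is None:
        return "drop (no route)"
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if not wildcard_match(src, *r.source) or not wildcard_match(dst, *r.destination):
            continue
        if r.service is not None and r.service != service:
            continue
        return r.action
    return default_action


if __name__ == "__main__":
    for pkt in [("10.0.2.2", "10.0.1.1", "http"), ("10.0.1.1", "10.0.3.3", "telnet"),
                ("10.0.1.1", "10.0.3.3", "http"), ("10.0.1.1", "10.0.2.2", "telnet")]:
        print(pkt, "deny-by-default:", evaluate(*pkt), "| permit-all:", evaluate(*pkt, "permit"))
```

Running the block side by side with both defaults shows why the warning printed by `firewall packet-filter default permit all` matters: under deny-by-default only the two flows step 4 explicitly describes (trust hosts out to untrust, and Telnet from untrust to 10.0.3.3) pass, while under permit-all every flow without a rule, including untrust to trust, is also allowed.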
Step 5. Configure Easy-IP to allow access from the trust zone to the untrust zone.
Configure NAT source address translation using Easy-IP, and bind the NAT policy to the interface.
[fw-nat-policy-interzone-trust-untrust-outbound]policy 0