
[Practical notes] Firewall deployment: routing mode, transparent mode, mixed mode

Types: packet-filtering firewall, proxy firewall

Deployment: routing mode, transparent mode, mixed (hybrid) mode

Zones: inside (internal network), outside (external network), DMZ

Security level: every zone carries a priority from 1 to 100, and a higher value means a more trusted zone. Traffic flowing from a higher-priority zone to a lower-priority zone is outbound; traffic flowing from a lower-priority zone to a higher-priority zone is inbound. Interzone policies are configured per zone pair and per direction.

Lab 1: Configure Telnet management of the firewall

(1) Log in to the firewall with a password only

Configure the inside zone with priority 90 and the outside zone with priority 30

[FW]display zone    view the default zones

[SRG]firewall zone name inside    create a zone named inside

[SRG-zone-inside]set priority 90    set its priority to 90

[SRG-zone-inside]add interface g0/0/0    add the interface to the zone

[SRG]firewall zone name outside

[SRG-zone-outside]set priority 30

[SRG-zone-outside]add interface g0/0/1

[Huawei]dhcp enable    enable DHCP

[Huawei]int GigabitEthernet 0/0/0

[Huawei-GigabitEthernet0/0/0]ip add dhcp-alloc    obtain the interface address automatically via DHCP

[FW]user-interface vty 0 4

[SRG-ui-vty0-4]authentication-mode password cipher admin@123

[SRG-ui-vty0-4]user privilege level 3

[SRG]telnet server enable    enable the Telnet server (Telnet is cleartext; on a production device prefer SSH/STelnet and a stronger password than the lab value above)

[SRG]policy interzone inside local inbound    policy for traffic from the inside zone to the firewall itself (local zone)

[SRG-policy-interzone-local-inside-inbound]policy 1

[SRG-policy-interzone-local-inside-inbound-1]policy service service-set telnet

[SRG-policy-interzone-local-inside-inbound-1]policy source 192.168.0.2 0    only this host may reach the management service

[SRG-policy-interzone-local-inside-inbound-1]action permit

[SRG]display policy all    view all policies
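To make the zone-priority and policy-matching logic of Lab 1 concrete, here is an added Python model (not Huawei code and not from the original tutorial) of how a USG derives the direction of a flow from zone priorities, normalises the zone pair the way the CLI prompt does (inside local becomes local-inside), and evaluates the numbered rules of an interzone policy first-match with a default deny. The trust/dmz/untrust priorities are the USG defaults, inside/outside are the values from the lab; the firewall's own inside address 192.168.0.1 and the service-set port numbers are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Zone priorities: local (the firewall itself), trust, dmz and untrust are the
# USG defaults; inside/outside are the values configured in Lab 1.
ZONES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5, "inside": 90, "outside": 30}

# Predefined service sets used on this page: name -> (protocol, destination port); assumed
SERVICE_SETS = {"telnet": ("tcp", 23), "http": ("tcp", 80), "ftp": ("tcp", 21)}


@dataclass
class Rule:
    number: int                        # 'policy 1'
    action: str                        # 'action permit' / 'action deny'
    source: Optional[str] = None       # 'policy source 192.168.0.2 0' (address + wildcard)
    destination: Optional[str] = None  # 'policy destination 10.10.11.3 0'
    service: Optional[str] = None      # 'policy service service-set telnet'


def wildcard_match(ip: str, spec: str) -> bool:
    """Huawei wildcard semantics: a 1 bit in the wildcard means 'don't care'; '0' is an exact host."""
    address, wildcard = spec.split()
    wild = 0 if wildcard == "0" else int(ip_address(wildcard))
    return ((int(ip_address(ip)) ^ int(ip_address(address))) & ~wild & 0xFFFFFFFF) == 0


def direction(src_zone: str, dst_zone: str) -> str:
    """Higher priority -> lower priority is outbound; the reverse is inbound."""
    return "outbound" if ZONES[src_zone] > ZONES[dst_zone] else "inbound"


def interzone_key(zone_a: str, zone_b: str, flow_dir: str) -> Tuple[str, str, str]:
    """Normalise like the CLI prompt: higher-priority zone first ('inside local' -> local-inside)."""
    high, low = sorted((zone_a, zone_b), key=lambda z: ZONES[z], reverse=True)
    return (high, low, flow_dir)


class Firewall:
    def __init__(self) -> None:
        self.policies: Dict[Tuple[str, str, str], List[Rule]] = {}

    def policy_interzone(self, zone_a: str, zone_b: str, flow_dir: str, rules: List[Rule]) -> None:
        """'policy interzone <a> <b> inbound|outbound' followed by its numbered rules."""
        key = interzone_key(zone_a, zone_b, flow_dir)
        self.policies.setdefault(key, []).extend(rules)
        self.policies[key].sort(key=lambda r: r.number)   # rules are evaluated in numeric order

    def check(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str,
              proto: str, dport: int) -> str:
        """First matching rule decides; with no match the interzone default is deny."""
        if src_zone == dst_zone:
            raise ValueError("an interzone check needs two different zones")
        key = interzone_key(src_zone, dst_zone, direction(src_zone, dst_zone))
        for rule in self.policies.get(key, []):
            if rule.source and not wildcard_match(src_ip, rule.source):
                continue
            if rule.destination and not wildcard_match(dst_ip, rule.destination):
                continue
            if rule.service and SERVICE_SETS[rule.service] != (proto, dport):
                continue
            return rule.action
        return "deny"


def lab1_firewall() -> Firewall:
    """Lab 1: only 192.168.0.2 may telnet to the firewall from the inside zone."""
    fw = Firewall()
    fw.policy_interzone("inside", "local", "inbound",
                        [Rule(1, "permit", source="192.168.0.2 0", service="telnet")])
    return fw


if __name__ == "__main__":
    fw = lab1_firewall()
    # 192.168.0.1 stands in for the firewall's own inside-zone address (assumed)
    print(fw.check("inside", "local", "192.168.0.2", "192.168.0.1", "tcp", 23))    # permit
    print(fw.check("inside", "local", "192.168.0.3", "192.168.0.1", "tcp", 23))    # deny
    print(fw.check("outside", "local", "203.0.113.5", "203.0.113.1", "tcp", 23))   # deny: no policy
```

The model generalises to any zone pair: the same `policy_interzone` call with `"untrust", "dmz", "inbound"` and `destination`/`service` rules evaluates the server-publishing policies of the later labs, and a host other than 192.168.0.2, or any port other than 23, falls through to the default deny.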

(2) Log in to the firewall with a username and password

Lab 2: Trust and Untrust interzone: allow internal users to access the Internet

[SRG]nat-policy interzone trust untrust outbound

[SRG-nat-policy-interzone-trust-untrust-outbound]policy 0

[SRG-nat-policy-interzone-trust-untrust-outbound-0]policy source 192.168.0.0 0.0.0.255

[SRG-nat-policy-interzone-trust-untrust-outbound-0]action source-nat

[SRG-nat-policy-interzone-trust-untrust-outbound-0]easy-ip GigabitEthernet0/0/1

[USG-nat-policy-interzone-trust-untrust-outbound-0]quit

[USG-GigabitEthernet0/0/0]nat enable

Lab 3: DMZ and Untrust interzone: access an internal server from the Internet

NAT: static NAT, one-to-one, commonly used to publish an internal server (port forwarding is preferable, since it exposes only the required port rather than the whole host).

Dynamic NAT, many-to-many, for a company that can afford several public addresses.

PAT (port multiplexing): many-to-one, used to map the whole internal network to a single public address for Internet access.

[USG5300] policy interzone untrust dmz inbound

[USG5300-policy-interzone-dmz-untrust-inbound] policy 2

[USG5300-policy-interzone-dmz-untrust-inbound-2] policy destination 10.10.11.3 0

[USG5300-policy-interzone-dmz-untrust-inbound-2] policy service service-set ftp

[USG5300-policy-interzone-dmz-untrust-inbound-2] action permit

[USG5300-policy-interzone-dmz-untrust-inbound-2] quit

[USG5300-policy-interzone-dmz-untrust-inbound] policy 3

[USG5300-policy-interzone-dmz-untrust-inbound-3] policy destination 10.10.11.2 0

[USG5300-policy-interzone-dmz-untrust-inbound-3] policy service service-set http

[USG5300-policy-interzone-dmz-untrust-inbound-3] action permit

[USG5300-policy-interzone-dmz-untrust-inbound-3] quit

[USG5300-policy-interzone-dmz-untrust-inbound] quit

Configure the internal servers (nat server):

<USG5300> system-view

[USG5300] nat server protocol tcp global <public-ip> 8080 inside <server-ip> www    public address and server address not given

[USG5300] nat server protocol tcp global <public-ip> ftp inside <server-ip> ftp
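To show what the easy-ip source NAT of Lab 2 and the nat server mappings of Lab 3 actually do to packets, here is an added Python model (not the device's own code and not from the tutorial) of PAT (many-to-one, the easy-ip case) and static port forwarding (the nat server case), including the reverse translation of replies and the drop of an unsolicited packet with no mapping. The outside address 203.0.113.10 (assumed to be both the easy-ip interface address and the published global address), the PAT port pool starting at 10240, and the server addresses 10.10.11.2 and 10.10.11.3 (taken from the interzone policy above, since the nat server lines omit them) are assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Port keywords the USG CLI accepts in place of a number
SERVICE_PORTS = {"www": 80, "ftp": 21, "telnet": 23}


def to_port(value) -> int:
    return SERVICE_PORTS[value] if isinstance(value, str) else int(value)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Model of easy-ip source NAT (PAT, many-to-one) plus nat server (static port forwarding)."""

    def __init__(self, outside_ip: str, pat_port_base: int = 10240) -> None:
        self.outside_ip = outside_ip                 # address of the easy-ip interface (assumed)
        self.source_nets: List = []                  # 'policy source' entries of the nat-policy
        self.servers: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (proto, global port) -> (inside ip, port)
        self.by_origin: Dict[Tuple[str, str, int], int] = {}        # (proto, src ip, src port) -> PAT port
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, PAT port) -> (src ip, src port)
        self.next_port = pat_port_base               # hypothetical PAT pool, kept above the published ports

    def policy_source(self, address: str, wildcard: str) -> None:
        """'policy source 192.168.0.0 0.0.0.255'; wildcard '0' means a single host."""
        if wildcard == "0":
            self.source_nets.append(ip_network(f"{address}/32"))
        else:  # ipaddress reads a non-contiguous mask such as 0.0.0.255 as a hostmask, giving /24
            self.source_nets.append(ip_network(f"{address}/{wildcard}", strict=False))

    def nat_server(self, proto: str, global_port, inside_ip: str, inside_port) -> None:
        """'nat server protocol tcp global <ip> 8080 inside <ip> www'."""
        self.servers[(proto, to_port(global_port))] = (inside_ip, to_port(inside_port))

    def outbound(self, flow: Flow) -> Flow:
        """trust -> untrust: rewrite the source to the outside address and a pool port."""
        if not any(ip_address(flow.src_ip) in net for net in self.source_nets):
            return flow                              # not covered by the nat-policy: left untranslated
        origin = (flow.proto, flow.src_ip, flow.src_port)
        pat_port = self.by_origin.get(origin)
        if pat_port is None:                         # new session: allocate the next pool port
            pat_port = self.next_port
            self.next_port += 1
            self.by_origin[origin] = pat_port
            self.sessions[(flow.proto, pat_port)] = (flow.src_ip, flow.src_port)
        return replace(flow, src_ip=self.outside_ip, src_port=pat_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """untrust -> inside/dmz: reverse a PAT session, else apply a nat server mapping, else drop."""
        if flow.dst_ip != self.outside_ip:
            return None
        session = self.sessions.get((flow.proto, flow.dst_port))
        if session:
            return replace(flow, dst_ip=session[0], dst_port=session[1])
        server = self.servers.get((flow.proto, flow.dst_port))
        if server:
            return replace(flow, dst_ip=server[0], dst_port=server[1])
        return None                                  # no mapping: the packet is dropped


def lab_demo():
    """Lab 2 easy-ip for 192.168.0.0/24 plus the two Lab 3 nat server entries (addresses assumed)."""
    nat = Nat(outside_ip="203.0.113.10")
    nat.policy_source("192.168.0.0", "0.0.0.255")
    nat.nat_server("tcp", 8080, "10.10.11.2", "www")
    nat.nat_server("tcp", "ftp", "10.10.11.3", "ftp")
    # constructed sample packets (documentation ranges, not real hosts)
    out = nat.outbound(Flow("tcp", "192.168.0.2", 51515, "198.51.100.5", 80))      # client -> Internet
    back = nat.inbound(Flow("tcp", "198.51.100.5", 80, out.src_ip, out.src_port))  # reply comes back
    web = nat.inbound(Flow("tcp", "198.51.100.7", 40000, "203.0.113.10", 8080))    # published web port
    ftp = nat.inbound(Flow("tcp", "198.51.100.7", 40001, "203.0.113.10", 21))      # published ftp port
    blocked = nat.inbound(Flow("tcp", "198.51.100.7", 40002, "203.0.113.10", 22))  # nothing published
    untouched = nat.outbound(Flow("tcp", "10.10.11.2", 80, "198.51.100.5", 443))   # outside the policy
    return out, back, web, ftp, blocked, untouched


if __name__ == "__main__":
    for result in lab_demo():
        print(result)
```

Two details worth noticing: a reply is only translated back because an outbound session created the mapping, which is why the firewall still needs the nat-policy and not just a route; and port 22 is dropped even though the packet reaches the outside address, because only the ports named in nat server entries are published. Publishing a whole host (plain one-to-one static NAT) would hand every listening service on it to the Internet.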

