
Huawei Firewall Configuration Manual: Huawei USG Firewall NAT Configuration

  Published: 2014-08-22 10:09:10   Author: anonymous
This is a Huawei firewall configuration manual covering NAT configuration on the Huawei USG firewall, for readers who are interested.

[FW]firewall packet-filter default permit all

13:51:19 2014/07/08

Warning:Setting the default packet filtering to permit poses security risks. You

are advised to configure the security policy based on the actual data flows. Are

you sure you want to continue?[Y/N]y

 

[FW]ping -c 1 10.0.10.1

13:51:56 2014/07/08

 PING 10.0.10.1: 56  data bytes,press CTRL_C to break

   Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=90 ms

 

  ---10.0.10.1 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 90/90/90 ms

[FW]ping -c 1 10.0.20.2

13:52:08 2014/07/08

 PING 10.0.20.2: 56  data bytes,press CTRL_C to break

   Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=400 ms

 

  ---10.0.20.2 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 400/400/400 ms

[FW]ping -c 1 10.0.30.3

13:52:18 2014/07/08

 PING 10.0.30.3: 56  data bytes,press CTRL_C to break

   Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=410 ms

 

  ---10.0.30.3 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 410/410/410 ms

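Step 3. Configure static routes to achieve network connectivity

        Configure default routes on R2 and R3 and explicit static routes on FW so that the three loopback0 interfaces can communicate with each other. R1 does not need a default route: as the internet device, it does not need to know the private network information of the internal and DMZ zones.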

[R2]ip route-static 0.0.0.0 0 10.0.20.254

 

[R3]ip route-static 0.0.0.0 0 10.0.30.254

 

[FW]ip route-static 10.0.1.0 24 10.0.10.1

13:58:26 2014/07/08

[FW]ip route-static 10.0.2.0 24 10.0.20.2

13:58:40 2014/07/08

[FW]ip route-static 10.0.3.0 24 10.0.30.3

13:58:52 2014/07/08

        Test connectivity from the firewall to 10.0.1.0, 10.0.2.0, and 10.0.3.0.

[FW]ping -c 1 10.0.1.1

14:00:18 2014/07/08

 PING 10.0.1.1: 56  data bytes,press CTRL_C to break

   Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms

 

  ---10.0.1.1 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 80/80/80 ms

 

[FW]ping -c 1 10.0.2.2

14:00:25 2014/07/08

 PING 10.0.2.2: 56  data bytes,press CTRL_C to break

   Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms

 

  ---10.0.2.2 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 170/170/170 ms

 

[FW]ping -c 1 10.0.3.3

14:00:29 2014/07/08

 PING 10.0.3.3: 56  data bytes,press CTRL_C to break

   Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms

 

  ---10.0.3.3 ping statistics ---

    1 packet(s) transmitted

    1 packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 110/110/110 ms

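        With the current configuration, all zones can communicate with each other without being inspected. However, because NAT has not yet been defined, the external zone and the internal and DMZ zones cannot access each other.

Step 4. Configure interzone security filtering

         Permit packets sent from part of the Trust zone's network segment, 10.0.2.3, to the Untrust zone. Permit telnet requests sent from the Untrust zone to the DMZ target server 10.0.3.3.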

[FW]firewall session link-state check

[FW]policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound]policy 0

14:06:57 2014/07/08

[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255

14:07:18 2014/07/08

[FW-policy-interzone-trust-untrust-outbound-0]action permit

14:07:31 2014/07/08

[FW-policy-interzone-trust-untrust-outbound-0]q

14:07:40 2014/07/08

[FW-policy-interzone-trust-untrust-outbound]q

14:07:40 2014/07/08

[FW]policy interzone dmz untrust inbound

14:09:01 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound]policy 0

14:09:08 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound-0]policy destination 10.0.3.3 0

14:09:37 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet

[FW-policy-interzone-dmz-untrust-inbound-0]action permit

14:09:55 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound-0]q

14:09:55 2014/07/08
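
An added example, not part of the original manual: a simplified Python model of the two step-4 interzone policies, evaluated against constructed sample flows under both default actions. It shows that while the default packet filter is still set to permit, the two permit rules filter nothing. The first-match-else-default evaluation, the flow names and the sample addresses are assumptions of this sketch.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# The two step-4 policies transcribed as data. A wildcard of "0" in the CLI
# is written out here as 0.0.0.0 (exact host match).
POLICIES = [
    {"src_zone": "trust", "dst_zone": "untrust",          # trust untrust outbound
     "source": ("10.0.2.0", "0.0.0.255"), "action": "permit"},
    {"src_zone": "untrust", "dst_zone": "dmz",            # dmz untrust inbound
     "destination": ("10.0.3.3", "0.0.0.0"), "service": "telnet",
     "action": "permit"},
]

def evaluate(flow, default_action):
    """Action of the first matching policy, else the default action.
    Assumption: simplified model, no session state or other match criteria."""
    for p in POLICIES:
        if (p["src_zone"], p["dst_zone"]) != (flow["src_zone"], flow["dst_zone"]):
            continue
        if "source" in p and not wildcard_match(flow["src"], *p["source"]):
            continue
        if "destination" in p and not wildcard_match(flow["dst"], *p["destination"]):
            continue
        if "service" in p and p["service"] != flow["service"]:
            continue
        return p["action"]
    return default_action

# Constructed sample flows using the lab's addressing plan.
FLOWS = {
    "trust_out": dict(src_zone="trust", dst_zone="untrust",
                      src="10.0.2.2", dst="10.0.1.1", service="icmp"),
    "telnet_dmz": dict(src_zone="untrust", dst_zone="dmz",
                       src="10.0.1.1", dst="10.0.3.3", service="telnet"),
    "http_dmz": dict(src_zone="untrust", dst_zone="dmz",
                     src="10.0.1.1", dst="10.0.3.3", service="http"),
    "untrust_in": dict(src_zone="untrust", dst_zone="trust",
                       src="10.0.1.1", dst="10.0.2.2", service="telnet"),
}

def decisions(default_action):
    """Map each sample flow name to the resulting action."""
    return {name: evaluate(f, default_action) for name, f in FLOWS.items()}

if __name__ == "__main__":
    for default in ("permit", "deny"):
        print(default, decisions(default))
```

With a default of permit every sample flow passes; with a default of deny only the Trust-to-Untrust flow and the telnet flow to 10.0.3.3 pass, which is the behaviour the step-4 rules describe.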

Step 5. Configure Easy-IP to enable access from the Trust zone to the Untrust zone.

       Configure Easy-IP to perform NAT source address translation, and bind NAT to the interface.

[FW-nat-policy-interzone-trust-untrust-outbound]policy 0
