Firewall Virtual Systems
- Computer Hardware
- 2025-09-11 20:39:02

I. Lab Topology

II. Lab Requirements

1. There is only one public IP address; every department on the company intranet must share that one interface to reach the Internet.
2. The Finance department is forbidden from accessing the Internet; in the R&D department only some employees may access the Internet; the whole Administration department may access the Internet.
3. Assign the same resource class to the virtual systems of the three departments.
4. The internal R&D department must be able to reach the Finance department.
5. The root-system administrator creates virtual systems a, b and c, allocates their resources and configures their administrators.
6. The root-system administrator creates the security policy and NAT policy for intranet users.
7. The three virtual systems a, b and c each complete their own IP, routing and security-policy configuration.

III. Lab Configuration

Enable virtual systems and create resource classes
The contents of r1, r2 and r3 are identical.
Virtual systems vsysb and vsysc are created the same way as vsysa.
Create administrators

```
[FW]switch vsys vsysa
[FW-vsysa]aaa
[FW-vsysa-aaa]manager-user admin@@vsysa
[FW-vsysa-aaa-manager-user-admin@@vsysa]password
Enter Password:admin@123
Confirm Password:admin@123
[FW-vsysa-aaa-manager-user-admin@@vsysa]level 15
[FW-vsysa-aaa-manager-user-admin@@vsysa]service-type web telnet ssh
[FW-vsysa-aaa-manager-user-admin@@vsysa]quit
[FW-vsysa-aaa]bind manager-user admin@@vsysa role system-admin
```

The administrators for vsysb and vsysc are created the same way as for vsysa.
Basic FW and router configuration

```
[FW1]dis current-configuration interface
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 11.0.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance vsysa
 ip address 10.3.0.254 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip binding vpn-instance vsysb
 ip address 10.3.1.254 255.255.255.0
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip binding vpn-instance vsysc
 ip address 10.3.2.254 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
interface Virtual-if3
 ip address 172.16.3.1 255.255.255.0
#
```

Interface configuration as seen from inside vsysa, vsysb and vsysc (each view lists only its own bound interface and virtual interface):

```
interface GigabitEthernet1/0/1
 undo shutdown
 ip binding vpn-instance vsysa
 ip address 10.3.0.254 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
return
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip binding vpn-instance vsysb
 ip address 10.3.1.254 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
return
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip binding vpn-instance vsysc
 ip address 10.3.2.254 255.255.255.0
#
interface Virtual-if3
 ip address 172.16.3.1 255.255.255.0
#
return
```

Router r1:

```
[r1]dis current-configuration interface
interface GigabitEthernet0/0/0
 ip address 11.0.0.2 255.255.255.0
interface LoopBack0
 ip address 100.1.1.1 255.255.255.0
```

Security policy and NAT policy in the public system

```
[FW1-policy-security-rule-to_internet]dis this
2025-03-04 12:29:40.900
#
 rule name to_internet
  source-zone trust
  destination-zone untrust
  action permit
#
return
[FW1]nat-policy
[FW1-policy-nat]dis this
2025-03-04 12:30:09.980
#
nat-policy
 rule name a
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.0.0
  action source-nat easy-ip
#
return
[FW1]ip route-static 0.0.0.0 0 11.0.0.2
[FW1]dis zone
2025-03-04 12:37:35.800
local
 priority is 100
 interface of the zone is (0):
#
trust
 priority is 85
 interface of the zone is (2):
  GigabitEthernet0/0/0
  Virtual-if0
#
untrust
 priority is 5
 interface of the zone is (1):
  GigabitEthernet1/0/0
#
dmz
 priority is 50
 interface of the zone is (0):
#
vpn-instance vsysa local
 priority is 100
 interface of the zone is (0):
#
vpn-instance vsysa trust
 priority is 85
 interface of the zone is (1):
  GigabitEthernet1/0/1
#
vpn-instance vsysa untrust
 priority is 5
 interface of the zone is (1):
  Virtual-if1
#
vpn-instance vsysa dmz
 priority is 50
 interface of the zone is (0):
#
vpn-instance vsysb local
 priority is 100
 interface of the zone is (0):
#
vpn-instance vsysb trust
 priority is 85
 interface of the zone is (1):
  GigabitEthernet1/0/2
#
vpn-instance vsysb untrust
 priority is 5
 interface of the zone is (1):
  Virtual-if2
#
vpn-instance vsysb dmz
 priority is 50
 interface of the zone is (0):
#
vpn-instance vsysc local
 priority is 100
 interface of the zone is (0):
#
vpn-instance vsysc trust
 priority is 85
 interface of the zone is (1):
  GigabitEthernet1/0/3
#
vpn-instance vsysc untrust
 priority is 5
 interface of the zone is (1):
  Virtual-if3
#
vpn-instance vsysc dmz
 priority is 50
 interface of the zone is (0):
#
```

Security policy and default route in vsysa

```
[FW1-vsysa-policy-security]dis this
2025-03-04 12:31:46.930
#
security-policy
 rule name to_vsysb
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.3.1.0 mask 255.255.255.0
  action permit
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address address-set aa
  action permit
#
return
[FW1-vsysa]ip route-static 0.0.0.0 0 public
```

Security policy and default route in vsysb

```
[FW1-vsysb]security-policy
[FW1-vsysb-policy-security]dis this
2025-03-04 12:34:14.740
#
security-policy
 rule name to_vsysa
  source-zone untrust
  destination-zone trust
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.3.1.0 mask 255.255.255.0
  action permit
#
return
[FW1-vsysb]ip route-static 0.0.0.0 0 public
```

Security policy and default route in vsysc

```
[FW1-vsysc]security-policy
[FW1-vsysc-policy-security]dis this
2025-03-04 12:35:21.580
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 mask 255.255.255.0
  action permit
#
return
[FW1-vsysc]ip route-static 0.0.0.0 0 public
```

IV. Lab Verification

PC1 (R&D) can access the Internet
PC2 (Finance) cannot access the Internet
PC3 (Administration) can access the Internet
PC1 (R&D) can access PC2 (Finance)
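The four verification results can also be checked offline against the configured rules before touching the PCs. The following is an added example, not part of the original lab write-up: it parses the per-vsys security-policy text exactly as the `dis this` outputs show it and evaluates flows with first-match order and the firewall's default deny. The members of address-set aa are not defined on the page, so the two R&D hosts used here are an assumption.

```python
import ipaddress

# Constructed input: the vsys security-policy rules from the lab above, in
# Huawei USG "dis this" text form. The members of address-set "aa" (the R&D
# hosts allowed to reach the Internet) are an assumption, not from the page.
ADDRESS_SETS = {"aa": ["10.3.0.10/32", "10.3.0.11/32"]}
POLICY_TEXT = {
    "vsysa": " rule name to_vsysb\n  source-zone trust\n  destination-zone untrust\n"
             "  source-address 10.3.0.0 mask 255.255.255.0\n"
             "  destination-address 10.3.1.0 mask 255.255.255.0\n  action permit\n"
             " rule name to_internet\n  source-zone trust\n  destination-zone untrust\n"
             "  source-address address-set aa\n  action permit\n",
    "vsysb": " rule name to_vsysa\n  source-zone untrust\n  destination-zone trust\n"
             "  source-address 10.3.0.0 mask 255.255.255.0\n"
             "  destination-address 10.3.1.0 mask 255.255.255.0\n  action permit\n",
    "vsysc": " rule name to_internet\n  source-zone trust\n  destination-zone untrust\n"
             "  source-address 10.3.2.0 mask 255.255.255.0\n  action permit\n",
}

def parse_policy(text):
    """Turn 'dis this' rule lines into a list of rule dicts, in configured order."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["rule", "name"]:
            rules.append({"name": words[2], "src": [], "dst": []})
        elif words[0] in ("source-address", "destination-address"):
            key = "src" if words[0] == "source-address" else "dst"
            if words[1] == "address-set":
                rules[-1][key] += ADDRESS_SETS[words[2]]
            else:  # "<ip> mask <netmask>" becomes a CIDR network
                rules[-1][key].append(str(ipaddress.ip_network(f"{words[1]}/{words[3]}")))
        elif words[0] in ("source-zone", "destination-zone", "action"):
            rules[-1][words[0]] = words[1]
    return rules

def match(addr, nets):
    # An empty address list means the rule did not restrict that side (any).
    return not nets or any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

def lookup(vsys, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; with no match the default packet-filter deny applies."""
    for r in parse_policy(POLICY_TEXT[vsys]):
        if (r["source-zone"] == src_zone and r["destination-zone"] == dst_zone
                and match(src_ip, r["src"]) and match(dst_ip, r["dst"])):
            return r["name"], r["action"]
    return "default", "deny"
```

Run `lookup("vsysa", "trust", "untrust", "10.3.0.99", "100.1.1.1")` to see that an R&D host outside address-set aa falls through to the default deny, which is what requirement 2 asks for.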