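Lab 1
Lab environment
Lab requirements
1. Plan and configure the IP addresses
2. Add each network to its corresponding zone
3. Allow PC1 to access PC2 and PC2 to access the server; no other access is permitted
Lab steps
Configure IP addresses
FW1 IP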
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip ad 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip ad 192.168.2.254 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip ad 192.168.3.254 24
Configure FW1 interfaces
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/0
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/1
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g1/0/2
Configure rules
[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]source-zone trust
[FW1-policy-security-rule-t-u]destination-zone untrust
[FW1-policy-security-rule-t-u]source-address 192.168.1.1 mask 255.255.255.0
[FW1-policy-security-rule-t-u]destination-address 192.168.2.2 24
[FW1-policy-security-rule-t-u]action permit
[FW1]security-policy
[FW1-policy-security]rule name t-i
[FW1-policy-security-rule-t-i]source-zone untrust
[FW1-policy-security-rule-t-i]destination-zone dmz
[FW1-policy-security-rule-t-i]source-address 192.168.2.2 mask 255.255.255.0
[FW1-policy-security-rule-t-i]destination-address 192.168.3.3 24
[FW1-policy-security-rule-t-i]action permit
PC1 ping PC2; PC1 ping the server
PC2 ping the server
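An added example, not part of the original lab notes: a small Python model of the Lab 1 security policy that checks requirement 3 offline. It assumes PC1, PC2 and the server sit at the addresses used in the rules, that rule t-u's destination zone is untrust, that the default action is deny, and that an address/mask pair matches the whole masked subnet; `host_only` is a hypothetical tightened variant.

```python
import ipaddress

# Zones by interface subnet, from the Lab 1 interface and zone configuration.
ZONES = {
    "trust": ipaddress.ip_network("192.168.1.0/24"),    # g1/0/0
    "untrust": ipaddress.ip_network("192.168.2.0/24"),  # g1/0/1
    "dmz": ipaddress.ip_network("192.168.3.0/24"),      # g1/0/2
}

# Lab 1 rules: name, source zone, destination zone, (address, mask) pairs.
RULES = [
    ("t-u", "trust", "untrust", ("192.168.1.1", "255.255.255.0"), ("192.168.2.2", "24")),
    ("t-i", "untrust", "dmz", ("192.168.2.2", "255.255.255.0"), ("192.168.3.3", "24")),
]


def zone_of(ip):
    """Map an address to the zone of the interface subnet that contains it."""
    return next((z for z, subnet in ZONES.items() if ip in subnet), None)


def matches(ip, addr_mask):
    # Assumption: host bits under the mask are ignored, so the pair names a subnet.
    addr, mask = addr_mask
    return ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def evaluate(src, dst, rules=RULES):
    """First-match lookup for a NEW session; replies ride the session table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_zone, dst_zone, src_net, dst_net in rules:
        if (zone_of(s), zone_of(d)) == (src_zone, dst_zone) \
                and matches(s, src_net) and matches(d, dst_net):
            return "permit", name
    return "deny", "default"  # assumption: default action left at deny


def host_only(rules=RULES):
    """Hypothetical tightened variant: same rules with /32 host matches."""
    return [(n, sz, dz, (sa, "32"), (da, "32")) for n, sz, dz, (sa, _), (da, _) in rules]


if __name__ == "__main__":
    # Constructed test flows: the three lab pings plus two other hosts in the subnets.
    for src, dst in [("192.168.1.1", "192.168.2.2"), ("192.168.2.2", "192.168.3.3"),
                     ("192.168.1.1", "192.168.3.3"), ("192.168.1.50", "192.168.2.77")]:
        print(src, "->", dst, evaluate(src, dst), evaluate(src, dst, host_only()))
```

The last flow shows that the /24 masks in the rules permit any host in the trust subnet to reach any host in the untrust subnet, which is wider than requirement 3 needs.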
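Lab 2
Lab environment
Lab requirements
- Configure NAT so that the internal PC can access the public PC normally
- Log in to the web interface
Lab steps
Configure R1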
[R1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/1]ip address 192.168.4.1 24
[R1-ospf-1]a 0
[R1-ospf-1-area-0.0.0.0]network 192.168.4.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.1.254 0.0.0.0
Configure FW1
[FW1]ip route-static 0.0.0.0 0 192.168.2.2
[FW1]ospf
[FW1-ospf-1]a 0
[FW1-ospf-1-area-0.0.0.0]network 1923.168
[FW1-ospf-1]default-route-advertise
[FW1]nat address-group 1
[FW1-address-group-1]section 0 192.168.2.10 192.168.2.10
[FW1]nat-policy
[FW1-policy-nat]rule name snat
[FW1-policy-nat-rule-snat]source-zone trust
[FW1-policy-nat-rule-snat]destination-zone untrust
[FW1-policy-nat-rule-snat]source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-nat-rule-snat]action source-nat address-group 1
[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]source-zone trust
[FW1-policy-security-rule-t-u]destination-zone untrust
[FW1-policy-security-rule-t-u]source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-security-rule-t-u]action permit
PC1 ping PC2
Set up cloud1
Connect it to the firewall's g0/0/0 port
[FW1-GigabitEthernet0/0/0]ip address 192.168.70.7 24
[FW1-GigabitEthernet0/0/0]service-manage https permit