Experiment 1
Lab environment
Experimental requirements
1. Plan and configure IP addresses.
2. Add each network to the corresponding security zone.
3. Allow PC1 to access PC2, and PC2 to access the server.
Experimental procedure
Configure IP
FW1 IP
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip ad 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip ad 192.168.2.254 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip ad 192.168.3.254 24
Configure FW1 ports
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/0
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/1
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g1/0/2
Configure rules
[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]source-zone trust
[FW1-policy-security-rule-t-u]destination-zone untrust
[FW1-policy-security-rule-t-u]source-address 192.168.1.1 mask 255.255.255.0
[FW1-policy-security-rule-t-u]destination-address 192.168.2.2 24
[FW1-policy-security-rule-t-u]action permit
[FW1]security-policy
[FW1-policy-security]rule name t-i
[FW1-policy-security-rule-t-i]source-zone untrust
[FW1-policy-security-rule-t-i]destination-zone dmz
[FW1-policy-security-rule-t-i]source-address 192.168.2.2 mask 255.255.255.0
[FW1-policy-security-rule-t-i]destination-address 192.168.3.3 24
[FW1-policy-security-rule-t-i]action permit
PC1 pings PC2; PC1 pings the server.
PC2 pings the server.
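The two rules above can be checked offline with a small first-match evaluator. This is an added example, not part of the original lab: it assumes PC1 = 192.168.1.1, PC2 = 192.168.2.2 and server = 192.168.3.3 (taken from the rule addresses), maps zones by subnet instead of by interface, assumes the default action is deny, and `HOST_RULES` is a hypothetical tightened variant.

```python
import ipaddress

# Constructed model of Experiment 1: one subnet per zone (the firewall itself
# assigns zones by interface; subnets are a simplification for this example).
ZONES = {
    "trust": ipaddress.ip_network("192.168.1.0/24"),
    "untrust": ipaddress.ip_network("192.168.2.0/24"),
    "dmz": ipaddress.ip_network("192.168.3.0/24"),
}

def net(addr, mask):
    # A host address with a /24 mask selects the whole masked network:
    # 192.168.1.1 mask 255.255.255.0 covers all of 192.168.1.0/24.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

# (name, source zone, destination zone, source net, destination net, action)
RULES = [
    ("t-u", "trust", "untrust",
     net("192.168.1.1", "255.255.255.0"), net("192.168.2.2", "24"), "permit"),
    ("t-i", "untrust", "dmz",
     net("192.168.2.2", "255.255.255.0"), net("192.168.3.3", "24"), "permit"),
]

# Hypothetical host-to-host version of t-u using /32 masks.
HOST_RULES = [("t-u", "trust", "untrust",
               net("192.168.1.1", "32"), net("192.168.2.2", "32"), "permit")]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, subnet in ZONES.items() if addr in subnet), None)

def evaluate(src, dst, rules=RULES):
    """Return (action, rule name) for the first packet of a new session."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pair = (zone_of(src), zone_of(dst))
    for name, src_zone, dst_zone, src_net, dst_net, action in rules:
        if pair == (src_zone, dst_zone) and s in src_net and d in dst_net:
            return action, name
    return "deny", "default"  # assumed default action when nothing matches

if __name__ == "__main__":
    flows = [("192.168.1.1", "192.168.2.2"), ("192.168.1.77", "192.168.2.200"),
             ("192.168.2.2", "192.168.3.3"), ("192.168.1.1", "192.168.3.3")]
    for src, dst in flows:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

Only the first packet of a session is evaluated here; reply traffic of a permitted session is handled by the firewall's session table, not by a reverse rule.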
Experiment 2
Lab environment
Experimental requirements
- Configure NAT so that the intranet PC can access the public-network PC normally.
- Log in to the web interface.
Experimental procedure
Configure R1
[R1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/1]ip address 192.168.4.1 24
[R1-ospf-1]a 0
[R1-ospf-1-area-0.0.0.0]network 192.168.4.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.1.254 0.0.0.0
Configure FW1
[FW1]ip route-static 0.0.0.0 0 192.168.2.2
[FW1]ospf
[FW1-ospf-1]a 0
[FW1-ospf-1-area-0.0.0.0]network 1923.168
[FW1-ospf-1]default-route-advertise
[FW1]nat address-group 1
[FW1-address-group-1]section 0 192.168.2.10 192.168.2.10
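[FW1]nat-policy
[FW1-policy-nat]rule name snat
[FW1-policy-nat-rule-snat]source-zone trust
[FW1-policy-nat-rule-snat]destination-zone untrust
[FW1-policy-nat-rule-snat]source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-nat-rule-snat]action source-nat address-group 1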
[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]source-zone trust
[FW1-policy-security-rule-t-u]destination-zone untrust
[FW1-policy-security-rule-t-u]source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-security-rule-t-u]action permit
PC1 pings PC2.
Set up Cloud1
Connect it to the g0/0/0 port of FW1.
[FW1-GigabitEthernet0/0/0]ip address 192.168.70.7 24
[FW1-GigabitEthernet0/0/0]service-manage https permit