Forwarding policy based on IP address

Step 1: Enter system view and check the current configuration of the interface

<USG6000V1> system-view

[USG6000V1]interface GigabitEthernet 0/0/0

[USG6000V1-GigabitEthernet0/0/0]display this

Step 2: Configure the IP addresses of the interfaces on both sides of the firewall

[USG6000V1-GigabitEthernet0/0/0]undo ip binding vpn-instance default

[USG6000V1-GigabitEthernet0/0/0]dis this

[USG6000V1-GigabitEthernet0/0/0]ip address 192.168.5.1 24

[USG6000V1-GigabitEthernet0/0/0]interface GigabitEthernet 1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 1.1.1.1 24

[USG6000V1-GigabitEthernet1/0/0]q

Step 3: Add interface GigabitEthernet 0/0/0 to the trust zone and GigabitEthernet 1/0/0 to the untrust zone

[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 0/0/0

[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/0

[USG6000V1-zone-untrust]q

Step 4: Configure an address set named ip_deny and add to it the IP addresses that are not allowed to pass through the firewall.

Create an address set named ip_deny
[USG6000V1] ip address-set ip_deny type object

Add the IP addresses that are not allowed to pass through the firewall to the ip_deny address set

[USG6000V1-object-address-set-ip_deny]address 192.168.5.2 0
[USG6000V1-object-address-set-ip_deny]address 192.168.5.3 0
[USG6000V1-object-address-set-ip_deny]address 192.168.5.6 0

[USG6000V1-object-address-set-ip_deny]q

Step 5: Create a forwarding policy that denies the IP addresses in the ip_deny address set, so that the addresses added to that set in step 4 cannot pass through the firewall.

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_deny
[USG6000V1-policy-security-rule-policy_deny]source-address address-set ip_deny

[USG6000V1-policy-security-rule-policy_deny]action deny

[USG6000V1-policy-security-rule-policy_deny]q
[USG6000V1-policy-security]q

Step 6: Create a forwarding policy that permits the other IP addresses in the 192.168.5.0/24 network segment to pass through the firewall.

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name policy_permit
[USG6000V1-policy-security-rule-policy_permit]source-address 192.168.5.0 24

[USG6000V1-policy-security-rule-policy_permit]action permit
[USG6000V1-policy-security-rule-policy_permit]q

Step 7: Test. The IP addresses of pc1 and pc2 (192.168.5.2 and 192.168.5.3) are in the ip_deny address set referenced by the deny policy, while pc3 (192.168.5.4) is not, so pc1 and pc2 cannot ping the target host and pc3 pings it successfully. The experiment is successful.
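As an added illustration, not part of the original post and not Huawei's own code, the following Python models how the USG evaluates the rules configured above: rules are checked top-down, the first match wins, and traffic matching no rule hits the default policy, which is deny. It replays the step 7 result for pc1, pc2 and pc3 (addresses taken from step 7) and also flags the rule-order mistake of placing policy_permit before policy_deny, which would shadow the deny rule; representing each `address X 0` entry as a /32 network is an assumption of this model.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

Rule = Tuple[str, List[ipaddress.IPv4Network], str]  # (name, source networks, action)

# Address set ip_deny from step 4. "address 192.168.5.2 0" is a single host
# (wildcard mask 0); it is modelled here as a /32 network (assumption).
IP_DENY = [ipaddress.ip_network(h) for h in
           ("192.168.5.2/32", "192.168.5.3/32", "192.168.5.6/32")]

# Security-policy rules in configuration order. policy_deny was created
# before policy_permit, so it is evaluated first.
RULES: List[Rule] = [
    ("policy_deny", IP_DENY, "deny"),
    ("policy_permit", [ipaddress.ip_network("192.168.5.0/24")], "permit"),
]


def evaluate(src_ip: str, rules: Sequence[Rule] = RULES,
             default_action: str = "deny") -> Tuple[str, str]:
    """Return (rule name, action) for a packet with the given source address.
    Rules are checked top-down, first match wins; otherwise the default policy
    (deny on the USG) applies."""
    src = ipaddress.ip_address(src_ip)
    for name, networks, action in rules:
        if any(src in net for net in networks):
            return name, action
    return "default", default_action


def shadowed_rules(rules: Sequence[Rule] = RULES) -> List[str]:
    """Names of rules that can never match because every one of their source
    networks is already covered by an earlier rule (a rule-order mistake)."""
    out = []
    for i, (name, networks, _) in enumerate(rules):
        earlier = [n for _, nets, _ in rules[:i] for n in nets]
        if earlier and all(any(net.subnet_of(e) for e in earlier) for net in networks):
            out.append(name)
    return out


def run_test(rules: Sequence[Rule] = RULES) -> Dict[str, str]:
    """Replay step 7: the action each test PC gets from the policy."""
    pcs = {"pc1": "192.168.5.2", "pc2": "192.168.5.3", "pc3": "192.168.5.4"}
    return {pc: evaluate(ip, rules)[1] for pc, ip in pcs.items()}


if __name__ == "__main__":
    print(run_test())                              # {'pc1': 'deny', 'pc2': 'deny', 'pc3': 'permit'}
    print(shadowed_rules(list(reversed(RULES))))   # ['policy_deny']
```

Reversing the two rules makes policy_deny unreachable, which is why `display security-policy` output should be read in order when a deny rule seems to have no effect.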

I forgot to mark the pictures at first, but I have already written out the steps, and the pictures are just an aid.

Source: blog.csdn.net/weixin_64033212/article/details/129669427