The practical case of the project on the second day of the special training camp


  • Firewall theoretical knowledge (must remember)
  1. Classification of firewalls
  (1) Packet-filtering firewall

   Essentially an ACL written on the router: each packet is judged on its own from its header fields (addresses, protocol, ports), with no memory of the packets that came before it.

  (2) Proxy firewall

   Works like a rental agency: the client and the server never talk to each other directly; the firewall terminates the connection on each side and relays between them.

   Disadvantage: slow, because every connection has to be rebuilt at the application layer.

  (3) Stateful inspection firewall

  When a data packet arrives at the firewall and the policy allows it to pass, the firewall forwards it and creates a state (session) entry. The following packets of the same connection, including the replies, are matched against the session table instead of being run through the policy again.

Advantages: fast processing of subsequent packets, high security (a reply is only accepted if a permitted request created the session).

  2. Firewall working modes

  (1) Routing mode: every interface has an IP address and the firewall forwards at layer 3, like a router. This lab runs in routing mode, since each interface is given an address.
  (2) Transparent mode: the interfaces have no IP addresses and the firewall forwards at layer 2, like a bridge, so it can be inserted without re-addressing the network.
  (3) Hybrid mode: some interfaces work in routing mode and others in transparent mode.

  3. Zone division (security zones)

| Firewall zone | Priority | Connected area |
|---|---|---|
| UNTRUST | 5 | External network interface |
| TRUST | 85 | Intranet interface |
| DMZ | 50 | Servers |
| LOCAL | 100 | Traffic to and from the firewall itself |

Inbound: from a low-priority zone to a high-priority zone.

Outbound: from a high-priority zone to a low-priority zone.

Note: priorities range from 1 to 100 and must be unique per zone (LOCAL is fixed at 100). The direction of an interzone policy is decided by the two zones' priorities, not by the order in which the zone names are typed, so "interzone trust untrust direction outbound" always means traffic initiated from trust (85) towards untrust (5).
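To make the zone and session rules above concrete, here is an added Python model (not code from the page, and not Huawei's implementation) of the three ideas in this section: the zone of a packet is found from its ingress interface and the directly connected subnet of its destination, the interzone direction is derived from the two priorities, and a permitted first packet creates a session entry that lets the replies through without any inbound rule. The zone names, priorities and addresses are those configured later on this page; the `Packet` shape, the `build_lab` helper and the treatment of intrazone traffic are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface

LOCAL = "local"
LOCAL_PRIORITY = 100  # the LOCAL zone is fixed at 100; user zones take 1..100


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    in_if: str  # ingress interface, e.g. "g0/0/1" (assumed attribute name)


class ZoneFirewall:
    """Zone lookup, interzone direction, default packet filter, session table."""

    def __init__(self):
        self.priority = {LOCAL: LOCAL_PRIORITY}  # zone -> priority
        self.if_zone = {}                        # interface -> zone
        self.if_addr = {}                        # interface -> ip_interface
        self.permits = set()                     # (frozenset{zoneA, zoneB}, direction)
        self.sessions = set()                    # 5-tuples of permitted first packets

    def firewall_zone(self, name, priority, interfaces):
        """Mirror of 'firewall zone <name>' followed by 'add interface'."""
        if not 1 <= priority <= 100:
            raise ValueError("zone priority must be in 1..100")
        if priority in self.priority.values():
            raise ValueError("zone priorities must be unique")
        self.priority[name] = priority
        for iface in interfaces:
            self.if_zone[iface] = name

    def set_ip_address(self, iface, cidr):
        """Mirror of 'ip address <addr> <len>' on an interface."""
        self.if_addr[iface] = ip_interface(cidr)

    def packet_filter_default_permit(self, zone_a, zone_b, direction):
        """Mirror of 'firewall packet-filter default permit interzone A B direction D'.
        The pair is stored unordered: the direction is relative to the priorities,
        not to the order in which the zone names were typed."""
        self.permits.add((frozenset((zone_a, zone_b)), direction))

    def zone_of_ip(self, ip):
        """Destination zone: LOCAL for the firewall's own addresses, otherwise the
        zone of the directly connected interface whose subnet holds the address."""
        addr = ip_address(ip)
        if any(addr == ipi.ip for ipi in self.if_addr.values()):
            return LOCAL
        for iface, ipi in self.if_addr.items():
            if addr in ipi.network:
                return self.if_zone.get(iface)
        return None  # no route

    def direction(self, src_zone, dst_zone):
        """Inbound = low priority -> high priority; outbound = high -> low."""
        if self.priority[src_zone] > self.priority[dst_zone]:
            return "outbound"
        return "inbound"

    def forward(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Stateful inspection: packets of an existing session, in either
        # direction, are forwarded without consulting the policy again.
        if key in self.sessions or rev in self.sessions:
            return "permit (session)"
        src_zone = self.if_zone.get(pkt.in_if)
        dst_zone = self.zone_of_ip(pkt.dst_ip)
        if src_zone is None or dst_zone is None:
            return "drop (no zone or no route)"
        if src_zone == dst_zone:
            return "intrazone (not modelled here)"
        d = self.direction(src_zone, dst_zone)
        if (frozenset((src_zone, dst_zone)), d) in self.permits:
            self.sessions.add(key)  # the permitted first packet creates the state entry
            return f"permit ({src_zone}->{dst_zone} {d})"
        return f"deny ({src_zone}->{dst_zone} {d})"


def build_lab():
    """The zones and interface addresses configured later on this page."""
    fw = ZoneFirewall()
    fw.firewall_zone("trust", 85, ["g0/0/1"])
    fw.firewall_zone("dmz", 50, ["g0/0/3"])
    fw.firewall_zone("untrust", 5, ["g0/0/2"])
    fw.set_ip_address("g0/0/1", "172.16.2.1/24")
    fw.set_ip_address("g0/0/3", "172.16.1.1/24")
    fw.set_ip_address("g0/0/2", "100.1.1.1/24")
    return fw


if __name__ == "__main__":
    fw = build_lab()
    web = Packet("tcp", "172.16.2.2", 40000, "172.16.1.2", 80, "g0/0/1")
    print(fw.forward(web))                      # denied until a policy permits it
    fw.packet_filter_default_permit("trust", "dmz", "outbound")
    print(fw.forward(web))                      # permitted, session created
    reply = Packet("tcp", "172.16.1.2", 80, "172.16.2.2", 40000, "g0/0/3")
    print(fw.forward(reply))                    # reply rides on the session
    print(fw.forward(Packet("tcp", "172.16.1.2", 5555, "172.16.2.2", 22, "g0/0/3")))  # unsolicited, denied
```

The last call shows the security property of the stateful design: a DMZ host cannot open a new connection towards the trust zone even though the same two zones exchange traffic, because the only policy is outbound and there is no session for that tuple.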

  • Experimental topology

  (The topology figure is not reproduced. From the configuration below: the hotel room computer sits on 172.16.2.0/24 behind g0/0/1 in the trust zone, the hotel web server on 172.16.1.0/24 behind g0/0/3 in the DMZ, and the external network on 100.1.1.0/24 behind g0/0/2 in the untrust zone.)

  • Experimental requirements

  • Experimental configuration
  1. Assign interfaces to the firewall's security zones

<SRG>system-view // Enter the system view

[SRG]undo info-center enable // Disable the information center so log messages do not interrupt the console

[SRG]sysname FW // Rename the device to FW

[FW]firewall zone trust // Enter the trust zone (trust, untrust, dmz and local exist by default)

[FW-zone-trust]add interface g0/0/1 // Intranet interface g0/0/1 belongs to trust

[FW-zone-trust]quit

[FW]firewall zone dmz // Enter the DMZ zone

[FW-zone-dmz]add interface g0/0/3 // Server interface g0/0/3 belongs to the DMZ

[FW-zone-dmz]quit

[FW]firewall zone untrust // Enter the untrust zone

[FW-zone-untrust]add interface g0/0/2 // External interface g0/0/2 belongs to untrust

[FW-zone-untrust]quit

  2. Configure the IP addresses of the firewall interfaces

[FW]interface g0/0/1

[FW-GigabitEthernet0/0/1]ip address 172.16.2.1 24

[FW-GigabitEthernet0/0/1]quit

[FW]interface g0/0/3

[FW-GigabitEthernet0/0/3]ip address 172.16.1.1 24

[FW-GigabitEthernet0/0/3]quit

[FW]interface g0/0/2

[FW-GigabitEthernet0/0/2]ip address 100.1.1.1 24

[FW-GigabitEthernet0/0/2]quit

  3. Configure the IP addresses of the terminals

(The configuration screenshots are not reproduced.)

Hotel room computer: from the connectivity test below it uses 172.16.2.2 on the 172.16.2.0/24 subnet, with the firewall's g0/0/1 address 172.16.2.1 as gateway.

Hotel web server: 172.16.1.2 on 172.16.1.0/24, with the firewall's g0/0/3 address 172.16.1.1 as gateway.

External network device: on 100.1.1.0/24 facing g0/0/2; its exact address is not given on the page.

  4. Test network connectivity

Step 1: check whether 172.16.2.2 (room computer, trust) can reach 172.16.1.2 (web server, DMZ).

The ping fails (the output screenshot is not reproduced). The two hosts are in different zones, and the firewall denies interzone traffic until a packet-filter policy permits it. Release the traffic with the following commands:

[FW]firewall packet-filter default permit interzone trust untrust direction outbound

// Trust has priority 85 and untrust priority 5. High to low is "outbound", so this permits traffic initiated from trust towards untrust. The replies are matched by the session entry, so no inbound rule is needed for them.

[FW]firewall packet-filter  default permit interzone trust dmz direction outbound

// Trust has priority 85 and the DMZ 50, so this permits traffic initiated from trust towards the DMZ, which is what the room computer needs to reach the web server.

Note: "default permit" opens every protocol and port in that direction. That is enough for the lab; in production you would permit only the services the clients need (for example TCP 80/443 to the web server) and leave everything else denied.

Step 2: test again.

The ping from 172.16.2.2 to 172.16.1.2 now succeeds. Connections initiated from the DMZ or from the outside towards the trust zone are still denied, because nothing permits the inbound direction.

  5. NAT (Easy IP)

Easy IP translates the source address of outgoing packets to the address of the outbound interface itself (here 100.1.1.1 on g0/0/2), so no separate public address pool is needed. The trust-to-untrust packet filter from step 4 must already permit the traffic: the NAT policy only rewrites addresses, it does not open anything.

[FW]nat-policy interzone trust untrust outbound // NAT policy for the trust -> untrust (outbound) direction

[FW-nat-policy-interzone-trust-untrust-outbound]policy 1 // policy 1

[FW-nat-policy-interzone-trust-untrust-outbound-1]policy source any // match any source, i.e. all intranet users

[FW-nat-policy-interzone-trust-untrust-outbound-1]policy destination any // match any destination network

[FW-nat-policy-interzone-trust-untrust-outbound-1]action source-nat // perform source NAT

[FW-nat-policy-interzone-trust-untrust-outbound-1]easy-ip GigabitEthernet 0/0/2 // use Easy IP: translate to the address of GigabitEthernet 0/0/2

[FW-nat-policy-interzone-trust-untrust-outbound-1]quit

[FW-nat-policy-interzone-trust-untrust-outbound]quit
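What the Easy IP policy does to the packets is shown by the added Python model below (not code from the page and not Huawei's implementation): every trust host leaving towards untrust is rewritten to the g0/0/2 address 100.1.1.1 with a per-flow source port, replies are mapped back through the same table, and a packet from outside that matches no mapping is dropped, which is why the room computers stay unreachable from the Internet. The outside host 100.1.1.100, the port range starting at 10000, the `Packet` shape and the method names are assumptions of the model.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class EasyIpNat:
    """Source NAT that hides every trust host behind the untrust interface address."""

    def __init__(self, out_if_ip, first_port=10000):
        self.out_ip = out_if_ip      # address of g0/0/2; easy-ip takes it from the interface
        self.next_port = first_port  # assumed allocation range; the real pool is not on the page
        self.fwd = {}  # (proto, src_ip, src_port, dst_ip, dst_port) -> translated port
        self.rev = {}  # (proto, translated port, peer_ip, peer_port) -> (src_ip, src_port)

    def outbound(self, pkt):
        """trust -> untrust: rewrite the source to <out_ip>:<translated port>.
        The same flow always gets the same port; different flows get distinct ports,
        so two hosts using the same source port do not collide."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.fwd.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.fwd[key] = port
            self.rev[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.out_ip, src_port=port)

    def inbound(self, pkt):
        """untrust -> trust: only a reply to a translated flow is mapped back.
        Anything else has no table entry and is dropped (None), so outside hosts
        cannot initiate connections to 172.16.2.0/24 through this NAT."""
        orig = self.rev.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None or pkt.dst_ip != self.out_ip:
            return None
        return replace(pkt, dst_ip=orig[0], dst_port=orig[1])


if __name__ == "__main__":
    nat = EasyIpNat("100.1.1.1")
    # Constructed sample: two room computers talk to an outside host 100.1.1.100.
    a = nat.outbound(Packet("tcp", "172.16.2.2", 40000, "100.1.1.100", 80))
    b = nat.outbound(Packet("tcp", "172.16.2.3", 40000, "100.1.1.100", 80))
    print(a, b)                                                             # both leave as 100.1.1.1, different ports
    print(nat.inbound(Packet("tcp", "100.1.1.100", 80, "100.1.1.1", a.src_port)))  # reply goes back to 172.16.2.2:40000
    print(nat.inbound(Packet("tcp", "100.1.1.100", 80, "100.1.1.1", 2222)))        # unsolicited, dropped
```

Because the translated address is the interface's own, the web server in the DMZ is not reachable from outside through this policy either; publishing it would need a separate destination NAT (server mapping) and an untrust-to-DMZ packet filter, which this lab does not configure.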


Source: blog.csdn.net/lwljh134/article/details/132361095