Basic Configuration Firewall USG6000V

Purpose

  • 1. Master the configuration of firewall security zones
  • 2. Master the configuration of security policies

Experimental results

  • 1. The firewall's trust zone can access the DMZ and untrust zones
  • 2. The firewall's DMZ can access the untrust zone

First, the initial configuration of the firewall

The USG6600 firewall ships with a default account: username admin, password Admin@123. The password must be changed the first time you log in. On Huawei's new-generation firewalls, by default only interface 0 allows all services; users enable the corresponding services on the other interfaces as needed. Because this experiment runs on a simulator, we simply enter interface view and use the command service-manage ping permit to enable the ping service.

Second, configure the interface IP addresses and enable the ping service

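system-view
sysname FE_A
interface GigabitEthernet 1/0/0        // interface later added to the trust zone
ip address 192.168.1.1 24
service-manage ping permit             // allow ping to this interface
quit
interface GigabitEthernet 1/0/1        // interface later added to the DMZ
ip address 10.1.1.1 24
service-manage ping permit
quit
interface GigabitEthernet 1/0/2        // interface later added to the untrust zone
ip address 200.1.1.1 24
service-manage ping permit
quit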

Third, add the interfaces to the corresponding zones

firewall zone trust
add interface GigabitEthernet 1/0/0       // add the interface to the trust zone
quit
firewall zone dmz
add interface GigabitEthernet 1/0/1       // add the interface to the DMZ
quit
firewall zone untrust
add interface GigabitEthernet 1/0/2       // add the interface to the untrust zone
quit

Fourth, configure the security policy

security-policy                         // enter the security policy view
rule name policy_trust_untrust          // name the rule policy_trust_untrust
source-zone trust                       // source zone of the traffic flow
destination-zone untrust                // destination zone of the traffic flow
action permit                           // permit the traffic
quit

rule name policy_trust_dmz
source-zone trust                       // trust initiates access to the DMZ
destination-zone dmz
action permit
quit

rule name policy_dmz_untrust
source-zone dmz
destination-zone untrust
action permit
return
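
As an added example (not part of the original post), the following Python script checks a security-policy block offline against the expected results listed under Purpose. The sample configuration is constructed from this section's rules; the function names and the first-match, default-deny evaluation are a simplified model assumed for this sketch.

```python
# Constructed sample: this section's security-policy rules, annotations stripped.
SAMPLE = """\
security-policy
 rule name policy_trust_untrust
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_trust_dmz
  source-zone trust
  destination-zone dmz
  action permit
 rule name policy_dmz_untrust
  source-zone dmz
  destination-zone untrust
  action permit
"""
# Expected results from the Purpose section: (source zone, destination zone).
EXPECTED = {("trust", "dmz"), ("trust", "untrust"), ("dmz", "untrust")}
ZONES = ("trust", "dmz", "untrust")

def parse_rules(text):
    """Return the rules as dicts, in configuration order."""
    rules = []
    for line in text.splitlines():
        words = line.split("//")[0].split()   # drop the page's // annotations
        if words[:2] == ["rule", "name"] and len(words) == 3:
            rules.append({"name": words[2], "src": set(), "dst": set(), "action": None})
        elif rules and len(words) == 2 and words[0] in ("source-zone", "destination-zone"):
            rules[-1]["src" if words[0] == "source-zone" else "dst"].add(words[1])
        elif rules and len(words) == 2 and words[0] == "action":
            rules[-1]["action"] = words[1]
    return rules

def permitted(rules, src, dst):
    """First matching rule decides; no match falls through to default deny."""
    for r in rules:
        if (not r["src"] or src in r["src"]) and (not r["dst"] or dst in r["dst"]):
            return r["action"] == "permit"
    return False

def audit(text):
    """Return (missing, extra) inter-zone flows relative to EXPECTED."""
    rules = parse_rules(text)
    allowed = {(s, d) for s in ZONES for d in ZONES if s != d and permitted(rules, s, d)}
    return EXPECTED - allowed, allowed - EXPECTED

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A rule whose source and destination zones are swapped shows up as one missing flow and one extra flow, which is easier to spot here than by pinging between the PCs.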

Fifth, set the IP addresses of the PCs

DMZ zone PC1: 10.1.1.2
Trust zone PC2: 192.168.1.2
Untrust zone PC3: 200.1.1.2

Sixth, test

Origin blog.51cto.com/12184141/2403119