26 H3C firewall security zones (blog)


27 How do different firewall zones communicate

Goal: allow communication between different security zones

1 Configure IP addresses on the firewall

Configure the IP address in the web UI

2 Configure the corresponding IP address on each PC (the interface that needs to be enabled must actually be enabled; check the IP address, subnet mask and gateway carefully)

3 Add the interfaces that carry the configured IP addresses to their respective security zones

A new zone can be created in the web UI

Doing the same from the command line

4 Test that the firewall can reach the IP addresses on each directly connected subnet

5 Create objects on the firewall; their purpose is to make policies easier to manage (decide what the object's name is, and whether your IP address is a single address or a subnet)

Subnet, object group, IP address range, host IP address, hostname, IP address/subnet mask:

  1. Subnet: in computer networking, a subnet (network segment) is the set of hosts that share the same network address. A subnet can contain many hosts, and those hosts communicate with each other through that common network address.
  2. Object group: an object group gathers related items such as hosts, services and IP addresses so that they can be managed and configured together, and can be assigned to particular users or user groups. Collecting related information in an object group makes it easier to manage and control.
  3. IP address range: a contiguous run of IP addresses, usually used to specify the addresses available to a group of hosts. For example, 192.168.0.1-192.168.0.10 denotes the ten addresses from 192.168.0.1 to 192.168.0.10.
  4. Host IP address: the unique identifier of each host on the network. An IP address uniquely determines a host's location and identity.
  5. Hostname: the name of a host on the network. Hostnames are easier for users to remember and use, and serve as an alias for the host.
  6. IP address/subnet mask: used together to determine which subnet a host belongs to. The IP address identifies the host uniquely, while the subnet mask specifies the extent of the subnet.
  7. Firewall object: a concept the firewall uses for rule configuration. A firewall object can be an IP address, an IP address range, a hostname, a subnet and so on, and identifies particular hosts or services on the network. Configuring firewall objects makes rules easier to manage and control, improving both security and administrative efficiency.

Managing time ranges:

6 Create security policies to allow communication between zones

01 General settings

02 Service

Test:

PC1: full connectivity to all networks

PC5: reaching every zone

[H3C]ping 10.58.142.254
Ping 10.58.142.254 (10.58.142.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.142.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.142.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.58.142.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul  7 14:45:47:808 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.142.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
ping 10.58.143.254
Ping 10.58.143.254 (10.58.143.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.143.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.143.254: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.58.143.254: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 10.58.143.254: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 10.58.143.254: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 10.58.143.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms
[H3C]%Jul  7 14:45:54:615 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.143.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms.

[H3C]
[H3C]ping 10.58.144.254
Ping 10.58.144.254 (10.58.144.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.144.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.144.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.58.144.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul  7 14:46:05:772 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.

[H3C]ping 10.58.144.2
Ping 10.58.144.2 (10.58.144.2): 56 data bytes, press CTRL_C to break

--- Ping statistics for 10.58.144.2 ---
1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Jul  7 14:46:12:034 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.2: 1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

[H3C]ping 10.58.144.2
Ping 10.58.144.2 (10.58.144.2): 56 data bytes, press CTRL_C to break
Request time out
Request time out

--- Ping statistics for 10.58.144.2 ---
3 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Jul  7 14:48:32:225 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.2: 3 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

[H3C]
[H3C]ping 192.168.1.254
Ping 192.168.1.254 (192.168.1.254): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.254: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.1.254: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 192.168.1.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.400/2.000/0.800 ms
[H3C]%Jul  7 14:48:43:191 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.1.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.400/2.000/0.800 ms.

[H3C]ping 192.168.1.1
Ping 192.168.1.1 (192.168.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=0.000 ms
56 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 192.168.1.1: icmp_seq=3 ttl=254 time=0.000 ms
56 bytes from 192.168.1.1: icmp_seq=4 ttl=254 time=0.000 ms

--- Ping statistics for 192.168.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.400/1.000/0.490 ms
[H3C]%Jul  7 14:48:47:001 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.400/1.000/0.490 ms.

[H3C]ping 192.168.3.254
Ping 192.168.3.254 (192.168.3.254): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.3.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.3.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.3.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.3.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.3.254: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 192.168.3.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul  7 14:48:52:843 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.3.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
ping 192.168.3.1
Ping 192.168.3.1 (192.168.3.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.3.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=4 ttl=254 time=1.000 ms

--- Ping statistics for 192.168.3.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms
[H3C]%Jul  7 14:48:56:515 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.3.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms.

[H3C]ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=1.000 ms

--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms
[H3C]%Jul  7 14:49:01:531 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms.

[H3C]ping 192.168.2.254
Ping 192.168.2.254 (192.168.2.254): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.2.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.2.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.2.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.2.254: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 192.168.2.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
%Jul  7 14:49:06:629 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
[H3C]
[H3C]ping 192.168.0.1
Ping 192.168.0.1 (192.168.0.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.0.1: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
[H3C]%Jul  7 14:49:12:479 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms.

[H3C]ping 192.168.0.43
Ping 192.168.0.43 (192.168.0.43): 56 data bytes, press CTRL_C to break

--- Ping statistics for 192.168.0.43 ---
1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Jul  7 14:49:17:622 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.0.43: 1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

[H3C]
[H3C]ping 10.58.143.2
Ping 10.58.143.2 (10.58.143.2): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.143.2: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 10.58.143.2: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 10.58.143.2: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 10.58.143.2: icmp_seq=3 ttl=254 time=0.000 ms
56 bytes from 10.58.143.2: icmp_seq=4 ttl=254 time=1.000 ms

--- Ping statistics for 10.58.143.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms
[H3C]%Jul  7 14:49:32:076 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.143.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms.


[H3C]ping 10.58.144.254
Ping 10.58.144.254 (10.58.144.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.144.254: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.58.144.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
[H3C]%Jul  7 14:49:49:818 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms.

[H3C]ping 10.58.142.254
Ping 10.58.142.254 (10.58.142.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.142.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.142.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.58.142.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul  7 14:49:56:110 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.142.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.

[H3C]ping 10.58.144.2
Ping 10.58.144.2 (10.58.144.2): 56 data bytes, press CTRL_C to break
Request time out

--- Ping statistics for 10.58.144.2 ---
2 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Jul  7 14:50:24:092 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.2: 2 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

[H3C]
[H3C]ping 10.58.144.254
Ping 10.58.144.254 (10.58.144.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.144.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.144.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=4 ttl=255 time=0.000 ms

--- Ping statistics for 10.58.144.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul  7 14:50:28:920 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.

Script (running configuration)

#
 version 7.1.064, Alpha 7164
#
 sysname FW-ZONE
#
context Admin id 1
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
object-group ip address ISP区域出口网关
 security-zone isp
 0 network host address 192.168.3.254
#
object-group ip address NASS区域02
 security-zone NASS
 0 network host address 10.58.144.254
#
object-group ip address NASS区域防护墙出口01
 security-zone NASS
 0 network host address 10.58.143.254
#
object-group ip address PC1
 security-zone Trust
 0 network host address 192.168.2.1
#
object-group ip address PC1防火墙出口网关
 description 防火墙内网区域地址
 security-zone Trust
 0 network host address 192.168.1.254
 object 0 description PC1
#
object-group ip address PC2
 security-zone Trust
 0 network host address 192.168.1.1
#
object-group ip address PC2防火墙出口网关
 description 防火墙内网区域地址
 security-zone Trust
 0 network host address 192.168.2.254
 object 0 description PC2
#
object-group ip address PC3
 security-zone Untrust
 0 network host address 10.58.142.2
#
object-group ip address PC4
 security-zone isp
 0 network host address 192.168.3.1
#
object-group ip address PC5
 security-zone NASS
 0 network host address 10.58.143.2
#
object-group ip address PC7
 security-zone NASS
 0 network host address 10.58.144.2
#
object-group ip address WEB
 security-zone DMZ
 0 network host address 192.168.0.45
#
object-group ip address 防护墙管理地址
 security-zone DMZ
 0 network host address 192.168.0.1
#
object-group ip address 防火墙外网出口网关
 security-zone Untrust
 0 network host address 10.58.142.254
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 192.168.1.254 255.255.255.0
 ip address 192.168.1.6 255.255.255.0 sub
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/1
 port link-mode route
 description 管理接口
 combo enable copper
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 port link-mode route
 combo enable copper
 ip address 192.168.2.254 255.255.255.0
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/3
 port link-mode route
 combo enable copper
 ip address 192.168.3.254 255.255.255.0
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/4
 port link-mode route
 combo enable copper
 shutdown
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/5
 port link-mode route
 combo enable copper
 ip address 10.58.142.254 255.255.255.0
 manage ping inbound
 manage ping outbound
#
interface GigabitEthernet1/0/6
 port link-mode route
 combo enable copper
 ip address 10.58.143.254 255.255.255.0
#
interface GigabitEthernet1/0/7
 port link-mode route
 combo enable copper
 ip address 10.58.144.254 255.255.255.0
#
interface GigabitEthernet1/0/8
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/9
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/10
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/11
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/12
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/13
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/14
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/15
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/16
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/17
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/18
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/19
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/20
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/21
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/22
 port link-mode route
 combo enable copper
#
interface GigabitEthernet1/0/23
 port link-mode route
 combo enable copper
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/0
 import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/4
 import interface GigabitEthernet1/0/5
#
security-zone name Management
 import interface GigabitEthernet1/0/1
#
security-zone name hello
#
security-zone name isp
 import interface GigabitEthernet1/0/3
#
security-zone name ISP2
#
security-zone name NASS
 import interface GigabitEthernet1/0/6
 import interface GigabitEthernet1/0/7
#
zone-pair security source Trust destination Untrust
 packet-filter 3001
 packet-filter 3002
 packet-filter 3003
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
 user-role network-admin
#
line vty 5 63
 user-role network-operator
#
 info-center loghost 127.0.0.1 port 3301 format default
 info-center source CFGLOG loghost level informational
#
acl advanced 3002
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.58.142.0 0.0.0.255
#
acl advanced 3003
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 10.58.142.0 0.0.0.255
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$1oUcwMteE/rJ72TU$RiIijBkXKTS+QDwyCS40a6wI7+ORtl3K3xG/SzalxsblSLJrjEj9QjXQ0uv2d4eScyDMjSAlxIKwHNHGAfPW8Q==
 service-type ssh telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role level-15
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user root class manage
 password hash $h$6$0sgd0nnThKQb5NMG$ThvZMWskPhv5BMYnNLx7E47mdrCfB5cv22mcTbpamc+c33bvkUSN2O0BrLtPplBRmnCVCdPPJiS1hM29f0OCxw==
 access-limit 1000
 service-type ftp
 service-type pad ssh telnet terminal http https
 authorization-attribute work-directory slot1#flash:
 authorization-attribute user-role network-admin
#
 ip http enable
 ip https enable
#
security-policy ip
 rule 0 name PC1去往外网地址PC4
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip PC1
  destination-ip PC3
 rule 1 name PC1去往外网地址PC2
  action pass
  source-zone Trust
  destination-zone Trust
  source-ip PC1
  destination-ip PC2
 rule 2 name PC1去往ISP区域
  action pass
  source-zone Trust
  destination-zone isp
  source-ip PC1
  destination-ip PC4
 rule 3 name PC2去往外网地址PC4
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip PC2
  destination-ip PC3
 rule 4 name PC2去往PC1
  action pass
  source-zone Trust
  destination-zone Trust
  source-ip PC2
  destination-ip PC1
 rule 5 name PC2去往ISP区域
  action pass
  source-zone Trust
  destination-zone isp
  source-ip PC2
  destination-ip PC4
 rule 6 name 外网访问内网区域
  action pass
  source-zone Untrust
  destination-zone isp
  destination-zone Trust
  destination-zone DMZ
  source-ip PC3
  destination-ip PC1
  destination-ip PC2
  destination-ip PC4
  destination-ip 防护墙管理地址
 rule 7 name PC1去往外网地址NASS
  action pass
  source-zone Trust
  destination-zone NASS
  source-ip PC1
  destination-ip PC3
  destination-ip NASS区域02
  destination-ip NASS区域防护墙出口01
 rule 8 name PC2去往外网地址NASS
  action pass
  source-zone Trust
  destination-zone NASS
  source-ip PC2
  destination-ip PC3
  destination-ip NASS区域02
  destination-ip NASS区域防护墙出口01
  destination-ip PC5
  destination-ip PC7
#
return

 rule 8 name PC2去往外网地址NASS
  action pass
  source-zone Trust
  destination-zone NASS
  source-ip PC2
  destination-ip PC3
  destination-ip NASS区域02
  destination-ip NASS区域防护墙出口01
  destination-ip PC5
  destination-ip PC7

  • rule 8: the rule number; this is the eighth rule.
  • name PC2去往外网地址NASS: the rule's name, indicating that it concerns traffic from PC2 (probably a computer on the internal network) to NASS (probably an external network address or service).
  • action pass: the rule's action is pass, meaning traffic that matches this rule is allowed through.
  • source-zone Trust: the source zone is "Trust", which usually means the network zone the source device sits in is considered trusted.
  • destination-zone NASS: the destination zone is NASS, probably a specific external network or service zone.
  • source-ip PC2: the traffic's source IP address is PC2.
  • destination-ip: followed by several destination IP addresses; these are the destinations PC2 is allowed to communicate with, and may represent different network devices or services:
  • PC3: another computer, internal or external.
  • NASS区域02: the second NASS zone, probably a specific subnet or network segment.
  • NASS区域防护墙出口01: an exit point of the NASS zone, probably a firewall or router.
  • PC5, PC7: the IP addresses of two more computers.

 rule 10 name PC7-PC2
  action pass
  source-zone NASS
  destination-zone Trust
  source-ip PC7
  destination-ip PC1


object-group ip address PC3
 security-zone Untrust
 0 network host address 10.58.142.2

  • object-group ip address PC3: defines an IP address object group named "PC3". An object group is a way for a network device to organize and group related network objects (IP addresses, MAC addresses and so on).
  • security-zone Untrust: specifies that the "PC3" object group belongs to the "Untrust" security zone. In many network policies the "Untrust" zone refers to an untrusted network area, typically an external network or the Internet.
  • 0 network host address 10.58.142.2: specifies the concrete network object contained in the "PC3" group. The "0" is probably an index or identifier that uniquely identifies the entry within the group. "network host" indicates that this is an entry for a single host, and "address 10.58.142.2" gives the IP address the group contains, namely 10.58.142.2.