Zone setup:
1. Enter the view of the zone in question.
2. Add the corresponding interface to that zone.
Check which interfaces belong to each zone: display zone
Enable ping on a firewall interface (in the interface view): service-manage ping permit
Enable HTTPS management on a firewall interface (in the interface view): service-manage https permit
Policy configuration:
Data center
Trust and untrust interzone: allow the intranet to access the Internet
policy 1: allow packets from the 192.168.0.0/24 network to pass
[SRG]policy interzone trust untrust outbound
[SRG-policy-interzone-trust-untrust-outbound]policy 1
[SRG-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.255.255
[SRG-policy-interzone-trust-untrust-outbound-1]action permit
[SRG]firewall packet-filter default permit interzone trust untrust direction outbound  // allow all intranet addresses to reach the Internet; required
DMZ and untrust interzone: allow the Internet to access the intranet server
policy 2: allow packets with destination address 10.1.1.0 and destination port 21 to pass
[SRG]policy interzone untrust dmz inbound
[SRG-policy-interzone-dmz-untrust-inbound]policy 2
[SRG-policy-interzone-dmz-untrust-inbound-2]policy destination 10.1.1.10 0
[SRG-policy-interzone-dmz-untrust-inbound-2]policy service service-set http
[SRG-policy-interzone-dmz-untrust-inbound-2]action permit
Trust and DMZ interzone: allow outbound access from the intranet
policy 3: allow packets from the 192.168.0.0/24 network to pass
[SRG]policy interzone trust dmz outbound
[SRG-policy-interzone-trust-dmz-outbound]policy 3
[SRG-policy-interzone-trust-dmz-outbound-3]policy source 192.168.0.0 0.0.255.255
[SRG-policy-interzone-trust-dmz-outbound-3]action permit
[SRG-policy-interzone-trust-dmz-outbound]q
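The numbered policies and the packet-filter default above can be checked mechanically. The script below is an added example (not from these notes or from Huawei): it parses a pasted `[SRG-...]` transcript, converts each wildcard to the prefix length it actually matches (0.0.255.255 is /16, not /24), flags policies that never set an explicit action, and flags `firewall packet-filter default permit` lines, because that default permits the whole direction whatever the numbered policies say; the SAMPLE transcript is constructed.

```python
"""Audit a Huawei USG (SRG) interzone policy transcript. Added example, not a Huawei tool:
reports the prefix each wildcard really matches, policies lacking an explicit `action`,
and `firewall packet-filter default permit` lines (which open the whole direction)."""
import re
from ipaddress import IPv4Address

# Constructed sample transcript shaped like the notes above, not a device capture.
SAMPLE = """\
[SRG]policy interzone trust untrust outbound
[SRG-policy-interzone-trust-untrust-outbound]policy 1
[SRG-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.255.255
[SRG-policy-interzone-trust-untrust-outbound-1]action permit
[SRG]firewall packet-filter default permit interzone trust untrust direction outbound
[SRG]policy interzone untrust dmz inbound
[SRG-policy-interzone-dmz-untrust-inbound]policy 2
[SRG-policy-interzone-dmz-untrust-inbound-2]policy destination 10.1.1.10 0
[SRG-policy-interzone-dmz-untrust-inbound-2]policy service service-set http
"""
PROMPT = re.compile(r"\[SRG(?:-(\S+?))?\](.*)")  # groups: prompt context, command
ADDR_RULE = re.compile(r"policy (source|destination) (\S+) (\S+)")
CTX_PREFIX = "policy-interzone-"


def wildcard_to_prefix(wildcard: str) -> int:
    """Huawei wildcard (0 bits fixed, 1 bits free; bare '0' means host) -> prefix length."""
    free = int(IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    if free & (free + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - free.bit_length()


def audit(transcript: str) -> dict:
    policies, findings = {}, []
    for m in (hit for s in transcript.splitlines() if (hit := PROMPT.fullmatch(s.strip()))):
        ctx, cmd = m.group(1) or "", m.group(2).strip()
        if cmd.startswith("firewall packet-filter default permit"):
            findings.append("default permit: " + cmd.split("permit ", 1)[1])
        elif ctx.startswith(CTX_PREFIX):
            key = ctx[len(CTX_PREFIX):]  # "trust-untrust-outbound" or "...-outbound-1"
            if num := re.fullmatch(r"policy (\d+)", cmd):  # starts a numbered policy
                policies[f"{key}-{num.group(1)}"] = {"match": [], "action": None}
            elif key in policies and cmd.startswith("action "):
                policies[key]["action"] = cmd.split()[1]
            elif key in policies and (addr := ADDR_RULE.fullmatch(cmd)):
                policies[key]["match"].append(f"{addr[1]} {addr[2]}/{wildcard_to_prefix(addr[3])}")
            elif key in policies and cmd.startswith("policy service "):
                policies[key]["match"].append(cmd[len("policy "):])
    for key, pol in policies.items():
        if pol["action"] is None:
            findings.append(f"policy {key} has no explicit action")
    return {"policies": policies, "findings": findings}
```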
Server (NAT server) configuration:
[SRG]nat server protocol tcp global 200.1.1.1 80 inside 10.1.1.10 http
NAT configuration:
[SRG]nat-policy interzone trust untrust outbound
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 0
[SRG-nat-policy-interzone-trust-untrust-outbound-0]policy source 192.168.1.0 0.0.0.255
[SRG-nat-policy-interzone-trust-untrust-outbound-0]action source-nat
[SRG-nat-policy-interzone-trust-untrust-outbound-0]easy-ip GigabitEthernet 0/0/2
[SRG-nat-policy-interzone-trust-untrust-outbound]q
[SRG]interface g0/0/2
[SRG-GigabitEthernet0/0/2]nat enable