Task: PC1 must be able to ping PC2; achieve this by configuring the FW.
# step1: add GE1/0/0 to zone trust. More precisely, this places the network attached to interface GE1/0/0 in the Trust zone: the zone is a property of the interface, and traffic is classified by the zone of the interface it enters and the one it leaves.
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
# Zone explanation
[FW3]dis zone
2022-09-04 06:37:07.030
local /// Security level: the higher the priority, the more trusted the zone; Local is 100. The Local zone is the firewall itself: the firewall's own interface addresses belong to it by default, but that says nothing about the network attached to the interface, which is why no interfaces are listed here.
priority is 100
interface of the zone is (0):
#
trust /// Interfaces facing the internal network are normally placed in the trust zone.
priority is 85
interface of the zone is (1):
GigabitEthernet0/0/0
#
untrust /// Interfaces facing the external network are normally placed in the untrust zone.
priority is 5
interface of the zone is (0):
#
dmz /// Between trusted and untrusted; the network hosting servers is normally placed in this zone.
priority is 50
interface of the zone is (0):
#
// step2: allow ping to the interface. By default the firewall does not answer ICMP aimed at its own interface address (Local zone); service-manage ping permit enables it on GE1/0/0. Note this only governs pings *to the firewall*, not traffic forwarded through it.
[FW3-GigabitEthernet1/0/0]service-manage ping permit
// Test: the PC can now ping the GE1/0/0 address.
PC>ping 172.16.1.2
From 172.16.1.2: bytes=32 seq=1 ttl=255 time<1 ms
# Add GE1/0/1 to zone DMZ
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
# Configure GE1/0/1 and allow ping to it
interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.2.2 255.255.255.0
service-manage ping permit
#
// Now ping PC2 from PC1 again and compare the drop counters before and after the test. The counter to watch is Packet default filter packets: it rose from 67 to 72, so the 5 ping packets were dropped by the default security policy (deny). The ping still fails; the security policy is configured next. (The IPv4 service-manage deny counter did not move, which confirms the drops are not the step2 problem.)
[FW3]dis firewall statistics system discard
Discard statistic information:
Fib miss packets discarded: 3
IPv4 service-manage deny packets discarded: 17
Packet default filter packets discarded: 67
ARP miss packets discarded: 136
Invalid receive zone packets discarded: 1
Invalid send zone packets discarded: 1
Dispatch drop packets discarded: 569
[FW3]dis firewall statistics system discard
Discard statistic information:
Fib miss packets discarded: 3
IPv4 service-manage deny packets discarded: 17
Packet default filter packets discarded: 72
ARP miss packets discarded: 136
Invalid receive zone packets discarded: 1
Invalid send zone packets discarded: 1
Dispatch drop packets discarded: 569
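A quick way to do the before/after comparison above without eyeballing the numbers. This is an added example, not part of the original lab notes: it parses two snapshots of `display firewall statistics system discard` (the two outputs shown above, embedded here as constructed input) and reports which drop counters grew. The short hint table is my own reading of those counter names, not text from the page or from Huawei documentation.

```python
import re
from typing import Dict, List

# Constructed input: the two snapshots shown above, taken before and after the ping test.
BEFORE = """\
Discard statistic information:
Fib miss packets discarded: 3
IPv4 service-manage deny packets discarded: 17
Packet default filter packets discarded: 67
ARP miss packets discarded: 136
Invalid receive zone packets discarded: 1
Invalid send zone packets discarded: 1
Dispatch drop packets discarded: 569
"""

AFTER = """\
Discard statistic information:
Fib miss packets discarded: 3
IPv4 service-manage deny packets discarded: 17
Packet default filter packets discarded: 72
ARP miss packets discarded: 136
Invalid receive zone packets discarded: 1
Invalid send zone packets discarded: 1
Dispatch drop packets discarded: 569
"""

# One counter per line: "<reason> packets discarded: <n>"
COUNTER_RE = re.compile(r"^\s*(?P<reason>.+?) packets discarded:\s*(?P<count>\d+)\s*$")

# My reading of the counter names (assumption, not taken from the page).
REASON_HINT: Dict[str, str] = {
    "Packet default filter": "no security-policy rule matched, so the default rule (deny) dropped it",
    "IPv4 service-manage deny": "packet aimed at the firewall's own address, blocked by service-manage",
    "Fib miss": "no route to the destination",
    "ARP miss": "next hop could not be resolved",
}


def parse_discard(text: str) -> Dict[str, int]:
    """Return {reason: count} for every counter line in the command output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters


def discard_delta(before: str, after: str) -> Dict[str, int]:
    """Per-counter change between two snapshots (negative if counters were cleared in between)."""
    b, a = parse_discard(before), parse_discard(after)
    return {r: a.get(r, 0) - b.get(r, 0) for r in sorted(set(a) | set(b))}


def explain_growth(before: str, after: str) -> List[str]:
    """Human-readable lines for the counters that grew; empty list if nothing grew."""
    out: List[str] = []
    for reason, d in discard_delta(before, after).items():
        if d > 0:
            hint = REASON_HINT.get(reason, "see the product documentation")
            out.append(f"{reason}: +{d} ({hint})")
    return out


if __name__ == "__main__":
    # With the two snapshots above only "Packet default filter: +5 (...)" is reported.
    for line in explain_growth(BEFORE, AFTER):
        print(line)
```

Run it once with the counters captured before the test and once after; a growing `Packet default filter` counter points at the security policy, a growing `IPv4 service-manage deny` counter at step2, and `Fib miss` or `ARP miss` at routing rather than policy.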
# Security policy configuration (the default policy is deny)
# Note 1: traffic is matched against the rules top-down and the action of the first matching rule is applied. There is only one rule here; with several rules, order matters.
# Note 2: if a rule references a content-security profile (unified inspection), permitted traffic is additionally subjected to deep inspection of the upper-layer payload.
<FW3>dis security-policy rule all # view the current rules: only the default rule (deny) exists
Total:1
RULE ID RULE NAME STATE ACTION HITS
-------------------------------------------------------------------------------
0 default enable deny 77
-------------------------------------------------------------------------------
# step3: configure the security policy.
rule name Trust_DMZ # user-defined name
source-zone trust
destination-zone dmz
source-address 172.16.1.1 mask 255.255.255.255
source-address address-set add_s # a second source entry referencing an address set; source entries on one rule are ORed. A service set can be referenced the same way.
destination-address 172.16.2.1 mask 255.255.255.255
service icmp
action permit
#
#
ip address-set add_s type object
address 0 172.1.1.1 mask 32
address 1 172.16.6.0 mask 24
address 2 172.16.7.0 mask 24
# As recorded, none of these entries covers PC1 (172.16.1.1); PC1's pings match the explicit source-address line in the rule, not the set.
#
[FW3-policy-security-rule-Trust_DMZ]disp security-policy rule all
2022-09-04 09:35:03.320
Total:2
RULE ID RULE NAME STATE ACTION HITS
-------------------------------------------------------------------------------
1 Trust_DMZ enable permit 0
0 default enable deny 82
-------------------------------------------------------------------------------
// PC1 pings PC2 10 times and all succeed; the HITS counter of Trust_DMZ goes from 0 to 10 while the default rule's count stays at 82.
[FW3-policy-security-rule-Trust_DMZ]disp security-policy rule all
2022-09-04 09:37:55.150
Total:2
RULE ID RULE NAME STATE ACTION HITS
-------------------------------------------------------------------------------
1 Trust_DMZ enable permit 10
0 default enable deny 82
-------------------------------------------------------------------------------
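To make the two notes above concrete (top-down first match, and the way several source entries on one rule combine), here is a small model of the evaluation, written for this page and not taken from it or from Huawei's code. It loads the Trust_DMZ rule and the add_s address set exactly as configured above, applies the default deny, and counts hits like the HITS column. Assumptions: multiple source entries on one rule are ORed, a rule with no address or service entries means "any", sessions and content-security profiles are not modelled, and the `Block_trust_dmz` rule in `misordered_policy()` is hypothetical, added only to show why rule order matters.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Address set as configured on the page (ip address-set add_s type object).
ADDRESS_SETS: Dict[str, List[str]] = {
    "add_s": ["172.1.1.1/32", "172.16.6.0/24", "172.16.7.0/24"],
}


def _in_any(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass
class Rule:
    name: str
    action: str                                                  # "permit" or "deny"
    source_zone: Optional[str] = None                            # None means any zone
    destination_zone: Optional[str] = None
    source_address: List[str] = field(default_factory=list)      # CIDRs; [] means any
    source_address_set: List[str] = field(default_factory=list)  # names in ADDRESS_SETS
    destination_address: List[str] = field(default_factory=list)
    service: List[str] = field(default_factory=list)             # e.g. ["icmp"]; [] means any
    hits: int = 0

    def matches(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str, service: str) -> bool:
        if self.source_zone and src_zone != self.source_zone:
            return False
        if self.destination_zone and dst_zone != self.destination_zone:
            return False
        if self.service and service not in self.service:
            return False
        # Assumption: explicit source addresses and referenced address sets are ORed.
        src_nets = list(self.source_address)
        for name in self.source_address_set:
            src_nets.extend(ADDRESS_SETS[name])
        if src_nets and not _in_any(src_ip, src_nets):
            return False
        if self.destination_address and not _in_any(dst_ip, self.destination_address):
            return False
        return True


@dataclass
class SecurityPolicy:
    rules: List[Rule]
    default: Rule = field(default_factory=lambda: Rule("default", "deny"))

    def evaluate(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str, service: str) -> Tuple[str, str]:
        """Top-down, first match wins; the all-any default rule catches everything else."""
        for rule in self.rules + [self.default]:
            if rule.matches(src_zone, dst_zone, src_ip, dst_ip, service):
                rule.hits += 1
                return rule.action, rule.name
        raise AssertionError("the default rule always matches")

    def hit_table(self) -> Dict[str, int]:
        """Same information as the HITS column of display security-policy rule all."""
        return {r.name: r.hits for r in self.rules + [self.default]}


def trust_dmz_rule() -> Rule:
    """The rule exactly as configured on the page."""
    return Rule("Trust_DMZ", "permit", "trust", "dmz",
                source_address=["172.16.1.1/32"], source_address_set=["add_s"],
                destination_address=["172.16.2.1/32"], service=["icmp"])


def lab_policy() -> SecurityPolicy:
    return SecurityPolicy([trust_dmz_rule()])


def misordered_policy() -> SecurityPolicy:
    """Hypothetical: a broad trust->dmz deny placed above Trust_DMZ shadows it completely."""
    return SecurityPolicy([Rule("Block_trust_dmz", "deny", "trust", "dmz"), trust_dmz_rule()])


if __name__ == "__main__":
    p = lab_policy()
    print(p.evaluate("trust", "dmz", "172.16.1.1", "172.16.2.1", "icmp"))    # permit via the explicit address
    print(p.evaluate("trust", "dmz", "172.16.6.9", "172.16.2.1", "icmp"))    # permit via add_s
    print(p.evaluate("trust", "dmz", "172.16.1.1", "172.16.2.1", "tcp/80"))  # deny: service mismatch
    print(p.evaluate("dmz", "trust", "172.16.2.1", "172.16.1.1", "icmp"))    # deny: no dmz->trust rule (replies ride the session)
    print(p.hit_table())
    print(misordered_policy().evaluate("trust", "dmz", "172.16.1.1", "172.16.2.1", "icmp"))  # deny: shadowed
```

The fourth case is worth noting: the echo reply from PC2 to PC1 is dmz -> trust and no rule permits it, yet the ping works on the real device because the reply is matched to the existing session rather than re-evaluated against the policy; the session table further down is where that is visible.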
// Security-policy session query (stateful inspection).
<FW1>dis firewall session table verbose
Current Total Sessions : 19
icmp VPN: public --> public ID: c387f131b97a4886736315980f // public means the root instance, i.e. no virtual firewall.
Zone: trust --> dmz TTL: 00:00:20 Left: 00:00:12
Recv Interface: GigabitEthernet1/0/0 // interface on which the ping request was received.
Interface: GigabitEthernet1/0/1 NextHop: 172.16.2.1 MAC: 5489-98df-6a11 // outgoing interface, next hop and its MAC; the MAC is PC2's.
<--packets: 1 bytes: 60 --> packets: 1 bytes: 60 // packets and bytes in the reverse (reply) and forward (request) directions.
172.16.1.1:5016 --> 172.16.2.1:2048 PolicyName: Trust_DMZ // the security-policy rule that matched. The reply is forwarded on this session without any dmz -> trust rule.
icmp VPN: public --> public ID: c387f131b97bb48bc063159806
Zone: trust --> dmz TTL: 00:00:20 Left: 00:00:03
Recv Interface: GigabitEthernet1/0/0
Interface: GigabitEthernet1/0/1 NextHop: 172.16.2.1 MAC: 5489-98df-6a11
<--packets: 1 bytes: 60 --> packets: 1 bytes: 60
172.16.1.1:2712 --> 172.16.2.1:2048 PolicyName: Trust_DMZ
icmp VPN: public --> public ID: c387f131b97a560c9663159810
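For triage it helps to parse `display firewall session table verbose` rather than read it by eye. This is an added example, not part of the original notes. It takes the two complete sessions shown above (copied here without the inline comments) plus one constructed session with no reply packets, the pattern seen when the policy permits the request but nothing comes back, and extracts zones, interfaces, counters and the matching rule for each. Decoding the ICMP "port" 2048 as type 8 / code 0 (echo request) assumes the field is type*256+code; that is my assumption, not something the page states.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed input: the two sessions from the output above (inline comments removed) plus a
# third, made up for this example, whose reverse direction carries no packets.
SESSION_TABLE = """\
Current Total Sessions : 3
icmp VPN: public --> public ID: c387f131b97a4886736315980f
Zone: trust --> dmz TTL: 00:00:20 Left: 00:00:12
Recv Interface: GigabitEthernet1/0/0
Interface: GigabitEthernet1/0/1 NextHop: 172.16.2.1 MAC: 5489-98df-6a11
<--packets: 1 bytes: 60 --> packets: 1 bytes: 60
172.16.1.1:5016 --> 172.16.2.1:2048 PolicyName: Trust_DMZ
icmp VPN: public --> public ID: c387f131b97bb48bc063159806
Zone: trust --> dmz TTL: 00:00:20 Left: 00:00:03
Recv Interface: GigabitEthernet1/0/0
Interface: GigabitEthernet1/0/1 NextHop: 172.16.2.1 MAC: 5489-98df-6a11
<--packets: 1 bytes: 60 --> packets: 1 bytes: 60
172.16.1.1:2712 --> 172.16.2.1:2048 PolicyName: Trust_DMZ
icmp VPN: public --> public ID: 000000000000000000000000ff
Zone: trust --> dmz TTL: 00:00:20 Left: 00:00:19
Recv Interface: GigabitEthernet1/0/0
Interface: GigabitEthernet1/0/1 NextHop: 172.16.2.1 MAC: 5489-98df-6a11
<--packets: 0 bytes: 0 --> packets: 1 bytes: 60
172.16.1.1:3105 --> 172.16.2.1:2048 PolicyName: Trust_DMZ
"""

# One regex per line of a verbose entry; the header line starts an entry, the flow line closes it.
HEADER_RE = re.compile(r"^(?P<proto>\w+) VPN: (?P<vpn_in>\S+) --> (?P<vpn_out>\S+) ID: (?P<id>\w+)$")
ZONE_RE = re.compile(r"^Zone: (?P<src_zone>\S+) --> (?P<dst_zone>\S+) TTL: (?P<ttl>\S+) Left: (?P<left>\S+)$")
RECV_RE = re.compile(r"^Recv Interface: (?P<recv_if>\S+)$")
OUT_RE = re.compile(r"^Interface: (?P<out_if>\S+) NextHop: (?P<nexthop>\S+) MAC: (?P<mac>\S+)$")
COUNT_RE = re.compile(r"^<--packets: (?P<rev_pkts>\d+) bytes: (?P<rev_bytes>\d+) --> packets: (?P<fwd_pkts>\d+) bytes: (?P<fwd_bytes>\d+)$")
FLOW_RE = re.compile(r"^(?P<src_ip>[\d.]+):(?P<src_port>\d+) --> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) PolicyName: (?P<policy>\S+)$")
INT_FIELDS = ("rev_pkts", "rev_bytes", "fwd_pkts", "fwd_bytes", "src_port", "dst_port")


def parse_sessions(text: str) -> List[Dict[str, Any]]:
    """Group the lines of each verbose entry into one dict; incomplete entries are skipped."""
    sessions: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = dict(m.groupdict())
            continue
        if current is None:
            continue
        for rx in (ZONE_RE, RECV_RE, OUT_RE, COUNT_RE, FLOW_RE):
            m = rx.match(line)
            if m:
                current.update(m.groupdict())
                break
        if "policy" in current:  # the flow line is the last line of an entry
            if all(k in current for k in INT_FIELDS):
                for k in INT_FIELDS:
                    current[k] = int(current[k])
                sessions.append(current)
            current = None
    return sessions


def icmp_type_code(port: int):
    """Assumption: for icmp sessions the port field is ICMP type*256 + code (2048 -> type 8, code 0)."""
    return divmod(port, 256)


def unanswered(sessions: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Sessions with forward traffic but no reply: the policy permitted the request, so look downstream."""
    return [s for s in sessions if s["fwd_pkts"] > 0 and s["rev_pkts"] == 0]


def summarize(s: Dict[str, Any]) -> str:
    kind = ""
    if s["proto"] == "icmp":
        t, c = icmp_type_code(s["dst_port"])
        kind = f" icmp type {t} code {c}"
    return (f"{s['src_zone']}->{s['dst_zone']} {s['src_ip']} -> {s['dst_ip']}{kind} "
            f"via {s['recv_if']}->{s['out_if']} rule={s['policy']} fwd={s['fwd_pkts']} rev={s['rev_pkts']}")


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_TABLE)
    for s in sessions:
        print(summarize(s))
    print("unanswered:", [s["id"] for s in unanswered(sessions)])
```

A session with `rev=0` that keeps reappearing is the useful signal: the rule is fine and the request left the firewall, so the problem is the host behind GE1/0/1 (no route back, host firewall, wrong MAC resolution) rather than the security policy.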