1、Lab topology
2、Configuration steps
1. cloud1 configuration, so that the local host can connect to the USG6000V firewall through the web UI
a. Use the locally installed VirtualBox to add a virtual network adapter with the IP address 192.168.0.254/24, as shown below (in the VirtualBox window click the "File" menu -> "Preferences"):
b. After the steps above, a virtual network adapter is visible among the local network connections:
c. Test whether the local host can reach the USG6000V.
Note: if it does not, there are two things to check.
First, confirm that the G0/0/0 interface of the USG6000V carries the following configuration:
```
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
service-manage https permit    // whether HTTPS management access is permitted
service-manage ping permit     // whether ping is permitted
```
Second, check that the web management service is enabled on the firewall:
```
web-manager enable
```
d. Once connectivity is confirmed, open a browser and test the login.
2. Firewall FW1 interface configuration
```
#
interface Vlanif1
ip address 192.168.11.254 255.255.255.0
service-manage ping permit
#
interface Vlanif3
ip address 192.168.3.254 255.255.255.0
service-manage ping permit
#
interface Vlanif4
ip address 192.168.4.254 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
alias trust_內網
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 202.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/3
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 3 to 4
#
interface GigabitEthernet1/0/4
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 3 to 4
#
```
3. Security zone configuration
```
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface Vlanif1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
firewall zone name vlan3zone id 4    // user-defined zones need a name and an id
set priority 3
add interface Vlanif3
#
firewall zone name vlan4zone id 5
set priority 4
add interface Vlanif4
#
firewall zone name portszone id 6
set priority 8
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
#
```
4. Security policy configuration
```
#
security-policy
rule name local_any
source-zone local
action permit
rule name lan_wan
source-zone trust
source-zone vlan3zone
destination-zone untrust
action permit
rule name trust_dmz
source-zone trust
destination-zone dmz
action permit
rule name untrust_dmz
source-zone untrust
destination-zone dmz
destination-address 172.16.1.2 32    // only HTTP to the published web server is allowed from untrust
service http
action permit
rule name trust_vlan4zone
source-zone trust
source-zone vlan4zone
destination-zone trust
destination-zone vlan4zone
action permit
rule name any_managevlan1            // no source-zone: matches traffic from any zone toward the management VLAN
destination-zone trust
destination-address 192.168.11.0 24
action permit
#
```
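As an added example (not part of the original post), a small Python model of the security policy in section 4: the rules are transcribed as listed, evaluated top-down with first match and an implicit default deny, so you can check which rule a given flow hits before relying on it. Inbound traffic to the published web server is matched after the NAT server translation, which is why the flow is checked against the inside address 172.16.1.2. The HARDENED_RULES list is my own variant that restricts the management VLAN rule to the trust zone; it is an assumption, not from the post.

```python
import ipaddress

# Security-policy rules transcribed from section 4 of the post. A field set to
# None means the rule does not restrict it. The USG evaluates rules top-down,
# uses the first match, and denies any flow that no rule matches (default policy).
# Tuple layout: (name, source zones, destination zones, destination network, services)
POST_RULES = [
    ("local_any",       {"local"},              None,                   None,              None),
    ("lan_wan",         {"trust", "vlan3zone"}, {"untrust"},            None,              None),
    ("trust_dmz",       {"trust"},              {"dmz"},                None,              None),
    ("untrust_dmz",     {"untrust"},            {"dmz"},                "172.16.1.2/32",   {"http"}),
    ("trust_vlan4zone", {"trust", "vlan4zone"}, {"trust", "vlan4zone"}, None,              None),
    ("any_managevlan1", None,                   {"trust"},              "192.168.11.0/24", None),
]

# Hypothetical hardened variant (my assumption, not from the post): the management
# VLAN rule only accepts flows that originate in the trust zone.
HARDENED_RULES = POST_RULES[:-1] + [
    ("trust_managevlan1", {"trust"}, {"trust"}, "192.168.11.0/24", None),
]

def match_rule(rules, src_zone, dst_zone, dst_ip, service):
    """Return (rule name, action) for a flow; ('default', 'deny') when no rule matches."""
    ip = ipaddress.ip_address(dst_ip)
    for name, src_zones, dst_zones, dst_net, services in rules:
        if src_zones is not None and src_zone not in src_zones:
            continue
        if dst_zones is not None and dst_zone not in dst_zones:
            continue
        if dst_net is not None and ip not in ipaddress.ip_network(dst_net):
            continue
        if services is not None and service not in services:
            continue
        return name, "permit"  # every rule in this policy has "action permit"
    return "default", "deny"

if __name__ == "__main__":
    # Constructed sample flows: (source zone, destination zone, destination IP, service).
    flows = [
        ("untrust", "dmz", "172.16.1.2", "http"),        # published web server, after NAT server
        ("untrust", "dmz", "172.16.1.2", "ssh"),         # other services to the server stay denied
        ("vlan4zone", "untrust", "202.1.1.2", "http"),   # vlan4zone is not listed in lan_wan
        ("untrust", "trust", "192.168.11.10", "https"),  # management VLAN reachable from untrust
    ]
    for flow in flows:
        print(flow, "post:", match_rule(POST_RULES, *flow),
              "hardened:", match_rule(HARDENED_RULES, *flow))
```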
5. NAT configuration
```
#
nat-policy
rule name lan_to_isp
source-zone trust
source-zone vlan3zone
egress-interface GigabitEthernet1/0/1
source-address 192.168.1.0 24
source-address 192.168.3.0 24
action nat easy-ip                   // source NAT to the address of the egress interface
#
#
nat server mywebserver 0 protocol tcp global 202.1.1.1 www inside 172.16.1.2 www no-reverse    // publish TCP/80 of 172.16.1.2 on 202.1.1.1; no-reverse skips the reverse translation for traffic initiated by the server
#
```