拓扑:1
接口和IP配置
r1:
[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 12.0.0.2 24[r1]interface LoopBack 0
[r1-LoopBack0]ip address 100.1.1.1 24
fw:
[fw]interface GigabitEthernet 0/0/0
[fw-GigabitEthernet0/0/0]service-manage all permit[fw]interface GigabitEthernet 1/0/0
[fw-GigabitEthernet1/0/0]ip address 12.0.0.1 24
需求一
安全策略要求:
1、只存在一个公网IP地址,公司内网所有部门都需要借用同一个接口访问外网
2、财务部禁止访问Internet,研发部门只有部分员工可以访问Internet,行政部门全部可以访问互联网
3、为三个部门的虚拟系统分配相同的资源类
配置思路:
1、由根系统管理员创建虚拟系统abc并且为其分配资源以及配置管理员
2、根系统管理员为内网用户创建安全策略和NAT策略
3、由abc三个虚拟系统各自完成IP、路由、安全策略配置
1、启动虚拟系统
[FW]vsys enable
2、配置资源类
1:
[fw-resource-class-1]resource-item-limit session reserved-number 500 maximum 1000
设置最小会话数500最大1000
[fw-resource-class-1]resource-item-limit bandwidth 2 outbound
出接口带宽2m
[fw-resource-class-1]resource-item-limit policy reserved-number 200
策略数200
[fw-resource-class-1]resource-item-limit user reserved-number 100
用户数100[fw]display resource global-resource ---查看剩余公共资源
和上面的1一样
2:3:
3、创建虚拟系统
[fw]vsys name vsysa ---创建虚拟系统,名称为vsysa
[fw-vsys-vsysa]assign resource-class 1 ---设定使用的资源类
[fw-vsys-vsysa]assign interface GigabitEthernet 1/0/1 ---将接口划入虚拟系统[fw]vsys name vsysb
[fw-vsys-vsysa]assign resource-class 2
[fw-vsys-vsysa]assign interface GigabitEthernet 1/0/2[fw]vsys name vsysc
[fw-vsys-vsysa]assign resource-class 3
[fw-vsys-vsysa]assign interface GigabitEthernet 1/0/3
4、管理员配置
vsysa :
[FW]switch vsys vsysa ---切换到vsysa系统中
[FW-vsysa]aaa
[FW-vsysa-aaa]manager-user admin@@vsysa ---创建vsysa虚拟系统管理员,@@为固定,前为用户 名,后为虚拟系统名称
[FW-vsysa-aaa-manager-user-admin@@vsysa]password --配置密码,需要输入两遍,密码没有回 显Enter Password:admin@123
Confirm Password:admin@123
[FW-vsysa-aaa-manager-user-admin@@vsysa]level 15 --设定权限
[FW-vsysa-aaa-manager-user-admin@@vsysa]service-type web telnet ssh ---设定登录服 务,一般选择ssh和web即可
[FW-vsysa-aaa-manager-user-admin@@vsysa]quit
[FW-vsysa-aaa]bind manager-user admin@@vsysa role system-admin ---定义 admin@@vsysa用户为系统管理员vsysb:
[fw]switch vsys vsysb
<fw-vsysb>system-view
[fw-vsysb]aaa
[fw-vsysb-aaa]manager-user admin@@vsysb
[fw-vsysb-aaa-manager-user-admin@@vsysb]passwordEnter Password:admin@123
Confirm Password:admin@123
[fw-vsysb-aaa-manager-user-admin@@vsysb]level 15
[fw-vsysb-aaa-manager-user-admin@@vsysb]service-type web ssh telnet
[fw-vsysc-aaa-manager-user-admin@@vsysb]q
[fw-vsysb-aaa]bind manager-user admin@@vsysb role system-adminvsysc:
[fw]switch vsys vsysc
<fw-vsysc>system-view
[fw-vsysc]aaa
[fw-vsysc-aaa]manager-user admin@@vsysc
[fw-vsysc-aaa-manager-user-admin@@vsysc]passwordEnter Password:admin@123
Confirm Password:admin@123
[fw-vsysc-aaa-manager-user-admin@@vsysc]level 15
[fw-vsysc-aaa-manager-user-admin@@vsysc]service-type web ssh telnet
[fw-vsysc-aaa-manager-user-admin@@vsysc]q
[fw-vsysc-aaa]bind manager-user admin@@vsysc role system-admin
web:
2
3
4
5
公共接口 --- 勾选后,该接口发出的流量为出方向,即为公有接口。一般而言,在虚拟系统中,只有**
存在多个物理接口时,才会配置公共接口,来替代Virtual-if接口。 --- 资源类中的出接口带宽,只有在接口为公共接口时才有效。默认公共接口为Virtual-if接口
6
配置根虚拟接口ip
fw
[fw]interface Virtual-if0
[fw-Virtual-if0]ip address 172.16.0.1 24
区域划分
[fw]firewall zone trust
[fw-zone-trust]add interface Virtual-if 0
[fw]firewall zone untrust
[fw-zone-untrust]add interface GigabitEthernet 1/0/0
静态路由:7
安全策略
[fw]security-policy
[fw-policy-security]rule name t_to_internet
[fw-policy-security-rule-t_to_internet]source-zone trust
[fw-policy-security-rule-t_to_internet]destination-zone untrust
[fw-policy-security-rule-t_to_internet]action permit
因为有虚拟系统所以根上只要简单的配置安全策略,因为虚拟系统上也有安全策略,流量过来会先经过虚拟系统上的安全策略
nat策略
[fw]nat-policy
[fw-policy-nat]rule name 1
[fw-policy-nat-rule-1]source-zone trust
[fw-policy-nat-rule-1]destination-zone untrust
---这里也可以用出接口(把目的区域换成指定的出接口,因为是用的easy-ip)
---egress-interface GigabitEthernet 1/0/0
[fw-policy-nat-rule-1]source-address 10.3.0.0 16
---这里直接放通13.0.0.0/16包括了里面的所以网段,因为里面不能放通流量会被安全策略干掉
[fw-policy-nat-rule-1]action source-nat easy-ip
接口,缺省路由和区域划分:
vsysa:
接口ip:
[fw]switch vsys vsysa
<fw-vsysa>system-view[fw-vsysa]interface GigabitEthernet 1/0/1
[fw-vsysa-GigabitEthernet1/0/1]ip address 10.3.0.254 24[fw-vsysa]interface Virtual-if 1
[fw-vsysa-Virtual-if1]ip address 172.16.1.1 24区域划分:
[fw-vsysa]firewall zone trust
[fw-vsysa-zone-trust]add interface GigabitEthernet 1/0/1
[fw-vsysa]firewall zone untrust
[fw-vsysa-zone-untrust]add interface Virtual-if 1缺省路由;
[fw-vsysa]ip route-static 0.0.0.0 0 public ---缺省指向根地址组:
[fw-vsysa]ip address-set 1 type object ---地址组名为1,类型为object
[fw-vsysa-object-address-set-1]address range 10.3.0.1 10.3.0.10
从10.3.0.1 -10.3.0.10安全策略:
[fw-vsysa]security-policy ---进入视图
[fw-vsysa-policy-security]rule name 1 ---创建名为1
[fw-vsysa-policy-security-rule-1]source-zone trust --源区域
[fw-vsysa-policy-security-rule-1]destination-zone untrust --目的区域
[fw-vsysa-policy-security-rule-1]source-address address-set 1 ---源地址为地址组1
[fw-vsysa-policy-security-rule-1]action permit
---只有地址组1的用户可以访问外网
vsysb:
[fw]switch vsys vsysb
<fw-vsysb>system-view[fw-vsysb]interface GigabitEthernet 1/0/2
[fw-vsysb-GigabitEthernet1/0/2]ip address 10.3.1.254 24[fw-vsysb]interface Virtual-if 2
[fw-vsysb-Virtual-if2]ip address 172.16.1.1 24[fw-vsysb]firewall zone trust
[fw-vsysb-zone-trust]add interface GigabitEthernet 1/0/2[fw-vsysb]firewall zone untrust
[fw-vsysb-zone-untrust]add interface Virtual-if 2
[fw-vsysb]ip route-static 0.0.0.0 0 public这里因为需求是禁止访问外网,所以不用写安全策略,因为默认安全策略禁止所以
vsysc:
[fw]switch vsys vsysc
<fw-vsysc>system-view
[fw-vsysc]interface GigabitEthernet 1/0/3
[fw-vsysc-GigabitEthernet1/0/3]ip address 10.3.2.254 24[fw-vsysc]interface Virtual-if 3
[fw-vsysc-Virtual-if3]ip address 172.16.2.1 24[fw-vsysc]firewall zone trust
[fw-vsysc-zone-trust]add interface GigabitEthernet 1/0/3
[fw-vsysc]firewall zone untrust
[fw-vsysc-zone-untrust]add interface Virtual-if 3
[fw-vsysc]ip route-static 0.0.0.0 0 public[fw-vsysc]security-policy
[fw-vsysc-policy-security]rule name 3
[fw-vsysc-policy-security-rule-3]source-zone trust
[fw-vsysc-policy-security-rule-3]destination-zone untrust
[fw-vsysc-policy-security-rule-3]source-address 10.3.2.0 24
[fw-vsysc-policy-security-rule-3]action permit
测试:
先用pc1当前ip0.1访问100.1.1.1
:8
将0.1改为0.11看超过0.10的用户是否能够访问100.1.1.1,安全策略是否生效
:9,10
pc2去ping100.1.1.1
:11
pc3去ping100.1.1.1
:12
pc1 ping pc2
:13
这里pc1-pc2是虚拟系统通过根来转发,所以要在a,b上补安全策略,根上补上对应路由
a:
[fw-vsysa-policy-security]rule name a_to_b
[fw-vsysa-policy-security-rule-a_to_b]source-zone trust
[fw-vsysa-policy-security-rule-a_to_b]destination-zone untrust
[fw-vsysa-policy-security-rule-a_to_b]source-address 10.3.0.0 24
[fw-vsysa-policy-security-rule-a_to_b]destination-address 10.3.1.0 24
[fw-vsysa-policy-security-rule-a_to_b]action permit---因为上面那条去外网的安全策略只允许0.1-0.10的用户,所以要把a_to_b移到到最上面
[fw-vsysa-policy-security]rule move a_to_b before 1
b:
[fw-vsysb-policy-security]rule name 2
[fw-vsysb-policy-security-rule-2]source-zone untrust
[fw-vsysb-policy-security-rule-2]destination-zone trust
[fw-vsysb-policy-security-rule-2]source-address 10.3.0.0 24
[fw-vsysb-policy-security-rule-2]destination-address 10.3.1.0 24
[fw-vsysb-policy-security-rule-2]action permitpublic:
[fw]ip route-static 10.3.1.0 24 vpn-instance vsysb ----补的这条路由时通过根来进行转发
---从a通过缺省路由转发给根,由根根据上面这条静态路由转发给b[fw]ip route-static vpn-instance vsysa 10.3.1.0 24 vpn-instance vsysb
----这条路由只能有根来下发,有a直接转发给b不在经过根让根转发
---在根系统上,为vsysa系统配置静态路由,指向vsysb
:14
a_to_c
根:
[fw]ip route-static vpn-instance vsysa 10.3.2.0 24 vpn-instance vsysca:
[fw-policy-security]rule name a_to_c
[fw-policy-security-rule-a_to_c]source-zone trust
[fw-policy-security-rule-a_to_c]destination-zone untrust
[fw-policy-security-rule-a_to_c]source-address 10.3.0.0 24
[fw-policy-security-rule-a_to_c]destination-address 10.3.2.0 24
[fw-policy-security-rule-a_to_c]action permit
c:
[fw-vsysc-policy-security]rule name 4
[fw-vsysc-policy-security-rule-4]source-zone untrust
[fw-vsysc-policy-security-rule-4]destination-zone trust
[fw-vsysc-policy-security-rule-4]source-address 10.3.0.0 24
[fw-vsysc-policy-security-rule-4]destination-address 10.3.2.0 24
[fw-vsysc-policy-security-rule-4]action permit
:15
b_to_c
根:
[fw]ip route-static vpn-instance vsysb 10.3.2.0 24 vpn-instance vsysc
b:
[fw-vsysb-policy-security]rule name 3
[fw-vsysb-policy-security-rule-3]source-zone trust
[fw-vsysb-policy-security-rule-3]destination-zone untrust
[fw-vsysb-policy-security-rule-3]source-address 10.3.1.0 24
[fw-vsysb-policy-security-rule-3]destination-address 10.3.2.0 24
[fw-vsysb-policy-security-rule-3]action permitc:
[fw-vsysc-policy-security]rule name 5
[fw-vsysc-policy-security-rule-5]source-zone untrust
[fw-vsysc-policy-security-rule-5]destination-zone trust
[fw-vsysc-policy-security-rule-5]source-address 10.3.1.0 24
[fw-vsysc-policy-security-rule-5]destination-address 10.3.2.0 24
[fw-vsysc-policy-security-rule-5]action permit
:16
b_to_a
根:
[fw]ip route-static vpn-instance vsysb 10.3.0.0 24 vpn-instance vsysa
a:
[fw-vsysa-policy-security]rule name b_to_a
[fw-vsysa-policy-security-rule-b_to_a]source-zone untrust
[fw-vsysa-policy-security-rule-b_to_a]destination-zone trust
[fw-vsysa-policy-security-rule-b_to_a]source-address 10.3.1.0 24
[fw-vsysa-policy-security-rule-b_to_a]destination-address 10.3.0.0 24
[fw-vsysa-policy-security-rule-b_to_a]action permitb:
[fw-vsysb-policy-security]rule name 4
[fw-vsysb-policy-security-rule-4]source-zone trust
[fw-vsysb-policy-security-rule-4]destination-zone untrust
[fw-vsysb-policy-security-rule-4]source-address 10.3.1.0 24
[fw-vsysb-policy-security-rule-4]destination-address 10.3.0.0 24
[fw-vsysb-policy-security-rule-4]action permit
:17
c_to_a
根:
[fw]ip route-static vpn-instance vsysc 10.3.0.0 24 vpn-instance vsysa
a:
[fw-vsysa-policy-security]rule name c_to_a
[fw-vsysa-policy-security-rule-c_to_a]source-zone untrust
[fw-vsysa-policy-security-rule-c_to_a]destination-zone trust
[fw-vsysa-policy-security-rule-c_to_a]source-address 10.3.2.0 24
[fw-vsysa-policy-security-rule-c_to_a]destination-address 10.3.0.0 24
[fw-vsysa-policy-security-rule-c_to_a]action permit
c:已经有t_unt的安全策略
:18
c_to_b
根:
[fw]ip route-static vpn-instance vsysc 10.3.1.0 24 vpn-instance vsysb
b:
[fw-vsysb-policy-security]rule name 5
[fw-vsysb-policy-security-rule-5]source-zone untrust
[fw-vsysb-policy-security-rule-5]destination-zone trust
[fw-vsysb-policy-security-rule-5]source-address 10.3.2.0 24
[fw-vsysb-policy-security-rule-5]destination-address 10.3.1.0 24
[fw-vsysb-policy-security-rule-5]action permit
c:已经有t_unt的安全策略
:19
