Firewall Network Security Policy Lab
1. Topology
2. Requirements
1. VLAN 2 is the office area; VLAN 3 is the production area.
2. Office PCs may access the OA Server during working hours (Monday to Friday, 08:00 to 18:00) and at no other time.
3. Office PCs may access the Web Server at any time.
4. Production PCs may access the OA Server at any time but may not access the Web Server.
5. Exception: production PC3 may access the Web Server every Monday from 10:00 to 11:00 to update the latest company product information.
Enter the management interface, i.e. GE0/0/0, and enable the web service:
[1]int g0/0/0
[1-GigabitEthernet0/0/0]service-manage all permit
Firewall configuration:
Username:admin
Password:*****
The password needs to be changed. Change now? [Y/N]: y
Please enter old password: Admin@123
Please enter new password: admin@123
Please confirm new password: admin@123
[1] sysname 1
[1] interface GigabitEthernet 0/0/0
[1-GigabitEthernet0/0/0] service-manage all permit
LSW1:
[Huawei]vlan 2
[Huawei]vlan 3
[Huawei-vlan3]int g 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2
[Huawei-GigabitEthernet0/0/2]int g 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 3
[Huawei-GigabitEthernet0/0/3]int g 0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 3
[Huawei-GigabitEthernet0/0/4]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
1. Addresses
[1]ip address-set BG
[1-object-address-set-BG]address 192.168.1.0 mask 25
[1]ip address-set OA
[1-object-address-set-OA]address 10.0.0.1 mask 32
2. Time range
[1]time-range WORKING_TIME
[1-time-range-WORKING_TIME]period-range 08:00:00 to 18:00:00 working-day
3. Create security policies
[1]security-policy
[1-policy-security]rule name policy_1
[1-policy-security-rule-policy_1]description BG_TO_OA
[1-policy-security-rule-policy_1]source-zone trust
[1-policy-security-rule-policy_1]destination-zone dmz
[1-policy-security-rule-policy_1]source-address address-set BG
[1-policy-security-rule-policy_1]destination-address address-set OA
[1-policy-security-rule-policy_1]time-range WORKING_TIME
[1-policy-security-rule-policy_1]action permit
[1]ip address-set WEB
[1-object-address-set-WEB]address 10.0.0.2 mask 32
[1]security-policy
[1-policy-security]rule name policy_2
[1-policy-security-rule-policy_2]description BG_TO_WEB
[1-policy-security-rule-policy_2]source-zone trust
[1-policy-security-rule-policy_2]destination-zone dmz
[1-policy-security-rule-policy_2]source-address address-set BG
[1-policy-security-rule-policy_2]destination-address address-set WEB
[1-policy-security-rule-policy_2]action permit
[1]security-policy
[1-policy-security]rule name policy_3
[1-policy-security-rule-policy_3]description SC_TO_OA
[1-policy-security-rule-policy_3]source-zone trust
[1-policy-security-rule-policy_3]destination-zone dmz
[1-policy-security-rule-policy_3]source-address 192.168.1.128 25
[1-policy-security-rule-policy_3]destination-address address-set OA
[1-policy-security-rule-policy_3]action permit
[1]time-range pc3-web
[1-time-range-pc3-web]period-range 10:00:00 to 11:00:00 Mon
[1]security-policy
[1-policy-security]rule name policy_4
[1-policy-security-rule-policy_4]description SC_TO_WEB
[1-policy-security-rule-policy_4]source-zone trust
[1-policy-security-rule-policy_4]destination-zone dmz
[1-policy-security-rule-policy_4]source-address 192.168.1.130 32
[1-policy-security-rule-policy_4]destination-address address-set WEB
[1-policy-security-rule-policy_4]time-range pc3-web
[1-policy-security-rule-policy_4]action permit
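A small Python model of the evaluation the configuration above performs (address sets, time ranges, first-match rule order, implicit default deny), added here as an example; it is not part of the original post or of Huawei's software. PC3's address 192.168.1.130 comes from policy_4; the other PC addresses used to exercise it are constructed, and time-range matching assumes the device's local time.

```python
"""Added model of how the lab's firewall evaluates traffic: address sets,
time ranges, first-match rule order and the implicit default deny.
Not Huawei code; PC addresses other than PC3 (192.168.1.130) are constructed."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Address objects from the lab configuration
ADDR = {
    "BG":  [ip_network("192.168.1.0/25")],     # office area, VLAN 2
    "SC":  [ip_network("192.168.1.128/25")],   # production area, VLAN 3
    "PC3": [ip_network("192.168.1.130/32")],   # the single production host
    "OA":  [ip_network("10.0.0.1/32")],
    "WEB": [ip_network("10.0.0.2/32")],
}

# time-range objects: (weekdays, Monday=0 .. Sunday=6; start hour; end hour), local time assumed
TIME = {
    "WORKING_TIME": (range(0, 5), 8, 18),   # working-day 08:00 to 18:00
    "pc3-web":      ([0], 10, 11),          # Mon 10:00 to 11:00
}

# Security-policy rules in configured order: (name, source set, destination set, time-range, action)
RULES = [
    ("policy_1", "BG",  "OA",  "WORKING_TIME", "permit"),
    ("policy_2", "BG",  "WEB", None,           "permit"),
    ("policy_3", "SC",  "OA",  None,           "permit"),
    ("policy_4", "PC3", "WEB", "pc3-web",      "permit"),
]

def in_set(addr, name):
    a = ip_address(addr)
    return any(a in net for net in ADDR[name])

def in_time(name, when):
    days, start, end = TIME[name]
    return when.weekday() in days and start <= when.hour < end

def evaluate(src, dst, when, rules=RULES):
    """Return (rule name, action) of the first matching rule, or ('default', 'deny')."""
    for name, s, d, tr, action in rules:
        if in_set(src, s) and in_set(dst, d) and (tr is None or in_time(tr, when)):
            return name, action
    return "default", "deny"

def rules_with_pc3_prefix(prefix):
    """Variant of policy_4 whose source is written as 192.168.1.130/<prefix>.
    strict=False mimics the firewall applying the mask, so /25 becomes the whole production subnet."""
    ADDR["PC3_VAR"] = [ip_network(f"192.168.1.130/{prefix}", strict=False)]
    return RULES[:3] + [("policy_4", "PC3_VAR", "WEB", "pc3-web", "permit")]
```

Running `evaluate` for each requirement shows where the rules rely on the default deny (production to Web outside PC3's window, office to OA at the weekend), and `rules_with_pc3_prefix(25)` shows that a /25 on the PC3 rule would open the Web Server to every production host on Monday mornings.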