ENSP实验一:防火墙基础配置

时间:2024-11-08 13:15:13

1、搭建拓扑图

配置client(内网)、FTP Server(外网)的IP地址

客户端设置:

服务端设置:

 

2、配置防火墙命名

进入防火墙,输入密码:默认为admin@123

<USG6000V1>system-view  //进入系统模式
[USG6000V1]sysname FW1  //命名为FW1

3、配置安全区域

[FW1]firewall zone trust 
[FW1-zone-trust]add int g1/0/0

[FW1]firewall zone untrust 
[FW1-zone-untrust]add int g1/0/2

4、配置IP地址

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip address 192.168.2.254 24
[FW1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip address 200.1.1.1 24
[FW1-GigabitEthernet1/0/2]dis ip int b  //查看接口IP信息


*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 6
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 6

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.0.1/24       down       down      
GigabitEthernet1/0/0              192.168.2.254/24     up         up        
GigabitEthernet1/0/1              unassigned           down       down      
GigabitEthernet1/0/2              200.1.1.1/24         up         up        
GigabitEthernet1/0/3              unassigned           down       down      
GigabitEthernet1/0/4              unassigned           down       down      
GigabitEthernet1/0/5              unassigned           down       down      
GigabitEthernet1/0/6              unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Virtual-if0                       unassigned           up         up(s)     

[FW1-GigabitEthernet1/0/2]

5、配置安全策略

[FW1]security-policy  //进入安全配置模式
[FW1-policy-security]rule name test    //取名字
[FW1-policy-security-rule-test]source-zone trust     //源区域
[FW1-policy-security-rule-test]destination-zone untrust     //目标区域
[FW1-policy-security-rule-test]source-address 192.168.2.0 mask 255.255.255.0    //源地址
[FW1-policy-security-rule-test]destination-address 200.1.1.0 mask 255.255.255.0	   //目标地址
[FW1-policy-security-rule-test]service icmp  //流量类型
[FW1-policy-security-rule-test]action permit   //行为为允许

6、ping测试

继续配置安全策略,实现服务器ping客户端