eNSP网络中防火墙命令行配置_ensp网络设计中引入配置防火墙等网络安全设计保护网络

以上述网络拓扑为例

目的：1、B区能够访问外网，同时能够单向访问内网服务器

           2、外网客户端能够通过http访问内网服务器

为了模拟现实情况，对内网进行ospf配置使内网联通

[USG6000V1]ospf 1
[USG6000V1-ospf-1]area 0
[USG6000V1-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[USG6000V1-ospf-1-area-0.0.0.0]network 192.168.4.0 0.0.0.255
配置ospf
[USG6000V1]ip route-static 0.0.0.0 0 11.1.1.1
配置缺省路由
[USG6000V1-ospf-1]default-route-advertise
将缺省路由传递给AR1与AR2

1

进行防火墙配置

[USG6000V1]security-policy
进入安全策略配置
[USG6000V1-policy-security]rule name trust-to-untrust
创建名为trust-to-untrust的规则
[USG6000V1-policy-security-rule-trust-to-untrust]source-zone trust
指明源区域
[USG6000V1-policy-security-rule-trust-to-untrust]destination-zone untrust
指明目的区域
[USG6000V1-policy-security-rule-trust-to-untrust]action permit
启用规则

进行nat配置

[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name trust
[USG6000V1-policy-nat-rule-trust]source-zone trust 
[USG6000V1-policy-nat-rule-trust]destination-zone untrust
[USG6000V1-policy-nat-rule-trust]action source-nat easy-ip

配置防火墙规则使B区能够访问A区

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust-to-dmz
[USG6000V1-policy-security-rule-trust-to-dmz]source-zone trust
[USG6000V1-policy-security-rule-trust-to-dmz]destination-zone dmz
[USG6000V1-policy-security-rule-trust-to-dmz]action permit

2

进行端口映射

[USG6000V1]nat server protocol tcp global 11.1.1.3 8080 inside 192.168.1.2 80

进行防火墙配置

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name untrust-to-dmz
[USG6000V1-policy-security-rule-untrust-to-dmz]source-zone untrust
[USG6000V1-policy-security-rule-untrust-to-dmz]destination-zone dmz 
[USG6000V1-policy-security-rule-untrust-to-dmz]action permit