仙桃网站定制外贸企业网站推广
一.实验拓扑
二.实验需求
1 、只存在一个公网 IP 地址,公司内网所有部门都需要借用同一个接口访问外网
2 、财务部禁止访问 Internet ,研发部门只有部分员工可以访问 Internet ,行政部门全部可以访问互联网
3 、为三个部门的虚拟系统分配相同的资源类
4、内部研发部能够访问财务部
5、由根系统管理员创建虚拟系统 abc 并且为其分配资源以及配置管理员
6、根系统管理员为内网用户创建安全策略和 NAT 策略
7、由 abc 三个虚拟系统各自完成 IP 、路由、安全策略配置
三.实验配置
开启虚拟系统并创建资源类
其中r1,r2,r3内容一致
创建虚拟系统
vsysb和vsysc创建方式与vsysa一致
创建管理员
[FW]switch vsys vsysa
[FW-vsysa]aaa
[FW-vsysa-aaa]manager-user admin@@vsysa
[FW-vsysa-aaa-manager-user-admin@@vsysa]password
Enter Password:admin@123
Confirm Password:admin@123
[FW-vsysa-aaa-manager-user-admin@@vsysa]level 15
[FW-vsysa-aaa-manager-user-admin@@vsysa]service-type web telnet ssh
[FW-vsysa-aaa-manager-user-admin@@vsysa]quit
[FW-vsysa-aaa]bind manager-user admin@@vsysa role system-adminvsysb和vsysc管理员创建方式与a相同
配置FW路由器基本配置
[FW1]dis current-configuration interface
interface GigabitEthernet1/0/0undo shutdownip address 11.0.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1undo shutdownip binding vpn-instance vsysaip address 10.3.0.254 255.255.255.0
#
interface GigabitEthernet1/0/2undo shutdownip binding vpn-instance vsysbip address 10.3.1.254 255.255.255.0
#
interface GigabitEthernet1/0/3undo shutdownip binding vpn-instance vsyscip address 10.3.2.254 255.255.255.0
#
interface Virtual-if0ip address 172.16.0.1 255.255.255.0
#
interface Virtual-if1ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if2ip address 172.16.2.1 255.255.255.0
#
interface Virtual-if3ip address 172.16.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1undo shutdownip binding vpn-instance vsysaip address 10.3.0.254 255.255.255.0
#
interface Virtual-if1ip address 172.16.1.1 255.255.255.0
#
return
#
interface GigabitEthernet1/0/2undo shutdownip binding vpn-instance vsysbip address 10.3.1.254 255.255.255.0
#
interface Virtual-if2ip address 172.16.2.1 255.255.255.0
#
return
#
interface GigabitEthernet1/0/3undo shutdownip binding vpn-instance vsyscip address 10.3.2.254 255.255.255.0
#
interface Virtual-if3ip address 172.16.3.1 255.255.255.0
#
return
[r1]dis current-configuration interface
interface GigabitEthernet0/0/0ip address 11.0.0.2 255.255.255.0
interface LoopBack0ip address 100.1.1.1 255.255.255.0
public区域安全策略及nat策略
[FW1-policy-security-rule-to_internet]dis this
2025-03-04 12:29:40.900
#rule name to_internetsource-zone trustdestination-zone untrustaction permit
#
return
[FW1]nat-policy
[FW1-policy-nat]
[FW1-policy-nat]
[FW1-policy-nat]dis this
2025-03-04 12:30:09.980
#
nat-policyrule name asource-zone trustdestination-zone untrustsource-address 10.3.0.0 mask 255.255.0.0action source-nat easy-ip
#
return
[FW1]ip route-static 0.0.0.0 0 11.0.0.2
[FW1]dis zone
2025-03-04 12:37:35.800
localpriority is 100interface of the zone is (0):
#
trustpriority is 85interface of the zone is (2):GigabitEthernet0/0/0Virtual-if0
#
untrustpriority is 5interface of the zone is (1):GigabitEthernet1/0/0
#
dmzpriority is 50interface of the zone is (0):
#
vpn-instance vsysa localpriority is 100interface of the zone is (0):
#
vpn-instance vsysa trustpriority is 85interface of the zone is (1):GigabitEthernet1/0/1
#
vpn-instance vsysa untrustpriority is 5interface of the zone is (1):Virtual-if1
#
vpn-instance vsysa dmzpriority is 50interface of the zone is (0):
#
vpn-instance vsysb localpriority is 100interface of the zone is (0):
#
vpn-instance vsysb trustpriority is 85interface of the zone is (1):GigabitEthernet1/0/2
#
vpn-instance vsysb untrustpriority is 5interface of the zone is (1):Virtual-if2
#
vpn-instance vsysb dmzpriority is 50interface of the zone is (0):
#
vpn-instance vsysc localpriority is 100interface of the zone is (0):
#
vpn-instance vsysc trustpriority is 85interface of the zone is (1):GigabitEthernet1/0/3
#
vpn-instance vsysc untrustpriority is 5interface of the zone is (1):Virtual-if3
#
vpn-instance vsysc dmzpriority is 50interface of the zone is (0):
#
vsysa区域安全策略及缺省路由
[FW1-vsysa-policy-security]dis this
2025-03-04 12:31:46.930
#
security-policyrule name to_vsysbsource-zone trustdestination-zone untrustsource-address 10.3.0.0 mask 255.255.255.0destination-address 10.3.1.0 mask 255.255.255.0action permitrule name to_internetsource-zone trustdestination-zone untrustsource-address address-set aaaction permit
#
return
[FW1-vsysa]ip route-static 0.0.0.0 0 public vsysb区域安全策略及缺省路由
[FW1-vsysb]security-policy
[FW1-vsysb-policy-security]dis this
2025-03-04 12:34:14.740
#
security-policyrule name to_vsysasource-zone untrustdestination-zone trustsource-address 10.3.0.0 mask 255.255.255.0destination-address 10.3.1.0 mask 255.255.255.0action permit
#
return
[FW1-vsysb]ip route-static 0.0.0.0 0 public vsysc区域安全策略及缺省路由
[FW1-vsysc]security-policy
[FW1-vsysc-policy-security]dis this
2025-03-04 12:35:21.580
#
security-policyrule name to_internetsource-zone trustdestination-zone untrustsource-address 10.3.2.0 mask 255.255.255.0action permit
#
return
[FW1-vsysc]ip route-static 0.0.0.0 0 public 四.实验验证
pc1研发部能够访问外网
pc2财务部不能访问
pc3行政部可以访问
pc1研发部可以访问pc2财务部