1. Test topology:
2. Test summary:
3. Basic configuration:
a. Router r1:
interface ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
b. Firewall srx:
① Configure the interface addresses:
set interfaces ge-0/0/0.0 family inet address 202.100.1.10/24
set interfaces ge-0/0/1.0 family inet address 10.1.1.10/24
set interfaces ge-0/0/2.0 family inet address 192.168.1.10/24
② Assign the interfaces to security zones:
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
③ Configure the inter-zone policy that allows any traffic from trust to untrust (Junos requires an application match in every policy, so it is included here):
set security policies from-zone trust to-zone untrust policy permit-all match source-address any
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
④ Configure the inter-zone policy that allows any traffic from dmz to untrust:
set security policies from-zone dmz to-zone untrust policy permit-all match source-address any
set security policies from-zone dmz to-zone untrust policy permit-all match destination-address any
set security policies from-zone dmz to-zone untrust policy permit-all match application any
set security policies from-zone dmz to-zone untrust policy permit-all then permit
c. Host pc1:
ip: 10.1.1.8/24
gw: 10.1.1.10
d. Router r2:
interface f0/0
ip address 192.168.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
4. NAT configuration:
a. First kind of NAT:
Source NAT: interface NAT configuration:
a. Specify the NAT zones:
set security nat source rule-set source-nat from zone trust
set security nat source rule-set source-nat to zone untrust
b. Configure interface NAT:
set security nat source rule-set source-nat rule nat-interface match source-address 0.0.0.0/0
set security nat source rule-set source-nat rule nat-interface match destination-address 0.0.0.0/0
set security nat source rule-set source-nat rule nat-interface then source-nat interface
c. Commit the configuration:
commit
d. Verification:
From host pc1, ping router r1's interface address while running debug ip icmp on r1. The debug output shows that the ICMP source address has become the firewall's interface address: the echo replies are sent to 202.100.1.10 rather than to pc1's 10.1.1.8.
r1#
*mar 2 01:35:56.797: icmp: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*mar 2 01:35:57.793: icmp: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*mar 2 01:35:58.809: icmp: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*mar 2 01:35:59.749: icmp: echo reply sent, src 202.100.1.1, dst 202.100.1.10
r1#
b. Second kind of NAT:
Source NAT: pool-based NAT configuration:
a. Define the address pool:
set security nat source pool src-nat-pool1 address 202.100.1.11 to 202.100.1.13
b. Specify the NAT zones (already configured above, so this can be skipped):
set security nat source rule-set source-nat from zone trust
set security nat source rule-set source-nat to zone untrust
c. Configure pool-based NAT:
set security nat source rule-set source-nat rule nat-pool match source-address 0.0.0.0/0
set security nat source rule-set source-nat rule nat-pool match destination-address 0.0.0.0/0
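As an added check that is not part of the original post, the following Python script parses set-style statements like the ones above and flags the pitfall most often hit with pool-based source NAT: the pool addresses 202.100.1.11 to 202.100.1.13 sit in the same subnet as ge-0/0/0.0, so r1 will ARP for them, and the SRX only answers if a matching set security nat proxy-arp statement exists. The sample configuration is constructed from this page; the "then source-nat pool src-nat-pool1" statement is assumed, because the page is cut off before it.

```python
import ipaddress
import re

# Constructed sample based on this page's SRX configuration. The final "then source-nat
# pool" statement is assumed (the page is cut off before it); no proxy-arp is configured.
SRX_CONFIG = """\
set interfaces ge-0/0/0.0 family inet address 202.100.1.10/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security nat source pool src-nat-pool1 address 202.100.1.11 to 202.100.1.13
set security nat source rule-set source-nat from zone trust
set security nat source rule-set source-nat to zone untrust
set security nat source rule-set source-nat rule nat-pool then source-nat pool src-nat-pool1
"""

def addr(s):
    """Parse an address, tolerating the /32 that Junos appends to pool entries."""
    return ipaddress.ip_address(s.split("/")[0])

def parse(text):
    """Extract only the Junos 'set' statements these checks need."""
    cfg = {"ifaces": {}, "zones": {}, "pools": {}, "rs_to": {}, "rule_pool": {}, "proxy": []}
    for line in text.splitlines():
        if m := re.match(r"set interfaces (\S+) family inet address (\S+)", line):
            cfg["ifaces"][m[1]] = ipaddress.ip_interface(m[2]).network
        elif m := re.match(r"set security zones security-zone (\S+) interfaces (\S+)", line):
            cfg["zones"].setdefault(m[1], []).append(m[2])
        elif m := re.match(r"set security nat source pool (\S+) address (\S+) to (\S+)", line):
            cfg["pools"][m[1]] = (addr(m[2]), addr(m[3]))
        elif m := re.match(r"set security nat source rule-set (\S+) to zone (\S+)", line):
            cfg["rs_to"][m[1]] = m[2]
        elif m := re.match(r"set security nat source rule-set (\S+) rule \S+ then source-nat pool (\S+)", line):
            cfg["rule_pool"][m[1]] = m[2]
        elif m := re.match(r"set security nat proxy-arp interface (\S+) address (\S+) to (\S+)", line):
            cfg["proxy"].append((m[1], addr(m[2]), addr(m[3])))
    return cfg

def missing_proxy_arp(cfg):
    """Pool addresses inside an egress interface's subnet with no proxy-arp covering them:
    the neighbour (r1 here) ARPs for them and the SRX stays silent, so return traffic is lost."""
    findings = []
    for rs, pool in cfg["rule_pool"].items():
        low, high = cfg["pools"][pool]
        for iface in cfg["zones"].get(cfg["rs_to"].get(rs), []):
            net = cfg["ifaces"].get(iface)
            for n in range(int(low), int(high) + 1):
                a = ipaddress.ip_address(n)
                covered = any(i == iface and lo <= a <= hi for i, lo, hi in cfg["proxy"])
                if net is not None and a in net and not covered:
                    findings.append((iface, str(a)))
    return findings
```

Running missing_proxy_arp(parse(SRX_CONFIG)) lists all three pool addresses on ge-0/0/0.0; appending "set security nat proxy-arp interface ge-0/0/0.0 address 202.100.1.11/32 to 202.100.1.13/32" to the configuration clears the findings.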