华为eNSP-防火墙实验

实验一

实验环境

实验要求

1规划并配置IP地址
2将网络分别加入对应的区域
3实现pc1访问pc2，pc2访问服务器，其他不能互访

实验步骤

配置IP

FW1 IP
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip ad 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip ad 192.168.2.254 24
[FW1-GigabitEthernet1/0/1]int 1/0/2
[FW1-GigabitEthernet1/0/2]ip ad 192.168.3.254 24

配置FW1端口
[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/0
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/1
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g1/0/2

配置规则
[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]source-zone trust
[FW1-policy-security-rule-t-u]destination-zone
[FW1-policy-security-rule-t-u]source-address 192.168.1.1 mask 255.255.255.0
[FW1-policy-security-rule-t-u]destination-address 192.168.2.2 24
[FW1-policy-security-rule-t-u]action permit
​

[FW1]security-policy
[FW1-policy-security]rule name t-i
[FW1-policy-security-rule-t-i]source-zone untrust
[FW1-policy-security-rule-t-i]destination-zone dmz
[FW1-policy-security-rule-t-i]source-address 192.168.2.2 mask 255.255.255.0
[FW1-policy-security-rule-t-i]destination-address 192.168.3.3 24
[FW1-policy-security-rule-t-i]action permit
​

Pc1 ping pc2 pc1 ping 服务器

Pc2 ping 服务器

实验二

实验环境

实验要求

1. 配置 NAT，内网 pc 正常访问公网 pc
2. 登录 web 界面

实验步骤

配置R1
[R1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R1-GigabitEthernet0/0/1]ip address 192.168.4.1 24
[R1-ospf-1]a 0
[R1-ospf-1-area-0.0.0.0]network 192.168.4.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 192.168.1.254 0.0.0.0
配置FW1
[FW1]ip route-static 0.0.0.0 0 192.168.2.2
[FW1]ospf
[FW1-ospf-1]a 0
[FW1-ospf-1-area-0.0.0.0]network 1923.168 [FW1-ospf-1]default-route-advertise
[FW1]nat address-group 1 section 0 192.168.2.10 192.168.2.10
[FW1]nat-policy rule name snat
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group 1
​

[FW1]security-policy
[FW1-policy-security]rule name t-u
[FW1-policy-security-rule-t-u]di th source-zone trust
[FW1-policy-security-rule-t-u] destination-zone untrust
[FW1-policy-security-rule-t-u ]source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-security-rule-t-u ]action permit
​

Pc1 ping pc 2

设置cloud1

连接fw的g0/0/0端口

[FW1-GigabitEthernet0/0/0]ip address 192.168.70.7 24

[FW1-GigabitEthernet0/0/0]service-manage https permit