Topology
Requirements
1. VLAN 2 is the office area; VLAN 3 is the production area.
2. Office-area PCs may access the OA server during working hours (Monday to Friday, 08:00 to 18:00) and at no other time.
3. Office-area PCs may access the web server at any time.
4. Production-area PCs may access the OA server at any time, but may not access the web server.
5. Exception: production-area PCs may access the web server every Monday from 10:00 to 11:00 to update the latest product information.
Requirements analysis
1. Configure the IP addresses according to the topology diagram, add subinterfaces on GE1/0/1 of FW1, assign the two subinterfaces (192.168.1.126 and 192.168.1.254) to the trust zone, and assign 10.0.0.254 to the dmz zone.
2. Create the address sets (and the time ranges) before writing the security policies, so the rules can reference them.
3. Mind the order of the rules so they do not conflict: the firewall matches security-policy rules top-down and the first match wins.
Configuration
CLI configuration
Switches
SW1:
[SW1]vlan 2
[SW1]vlan 3
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 2
[SW1-GigabitEthernet0/0/2]q
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 3
[SW1-GigabitEthernet0/0/3]int g0/0/4
[SW1-GigabitEthernet0/0/4]port link-type access
[SW1-GigabitEthernet0/0/4]port default vlan 3
[SW1-GigabitEthernet0/0/4]int g0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
SW2:
[SW2]vlan 2
[SW2-vlan2]vlan 3
[SW2-vlan3]int g0/0/1
[SW2-GigabitEthernet0/0/1]port link-type trunk
[SW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
Firewall (fw)
Interfaces and zone assignment
[fw]interface GigabitEthernet 0/0/0
[fw-GigabitEthernet0/0/0]ip address 172.25.254.100 24
[fw-GigabitEthernet0/0/0]service-manage all permit
[fw]interface GigabitEthernet 1/0/1.1
[fw-GigabitEthernet1/0/1.1]ip address 192.168.1.126 25
[fw-GigabitEthernet1/0/1.1]vlan-type dot1q 2
[fw-GigabitEthernet1/0/1.1]service-manage ping permit
[fw]interface GigabitEthernet 1/0/1.2
[fw-GigabitEthernet1/0/1.2]ip address 192.168.1.254 25
[fw-GigabitEthernet1/0/1.2]vlan-type dot1q 3
[fw-GigabitEthernet1/0/1.2]service-manage ping permit
[fw]interface GigabitEthernet 1/0/0
[fw-GigabitEthernet1/0/0]ip address 10.0.0.254 24
[fw]firewall zone trust
[fw-zone-trust]add interface GigabitEthernet 1/0/1.1
[fw-zone-trust]add interface GigabitEthernet 1/0/1.2
[fw]firewall zone dmz
[fw-zone-dmz]add interface GigabitEthernet 1/0/0
Create address sets and time ranges
[fw]ip address-set bg type object ----- address set bg: office PCs (VLAN 2, the 192.168.1.0/25 subnet behind GE1/0/1.1)
[fw-object-address-set-bg]address 192.168.1.0 mask 25
[fw]ip address-set oa type object ----- address set oa: the OA server
[fw-object-address-set-oa]address 10.0.0.1 mask 32
[fw]ip address-set web type object ----- address set web: the web server
[fw-object-address-set-web]address 10.0.0.2 mask 32
[fw]ip address-set sc type object ----- address set sc: production PCs (VLAN 3, the 192.168.1.128/25 subnet behind GE1/0/1.2)
[fw-object-address-set-sc]address 192.168.1.128 mask 25
[fw]time-range aaa ----- time range for requirement 5: Monday 10:00 to 11:00
[fw-time-range-aaa]period-range 10:00:00 to 11:00:00 Mon
[fw]time-range worktime ----- time range for requirement 2: working days (Mon to Fri) 08:00 to 18:00
[fw-time-range-worktime]period-range 08:00:00 to 18:00:00 working-day
Configure the security policies
[fw]security-policy ----- enter the security-policy view
[fw-policy-security]rule name policy_1 ----- create rule policy_1 (requirement 2: office -> OA server, working hours only)
[fw-policy-security-rule-policy_1]description bg_to_oa
[fw-policy-security-rule-policy_1]source-zone trust
[fw-policy-security-rule-policy_1]destination-zone dmz
[fw-policy-security-rule-policy_1]source-address address-set bg
[fw-policy-security-rule-policy_1]destination-address address-set oa
[fw-policy-security-rule-policy_1]time-range worktime
[fw-policy-security-rule-policy_1]action permit
Rules 2 to 4 follow the same format as rule 1; only the address sets change, and the time range is adjusted (rules 2 and 3 have none, rule 4 uses aaa). Traffic that matches no permit rule is dropped by the default deny action, which is what enforces "at no other time" in requirements 2 and 5.
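The three remaining rules written out in full, plus a check of the rule order, as an added example that is not part of the original write-up. It assumes the address sets and time ranges defined above and that the policy's default action is deny (the behaviour the test below relies on). The rule sc_to_web_deny is a hypothetical addition, not required by the requirement list; it is included only to show why rule order matters for a time-limited permit.

```text
[fw]security-policy
[fw-policy-security]default action deny ----- explicit default: anything that matches no rule is dropped
[fw-policy-security]rule name policy_2 ----- requirement 3: office -> web server, any time
[fw-policy-security-rule-policy_2]description bg_to_web
[fw-policy-security-rule-policy_2]source-zone trust
[fw-policy-security-rule-policy_2]destination-zone dmz
[fw-policy-security-rule-policy_2]source-address address-set bg
[fw-policy-security-rule-policy_2]destination-address address-set web
[fw-policy-security-rule-policy_2]action permit
[fw-policy-security-rule-policy_2]quit
[fw-policy-security]rule name policy_3 ----- requirement 4: production -> OA server, any time
[fw-policy-security-rule-policy_3]description sc_to_oa
[fw-policy-security-rule-policy_3]source-zone trust
[fw-policy-security-rule-policy_3]destination-zone dmz
[fw-policy-security-rule-policy_3]source-address address-set sc
[fw-policy-security-rule-policy_3]destination-address address-set oa
[fw-policy-security-rule-policy_3]action permit
[fw-policy-security-rule-policy_3]quit
[fw-policy-security]rule name policy_4 ----- requirement 5: production -> web server, Monday 10:00-11:00 only
[fw-policy-security-rule-policy_4]description sc_to_web
[fw-policy-security-rule-policy_4]source-zone trust
[fw-policy-security-rule-policy_4]destination-zone dmz
[fw-policy-security-rule-policy_4]source-address address-set sc
[fw-policy-security-rule-policy_4]destination-address address-set web
[fw-policy-security-rule-policy_4]time-range aaa
[fw-policy-security-rule-policy_4]action permit
[fw-policy-security-rule-policy_4]quit
[fw-policy-security]rule name sc_to_web_deny ----- hypothetical explicit deny (not needed; default deny already covers it)
[fw-policy-security-rule-sc_to_web_deny]source-zone trust
[fw-policy-security-rule-sc_to_web_deny]destination-zone dmz
[fw-policy-security-rule-sc_to_web_deny]source-address address-set sc
[fw-policy-security-rule-sc_to_web_deny]destination-address address-set web
[fw-policy-security-rule-sc_to_web_deny]action deny
[fw-policy-security-rule-sc_to_web_deny]quit
[fw-policy-security]rule move policy_4 before sc_to_web_deny ----- rules match top-down: the Monday permit must sit above the deny, or the window never opens
[fw-policy-security]quit
[fw]display security-policy rule all ----- confirm the order policy_1 .. policy_4, then sc_to_web_deny
[fw]display time-range all ----- shows whether worktime and aaa are Active or Inactive right now
```

A new rule is appended at the bottom, so creating sc_to_web_deny after policy_4 already puts it in the right place; the rule move command is what you would need if the deny had been created first. The two display commands are the quickest way to explain a failed test: an Inactive time range means the permit rule is not matching, and the traffic falls through to whatever rule or default action comes next.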
GUI configuration
Test
When the test was run, the current time fell outside both time ranges, so policy 1 (worktime) and policy 4 (aaa) did not match; office -> OA and production -> web traffic fell through to the default deny action and was blocked, which is the intended behaviour outside the permitted windows.