Requirements:

- AR1 can ping interface G0/0/0 of firewall FW1
- AR1, AR2 and AR3 are placed in different security zones
- AR1 can reach AR2

Implementation:

- Configure the IP addresses and static routes on each router
- Configure the security policy on the FW and add its interfaces to the relevant zones
The firewall configuration is as follows:

```text
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 # By default the firewall does not answer ping; this command allows ping on the interface
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 3.3.3.2 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 2.2.2.2 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 # Set the zone priority (the default value is used here)
 set priority 85
 # Add the interface to the zone
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#
security-policy
 # Create the icmp rule
 rule name icmp
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 2.2.2.0 mask 255.255.255.0
  service icmp
  action permit
```
Test
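To make the zone and policy logic of the lab checkable before touching the firewall, here is an added Python model (not code from the original post or from Huawei) that mirrors the configuration above: the zone priorities, the interface-to-zone mapping, the `service-manage ping permit` on G0/0/0, and the single `icmp` rule. It walks the same flows the requirements list asks for and shows why a new ping from AR1 to AR2 passes while a ping from AR2 toward AR1, from AR1 toward AR3, or to the firewall's untrust address is dropped by the default deny. The AR2 and AR3 addresses (2.2.2.1 and 3.3.3.1) are assumptions; return traffic of established sessions and intrazone traffic are deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the lab: zone priorities, interface-to-zone mapping
# and the security-policy rule come from the firewall configuration above.
# Router addresses other than AR1 (1.1.1.1) are assumed for the examples.
ZONES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# interface -> (directly connected network, firewall's own address, zone)
INTERFACES = {
    "GigabitEthernet0/0/0": ("1.1.1.0/24", "1.1.1.2", "trust"),
    "GigabitEthernet1/0/1": ("3.3.3.0/24", "3.3.3.2", "dmz"),
    "GigabitEthernet1/0/2": ("2.2.2.0/24", "2.2.2.2", "untrust"),
}

# Interfaces configured with "service-manage ping permit"
SERVICE_MANAGE_PING = {"GigabitEthernet0/0/0"}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # CIDR
    destination: str   # CIDR
    service: str
    action: str        # "permit" or "deny"


# security-policy from the configuration, evaluated top to bottom
POLICY = [Rule("icmp", "1.1.1.1/32", "2.2.2.0/24", "icmp", "permit")]


def interface_for(addr: str):
    """Return the interface whose connected network contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, (net, _, _) in INTERFACES.items():
        if ip in ipaddress.ip_network(net):
            return name
    return None


def zone_of(addr: str):
    """'local' for the firewall's own addresses, otherwise the interface's zone."""
    iface = interface_for(addr)
    if iface is None:
        return None
    _, fw_addr, zone = INTERFACES[iface]
    return "local" if addr == fw_addr else zone


def evaluate(src: str, dst: str, service: str):
    """Decide whether a NEW session src -> dst for `service` passes the firewall.

    Returns (action, reason). Return packets of an established session are
    matched by the session table on a real USG and are not modelled here.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "source or destination is not in any connected network"

    # Traffic addressed to the firewall itself is gated by service-manage on
    # the receiving interface; the lab enables only ping, only on G0/0/0.
    if dst_zone == "local":
        iface = interface_for(dst)
        if service == "icmp" and iface in SERVICE_MANAGE_PING:
            return "permit", f"service-manage ping permit on {iface}"
        return "deny", f"service-manage does not allow {service} on {iface}"

    if src_zone == dst_zone:
        return "deny", "intrazone traffic is outside this model"

    # Interzone direction follows zone priority: high -> low is outbound.
    direction = "outbound" if ZONES[src_zone] > ZONES[dst_zone] else "inbound"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if (s in ipaddress.ip_network(rule.source)
                and d in ipaddress.ip_network(rule.destination)
                and rule.service == service):
            return rule.action, f"rule {rule.name} ({src_zone}->{dst_zone}, {direction})"
    # No rule matched: the default security policy denies interzone traffic.
    return "deny", f"default policy ({src_zone}->{dst_zone}, {direction})"


if __name__ == "__main__":
    flows = [
        ("1.1.1.1", "1.1.1.2", "icmp"),  # AR1 pings FW G0/0/0
        ("1.1.1.1", "2.2.2.1", "icmp"),  # AR1 pings AR2 (assumed 2.2.2.1)
        ("2.2.2.1", "1.1.1.1", "icmp"),  # AR2 initiates a ping to AR1
        ("1.1.1.1", "3.3.3.1", "icmp"),  # AR1 pings AR3 (assumed 3.3.3.1)
        ("1.1.1.1", "2.2.2.2", "icmp"),  # AR1 pings the FW's untrust address
    ]
    for flow in flows:
        print(flow, evaluate(*flow))
```

The first two flows are the ones the requirements demand and both come back `permit`; the remaining three show the firewall's default deny at work, which is what you want to confirm when a ping in the lab unexpectedly fails: check the zone each interface was added to, then whether a rule exists for that source, destination and service in that direction.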