防火墙虚拟系统实验

配置

[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 12.0.0.2 24
[r1]interface LoopBack 0
[r1-LoopBack0]ip address 100.1.1.1 24

[fw]interface GigabitEthernet 0/0/0    
[fw-GigabitEthernet0/0/0]service-manage all permit 
[fw]interface GigabitEthernet 1/0/0
[fw-GigabitEthernet1/0/0]ip address 12.0.0.1 24

需求一

要求：

1、只存在一个公网IP地址，公司内网所有部门都需要借用同一个接口访问外网

2、财务部禁止访问Internet，研发部门只有部分员工可以访问Internet，行政部门全部可以访问互联网

3、为三个部门的虚拟系统分配相同的资源类

[FW]vsys enable 

[fw-resource-class-1]resource-item-limit session reserved-number 500 maximum 1000
[fw-resource-class-1]resource-item-limit bandwidth 2 outbound 
[fw-resource-class-1]resource-item-limit policy reserved-number 200
[fw-resource-class-1]resource-item-limit user reserved-number 100
[fw]display resource global-resource 

[fw]vsys name vsysa 
[fw-vsys-vsysa]assign resource-class 1
[fw-vsys-vsysa]assign interface GigabitEthernet 1/0/1 
[fw]vsys name vsysb
[fw-vsys-vsysa]assign resource-class 2
[fw-vsys-vsysa]assign interface GigabitEthernet 1/0/2
[fw]vsys name vsysc
[fw-vsys-vsysa]assign resource-class 3
[fw-vsys-vsysa]assign interface GigabitEthernet 1/0/3

vsysa :
[FW]switch vsys vsysa
[FW-vsysa]aaa
[FW-vsysa-aaa]manager-user admin@@vsysa 
[FW-vsysa-aaa-manager-user-admin@@vsysa]password
Enter Password:admin@123 
Confirm Password:admin@123 
[FW-vsysa-aaa-manager-user-admin@@vsysa]level 15  
[FW-vsysa-aaa-manager-user-admin@@vsysa]service-type web telnet ssh 
[FW-vsysa-aaa-manager-user-admin@@vsysa]quit 
[FW-vsysa-aaa]bind manager-user admin@@vsysa role system-admin 
 
vsysb:    
[fw]switch vsys vsysb
<fw-vsysb>system-view 
[fw-vsysb]aaa
[fw-vsysb-aaa]manager-user admin@@vsysb
[fw-vsysb-aaa-manager-user-admin@@vsysb]password
Enter Password:admin@123
Confirm Password:admin@123    
[fw-vsysb-aaa-manager-user-admin@@vsysb]level 15
[fw-vsysb-aaa-manager-user-admin@@vsysb]service-type web ssh telnet 
[fw-vsysc-aaa-manager-user-admin@@vsysb]q
[fw-vsysb-aaa]bind manager-user admin@@vsysb role system-admin 
 
vsysc:
[fw]switch vsys vsysc    
<fw-vsysc>system-view 
[fw-vsysc]aaa
[fw-vsysc-aaa]manager-user admin@@vsysc
[fw-vsysc-aaa-manager-user-admin@@vsysc]password
Enter Password:admin@123
Confirm Password:admin@123    
[fw-vsysc-aaa-manager-user-admin@@vsysc]level 15    
[fw-vsysc-aaa-manager-user-admin@@vsysc]service-type web ssh telnet 
[fw-vsysc-aaa-manager-user-admin@@vsysc]q
[fw-vsysc-aaa]bind manager-user admin@@vsysc role system-admin 

配置根虚拟接口ip

[fw]interface Virtual-if0 
[fw-Virtual-if0]ip address 172.16.0.1 24

[fw]firewall zone trust     
[fw-zone-trust]add interface Virtual-if 0
    
[fw]firewall zone untrust 
[fw-zone-untrust]add interface GigabitEthernet 1/0/0

安全策略

[fw]security-policy
[fw-policy-security]rule name t_to_internet    
[fw-policy-security-rule-t_to_internet]source-zone trust 
[fw-policy-security-rule-t_to_internet]destination-zone untrust 
[fw-policy-security-rule-t_to_internet]action permit 

nat策略

[fw]nat-policy 
[fw-policy-nat]rule name 1    
[fw-policy-nat-rule-1]source-zone trust     
[fw-policy-nat-rule-1]destination-zone untrust 
---egress-interface GigabitEthernet 1/0/0
[fw-policy-nat-rule-1]source-address 10.3.0.0 16
[fw-policy-nat-rule-1]action source-nat easy-ip

接口，缺省路由和区域划分

接口ip：
[fw]switch vsys vsysa
<fw-vsysa>system-view 
[fw-vsysa]interface GigabitEthernet 1/0/1
[fw-vsysa-GigabitEthernet1/0/1]ip address 10.3.0.254 24
[fw-vsysa]interface Virtual-if 1
[fw-vsysa-Virtual-if1]ip address 172.16.1.1 24
 
区域划分：
[fw-vsysa]firewall zone trust 
[fw-vsysa-zone-trust]add interface GigabitEthernet 1/0/1  
[fw-vsysa]firewall zone untrust 
[fw-vsysa-zone-untrust]add interface Virtual-if 1
 
缺省路由；
[fw-vsysa]ip route-static 0.0.0.0 0 public
 
地址组：
[fw-vsysa]ip address-set 1 type object  
[fw-vsysa-object-address-set-1]address range 10.3.0.1 10.3.0.10
 
安全策略：
[fw-vsysa]security-policy    
[fw-vsysa-policy-security]rule name 1 
[fw-vsysa-policy-security-rule-1]source-zone trust   
[fw-vsysa-policy-security-rule-1]destination-zone untrust
[fw-vsysa-policy-security-rule-1]source-address address-set 1 
[fw-vsysa-policy-security-rule-1]action permit 








[fw]switch  vsys vsysb
<fw-vsysb>system-view 
[fw-vsysb]interface GigabitEthernet 1/0/2    
[fw-vsysb-GigabitEthernet1/0/2]ip address 10.3.1.254 24
[fw-vsysb]interface Virtual-if 2
[fw-vsysb-Virtual-if2]ip address 172.16.1.1 24
[fw-vsysb]firewall zone trust 
[fw-vsysb-zone-trust]add interface GigabitEthernet 1/0/2
[fw-vsysb]firewall zone  untrust 
[fw-vsysb-zone-untrust]add interface Virtual-if 2
[fw-vsysb]ip route-static 0.0.0.0 0 public 










[fw]switch  vsys vsysc
<fw-vsysc>system-view 
[fw-vsysc]interface GigabitEthernet 1/0/3
[fw-vsysc-GigabitEthernet1/0/3]ip address 10.3.2.254 24
[fw-vsysc]interface Virtual-if 3    
[fw-vsysc-Virtual-if3]ip address 172.16.2.1 24
[fw-vsysc]firewall zone trust    
[fw-vsysc-zone-trust]add interface GigabitEthernet 1/0/3  
[fw-vsysc]firewall zone  untrust 
[fw-vsysc-zone-untrust]add interface Virtual-if 3
[fw-vsysc]ip route-static 0.0.0.0 0 public 
[fw-vsysc]security-policy     
[fw-vsysc-policy-security]rule name 3    
[fw-vsysc-policy-security-rule-3]source-zone trust 
[fw-vsysc-policy-security-rule-3]destination-zone untrust     
[fw-vsysc-policy-security-rule-3]source-address 10.3.2.0 24    
[fw-vsysc-policy-security-rule-3]action permit