Firewall Virtual System Lab

Configuration

[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 12.0.0.2 24
[r1]interface LoopBack 0
[r1-LoopBack0]ip address 100.1.1.1 24

[fw]interface GigabitEthernet 0/0/0    
[fw-GigabitEthernet0/0/0]service-manage all permit 
[fw]interface GigabitEthernet 1/0/0
[fw-GigabitEthernet1/0/0]ip address 12.0.0.1 24

Requirement 1

Requirements:

1. There is only one public IP address; every department on the company intranet must share the same interface to reach the Internet.

2. The finance department is forbidden from accessing the Internet, only some employees of the R&D department may access the Internet, and the whole administration department may access the Internet.

3. Assign the same resource class to the virtual systems of the three departments.

[fw]vsys enable

# create the resource class first, then set its limits
[fw]resource-class 1
[fw-resource-class-1]resource-item-limit session reserved-number 500 maximum 1000
[fw-resource-class-1]resource-item-limit bandwidth 2 outbound
[fw-resource-class-1]resource-item-limit policy reserved-number 200
[fw-resource-class-1]resource-item-limit user reserved-number 100
[fw-resource-class-1]quit
[fw]display resource global-resource

# requirement 3: all three vsys share resource class 1; each gets one dedicated interface
[fw]vsys name vsysa
[fw-vsys-vsysa]assign resource-class 1
[fw-vsys-vsysa]assign interface GigabitEthernet 1/0/1
[fw]vsys name vsysb
[fw-vsys-vsysb]assign resource-class 1
[fw-vsys-vsysb]assign interface GigabitEthernet 1/0/2
[fw]vsys name vsysc
[fw-vsys-vsysc]assign resource-class 1
[fw-vsys-vsysc]assign interface GigabitEthernet 1/0/3

# one system-admin account per vsys; vsys administrators are named user@@vsys-name
vsysa:
[fw]switch vsys vsysa
<fw-vsysa>system-view
[fw-vsysa]aaa
[fw-vsysa-aaa]manager-user admin@@vsysa
[fw-vsysa-aaa-manager-user-admin@@vsysa]password
Enter Password:admin@123
Confirm Password:admin@123
[fw-vsysa-aaa-manager-user-admin@@vsysa]level 15
[fw-vsysa-aaa-manager-user-admin@@vsysa]service-type web telnet ssh
[fw-vsysa-aaa-manager-user-admin@@vsysa]quit
[fw-vsysa-aaa]bind manager-user admin@@vsysa role system-admin

vsysb:
[fw]switch vsys vsysb
<fw-vsysb>system-view
[fw-vsysb]aaa
[fw-vsysb-aaa]manager-user admin@@vsysb
[fw-vsysb-aaa-manager-user-admin@@vsysb]password
Enter Password:admin@123
Confirm Password:admin@123
[fw-vsysb-aaa-manager-user-admin@@vsysb]level 15
[fw-vsysb-aaa-manager-user-admin@@vsysb]service-type web ssh telnet
[fw-vsysb-aaa-manager-user-admin@@vsysb]quit
[fw-vsysb-aaa]bind manager-user admin@@vsysb role system-admin

vsysc:
[fw]switch vsys vsysc
<fw-vsysc>system-view
[fw-vsysc]aaa
[fw-vsysc-aaa]manager-user admin@@vsysc
[fw-vsysc-aaa-manager-user-admin@@vsysc]password
Enter Password:admin@123
Confirm Password:admin@123
[fw-vsysc-aaa-manager-user-admin@@vsysc]level 15
[fw-vsysc-aaa-manager-user-admin@@vsysc]service-type web ssh telnet
[fw-vsysc-aaa-manager-user-admin@@vsysc]quit
[fw-vsysc-aaa]bind manager-user admin@@vsysc role system-admin

Configure the root virtual interface IP

[fw]interface Virtual-if0 
[fw-Virtual-if0]ip address 172.16.0.1 24

[fw]firewall zone trust     
[fw-zone-trust]add interface Virtual-if 0
    
[fw]firewall zone untrust 
[fw-zone-untrust]add interface GigabitEthernet 1/0/0
Security policy

[fw]security-policy
[fw-policy-security]rule name t_to_internet    
[fw-policy-security-rule-t_to_internet]source-zone trust 
[fw-policy-security-rule-t_to_internet]destination-zone untrust 
[fw-policy-security-rule-t_to_internet]action permit 
NAT policy

[fw]nat-policy 
[fw-policy-nat]rule name 1    
[fw-policy-nat-rule-1]source-zone trust     
[fw-policy-nat-rule-1]destination-zone untrust 
[fw-policy-nat-rule-1]egress-interface GigabitEthernet 1/0/0
[fw-policy-nat-rule-1]source-address 10.3.0.0 16
[fw-policy-nat-rule-1]action source-nat easy-ip
Interfaces, default routes and zone assignment

vsysa:
Interface IP:
[fw]switch vsys vsysa
<fw-vsysa>system-view 
[fw-vsysa]interface GigabitEthernet 1/0/1
[fw-vsysa-GigabitEthernet1/0/1]ip address 10.3.0.254 24
[fw-vsysa]interface Virtual-if 1
[fw-vsysa-Virtual-if1]ip address 172.16.1.1 24
 
Zone assignment:
[fw-vsysa]firewall zone trust 
[fw-vsysa-zone-trust]add interface GigabitEthernet 1/0/1  
[fw-vsysa]firewall zone untrust 
[fw-vsysa-zone-untrust]add interface Virtual-if 1
 
Default route:
[fw-vsysa]ip route-static 0.0.0.0 0 public
 
Address set:
[fw-vsysa]ip address-set 1 type object  
[fw-vsysa-object-address-set-1]address range 10.3.0.1 10.3.0.10
 
Security policy:
[fw-vsysa]security-policy    
[fw-vsysa-policy-security]rule name 1 
[fw-vsysa-policy-security-rule-1]source-zone trust   
[fw-vsysa-policy-security-rule-1]destination-zone untrust
[fw-vsysa-policy-security-rule-1]source-address address-set 1 
[fw-vsysa-policy-security-rule-1]action permit

vsysb:
[fw]switch vsys vsysb
<fw-vsysb>system-view
[fw-vsysb]interface GigabitEthernet 1/0/2
[fw-vsysb-GigabitEthernet1/0/2]ip address 10.3.1.254 24
[fw-vsysb]interface Virtual-if 2
# each vsys keeps its own routing table, so this address may overlap vsysa's Virtual-if 1; a distinct address is still easier to troubleshoot
[fw-vsysb-Virtual-if2]ip address 172.16.1.1 24
[fw-vsysb]firewall zone trust
[fw-vsysb-zone-trust]add interface GigabitEthernet 1/0/2
[fw-vsysb]firewall zone untrust
[fw-vsysb-zone-untrust]add interface Virtual-if 2
[fw-vsysb]ip route-static 0.0.0.0 0 public
# no trust-to-untrust permit rule is created in this vsys: the default security policy denies, which is the "no Internet access" behaviour required for the finance department

vsysc:
[fw]switch vsys vsysc
<fw-vsysc>system-view 
[fw-vsysc]interface GigabitEthernet 1/0/3
[fw-vsysc-GigabitEthernet1/0/3]ip address 10.3.2.254 24
[fw-vsysc]interface Virtual-if 3    
[fw-vsysc-Virtual-if3]ip address 172.16.2.1 24
[fw-vsysc]firewall zone trust    
[fw-vsysc-zone-trust]add interface GigabitEthernet 1/0/3  
[fw-vsysc]firewall zone  untrust 
[fw-vsysc-zone-untrust]add interface Virtual-if 3
[fw-vsysc]ip route-static 0.0.0.0 0 public 
[fw-vsysc]security-policy     
[fw-vsysc-policy-security]rule name 3    
[fw-vsysc-policy-security-rule-3]source-zone trust 
[fw-vsysc-policy-security-rule-3]destination-zone untrust     
[fw-vsysc-policy-security-rule-3]source-address 10.3.2.0 24    
[fw-vsysc-policy-security-rule-3]action permit
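As an added example (not part of the original lab write-up and not Huawei code), the following Python script models the three per-vsys security policies and the root-vsys easy-ip NAT by parsing the transcript lines above, then checks the access each department ends up with. It assumes the department-to-vsys mapping the policies imply: vsysa is R&D (only the address-set range 10.3.0.1 to 10.3.0.10 may go out), vsysb is finance (no permit rule, so the default deny applies) and vsysc is administration (the whole 10.3.2.0/24 subnet is permitted). The sample host addresses are constructed, and the parser only understands the handful of commands the lab uses.

```python
"""Added example: first-match evaluation of the lab's vsys security policies plus
the root vsys easy-ip NAT, driven by the CLI transcript lines from the lab."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Strip the "[fw-vsysa-...]" or "<fw-vsysa>" prompt that precedes every command
PROMPT = re.compile(r"^[\[<][^\]>]*[\]>]")


@dataclass
class Rule:
    name: str
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    action: Optional[str] = None
    # inclusive (first, last) source ranges; an empty list matches any source
    src_ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)


def parse_vsys_policy(lines):
    """Collect address-set objects and security-policy rules from transcript lines."""
    address_sets = {}
    rules = []
    current_set = current_rule = None
    for raw in lines:
        tokens = PROMPT.sub("", raw).split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[:2] == ["ip", "address-set"]:
            current_set = address_sets.setdefault(tokens[2], [])
        elif tokens[:2] == ["address", "range"]:
            current_set.append((ipaddress.IPv4Address(tokens[2]), ipaddress.IPv4Address(tokens[3])))
        elif tokens[:2] == ["rule", "name"]:
            current_rule = Rule(name=tokens[2])
            rules.append(current_rule)
        elif tokens[0] == "source-zone":
            current_rule.src_zone = tokens[1]
        elif tokens[0] == "destination-zone":
            current_rule.dst_zone = tokens[1]
        elif tokens[0] == "source-address" and tokens[1] == "address-set":
            current_rule.src_ranges.extend(address_sets[tokens[2]])
        elif tokens[0] == "source-address":  # "source-address 10.3.2.0 24" form
            net = ipaddress.IPv4Network(f"{tokens[1]}/{tokens[2]}", strict=False)
            current_rule.src_ranges.append((net[0], net[-1]))
        elif tokens[0] == "action":
            current_rule.action = tokens[1]
        # interface, zone and route commands do not affect policy matching and are ignored
    return rules


def evaluate(rules, src_ip, src_zone="trust", dst_zone="untrust"):
    """First matching rule wins; traffic no rule matches falls to the default deny."""
    ip = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        if rule.src_zone not in (None, src_zone) or rule.dst_zone not in (None, dst_zone):
            continue
        if rule.src_ranges and not any(lo <= ip <= hi for lo, hi in rule.src_ranges):
            continue
        return rule.action
    return "deny"


# Root vsys NAT rule from the lab: source 10.3.0.0/16, easy-ip on GigabitEthernet 1/0/0 (12.0.0.1)
NAT_SOURCE = ipaddress.IPv4Network("10.3.0.0/16")
EGRESS_IP = "12.0.0.1"


def easy_ip_translate(src_ip):
    """easy-ip rewrites a matching source to the egress interface address; no match, no NAT."""
    return EGRESS_IP if ipaddress.IPv4Address(src_ip) in NAT_SOURCE else None


# Transcript lines copied from the lab configuration (vsysb has no security-policy rule at all)
VSYSA_LINES = """
[fw-vsysa]ip address-set 1 type object
[fw-vsysa-object-address-set-1]address range 10.3.0.1 10.3.0.10
[fw-vsysa]security-policy
[fw-vsysa-policy-security]rule name 1
[fw-vsysa-policy-security-rule-1]source-zone trust
[fw-vsysa-policy-security-rule-1]destination-zone untrust
[fw-vsysa-policy-security-rule-1]source-address address-set 1
[fw-vsysa-policy-security-rule-1]action permit
""".splitlines()
VSYSB_LINES = ["[fw-vsysb]ip route-static 0.0.0.0 0 public"]
VSYSC_LINES = """
[fw-vsysc]security-policy
[fw-vsysc-policy-security]rule name 3
[fw-vsysc-policy-security-rule-3]source-zone trust
[fw-vsysc-policy-security-rule-3]destination-zone untrust
[fw-vsysc-policy-security-rule-3]source-address 10.3.2.0 24
[fw-vsysc-policy-security-rule-3]action permit
""".splitlines()


def department_access(vsys_lines, src_ip):
    """(action inside the vsys, source address the Internet sees) for one constructed host."""
    action = evaluate(parse_vsys_policy(vsys_lines), src_ip)
    return action, (easy_ip_translate(src_ip) if action == "permit" else None)


if __name__ == "__main__":
    for label, lines, host in (("vsysa R&D", VSYSA_LINES, "10.3.0.5"), ("vsysa R&D", VSYSA_LINES, "10.3.0.50"),
                               ("vsysb finance", VSYSB_LINES, "10.3.1.10"), ("vsysc admin", VSYSC_LINES, "10.3.2.77")):
        print(label, host, department_access(lines, host))
```

The two things worth noticing are that vsysb needs no deny rule because an unmatched flow hits the default deny, and that the single root NAT rule with source 10.3.0.0/16 already covers all three department subnets, so every permitted host leaves with the same public address 12.0.0.1.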