Below are the configuration commands for FW1 (FW3 is configured the same way; substitute its own IP addresses, and note the VRRP and HRP role differences called out below).
Enter system view:
<USG6000V1>sys
Configure the IP address of each firewall interface:
[USG6000V1]int g 1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 10.1.2.1 24
[USG6000V1-GigabitEthernet1/0/0]int g 1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 40.1.1.1 24
[USG6000V1-GigabitEthernet1/0/1]int g 1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip address 30.1.1.1 24
Add each firewall interface to its security zone (trust = inside, untrust = outside, dmz = heartbeat link):
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g 1/0/1
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g 1/0/0
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/2
Configure the security policy:
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name p1
[USG6000V1-policy-security-rule-p1]source-zone trust
[USG6000V1-policy-security-rule-p1]destination-zone untrust
[USG6000V1-policy-security-rule-p1]action permit
[USG6000V1-policy-security]default action permit #temporary: lets all inter-zone traffic through so the outside interfaces can ping each other while debugging; once HRP is verified, revert to "default action deny", otherwise every flow not matched by an explicit rule is allowed
Allow ping to the firewall interfaces themselves (service-manage controls traffic destined to the interface, not traffic passing through it):

[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]service-manage enable
[USG6000V1-GigabitEthernet1/0/0]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/0]int g 1/0/1
[USG6000V1-GigabitEthernet1/0/1]service-manage enable
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/1]int g 1/0/2
[USG6000V1-GigabitEthernet1/0/2]service-manage enable
[USG6000V1-GigabitEthernet1/0/2]service-manage ping permit
Configure VRRP groups 1 and 2 and set their state to active (on FW3 use standby instead, so that exactly one firewall owns the virtual IPs):
[USG6000V1]int g 1/0/0
[USG6000V1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 10.1.2.3 255.255.255.0 active
[USG6000V1-GigabitEthernet1/0/0]int g 1/0/1
[USG6000V1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 40.1.1.3 255.255.255.0 active
Specify the heartbeat-link interface:
[USG6000V1]hrp interface GigabitEthernet 1/0/2 remote 30.1.1.1 #the remote address must be the PEER firewall's heartbeat-interface address on the 30.1.1.0/24 link (FW3's g1/0/2), not this firewall's own address; 30.1.1.1 is FW1's own g1/0/2 address configured above, so replace it with FW3's address here and use FW1's 30.1.1.1 as the remote on FW3
Enable dual-machine hot standby (run this on both firewalls). Which device becomes master is decided by the VRRP keyword, not by where hrp enable is entered: FW1, whose VRRP groups are active, becomes the master (its prompt changes to HRP_M), and FW3, whose groups are standby, becomes the backup (prompt HRP_S).
[USG6000V1]hrp enable
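As an added example (not code from the original post), the whole procedure above rendered for both firewalls by a short Python script, together with the cross-checks a practitioner wants before pasting the result in: the heartbeat remote address must be the peer's address, each VRRP virtual IP must be a free address inside the interface subnet, and exactly one side must be active. FW1's addresses are the post's; FW3's addresses (10.1.2.2, 40.1.1.2, 30.1.1.2) are assumed for illustration. The emitted policy ends with default action deny in place of the post's temporary permit.

```python
"""Render and cross-check a mirrored HRP pair for two Huawei USG6000V firewalls.

Added example, not the original post's configuration.  FW1's addresses are the
post's; FW3's addresses 10.1.2.2, 40.1.1.2 and 30.1.1.2 are ASSUMED.
"""
import ipaddress

# Shared per-interface plan: zone, VRRP group and virtual IP (from the post).
PLAN = {
    "GigabitEthernet1/0/0": {"zone": "trust",   "vrid": 1,    "vip": "10.1.2.3"},
    "GigabitEthernet1/0/1": {"zone": "untrust", "vrid": 2,    "vip": "40.1.1.3"},
    "GigabitEthernet1/0/2": {"zone": "dmz",     "vrid": None, "vip": None},  # heartbeat
}
HEARTBEAT = "GigabitEthernet1/0/2"

# Real interface addresses.  FW1 is from the post; FW3 is an assumption.
FW1 = {"name": "FW1", "role": "active",
       "GigabitEthernet1/0/0": "10.1.2.1/24",
       "GigabitEthernet1/0/1": "40.1.1.1/24",
       "GigabitEthernet1/0/2": "30.1.1.1/24"}
FW3 = {"name": "FW3", "role": "standby",
       "GigabitEthernet1/0/0": "10.1.2.2/24",
       "GigabitEthernet1/0/1": "40.1.1.2/24",
       "GigabitEthernet1/0/2": "30.1.1.2/24"}


def validate(own, peer):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if {own["role"], peer["role"]} != {"active", "standby"}:
        problems.append("one firewall must be VRRP active and the other standby")
    for ifname, spec in PLAN.items():
        a = ipaddress.ip_interface(own[ifname])
        b = ipaddress.ip_interface(peer[ifname])
        if a.network != b.network:
            problems.append(f"{ifname}: {a} and {b} are not in the same subnet")
        if a.ip == b.ip:
            problems.append(f"{ifname}: both firewalls use {a.ip}")
        if spec["vip"] is not None:
            vip = ipaddress.ip_address(spec["vip"])
            if vip not in a.network or vip in (a.ip, b.ip):
                problems.append(f"{ifname}: virtual IP {vip} must be a free "
                                f"address in {a.network}")
    return problems


def render(own, peer):
    """Emit the CLI lines for `own`; the HRP remote address is taken from `peer`."""
    lines = ["system-view"]
    for ifname, spec in PLAN.items():
        addr = ipaddress.ip_interface(own[ifname])
        lines += [f"interface {ifname}",
                  f" ip address {addr.ip} {addr.network.prefixlen}",
                  " service-manage enable",        # ping to the interface itself
                  " service-manage ping permit"]
        if spec["vrid"] is not None:              # role keyword differs per box
            lines.append(f" vrrp vrid {spec['vrid']} virtual-ip {spec['vip']} "
                         f"{addr.netmask} {own['role']}")
        lines.append(" quit")
    for ifname, spec in PLAN.items():
        lines += [f"firewall zone {spec['zone']}", f" add interface {ifname}", " quit"]
    # Hardened policy: one explicit trust->untrust permit, everything else denied.
    lines += ["security-policy", " rule name p1", "  source-zone trust",
              "  destination-zone untrust", "  action permit", "  quit",
              " default action deny", " quit"]
    peer_hb = ipaddress.ip_interface(peer[HEARTBEAT]).ip   # the PEER's address
    lines += [f"hrp interface {HEARTBEAT} remote {peer_hb}", "hrp enable"]
    return lines


if __name__ == "__main__":
    for own, peer in ((FW1, FW3), (FW3, FW1)):
        print(f"# ---- {own['name']} ----")
        print("\n".join(render(own, peer)))
    # The post's slip ("remote 30.1.1.1" on FW1 points at FW1 itself), modelled
    # as FW3 sharing FW1's heartbeat address; validate() rejects it.
    bad = {**FW3, HEARTBEAT: "30.1.1.1/24"}
    print(validate(FW1, bad))
```

Run validate() on the pair before render(); the output of render() is pasted into each box from user view, and the second firewall gets the same script output with the roles and addresses swapped, which is exactly what the post summarises as "similar, note the IP addresses differ".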
Note:
For the related NAT policy configuration see the previous chapter;
the related verification and debugging commands will be added in a later update.

If reposting, please keep the source: https://51itzy.com/kjqy/172984.html