The Internet connection goes to an H3C MSR5006 router, which then connects to an H3C SecPath F100-S firewall. The router is already configured; I just don't know how to connect the firewall and

2024-12-02 12:13:28
Recommended answers (3)
Answer 1:

The firewall cannot be used as a transparent firewall; used that way the Layer 3 protection does nothing. This set of devices needs a fully routed environment. Below is a configuration you can use as a reference: MSR5006 as the egress doing NAT ----- F100 in route mode ----- Layer 3 switch
Default parameters are omitted in the configuration below.
dis cu
#
sysname Gateway
#
acl number 2000    (NAT translation rules for the internal subnets)
rule 2 permit source 172.16.112.0 0.0.0.255
rule 3 permit source 172.16.113.0 0.0.0.255
rule 4 permit source 172.16.114.0 0.0.0.255
rule 5 permit source 172.16.115.0 0.0.0.255
rule 6 permit source 172.16.116.0 0.0.0.255
rule 7 permit source 172.16.117.0 0.0.0.255
rule 8 permit source 172.16.118.0 0.0.0.255
rule 9 permit source 172.16.119.0 0.0.0.255
rule 10 permit source 172.16.130.0 0.0.0.255
#
#
interface GigabitEthernet0/0    (port connected to the firewall)
ip address 172.16.112.226 255.255.255.128
#
interface GigabitEthernet0/1    (port connected to the Internet)
ip address x.x.x.x 255.255.255.248
nat outbound 2000
#
interface GigabitEthernet0/2
#
interface GigabitEthernet0/3
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface GigabitEthernet0/0
add interface GigabitEthernet0/2
set priority 85
statistic enable ip inzone
statistic enable ip outzone
#
firewall zone untrust
add interface GigabitEthernet0/1
set priority 5
statistic enable ip inzone
statistic enable ip outzone
#
firewall zone DMZ
set priority 50
#
#
ip route-static 0.0.0.0 0.0.0.0 x.x.x.x preference 60    (default gateway on the Internet side)
ip route-static 172.16.112.0 255.255.255.0 172.16.112.250 preference 60    (internal subnet routes pointing to the firewall)
ip route-static 172.16.113.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.114.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.115.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.116.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.117.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.118.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.119.0 255.255.255.0 172.16.112.250 preference 60
#
firewall defend ip-spoofing
firewall defend land
firewall defend smurf
firewall defend fraggle
firewall defend winnuke
firewall defend icmp-redirect
firewall defend icmp-unreachable
firewall defend source-route
firewall defend route-record
firewall defend tracert
firewall defend ping-of-death
firewall defend tcp-flag
firewall defend ip-fragment
firewall defend large-icmp
firewall defend teardrop
firewall defend ip-sweep
firewall defend port-scan
firewall defend arp-spoofing
firewall defend arp-reverse-query
firewall defend arp-flood
firewall defend frag-flood
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
Firewall
dis cu
#
sysname F100-S
#
firewall packet-filter enable
firewall packet-filter default permit
#
#
interface Aux0
async mode flow
#
interface Ethernet0/0    (port connected to the MSR5006)
ip address 172.16.112.250 255.255.255.128
#
interface Ethernet0/1    (port connected to the internal Layer 3 switch)
ip address 172.16.113.1 255.255.255.0
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/1
add interface Ethernet0/2
set priority 85
#
firewall zone untrust
add interface Ethernet0/0
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
#
ip route-static 0.0.0.0 0.0.0.0 172.16.112.226 preference 60    (default route pointing to the MSR5006)
ip route-static 172.16.114.0 255.255.255.0 172.16.113.2 preference 60    (internal subnets pointing to the Layer 3 switch)
ip route-static 172.16.115.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.116.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.117.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.118.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.119.0 255.255.255.0 172.16.113.2 preference 60
#
firewall defend ip-spoofing
firewall defend land
firewall defend smurf
firewall defend fraggle
firewall defend winnuke
firewall defend icmp-redirect
firewall defend icmp-unreachable
firewall defend source-route
firewall defend route-record
firewall defend tracert
firewall defend ping-of-death
firewall defend tcp-flag
firewall defend ip-fragment
firewall defend large-icmp
firewall defend teardrop
firewall defend ip-sweep
firewall defend port-scan
firewall defend arp-spoofing
firewall defend arp-reverse-query
firewall defend arp-flood
firewall defend frag-flood
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
Layer 3 switch - roughly as follows
#
int vlan 100
ip add 172.16.113.2 255.255.255.0
#
int e1/0/1    (this port connects to the firewall)
port access vlan 100
#
ip rou 0.0.0.0 0.0.0.0 172.16.113.1
#

The rest is your own internal VLAN information. In this configuration that means
172.16.114.0 255.255.255.0
172.16.115.0 255.255.255.0
172.16.116.0 255.255.255.0
172.16.117.0 255.255.255.0
172.16.118.0 255.255.255.0
172.16.119.0 255.255.255.0
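As an added illustration (my own Python, not part of the answer above), a small consistency check over a constructed excerpt of that router configuration: every subnet that NAT ACL 2000 permits should also have a return route on the MSR pointing at the firewall's inside address 172.16.112.250, otherwise replies for that subnet never reach the firewall. The excerpt keeps the mismatch present in the posted config, where 172.16.130.0/24 appears in the ACL but has no static route.

```python
import re
from ipaddress import ip_network, IPv4Network

# Constructed excerpt of the MSR5006 config from the answer above; only the
# lines the check needs are kept, and the x.x.x.x placeholder routes are left out.
ROUTER_CFG = """\
acl number 2000
 rule 2 permit source 172.16.112.0 0.0.0.255
 rule 3 permit source 172.16.113.0 0.0.0.255
 rule 4 permit source 172.16.114.0 0.0.0.255
 rule 10 permit source 172.16.130.0 0.0.0.255
ip route-static 172.16.112.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.113.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.114.0 255.255.255.0 172.16.112.250 preference 60
"""

ACL_RULE = re.compile(r"^\s*rule \d+ permit source (\S+) (\S+)\s*$", re.M)
STATIC_ROUTE = re.compile(r"^\s*ip route-static (\S+) (\S+) (\S+)", re.M)


def nat_sources(cfg: str) -> list[IPv4Network]:
    # Comware ACL rules give a wildcard (host) mask; ipaddress accepts a
    # host mask after the slash, so 0.0.0.255 becomes a /24.
    return [ip_network(f"{addr}/{wild}") for addr, wild in ACL_RULE.findall(cfg)]


def static_routes(cfg: str) -> dict[IPv4Network, str]:
    # Map destination network (prefix form) to its next hop address.
    return {ip_network(f"{dst}/{mask}"): nh for dst, mask, nh in STATIC_ROUTE.findall(cfg)}


def unrouted_nat_sources(cfg: str, firewall_ip: str) -> list[str]:
    """Return NAT-permitted subnets with no static route back via the firewall."""
    routes = static_routes(cfg)
    missing = []
    for src in nat_sources(cfg):
        covered = any(src.subnet_of(dst) and nh == firewall_ip for dst, nh in routes.items())
        if not covered:
            missing.append(str(src))
    return missing


if __name__ == "__main__":
    for net in unrouted_nat_sources(ROUTER_CFG, "172.16.112.250"):
        print(f"NAT ACL permits {net} but the router has no route for it via the firewall")
```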

Answer 2:

The firewall's configuration is a bit like a router's; just treat the firewall as a second-level router and configure it that way and you're done. Give the firewall an IP, go in and finish the configuration, then connect the firewall's four LAN ports to four switches. In other words, assign a fixed IP to the firewall from the router, and the firewall acts as a second-level router.

Answer 3:

Try connecting to port 1 or the last port; the uplink port is usually either the first or the last, most often the last. Run a cable from the upstream switch down to the last port of the switch below it (if that doesn't work, try the first), then chain the rest in the same way!