The external network connects to an H3C MSR5006 router, which in turn connects to an H3C SecPath F100-S firewall. The router is already configured. What I don't know is how to connect the firewall to the router: the firewall has four Ethernet ports and no WAN port. How should I configure it? I can log in to the firewall's web interface. The firewall then needs to connect to two 24-port Layer 3 switches. Experts, please explain in detail. Thanks!
3 answers
The firewall cannot be used as a transparent firewall; used that way its Layer 3 protection does nothing. This set of equipment needs a fully routed environment. Below is a configuration you can use as a reference: MSR5006 as the egress doing NAT ----- F100 in route mode ----- Layer 3 switch
The following configuration omits the default parameters.
<Gateway>dis cu
#
sysname Gateway
#
acl number 2000 (NAT rule set for the internal network)
rule 2 permit source 172.16.112.0 0.0.0.255
rule 3 permit source 172.16.113.0 0.0.0.255
rule 4 permit source 172.16.114.0 0.0.0.255
rule 5 permit source 172.16.115.0 0.0.0.255
rule 6 permit source 172.16.116.0 0.0.0.255
rule 7 permit source 172.16.117.0 0.0.0.255
rule 8 permit source 172.16.118.0 0.0.0.255
rule 9 permit source 172.16.119.0 0.0.0.255
rule 10 permit source 172.16.130.0 0.0.0.255
#
#
interface GigabitEthernet0/0 (port connecting to the firewall)
ip address 172.16.112.226 255.255.255.128
#
interface GigabitEthernet0/1 (connects to the external network)
ip address x.x.x.x 255.255.255.248
nat outbound 2000
#
interface GigabitEthernet0/2
#
interface GigabitEthernet0/3
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface GigabitEthernet0/0
add interface GigabitEthernet0/2
set priority 85
statistic enable ip inzone
statistic enable ip outzone
#
firewall zone untrust
add interface GigabitEthernet0/1
set priority 5
statistic enable ip inzone
statistic enable ip outzone
#
firewall zone DMZ
set priority 50
#
#
ip route-static 0.0.0.0 0.0.0.0 x.x.x.x preference 60 (default gateway to the external network)
ip route-static 172.16.112.0 255.255.255.0 172.16.112.250 preference 60 (internal subnet routes point to the firewall)
ip route-static 172.16.113.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.114.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.115.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.116.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.117.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.118.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.119.0 255.255.255.0 172.16.112.250 preference 60
#
firewall defend ip-spoofing
firewall defend land
firewall defend smurf
firewall defend fraggle
firewall defend winnuke
firewall defend icmp-redirect
firewall defend icmp-unreachable
firewall defend source-route
firewall defend route-record
firewall defend tracert
firewall defend ping-of-death
firewall defend tcp-flag
firewall defend ip-fragment
firewall defend large-icmp
firewall defend teardrop
firewall defend ip-sweep
firewall defend port-scan
firewall defend arp-spoofing
firewall defend arp-reverse-query
firewall defend arp-flood
firewall defend frag-flood
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
Firewall
<F100-S>dis cu
#
sysname F100-S
#
firewall packet-filter enable
firewall packet-filter default permit
#
#
interface Aux0
async mode flow
#
interface Ethernet0/0 (port connecting to the MSR5006)
ip address 172.16.112.250 255.255.255.128
#
interface Ethernet0/1 (port connecting to the internal Layer 3 switch)
ip address 172.16.113.1 255.255.255.0
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/1
add interface Ethernet0/2
set priority 85
#
firewall zone untrust
add interface Ethernet0/0
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
#
ip route-static 0.0.0.0 0.0.0.0 172.16.112.226 preference 60 (default route points to the MSR5006)
ip route-static 172.16.114.0 255.255.255.0 172.16.113.2 preference 60 (internal subnets point to the Layer 3 switch)
ip route-static 172.16.115.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.116.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.117.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.118.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.119.0 255.255.255.0 172.16.113.2 preference 60
#
firewall defend ip-spoofing
firewall defend land
firewall defend smurf
firewall defend fraggle
firewall defend winnuke
firewall defend icmp-redirect
firewall defend icmp-unreachable
firewall defend source-route
firewall defend route-record
firewall defend tracert
firewall defend ping-of-death
firewall defend tcp-flag
firewall defend ip-fragment
firewall defend large-icmp
firewall defend teardrop
firewall defend ip-sweep
firewall defend port-scan
firewall defend arp-spoofing
firewall defend arp-reverse-query
firewall defend arp-flood
firewall defend frag-flood
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
Layer 3 switch - roughly:
#
int vlan 100
ip add 172.16.113.2 255.255.255.0
#
int e1/0/1 (this port connects to the firewall)
port access vlan 100
#
ip rou 0.0.0.0 0.0.0.0 172.16.113.1
#
The rest is your own internal VLAN information, which in this configuration means:
172.16.114.0 255.255.255.0
172.16.115.0 255.255.255.0
172.16.116.0 255.255.255.0
172.16.117.0 255.255.255.0
172.16.118.0 255.255.255.0
172.16.119.0 255.255.255.0
Reference: network engineer at H3C Gold Partner Shenyang Saimo - solving it for you!
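A consistency check for the three-box design in the answer above, added here as an example and not part of the original answer or of any H3C tool. It parses constructed copies of the MSR5006, F100-S and switch snippets (Chinese annotations removed; the page's x.x.x.x public block replaced by the documentation placeholder 203.0.113.0/29) and verifies what has to hold for the routed design to work: every static next hop sits in a connected subnet, the firewall's default route lands on the router and the switch's on the firewall, and every inside subnet the firewall hands to the switch has both a return route on the router and a NAT ACL entry. It also reports the F100's packet-filter default action, because with `firewall packet-filter default permit` the firewall forwards everything until explicit rules are added between zones. The parsing of `ip address`, `ip route-static` and `rule ... permit source` lines is this example's own assumption about the Comware syntax shown on the page.

```python
import ipaddress

# Constructed copies of the three configs from the answer above (annotations
# removed; the page's x.x.x.x public block replaced by placeholder 203.0.113.0/29).
ROUTER_CFG = """\
acl number 2000
rule 2 permit source 172.16.112.0 0.0.0.255
rule 3 permit source 172.16.113.0 0.0.0.255
rule 4 permit source 172.16.114.0 0.0.0.255
rule 5 permit source 172.16.115.0 0.0.0.255
rule 6 permit source 172.16.116.0 0.0.0.255
rule 7 permit source 172.16.117.0 0.0.0.255
rule 8 permit source 172.16.118.0 0.0.0.255
rule 9 permit source 172.16.119.0 0.0.0.255
rule 10 permit source 172.16.130.0 0.0.0.255
interface GigabitEthernet0/0
ip address 172.16.112.226 255.255.255.128
interface GigabitEthernet0/1
ip address 203.0.113.2 255.255.255.248
nat outbound 2000
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 preference 60
ip route-static 172.16.112.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.113.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.114.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.115.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.116.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.117.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.118.0 255.255.255.0 172.16.112.250 preference 60
ip route-static 172.16.119.0 255.255.255.0 172.16.112.250 preference 60
"""
FIREWALL_CFG = """\
firewall packet-filter enable
firewall packet-filter default permit
interface Ethernet0/0
ip address 172.16.112.250 255.255.255.128
interface Ethernet0/1
ip address 172.16.113.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 172.16.112.226 preference 60
ip route-static 172.16.114.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.115.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.116.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.117.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.118.0 255.255.255.0 172.16.113.2 preference 60
ip route-static 172.16.119.0 255.255.255.0 172.16.113.2 preference 60
"""
SWITCH_CFG = """\
int vlan 100
ip add 172.16.113.2 255.255.255.0
ip rou 0.0.0.0 0.0.0.0 172.16.113.1
"""

def parse(cfg):
    """Pull interfaces, static routes, NAT ACL sources and the packet-filter default."""
    dev = {"ifaces": [], "routes": [], "acl": [], "pf_default": None}
    for line in cfg.splitlines():
        w = line.split()
        if len(w) >= 4 and w[0] == "ip" and w[1] in ("address", "add"):
            dev["ifaces"].append(ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
        elif len(w) >= 5 and w[0] == "ip" and w[1] in ("route-static", "rou"):
            dev["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"),
                                  ipaddress.ip_address(w[4])))
        elif w[:1] == ["rule"] and "source" in w:  # ACL wildcard parses as a hostmask
            i = w.index("source")
            dev["acl"].append(ipaddress.ip_network(f"{w[i + 1]}/{w[i + 2]}"))
        elif w[:3] == ["firewall", "packet-filter", "default"]:
            dev["pf_default"] = w[3]
    return dev

def unreachable_next_hops(dev):
    """Static routes whose next hop lies in no connected subnet (they stay inactive)."""
    nets = [i.network for i in dev["ifaces"]]
    return [f"{d} via {nh}" for d, nh in dev["routes"] if not any(nh in n for n in nets)]

def default_route_points_at(dev, peer):
    """True if dev's default route is handed to one of peer's interface addresses."""
    peer_addrs = {i.ip for i in peer["ifaces"]}
    return any(d.prefixlen == 0 and nh in peer_addrs for d, nh in dev["routes"])

def path_gaps(router, firewall):
    """Inside subnets the firewall routes to the switch need a return route on the router
    (next hop = firewall) and a NAT ACL entry; also list ACL entries with no route back."""
    inside = {d for d, _ in firewall["routes"] if d.prefixlen}
    fw_addrs = {i.ip for i in firewall["ifaces"]}
    back = {d for d, nh in router["routes"] if nh in fw_addrs}
    known = back | {i.network for i in router["ifaces"]}
    return {"no_router_route": sorted(map(str, inside - back)),
            "no_nat_rule": sorted(map(str, inside - set(router["acl"]))),
            "nat_without_route": sorted(map(str, set(router["acl"]) - known))}

def audit():
    rtr, fw, sw = parse(ROUTER_CFG), parse(FIREWALL_CFG), parse(SWITCH_CFG)
    return {"unreachable": {n: unreachable_next_hops(d) for n, d in
                            (("router", rtr), ("firewall", fw), ("switch", sw))},
            "fw_default_to_router": default_route_points_at(fw, rtr),
            "sw_default_to_firewall": default_route_points_at(sw, fw),
            "gaps": path_gaps(rtr, fw),
            "firewall_default_action": fw["pf_default"]}

if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the page's own numbers the checks pass: every next hop is directly connected, both default routes land on the intended upstream box, and all six switch-side subnets are routed back through the firewall and matched by ACL 2000. The one thing it flags is rule 10 for 172.16.130.0/24, which the router has no route back to, so that ACL entry can never carry a working session; the `permit` default action is reported so the reader remembers that the zones are wide open until interzone rules are written.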
Configuring the firewall is a bit like configuring a router; just treat the firewall as a second-level router and it's OK. Give the firewall an IP, go in and finish the configuration, and then connect the firewall's four LAN ports to four switches. In other words, assign a fixed IP to the firewall on the router, and the firewall acts as a second-level router.
Follow-up question
How do I configure an IP on the firewall? In that case, do I need to change transparent mode to route mode?
Follow-up answer
Yes, just treat it as a second-level router, and then connect all the other switches to the firewall.
Try connecting to port 1 or the last port; the uplink (cascade) port is usually either the first or the last, most often the last. Run a cable from the upper-level switch down to the last port of the switch below (if that doesn't work, try the first), and then chain the rest the same way!
Follow-up question
I have already set the firewall to transparent mode. Port 0/0 can access the web page, but the other three ports cannot. Following your idea, I connected the router to 0/0 and 0/3 and then tried to reach the external network from the other ports, but it failed.