26 H3C Firewall Security Zones - CSDN Blog
Goal: allow communication between different security zones.
1 Configure IP addresses on the firewall
Configure the IP addresses from the web UI
2 Configure the matching IP addresses on the PCs (an interface that is meant to be in use must actually be enabled; double-check the IP address, subnet mask and gateway)
3 Add each interface whose IP address was configured to its security zone
Zones can be created in the web UI
Or from the command line
4 Test that the firewall can reach IP addresses in its directly connected subnets
5 Create objects on the firewall; their purpose is to make policies easier to manage. (Decide what the object's name is, and whether your entry is a single IP address or a subnet.)
Address object types: subnet, object group, IP address range, host IP address, host name, IP address/subnet mask
- Subnet: in computer networking, a subnet (network segment) is the set of hosts that share the same network address. A subnet can contain many hosts, and those hosts communicate with one another using that common network address.
- Object group: an object group collects related items (hosts, services, IP addresses and so on) so that they can be managed and configured together and assigned to particular users or user groups. Grouping related information this way makes management and control easier.
- IP address range: a contiguous run of IP addresses, usually used to specify the usable addresses for a group of hosts. For example, 192.168.0.1-192.168.0.10 denotes the ten addresses from 192.168.0.1 through 192.168.0.10.
- Host IP address: the unique identifier of a host on the network. An IP address uniquely determines a host's location and identity.
- Host name: the name of a host on the network. Host names are easier for people to remember and use, and serve as an alias for the host.
- IP address/subnet mask: used together to determine which subnet a host belongs to. The IP address identifies the host; the subnet mask defines the extent of the subnet.
- Firewall object: a concept used when configuring firewall rules. A firewall object can be an IP address, an IP address range, a host name, a subnet, etc., and identifies a particular host or service on the network. Configuring firewall objects makes rule management and control easier and improves both security and administrative efficiency.
Time range management:
6 Create security policies so that the zones can communicate
01 General settings
02 Services
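Steps 3, 5 and 6 above (zones, address objects, and the rules that reference them) carried into a small offline audit. This is an added example, mine rather than code from the post or from H3C. It re-uses a handful of the object-groups and rules from the script section of this post, adds one subnet/range object of my own named TRUST-LAN, and assumes the Comware spellings `network subnet` and `network range` for the non-host object kinds listed in step 5 (the post's own config uses only `network host address`). It does three things worth doing before trusting a zone policy: parse objects and rules in config order, flag rule members bound to a zone the rule does not name (rules 7 and 8 in the post both list PC3, which is bound to Untrust, under destination-zone NASS), and evaluate which rule a given flow would hit.

```python
import ipaddress
import re

# Constructed sample: a subset of the object-groups and security-policy rules
# from the script section of the post (names as in that config) plus one
# subnet/range object of my own, TRUST-LAN.  The "network subnet" and
# "network range" lines are my assumption of the Comware syntax; the post's
# own config only uses "network host address".
CONFIG = """
object-group ip address PC1
security-zone Trust
0 network host address 192.168.2.1
object-group ip address PC2
security-zone Trust
0 network host address 192.168.1.1
object-group ip address PC3
security-zone Untrust
0 network host address 10.58.142.2
object-group ip address PC5
security-zone NASS
0 network host address 10.58.143.2
object-group ip address TRUST-LAN
security-zone Trust
0 network subnet 192.168.1.0 255.255.255.0
1 network range 192.168.2.1 192.168.2.10
security-policy ip
rule 7 name PC1去往外网地址NASS
action pass
source-zone Trust
destination-zone NASS
source-ip PC1
destination-ip PC3
rule 8 name PC2去往外网地址NASS
action pass
source-zone Trust
destination-zone NASS
source-ip PC2
destination-ip PC3
destination-ip PC5
"""

def parse_config(text):
    """Parse object-groups and security-policy rules, in config order."""
    objects, rules, cur = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"object-group ip address (.+)", line):
            cur = objects[m[1]] = {"zone": None, "members": []}
        elif m := re.fullmatch(r"rule (\d+) name (.+)", line):
            cur = {"id": int(m[1]), "name": m[2], "action": "deny", "source-zone": set(),
                   "destination-zone": set(), "source-ip": set(), "destination-ip": set()}
            rules.append(cur)
        elif not line or line == "#" or cur is None:
            continue
        elif "members" in cur:  # inside an object-group: zone binding and address entries
            if m := re.fullmatch(r"security-zone (\S+)", line):
                cur["zone"] = m[1]
            elif m := re.fullmatch(r"\d+ network host address (\S+)", line):
                cur["members"].append(ipaddress.ip_network(m[1]))
            elif m := re.fullmatch(r"\d+ network subnet (\S+) (\S+)", line):
                cur["members"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
            elif m := re.fullmatch(r"\d+ network range (\S+) (\S+)", line):
                cur["members"] += ipaddress.summarize_address_range(
                    ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        else:  # inside a rule: action, zones and the objects it references
            key, _, val = line.partition(" ")
            if key == "action":
                cur["action"] = val
            elif key in cur:
                cur[key].add(val)
    return objects, rules

def object_contains(objects, name, ip):
    """True when ip falls inside any member (host, subnet or range) of the object."""
    return any(ipaddress.ip_address(ip) in n for n in objects[name]["members"])

def zone_mismatches(objects, rules):
    """(rule id, side, object, bound zone) for members whose zone binding is not
    among the rule's zones on that side: the binding and the rule cannot both
    describe the same traffic, so the member is dead config until one is fixed."""
    return [(r["id"], side, name, objects[name]["zone"])
            for r in rules for side in ("source", "destination")
            for name in sorted(r[f"{side}-ip"])
            if objects[name]["zone"] and objects[name]["zone"] not in r[f"{side}-zone"]]

def match_rule(objects, rules, src_zone, dst_zone, src_ip, dst_ip):
    """First rule (config order) whose zones and address objects all match the
    flow, or None when nothing matches (treated here as an implicit deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)

    def hit(names, ip):  # a rule with no objects on one side means "any"
        return not names or any(ip in n for o in names for n in objects[o]["members"])

    for r in rules:
        if ((not r["source-zone"] or src_zone in r["source-zone"])
                and (not r["destination-zone"] or dst_zone in r["destination-zone"])
                and hit(r["source-ip"], src) and hit(r["destination-ip"], dst)):
            return r
    return None
```

Rule 10 later in the post is named PC7-PC2 while its destination object is PC1; the device checks nothing about names, so a name-versus-content read-through belongs alongside the zone check above.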
Test:
PC1: full connectivity to all networks
PC5: reach all zones
[H3C]ping 10.58.142.254
Ping 10.58.142.254 (10.58.142.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.142.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.142.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.58.142.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul 7 14:45:47:808 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.142.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
ping 10.58.143.254
Ping 10.58.143.254 (10.58.143.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.143.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.143.254: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.58.143.254: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 10.58.143.254: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 10.58.143.254: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 10.58.143.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms
[H3C]%Jul 7 14:45:54:615 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.143.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms.
[H3C]
[H3C]ping 10.58.144.254
Ping 10.58.144.254 (10.58.144.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.144.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.144.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.58.144.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul 7 14:46:05:772 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
[H3C]ping 10.58.144.2
Ping 10.58.144.2 (10.58.144.2): 56 data bytes, press CTRL_C to break
--- Ping statistics for 10.58.144.2 ---
1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Jul 7 14:46:12:034 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.2: 1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
[H3C]ping 10.58.144.2
Ping 10.58.144.2 (10.58.144.2): 56 data bytes, press CTRL_C to break
Request time out
Request time out
--- Ping statistics for 10.58.144.2 ---
3 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Jul 7 14:48:32:225 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.2: 3 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
[H3C]
[H3C]ping 192.168.1.254
Ping 192.168.1.254 (192.168.1.254): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.254: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.1.254: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 192.168.1.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.400/2.000/0.800 ms
[H3C]%Jul 7 14:48:43:191 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.1.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.400/2.000/0.800 ms.
[H3C]ping 192.168.1.1
Ping 192.168.1.1 (192.168.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.1.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=0.000 ms
56 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 192.168.1.1: icmp_seq=3 ttl=254 time=0.000 ms
56 bytes from 192.168.1.1: icmp_seq=4 ttl=254 time=0.000 ms
--- Ping statistics for 192.168.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.400/1.000/0.490 ms
[H3C]%Jul 7 14:48:47:001 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.400/1.000/0.490 ms.
[H3C]ping 192.168.3.254
Ping 192.168.3.254 (192.168.3.254): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.3.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.3.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.3.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.3.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.3.254: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 192.168.3.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul 7 14:48:52:843 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.3.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
ping 192.168.3.1
Ping 192.168.3.1 (192.168.3.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.3.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 192.168.3.1: icmp_seq=4 ttl=254 time=1.000 ms
--- Ping statistics for 192.168.3.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms
[H3C]%Jul 7 14:48:56:515 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.3.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms.
[H3C]ping 192.168.2.1
Ping 192.168.2.1 (192.168.2.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=1.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms
[H3C]%Jul 7 14:49:01:531 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.000/1.000/0.000 ms.
[H3C]ping 192.168.2.254
Ping 192.168.2.254 (192.168.2.254): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.2.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.2.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.2.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.2.254: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 192.168.2.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
%Jul 7 14:49:06:629 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.2.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
[H3C]
[H3C]ping 192.168.0.1
Ping 192.168.0.1 (192.168.0.1): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.0.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.0.1: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.0.1: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
[H3C]%Jul 7 14:49:12:479 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms.
[H3C]ping 192.168.0.43
Ping 192.168.0.43 (192.168.0.43): 56 data bytes, press CTRL_C to break
--- Ping statistics for 192.168.0.43 ---
1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Jul 7 14:49:17:622 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.0.43: 1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
[H3C]
[H3C]ping 10.58.143.2
Ping 10.58.143.2 (10.58.143.2): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.143.2: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 10.58.143.2: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 10.58.143.2: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 10.58.143.2: icmp_seq=3 ttl=254 time=0.000 ms
56 bytes from 10.58.143.2: icmp_seq=4 ttl=254 time=1.000 ms
--- Ping statistics for 10.58.143.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms
[H3C]%Jul 7 14:49:32:076 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.143.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms.
[H3C]ping 10.58.144.254
Ping 10.58.144.254 (10.58.144.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.144.254: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.58.144.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
[H3C]%Jul 7 14:49:49:818 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms.
[H3C]ping 10.58.142.254
Ping 10.58.142.254 (10.58.142.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.142.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.142.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.142.254: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.58.142.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul 7 14:49:56:110 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.142.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
[H3C]ping 10.58.144.2
Ping 10.58.144.2 (10.58.144.2): 56 data bytes, press CTRL_C to break
Request time out
--- Ping statistics for 10.58.144.2 ---
2 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[H3C]%Jul 7 14:50:24:092 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.2: 2 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
[H3C]
[H3C]ping 10.58.144.254
Ping 10.58.144.254 (10.58.144.254): 56 data bytes, press CTRL_C to break
56 bytes from 10.58.144.254: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.58.144.254: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 10.58.144.254: icmp_seq=4 ttl=255 time=0.000 ms
--- Ping statistics for 10.58.144.254 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms
[H3C]%Jul 7 14:50:28:920 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.254: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.200/1.000/0.400 ms.
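The test runs above end in PING_STATISTICS log lines, which are easier to check mechanically than the per-reply output. As an added example (mine, not from the post or from H3C), the parser below reads those lines and compares the targets that answered against the list of targets the policy is meant to reach; the three sample lines are copied from the output above, and the expected-target list is constructed for the test.

```python
import re

# Constructed sample: three PING_STATISTICS lines copied from the test output
# above, in the firewall's own log format.
SAMPLE_LOG = """\
%Jul 7 14:46:12:034 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.144.2: 1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
%Jul 7 14:49:17:622 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 192.168.0.43: 1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
%Jul 7 14:49:32:076 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 10.58.143.2: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.000/0.800/1.000/0.400 ms.
"""

STATS_RE = re.compile(
    r"PING/6/PING_STATISTICS: Ping statistics for (?P<target>\S+): "
    r"(?P<tx>\d+) packet\(s\) transmitted, (?P<rx>\d+) packet\(s\) received, "
    r"(?P<loss>[\d.]+)% packet loss"
    r"(?:, round-trip min/avg/max/std-dev = (?P<rtt>[\d./]+) ms)?")

def parse_ping_log(text):
    """One dict per PING_STATISTICS line: target, tx, rx, loss (%) and avg RTT
    in ms (None when the round-trip part is absent, i.e. nothing answered)."""
    results = []
    for line in text.splitlines():
        m = STATS_RE.search(line)
        if not m:
            continue
        rtt = m["rtt"].split("/") if m["rtt"] else None
        results.append({"target": m["target"], "tx": int(m["tx"]), "rx": int(m["rx"]),
                        "loss": float(m["loss"]), "avg_ms": float(rtt[1]) if rtt else None})
    return results

def unreachable(results, expected):
    """Expected targets that never answered, plus expected targets that were not
    tested at all: the gap between the test run and the policy's intent."""
    seen = {r["target"]: r for r in results}
    return sorted(t for t in expected if t not in seen or seen[t]["rx"] == 0)
```

A target in the unreachable list does not by itself mean the security policy blocked it; a host that is down or misconfigured (step 2 above) produces the same 100% loss, so the policy hit-count on the device is the next thing to check.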
Script
#
version 7.1.064, Alpha 7164
#
sysname FW-ZONE
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
object-group ip address ISP区域出口网关
security-zone isp
0 network host address 192.168.3.254
#
object-group ip address NASS区域02
security-zone NASS
0 network host address 10.58.144.254
#
object-group ip address NASS区域防护墙出口01
security-zone NASS
0 network host address 10.58.143.254
#
object-group ip address PC1
security-zone Trust
0 network host address 192.168.2.1
#
object-group ip address PC1防火墙出口网关
description 防火墙内网区域地址
security-zone Trust
0 network host address 192.168.1.254
object 0 description PC1
#
object-group ip address PC2
security-zone Trust
0 network host address 192.168.1.1
#
object-group ip address PC2防火墙出口网关
description 防火墙内网区域地址
security-zone Trust
0 network host address 192.168.2.254
object 0 description PC2
#
object-group ip address PC3
security-zone Untrust
0 network host address 10.58.142.2
#
object-group ip address PC4
security-zone isp
0 network host address 192.168.3.1
#
object-group ip address PC5
security-zone NASS
0 network host address 10.58.143.2
#
object-group ip address PC7
security-zone NASS
0 network host address 10.58.144.2
#
object-group ip address WEB
security-zone DMZ
0 network host address 192.168.0.45
#
object-group ip address 防护墙管理地址
security-zone DMZ
0 network host address 192.168.0.1
#
object-group ip address 防火墙外网出口网关
security-zone Untrust
0 network host address 10.58.142.254
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.1.254 255.255.255.0
ip address 192.168.1.6 255.255.255.0 sub
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/1
port link-mode route
description 管理接口
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 192.168.2.254 255.255.255.0
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 192.168.3.254 255.255.255.0
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
shutdown
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/5
port link-mode route
combo enable copper
ip address 10.58.142.254 255.255.255.0
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/6
port link-mode route
combo enable copper
ip address 10.58.143.254 255.255.255.0
#
interface GigabitEthernet1/0/7
port link-mode route
combo enable copper
ip address 10.58.144.254 255.255.255.0
#
interface GigabitEthernet1/0/8
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/9
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/10
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/11
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/12
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/13
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/14
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/15
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/20
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/21
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/22
port link-mode route
combo enable copper
#
interface GigabitEthernet1/0/23
port link-mode route
combo enable copper
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/4
import interface GigabitEthernet1/0/5
#
security-zone name Management
import interface GigabitEthernet1/0/1
#
security-zone name hello
#
security-zone name isp
import interface GigabitEthernet1/0/3
#
security-zone name ISP2
#
security-zone name NASS
import interface GigabitEthernet1/0/6
import interface GigabitEthernet1/0/7
#
zone-pair security source Trust destination Untrust
packet-filter 3001
packet-filter 3002
packet-filter 3003
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
#
line vty 5 63
user-role network-operator
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
acl advanced 3002
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 10.58.142.0 0.0.0.255
#
acl advanced 3003
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 10.58.142.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$1oUcwMteE/rJ72TU$RiIijBkXKTS+QDwyCS40a6wI7+ORtl3K3xG/SzalxsblSLJrjEj9QjXQ0uv2d4eScyDMjSAlxIKwHNHGAfPW8Q==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user root class manage
password hash $h$6$0sgd0nnThKQb5NMG$ThvZMWskPhv5BMYnNLx7E47mdrCfB5cv22mcTbpamc+c33bvkUSN2O0BrLtPplBRmnCVCdPPJiS1hM29f0OCxw==
access-limit 1000
service-type ftp
service-type pad ssh telnet terminal http https
authorization-attribute work-directory slot1#flash:
authorization-attribute user-role network-admin
#
ip http enable
ip https enable
#
security-policy ip
rule 0 name PC1去往外网地址PC4
action pass
source-zone Trust
destination-zone Untrust
source-ip PC1
destination-ip PC3
rule 1 name PC1去往外网地址PC2
action pass
source-zone Trust
destination-zone Trust
source-ip PC1
destination-ip PC2
rule 2 name PC1去往ISP区域
action pass
source-zone Trust
destination-zone isp
source-ip PC1
destination-ip PC4
rule 3 name PC2去往外网地址PC4
action pass
source-zone Trust
destination-zone Untrust
source-ip PC2
destination-ip PC3
rule 4 name PC2去往PC1
action pass
source-zone Trust
destination-zone Trust
source-ip PC2
destination-ip PC1
rule 5 name PC2去往ISP区域
action pass
source-zone Trust
destination-zone isp
source-ip PC2
destination-ip PC4
rule 6 name 外网访问内网区域
action pass
source-zone Untrust
destination-zone isp
destination-zone Trust
destination-zone DMZ
source-ip PC3
destination-ip PC1
destination-ip PC2
destination-ip PC4
destination-ip 防护墙管理地址
rule 7 name PC1去往外网地址NASS
action pass
source-zone Trust
destination-zone NASS
source-ip PC1
destination-ip PC3
destination-ip NASS区域02
destination-ip NASS区域防护墙出口01
rule 8 name PC2去往外网地址NASS
action pass
source-zone Trust
destination-zone NASS
source-ip PC2
destination-ip PC3
destination-ip NASS区域02
destination-ip NASS区域防护墙出口01
destination-ip PC5
destination-ip PC7
#
return
rule 8 name PC2去往外网地址NASS
action pass
source-zone Trust
destination-zone NASS
source-ip PC2
destination-ip PC3
destination-ip NASS区域02
destination-ip NASS区域防护墙出口01
destination-ip PC5
destination-ip PC7
- rule 8: the rule number; this is the eighth rule.
- name PC2去往外网地址NASS: the rule's name, indicating that it covers traffic from PC2 (probably a computer on the internal network) to NASS (probably an external network address or service).
- action pass: the rule's action is pass, meaning traffic that matches it is allowed through.
- source-zone Trust: the source zone is Trust, which usually means the network zone the source device sits in is regarded as trusted.
- destination-zone NASS: the destination zone is NASS, which may be a specific external network or service zone.
- source-ip PC2: the traffic's source IP address is PC2.
- destination-ip: followed by several destination IP addresses; these are the destinations PC2 is allowed to communicate with. They may represent different network devices or services:
  - PC3: another internal or external computer.
  - NASS区域02: the second NASS zone, possibly a specific subnet or network segment.
  - NASS区域防护墙出口01: an exit point of the NASS zone, possibly a firewall or router.
  - PC5 and PC7: the IP addresses of two other computers.
rule 10 name PC7-PC2
action pass
source-zone NASS
destination-zone Trust
source-ip PC7
destination-ip PC1
#
object-group ip address ISP区域出口网关
security-zone isp
0 network host address 192.168.3.254
#
object-group ip address NASS区域02
security-zone NASS
0 network host address 10.58.144.254
#
object-group ip address NASS区域防护墙出口01
security-zone NASS
0 network host address 10.58.143.254
#
object-group ip address PC1
security-zone Trust
0 network host address 192.168.2.1
#
object-group ip address PC1防火墙出口网关
description 防火墙内网区域地址
security-zone Trust
0 network host address 192.168.1.254
object 0 description PC1
#
object-group ip address PC2
security-zone Trust
0 network host address 192.168.1.1
#
object-group ip address PC2防火墙出口网关
description 防火墙内网区域地址
security-zone Trust
0 network host address 192.168.2.254
object 0 description PC2
#
object-group ip address PC3
security-zone Untrust
0 network host address 10.58.142.2
#
object-group ip address PC4
security-zone isp
0 network host address 192.168.3.1
#
object-group ip address PC5
security-zone NASS
0 network host address 10.58.143.2
#
object-group ip address PC7
security-zone NASS
0 network host address 10.58.144.2
#
object-group ip address WEB
security-zone DMZ
0 network host address 192.168.0.45
#
object-group ip address PC3
security-zone Untrust
0 network host address 10.58.142.2
- object-group ip address PC3: defines an IP address object group named "PC3". Object groups are how network devices organize and group related network objects (IP addresses, MAC addresses and so on).
- security-zone Untrust: specifies that the "PC3" object group belongs to the "Untrust" security zone. In many network policies the Untrust zone refers to an untrusted network area, such as an external network or the Internet.
- 0 network host address 10.58.142.2: the specific network entry contained in the "PC3" object group. The "0" is likely an index or identifier that uniquely identifies the entry within the group; "network host" indicates the entry is for a single host; "address 10.58.142.2" is the IP address the group contains, namely 10.58.142.2.