案例四:如果想限制某些终端能上网,哪些不能上网有什么方法呢?
实际中有这样的需求,客户那边希望某些区域只能boss上网或者boss随时都可以上,但是员工需要休息时间才能上,针对这样的需求我们来看看怎么去实现!
采用正常配置模式的步骤与思路
(1)防火墙确定好内外网接口,配置对应的对接方式以及加入安全区域,开启DHCP
(2)关于只让某一个能够上网或者不上网,在防火墙里面控制有两个办法,第一个是控制IP,第二个是控制MAC,如果我们要控制IP的话 就需要在DHCP静态绑定,这样保证每次获取的IP是同一个,MAC的话直接安全策略输入即可。
(3)根据需求跟规划配置对应的安全策略与NAT策略
(4)如果涉及到基于时间的策略,那么一定要确保防火墙的时间是正确的。
整体配置
#
dhcp enable
#
#
interface
GigabitEthernet1/0/0
undo shutdown
ip address 192.168.101.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
dhcp select interface
dhcp server ip-range 192.168.101.1 192.168.101.254
dhcp server gateway-list 192.168.101.254
dhcp server dns-list 223.5.5.5 114.114.114.114
#
interface
GigabitEthernet1/0/1
undo shutdown
ip address 192.168.102.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
dhcp select interface
dhcp server ip-range 192.168.102.1 192.168.102.254
dhcp server gateway-list 192.168.102.254
dhcp server
static-bind ip-address 192.168.102.250 mac-address 5489-9843-18af
dhcp server dns-list 223.5.5.5 114.114.114.114
#
interface
GigabitEthernet1/0/2
undo shutdown
ip address dhcp-alloc
#
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
#
ip address-set 不允许上网
type object
address 0 192.168.102.250 mask 32
#
ip address-set 102允许上网
type object
address 0 192.168.102.0 mask 24
#
ip address-set
BOSS_server type object
address 0 5489-9864-0d2c
address 1 192.168.101.249 mask 32
#
ip address-set 101网段
type object
address 0 192.168.101.0 mask 24
#
time-range 休息时间
period-range 12:00:00 to 13:30:00 working-day
#
security-policy
rule name PC4_deny_internet
source-zone trust
destination-zone untrust
source-address address-set 不允许上网
action deny
rule name 允许102其他上网
source-zone trust
destination-zone untrust
source-address address-set 102允许上网
action permit
rule name Local_any
source-zone local
action permit
rule name BOSS
source-zone trust
destination-zone untrust
source-address address-set BOSS_server
action permit
rule name 休息时间允许上网
source-zone trust
destination-zone untrust
source-address address-set 101网段
time-range 休息时间
action permit
#
nat-policy
rule name 允许上网
source-zone trust
destination-zone untrust
action source-nat easy-ip
容易忽略的点
(1)内网根据客户的需求是划分在同一个网段还是不同网段,如果是同一个网段要把接口切换成二层,然后配置VLANIF,在开DHCP(上面案例演示的是不同网段)
(2)在DHCP静态绑定里面,如果这个绑定的主机MAC已经分配到了一个IP,必须先清空该数据,在进行绑定(用命令行reset ip pool interface GigabitEthernet1/0/1 192.168.101.250释放掉该MAC绑定的IP )
3)安全策略的顺序,一定要从精细到粗犷的顺序来规划配置。