安全策略实验
1.拓扑图
2.需求分析
需求:
1.VLAN 2属于办公区,VLAN 3属于生产区
2.办公区PC在工作日时间(周一至周五,早8到晚6)可以正常访问OA server其他时间不允许
3.办公区PC可以在任意时刻访问Web Server
4.生产区PC可以在任意时刻访问OA Server但是不能访问Web Server
5.特例:生产区PC3可以在每周一早10到早11访问Web Server用来更新企业最新产品信息
首先配置IP地址,配置好之后,在trust区域进行vlan配置。之后按照需求进行策略配置。
3.配置详细信息
进入管理接口,即进入GE0/0/0接口,开启web服务
[FW1]int g0/0/0
[FW1-GigabitEthernet0/0/0]service-manage all permit
在浏览器中输入,https://192.168.0.1:8443/地址,进行web页面访问。
https://192.168.0.1:8443/
1.VLAN 2属于办公区,VLAN 3属于生产区
防火墙配置:
LSW1:
[Huawei]vlan 2
[Huawei]vlan 3
[Huawei-vlan3]int g 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 2
[Huawei-GigabitEthernet0/0/2]int g 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 3
[Huawei-GigabitEthernet0/0/3]int g 0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 3
[Huawei-GigabitEthernet0/0/4]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan 2 3
2.办公区PC在工作日时间(周一至周五,早8到晚6)可以正常访问OA server其他时间不允许
命令配置:
1.地址
[FW1]ip address-set BG
[FW1-object-address-set-BG]address 192.168.1.0 mask 25
[FW1]ip address-set OA
[FW1-object-address-set-OA]address 10.0.0.1 mask 32
2.时间段
[FW1]time-range WORKING_TIME
[FW1-time-range-WORKING_TIME]period-range 08:00:00 to 18:00:00 working-day
3.创建安全策略
[FW1]security-policy
[FW1-policy-security]rule name policy_1
[FW1-policy-security-rule-policy_1]description BG_TO_OA
[FW1-policy-security-rule-policy_1]source-zone trust
[FW1-policy-security-rule-policy_1]destination-zone dmz
[FW1-policy-security-rule-policy_1]source-address address-set BG
[FW1-policy-security-rule-policy_1]destination-address address-set OA
[FW1-policy-security-rule-policy_1]time-range WORKING_TIME
[FW1-policy-security-rule-policy_1]action permit
web界面:
3.办公区PC可以在任意时刻访问Web Server
命令配置:
[FW1]ip address-set WEB
[FW1-object-address-set-WEB]address 10.0.0.2 mask 32
[FW1]security-policy
[FW1-policy-security]rule name policy_2
[FW1-policy-security-rule-policy_2]description BG_TO_WEB
[FW1-policy-security-rule-policy_2]source-zone trust
[FW1-policy-security-rule-policy_2]destination-zone dmz
[FW1-policy-security-rule-policy_2]source-address address-set BG
[FW1-policy-security-rule-policy_2]destination-address address-set WEB
[FW1-policy-security-rule-policy_2]action permit
web界面:
4.生产区PC可以在任意时刻访问OA Server但是不能访问Web Server
命令配置:
[FW1]security-policy
[FW1-policy-security]rule name policy_3
[FW1-policy-security-rule-policy_3]description SC_TO_OA
[FW1-policy-security-rule-policy_3]source-zone trust
[FW1-policy-security-rule-policy_3]destination-zone dmz
[FW1-policy-security-rule-policy_3]source-address 192.168.1.128 25
[FW1-policy-security-rule-policy_3]destination-address address-set OA
[FW1-policy-security-rule-policy_3]action permit
web界面:
5.特例:生产区PC3可以在每周一早10到早11访问Web Server用来更新企业最新产品信息
命令配置:
[FW1]time-range pc3-web
[FW1-time-range-pc3-web]period-range 10:00:00 to 11:00:00 Mon
[FW1]security-policy
[FW1-policy-security]rule name policy_4
[FW1-policy-security-rule-policy_4]description SC_TO_WEB
[FW1-policy-security-rule-policy_4]source-zone trust
[FW1-policy-security-rule-policy_4]destination-zone dmz
[FW1-policy-security-rule-policy_4]source-address 192.168.1.130 25
[FW1-policy-security-rule-policy_4]destination-address address-set WEB
[FW1-policy-security-rule-policy_4]time-range pc3-web
[FW1-policy-security-rule-policy_4]action permit
web界面:
4.测试
办公区PC在工作日时间(周一至周五,早8到晚6)可以正常访问OA server其他时间不允许
办公区PC可以在任意时刻访问Web Server
生产区PC可以在任意时刻访问OA Server但是不能访问Web Server
特例:生产区PC3可以在每周一早10到早11访问Web Server用来更新企业最新产品信息
