防火墙1

 将g1/0/0口放入trust中

cmd 中192.168.12.1（通）

1）LSW1上配置4个vlan 100 10 20 30 并将端口放进vlan中且配地址

interface Vlanif10
ip address 203.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 204.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 205.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 202.1.1.2 255.255.255.0

interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 100

2）给路由器，防火墙配地址

R1:

interface GigabitEthernet0/0/0
ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 200.1.1.2 255.255.255.0

FW1:

以1/0/1为例：

interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.1.254 255.255.255.0

service-manage enable

service-manage all permit

3）做i静态，使其能到防火墙

 LSW1:

ip route-static 0.0.0.0 0.0.0.0 202.1.1.1

FW1:

ip route-static 202.1.1.0 255.255.255.0 200.1.1.2
ip route-static 203.1.1.0 255.255.255.0 200.1.1.2
ip route-static 204.1.1.0 255.255.255.0 200.1.1.2
ip route-static 205.1.1.0 255.255.255.0 200.1.1.2

AR1:

ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
ip route-static 192.168.2.0 255.255.255.0 200.1.1.1
ip route-static 203.1.1.0 255.255.255.0 202.1.1.2
ip route-static 204.1.1.0 255.255.255.0 202.1.1.2
ip route-static 205.1.1.0 255.255.255.0 202.1.1.2

4)配置防火墙区域：

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/5
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/4

1.trust访问DMZ的http

security-policy
 rule name permit_trust_dmz
 source-zone trust
 destination-zone dmz
 service http
 service icmp
 action permit

结果：client1能ping通192.168.1.253

将server的服务启动既可访问： 

2.untrust的client2访问DMZ的http client3不能

security-policy

  rule name permit_untrust_dmz
  source-zone untrust
  destination-zone dmz
  source-address 203.1.1.0 mask 255.255.255.0
  destination-address 192.168.1.0 mask 255.255.255.0
  service http
  service icmp
  action permit

结果：

  

3.DMZ的PC2能够和VLAN10通信

security-policy

  rule name permit_client2_pc2
  source-zone untrust
  destination-zone dmz
  source-address 203.1.1.0 mask 255.255.255.0
  destination-address 192.168.2.0 mask 255.255.255.0
  service icmp
  action permit

4.防火墙能ping通trust的中client1

security-policy 

  rule name permit_local_trust
  source-zone local
  destination-zone trust
  service icmp
  action permit

5.防火墙能够telnet到AR1

security-policy

  rule name permit_local_untrust

  source-zone local
  destination-zone untrust
  service icmp
  service telnet
  action permit

AR1:

[R1]telnet server  enable

[R1-aaa]local-user lj password cipher 123

[R1-aaa]local-user lj privilege level 15

[R1]user-interface vty 0 4

[R1-ui-vty0-4]authentication-mode aaa

[R1-ui-vty0-4]protocol inbound all

6.dmz区域内测试，不能ping通

security-policy

  rule name deny_200_253
  source-zone dmz
  destination-zone dmz
  source-address 192.168.2.200 mask 255.255.255.255
  destination-address 192.168.1.253 mask 255.255.255.255
  service icmp
  action deny

7.trustclient1能够FTP到dmz的serve2

security-policy
  rule name permit_trust_dmz
  source-zone trust
  destination-zone dmz
  service ftp
  service icmp
  action permit