Firewall 2

     1. Interfaces, management services, security zones and a trust-to-dmz policy

    interface GigabitEthernet1/0/1
    undo shutdown
    ip address 200.1.1.1 255.255.255.0

    interface GigabitEthernet1/0/4
    undo shutdown
    ip address 169.254.43.1 255.255.255.0

    service-manage enable  # interface view: let this interface accept management traffic addressed to the firewall itself

    service-manage all permit  # permit every management service on the interface; equivalent to the six lines below

    (service-manage http permit
      service-manage https permit
      service-manage ping permit
      service-manage ssh permit
      service-manage snmp permit
      service-manage telnet permit)

    # Permit only what is actually used (typically ssh, https and ping): "all" also opens telnet and http,
    # which send the administrator's credentials in cleartext.

    firewall zone local
    set priority 100
    #
    firewall zone trust
    set priority 85
    add interface GigabitEthernet0/0/0
    add interface GigabitEthernet1/0/2
    add interface GigabitEthernet1/0/4
    #
    firewall zone untrust
    set priority 5
    add interface GigabitEthernet1/0/3
    #
    firewall zone dmz
    set priority 50
    add interface GigabitEthernet1/0/1

    security-policy
    rule name permit_trust_dmz
    source-zone trust
    destination-zone dmz
    service http
    service icmp
    action permit
    # Only HTTP and ICMP from trust to dmz are allowed; all other traffic between the two zones
    # falls through to the default deny.

    2. Management logins: telnet, ssh and web

    [FW1]security-policy       # security policy
    [FW1-policy-security]rule name permit_telnet    # name of the rule
    [FW1-policy-security-rule-permit_telnet]source-zone trust    # source zone: trust
    [FW1-policy-security-rule-permit_telnet]destination-zone local    # destination zone: local, i.e. the firewall itself
    [FW1-policy-security-rule-permit_telnet]action permit    # allow the trust zone to reach the firewall's local zone

    [FW1]user-interface vty 0 4    # configure VTY lines 0-4, so up to 5 terminals can use telnet at once

    [FW1-ui-vty0-4]authentication-mode aaa    # telnet logins are authenticated through AAA

    [FW1-ui-vty0-4]protocol inbound telnet    # these VTY lines accept only telnet inbound

    [FW1]aaa    # enter the AAA view

    [FW1-aaa]manager-user lj    # create the management account lj (the prompts below are for this user)

    [FW1-aaa-manager-user-lj]password cipher lj@12345    # stored in encrypted form; the sample password is far too weak for a real device

    [FW1-aaa-manager-user-lj]service-type telnet    # the account may log in over telnet

    [FW1-aaa-manager-user-lj]level 15    # give the telnet account lj administrator privilege

    # Privilege levels: 0 is visit level and can do almost nothing; 1 is monitoring level and can view the
    # configuration; 2 is configuration level and can change some parameters; 3-15 are management level
    # with full rights.

    # Two caveats. The rule permit_telnet has no "service" line, so it lets any service from trust reach the
    # firewall, not just telnet; add "service telnet" to narrow it. And telnet sends the username and
    # password in cleartext, so prefer the SSH setup below and leave telnet off on production devices.

     

    ssh:

    [FW1]security-policy
    [FW1-policy-security]rule name permit_ssh
    [FW1-policy-security-rule-permit_ssh]source-zone trust
    [FW1-policy-security-rule-permit_ssh]destination-zone local
    [FW1-policy-security-rule-permit_ssh]action permit

    [FW1]rsa local-key-pair create   # generate the RSA host key pair used by SSH; on this device the modulus is fixed at 2048 bits (see the prompt below)

    The key name will be: FW1_Host
    The range of public key size is (2048 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    it will take a few minutes.
    Input the bits in the modulus[default = 2048]:2048
    Generating keys...
    .+++++
    ........................++
    ....++++
    ...........++

    [FW1]user-interface vty 0 4
    [FW1-ui-vty0-4]authentication-mode aaa

    [FW1-ui-vty0-4]protocol inbound ssh    # these VTY lines accept only SSH inbound; telnet is rejected

    [FW1]ssh user ljssh    # create the SSH user ljssh

    [FW1]ssh user ljssh authentication-type password    # password authentication

    [FW1]ssh user ljssh service-type stelnet    # the user may open STelnet (SSH) sessions
    [FW1]aaa

    [FW1-aaa]manager-user ljssh      # AAA account with the same name as the SSH user

    [FW1-aaa-manager-user-ljssh]password cipher lj@12345
    Info: You are advised to config on man-machine mode.
    [FW1-aaa-manager-user-ljssh]service-type ssh    # AAA authenticates this account for SSH

    [FW1-aaa-manager-user-ljssh]level 15    # make the SSH account an administrator

    [FW1]stelnet server enable  # start the STelnet (SSH) server; until this is on, SSH connections are refused

    # The order matters: the key pair, the VTY settings and the AAA account are all needed before the server
    # is enabled, and the permit_ssh rule (or any trust-to-local rule) must exist or the SSH packets are
    # dropped by the default deny before they reach the server. Password authentication is used here;
    # VRP also supports "authentication-type rsa" with the client's public key, which keeps the password
    # out of the login entirely.

     

    web:

    [FW1]security-policy
    [FW1-policy-security]rule name permit_web
    [FW1-policy-security-rule-permit_web]source-zone trust
    [FW1-policy-security-rule-permit_web]destination-zone local
    [FW1-policy-security-rule-permit_web]action permit

    [FW1]web-manager enable    # start the HTTP web management server; on USG6000 the HTTPS server is enabled separately with "web-manager security enable", which is the one to use

    [FW1]aaa

    [FW1-aaa]manager-user ljweb    # create the web management account ljweb (the prompts below are for this user)

    [FW1-aaa-manager-user-ljweb]password    # interactive entry, so the password does not stay in the command history

    Enter Password:  enter the password

    Confirm Password:  enter it again
    [FW1-aaa-manager-user-ljweb]service-type web    # the account may log in through the web UI
    [FW1-aaa-manager-user-ljweb]level 15    # administrator privilege

    # permit_telnet, permit_ssh and permit_web are three unrestricted trust-to-local rules; one rule with
    # "service ssh" and "service https" covers all the management access that should remain open.
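The sections above leave several management-plane settings open (service-manage all, a telnet VTY, trust-to-local rules with no service restriction, an HTTP-only web manager). As an added example that is not part of the original post, the following Python script reads a VRP-style configuration dump and flags each of those settings, then shows a hardened configuration that passes clean. The parser is a minimal line reader written for this example: it understands only the statements the post uses and assumes the layout of "display current-configuration" output (sub-statements indented under their view, a "#" line closing it). Both embedded configurations are constructed for the example, and the HTTPS check assumes the USG6000 command "web-manager security enable".

```python
"""Audit a Huawei VRP-style firewall config for weak management-plane settings.

Added example, not code from the original post. Minimal parser for the
statements used in the post only; both configs below are constructed.
"""
import re

# Constructed: the management settings from the post, before hardening.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/4
 ip address 169.254.43.1 255.255.255.0
 service-manage enable
 service-manage all permit
#
security-policy
 rule name permit_telnet
  source-zone trust
  destination-zone local
  action permit
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
#
web-manager enable
stelnet server enable
"""

# Constructed: the same device exposing only SSH and HTTPS, with the policy
# toward the local zone narrowed to those two services.
HARDENED_CONFIG = """\
interface GigabitEthernet1/0/4
 ip address 169.254.43.1 255.255.255.0
 service-manage enable
 service-manage ssh permit
 service-manage https permit
#
security-policy
 rule name permit_mgmt
  source-zone trust
  destination-zone local
  service ssh
  service https
  action permit
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
web-manager security enable
stelnet server enable
"""

# Management services that carry credentials in cleartext ("all" includes them).
CLEARTEXT_SERVICES = {"telnet", "http", "snmp", "all"}


def parse_views(text):
    """Split the config into (view_header, [sub-statements]) pairs, in order.

    An unindented line opens a view (a standalone statement has an empty
    body); an indented "rule name" line opens a nested rule view; a "#" line
    closes whatever view is open.
    """
    views, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif not raw.startswith(" ") or line.startswith("rule name "):
            current = (line, [])
            views.append(current)
        elif current is not None:
            current[1].append(line)
    return views


def audit(text):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    findings = []
    views = parse_views(text)
    top_level = {header for header, body in views if not body}
    for header, body in views:
        if header.startswith("interface "):
            for stmt in body:  # service-manage <svc> permit on a cleartext service
                m = re.match(r"service-manage (\S+) permit$", stmt)
                if m and m.group(1) in CLEARTEXT_SERVICES:
                    findings.append(f"{header}: cleartext management service '{m.group(1)}' permitted")
        elif header.startswith("user-interface "):
            for stmt in body:  # VTY lines that still accept telnet
                m = re.match(r"protocol inbound (\S+)$", stmt)
                if m and m.group(1) in ("telnet", "all"):
                    findings.append(f"{header}: inbound protocol '{m.group(1)}' allows cleartext logins")
        elif header.startswith("rule name "):  # permit to local with no service restriction
            to_local = "destination-zone local" in body
            permits = "action permit" in body
            restricted = any(s.startswith("service ") for s in body)
            if to_local and permits and not restricted:
                findings.append(f"{header}: permits every service to the local zone; add 'service' lines")
    if "web-manager enable" in top_level and "web-manager security enable" not in top_level:
        findings.append("web-manager: only the HTTP server is on; use 'web-manager security enable' (HTTPS)")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for finding in result:
            print("  " + finding)
```

Run it against a saved "display current-configuration" to get the same four findings the post's settings produce; the hardened configuration returns no findings. The rule check deliberately keys on the absence of any "service" line rather than on the rule name, since a rule called permit_ssh that omits "service ssh" is exactly the mistake the audit is meant to catch.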

Original post: https://www.cnblogs.com/TiAmoLJ/p/11432395.html