配置防火墙网页登录 1.配置防火墙缺省允许报文通过 system-view [tele]firewall packet-filterenable [tele] firewall packet-filter default permit 为防火墙的以太网接口(GigabitEthernet0/0为例)配置IP地址,并将接口加入到 安全域.
[tele]interfaceGigabitEthernet 0/0 [tele-GigabitEthernet0/0] ip address 192.168.0.1 255.255.255.0 [tele-GigabitEthernet0/0]quit [tele]firewall zone trust [tele-zone-trust] add GigabitEthernet 0/0 2.添加登录用户(建立一个账户名和密码都为admin的账户类型为telnet) [tele]local-user admin [tele-luser-admin]password simple admin [tele-luser-admin]service-type telnet
3.在GigabitEthernet0/1接口上配置FTP及内部服务器 [tele] interfaceGigabitEthernet0/1 [tele-GigabitEthernet0/1] ip address 1.1.1.1 255.0.0.0 [tele-GigabitEthernet0/1] nat outbound 2000 inside10.0.0.2 [tele-GigabitEthernet0/1]nat server protocol tcp global 1.1.1.1 ftp inside 10.0.0.2 [tele-GigabitEthernet0/1] quit 4.配置访问控制列表,允许10.0.0.0/8网段访问internet [tele]acl number2000 [tele-acl-basic-2000] rule 0 permit source 10.0.0.0 0.0.0.255 [tele-acl-basic-2000]rule1deny 5.IPSeCVPN配置 配置分公司IP:192.168.1.0/24到总公司IP:10.1.1.0/24的IPSecVPN 总公司端VPN配置步骤如下:
第一步:配置ACL3000,禁止总公司IP:10.1.1.0/24访问分公司IP: 192.168.1.0/24时进行NAT转换,允许总公司IP:10.1.1.0/24访问公网时进行NAT转 换.
[tele]aclnumber3000 [tele-acl-adv-3000] rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 [tele-acl-adv-3000] rule permit ip [tele-acl-adv-3000]quit 第二步:配置ACL3200,允许总公司IP:10.1.1.0/24访问分公司IP: 192.168.1.0/24 [tele] acl number3200 [tele-acl-adv-3200] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 [tele-acl-adv-3200] quit 第三步:配置本端设备名称为routera [tele] ikelocal-nameroutera 第四步:配置对等体peer [tele] ikepeerpeer
[tele-ike-peer-peer] exchange-mode aggressive [tele-ike-peer-peer]pre-shared-key123456 [tele-ike-peer-peer] id-typename [tele-ike-peer-peer]remote-name tele [tele-ike-peer-peer] nat traversal 第五步:配置IPSec安全提议test [tele] ipsecproposal test [tele-ipsec-proposal-test] encapsulation-mode tunnel [tele-ipsec-proposal-test] transform esp [tele-ipsec-proposal-test] esp encryption-algorithm 3des [tele-ipsec-proposal-test] esp authentication-algorithm md5 [tele-ipsec-proposal-test] quit 第六步:创建安全策略test并指定通过IKE协商建立SA [tele] ipsec policy test 1 isakmp 第七步:配置安全策略test引I用IKE对等体peer
第八步:配置安全策略test引用访问控制列表3200 [tele-ipsec-policy-isakmp-test-1] security acl 3200 第九步:配置安全策略test引I用IPSec安全提议test [tele-ipsec-policy-isakmp-test-1] proposal test [tele-ipsec-policy-isakmp-test-1] quit 第十步:配置上行接口IP地址202.1.1.2/24,并在接口上应用IPSec策略 [tele]intGigabitEthernet0/0 [tele-GigabitEthernet0/0] ip address 202.1.1.2 24 [tele-GigabitEthernet0/0] nat outbound3000 [tele-GigabitEtherneto/0] ipsecpolicy test 第十一步:配置下行接口IP地址10.1.1.1/24 [tele-GigabitEthernet0/1] ip address 10.1.1.1 24 第十二步:配置到分公司局域网的静态路由 [tele]ip route-static 192.168.1.0 255.255.255.0 192.168.1.254
