When external hosts access an internal server published through the firewall's NAT server mapping, should the security policy be configured from untrust to trust, or from untrust to local? Answer: it should be configured from untrust to trust
(1) Topology diagram
(2) Basic configuration
Interface configuration
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.2.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.1.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage telnet permit
#
Security policy
security-policy
rule name untrust-To-local
source-zone untrust
destination-zone local
action permit
rule name untrust-To-trust
source-zone untrust
destination-zone trust
action permit
rule name trust-To-untrust
source-zone trust
destination-zone untrust
action permit
#
NAT policy
nat server tcp23 protocol tcp global 192.168.2.254 2223 inside 192.168.1.100 telnet
nat-policy
rule name To-Internet
source-zone trust
destination-zone untrust
action source-nat easy-ip
#
(3) Test: sw2 telnet 192.168.2.254 2223, result: connected
<sw2>telnet 192.168.2.254 2223
Trying 192.168.2.254 ...
Press CTRL+K to abort
Connected to 192.168.2.254 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Password:
View the session table (the Telnet entry shows the destination 192.168.2.254:2223 being translated to 192.168.1.100:23)
<USG6000V2>display firewall session table
2022-04-14 07:08:16.320
Current Total Sessions : 17
tcp VPN: default --> default 10.12.11.103:58839 --> 10.12.5.5:8443
tcp VPN: default --> default 10.12.11.103:58976 --> 10.12.5.5:8443
SMB VPN: default --> default 10.12.63.1:138 --> 10.12.255.255:138
tcp VPN: default --> default 10.12.11.103:58974 --> 10.12.5.5:8443
SMB VPN: default --> default 10.12.63.8:138 --> 10.12.255.255:138
Telnet VPN: public --> public 192.168.2.200:61656 --> 192.168.2.254:2223[192.168.1.100:23]
tcp VPN: default --> default 10.12.11.103:58840 --> 10.12.5.5:8443
SMB VPN: default --> default 10.12.12.217:138 --> 10.12.255.255:138
tcp VPN: default --> default 10.12.11.103:58893 --> 10.12.5.5:8443
SMB VPN: default --> default 10.12.11.113:138 --> 10.12.255.255:138
tcp VPN: default --> default 10.12.11.103:58975 --> 10.12.5.5:8443
SMB VPN: default --> default 10.12.11.117:138 --> 10.12.255.255:138
tcp VPN: default --> default 10.12.11.103:58838 --> 10.12.5.5:8443
SMB VPN: default --> default 10.12.11.129:138 --> 10.12.255.255:138
tcp VPN: default --> default 10.12.11.103:58972 --> 10.12.5.5:8443
tcp VPN: default --> default 10.12.11.103:58973 --> 10.12.5.5:8443
NetBios_Name_Service VPN: default --> default 10.12.12.150:137 --> 10.12.255.255:137
<USG6000V2>
(4) Disable policies
Disable two of the policies (untrust-To-local and trust-To-untrust, marked with disable below), clear the rule hit records, and retest
#
security-policy
rule name untrust-To-local
disable
source-zone untrust
destination-zone local
action permit
rule name untrust-To-trust
source-zone untrust
destination-zone trust
action permit
rule name trust-To-untrust
disable
source-zone trust
destination-zone untrust
action permit
Test: sw2 telnet 192.168.2.254 2223, result: still connected, so only the untrust-To-trust rule is needed for the mapped server
<sw2>telnet 192.168.2.254 2223
Trying 192.168.2.254 ...
Press CTRL+K to abort
Connected to 192.168.2.254 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Password:
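The behaviour shown by the two tests, as an added Python model that is not part of the original post: destination NAT (nat server) is applied before the security-policy lookup, so the destination zone is that of the translated address 192.168.1.100 (trust), not of the firewall's own address (local). The zone subnets and the default-deny fallback are assumptions taken from the interface configuration above.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the page's topology (assumption: zone membership
# follows the interface subnets in the configuration above).
ZONES = {"untrust": ip_network("192.168.2.0/24"), "trust": ip_network("192.168.1.0/24")}
FIREWALL_ADDRS = {"192.168.2.254", "192.168.1.254"}  # the firewall's own interfaces -> zone "local"

# nat server tcp23 protocol tcp global 192.168.2.254 2223 inside 192.168.1.100 telnet
NAT_SERVER = {("tcp", "192.168.2.254", 2223): ("192.168.1.100", 23)}

# Security-policy rules from the page, in order; 'enabled' mirrors the 'disable' keyword.
RULES = [
    {"name": "untrust-To-local", "src": "untrust", "dst": "local", "action": "permit", "enabled": True},
    {"name": "untrust-To-trust", "src": "untrust", "dst": "trust", "action": "permit", "enabled": True},
    {"name": "trust-To-untrust", "src": "trust", "dst": "untrust", "action": "permit", "enabled": True},
]


def zone_of(addr):
    """Map an IP address to its security zone; the firewall's own addresses are 'local'."""
    if addr in FIREWALL_ADDRS:
        return "local"
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    return None


def disable(rules, *names):
    """Return a copy of the rule list with the named rules disabled."""
    return [dict(r, enabled=r["enabled"] and r["name"] not in names) for r in rules]


def process(proto, src, dst, dport, rules=RULES):
    """Return (name of the permitting rule or None, post-NAT destination).

    The nat server mapping is applied first, so the security policy sees the
    translated destination and its zone; unmatched traffic is dropped (default deny).
    """
    dst, dport = NAT_SERVER.get((proto, dst, dport), (dst, dport))
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for r in rules:
        if r["enabled"] and r["src"] == src_zone and r["dst"] == dst_zone:
            return (r["name"] if r["action"] == "permit" else None, f"{dst}:{dport}")
    return (None, f"{dst}:{dport}")
```

Telnet to the mapped port 2223 is permitted by untrust-To-trust even with untrust-To-local disabled, whereas telnet to the firewall's own port 23 needs untrust-To-local, which is why the two rules are not interchangeable.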
NAT Network Address Translation (article list, complete)
http://www.zh-cjh.com/wenzhangguilei/988.html
When configuring NAT Server, is the destination address specified in the security policy the pre-translation or the post-translation address? Answer: the post-translation address
http://www.zh-cjh.com/luyoujiaohuan/3664.html
Reprints must retain the source: www.zh-cjh.com (Zhuhai Chen Jianhao's blog)
Author: cjh