Example:
Create an access control list with number 102.
[Eudemon] acl number 102
# Configure ACL rules that allow specific users to access the internal server from the external network.
The above configuration completes the creation of the ACL. The following configuration references the ACL in packet-filtering applications; the specific explanation of each command is given in the relevant chapters.
# Apply ACL rule 101 in the direction from the Trust zone to the Untrust zone.
[Eudemon-interzone-trust-untrust] packet-filter 101 outbound
# Apply ACL rule 102 in the direction from the Untrust zone to the Trust zone.
[Eudemon-interzone-trust-untrust] packet-filter 102 inbound
# Enable FTP protocol detection between the Trust and Untrust zones.
[Eudemon-interzone-trust-untrust] detect ftp
2. ASPF configuration example
[Eudemon] firewall session aging-time ftp 3000
[Eudemon] firewall session aging-time http 3000
[Eudemon] acl number 101
[Eudemon-acl-adv-101] rule deny ip
[Eudemon] acl number 10
[Eudemon-acl-basic-10] rule permit source any
[Eudemon] firewall packet-filter default permit interzone trust untrust direction outbound
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 101 inbound
[Eudemon-interzone-trust-untrust] detect ftp
[Eudemon-interzone-trust-untrust] detect http
[Eudemon-interzone-trust-untrust] detect java-blocking 10
3. Blacklist example
[Eudemon] firewall packet-filter ICMP range global blacklist
[Eudemon] blacklist enable
4. Many-to-many address translation (NAT)
(1) In system view, define a NAT address pool from which addresses are allocated as needed:
nat address-group group-number start-address end-address
Here group-number is the number that identifies the address pool, and start-address and end-address are the first and last IP addresses of the pool.
(2) Define an access control list in system view and ACL view.
In system view, define the access control list:
acl acl-number [ match-order { config | auto } ]
In ACL view, define the access control rule:
rule [ rule-id ] { permit | deny } [ source source-address wildcard | any ] [ time-range time-name ] [ logging ]
(3) In interzone view, associate the access control list with the NAT address pool:
nat outbound acl-number address-group group-number
5. NAT server configuration: provide one internal machine for external HTTP or FTP access
This actually maps an external address and port onto the internal server.
nat server protocol pro-type global global-address [ global-port1 global-port2 ] inside host-address [ host-address2 ] host-port
nat server global global-address inside host-address
6. Easy IP configuration
nat outbound acl-number interface interface-name
7. Application Level Gateway (ALG)
This solves the problem that NAT can only translate the addresses in the IP header and the ports in the TCP/UDP header: protocols such as ICMP and FTP also carry IP address and port information in the data part of the packet, so:
(1) In system view, executing the following command enables the ALG function for the corresponding protocol:
nat alg enable { ftp | h323 | icmp | ras }
(2) In interzone view, configure ASPF detection for the application-layer protocol:
detect protocol
8. Eudemon firewall configuration steps
(1) Firewall network planning
Network topology diagram (down to the allocation and connection of the physical ports of each network device); IP address allocation (down to every IP address on every network device); zone division on the firewall; address mapping on the firewall; the policies the firewall needs to open.
(2) Configure interface IP addresses
Configure the IP address of each interface.
# Configure firewall interface Ethernet 0/0/0.
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] quit
For a dual-firewall deployment, VRRP must be configured under the interface:
[Eudemon] interface Ethernet 0/0/0
# Configure VRRP backup group 1 under interface eth0/0/0; note that the virtual IP must be in the same subnet as the interface address.
[Eudemon-Ethernet0/0/0] Ethernet interface 1
# Configure VRRP backup group 2 under interface eth0/0/1.
Note: do not configure the VRRP priority when configuring VRRP under the interface.
(3) Configure zones
# Configure zone dmz.
[Eudemon] firewall zone name dmz1
[Eudemon-zone-dmz1] set priority 70
(4) Assign interfaces to zones
# Add interface Ethernet1/0/0 to the DMZ zone.
[Eudemon] firewall zone dmz
[Eudemon-zone-dmz] add interface Ethernet1/0/0
[Eudemon-zone-dmz] quit
(5) Configure VRRP (two firewalls)
# Create VRRP management group 1; all VRRP backup groups are added to this management group so that they are managed as one unit.
[Eudemon] vrrp-group 1
# Within the VGMP group, the VRRP groups that join it are sorted automatically according to the order of configuration. For example, with the configuration below, display current shows add interface Ethernet2/0/0 vrrp vrid 3 data transfer-only as 1, and VRRP 1 and VRRP 2 as 1 and 2.
[Eudemon-vrrpgroup-1] add interface Ethernet0/0/0 vrrp vrid 1 data
[Eudemon-vrrpgroup-1] add interface Ethernet0/0/1 vrrp vrid 2 data
# The channel configured with the transfer-only parameter is the preferred channel; a change in the state of this channel does not change the VGMP priority and therefore does not cause a state switchover.
[Eudemon-vrrpgroup-1] add interface Ethernet2/0/0 vrrp vrid 3 data transfer-only
# Enable the VRRP management group; VRRP groups can only be managed as one unit once VGMP is enabled.
[Eudemon-vrrpgroup-1] vrrp enable
# Enable automatic preemption for the VRRP management group; the preemption delay is 0 seconds by default.
[Eudemon-vrrpgroup-1] vrrp preempt
(6) Configure the VRRP group priority
When no VGMP priority is configured on the firewall, the default priority is 100. When assigning priorities, pay attention to the VGMP priority decrease algorithm:
priority after decrease = priority - priority/16. When the master firewall fails, its decreased priority must be lower than the priority of the slave firewall so that the switchover to standby can take place; otherwise the failed firewall remains master, which interrupts service. For example, with the following configuration the priority after the decrease is 105 - 105/16 = 98, so the slave firewall's priority must be higher than that.
[Eudemon-vrrpgroup-1] vrrp priority 105
[Eudemon-vrrpgroup-1] quit
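The switchover condition from step (6), as an added check that is not part of the original guide: it applies the decrease rule priority - priority/16 (truncated to a whole number, so that 105 gives 98 as in the guide) to a master/slave priority pair and reports whether the standby can take over. The function names and the assumption that a single failure triggers one decrease are mine.

```python
# Added example (not from the original guide): validate a two-firewall VGMP
# priority plan against the decrease rule stated in the text,
#   priority after decrease = priority - priority/16,
# truncated to a whole number so that 105 yields 98, as in the guide's example.
# Assumptions: one failure triggers one decrease; the VGMP default priority is 100.

VGMP_DEFAULT_PRIORITY = 100


def decreased_priority(priority: int) -> int:
    """VGMP priority after one failure-triggered decrease (whole number)."""
    # priority * 15 // 16 equals floor(priority - priority / 16); 105 -> 98
    return priority * 15 // 16


def failover_works(master_priority: int, slave_priority: int) -> bool:
    """True when a failed master drops below the slave, so the standby takes over."""
    return decreased_priority(master_priority) < slave_priority


def check_plan(master_priority: int,
               slave_priority: int = VGMP_DEFAULT_PRIORITY) -> dict:
    """Summarise a master/slave priority pair: who is master in normal operation,
    what the master drops to on failure, and whether the switchover can happen."""
    after = decreased_priority(master_priority)
    return {
        "master_is_preferred": master_priority > slave_priority,
        "master_after_failure": after,
        "switchover_on_failure": after < slave_priority,
    }


if __name__ == "__main__":
    # The guide's case: master set to vrrp priority 105, slave left at the default 100.
    print(check_plan(105))                    # drops to 98; 98 < 100 -> switchover
    # A plan where the slave was set too low: the failed master stays master.
    print(check_plan(105, slave_priority=90))
```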
The function of the firewall
(7) Configure HRP
# Enable the HRP function. Once HRP is enabled, HRP_M is displayed in front of [Eudemon] on the master firewall and HRP_S on the slave firewall; the default is automatic real-time backup.
[Eudemon] hrp enable
The configuration of the slave firewall is basically the same as that of the master firewall; only the IP addresses of the interfaces need to be changed.
(8) Verify the two-firewall configuration
(9) Configure address translation
(10) Configure the ACL
[Eudemon] acl name TOD advanced
(11) Apply the ACL between zones
[Eudemon] firewall interzone dmz untrust
[Eudemon-interzone-dmz-untrust] packet-filter TOD inbound
(12) Check the service configuration
Check the dual-firewall status: check whether a switchover between the two firewalls affects service.
Check configuration synchronization: check whether the configuration of the master and standby machines is synchronized; this can be done by comparing the configurations.
Check that service is normal: test that the business traffic is normal.
8. Firewall maintenance commands
(1) display diagnostic-information: collects all information on the firewall, for submission to support personnel for analysis.
(2) display firewall session table verbose: used to view the firewall connection information table.
(3) Debugging commands
To display debugging output in the current Telnet or console window:
use the terminal debugging and terminal monitor commands together (forbidden on a live service).
Packet debugging:
debugging firewall packet-filter all interzone untrust trust
debugging ip icmp
debugging ip packet
debugging all