USG firewall lab: changing the default rule and permitting telnet traffic (Huawei USG firewall configuration commands with detailed explanation)

Reader submission 1040 2022-10-10



Enable the virtual terminal (VTY) service

R1 configuration (the VTY lines 0-4 ask for a password, the password is stored as the cipher 666, and a logged-in session gets privilege level 3):

[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode password
[R1-ui-vty0-4]set authentication password cipher 666
[R1-ui-vty0-4]user privilege level 3

R2 configuration (address 192.168.1.2/24 on Ethernet0/0/0, plus a static route to the 192.168.2.0/24 network behind the firewall via the firewall's 192.168.1.1):

[R2]interface e0/0/0
[R2-Ethernet0/0/0]ip add 192.168.1.2 24
[R2-Ethernet0/0/0]q
[R2]ip route-static 192.168.2.0 24 192.168.1.1

[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode password
[R2-ui-vty0-4]set authentication password cipher 666
[R2-ui-vty0-4]user privilege level 3

Firewall configuration. Configure the interface addresses (G0/0/0 faces R1, G0/0/1 faces R2):

interface GigabitEthernet0/0/0
ip address 192.168.2.1 255.255.255.0

interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0

Create the zone outside, set its priority to 30, and add interface G0/0/1 to that zone:

firewall zone name outside
set priority 30
add interface GigabitEthernet0/0/1

View the default policy between the local zone and outside (outbound direction). The default packet-filter is permit:

[SRG]display policy interzone local outside outbound
policy interzone local outside outbound
firewall default packet-filter is permit

Test whether the firewall can ping the external router. It can.

Change the default policy to deny:

[SRG]firewall packet-filter default deny interzone local outside direction outbound

Test again whether the firewall can ping the external router. Now it cannot. Restore the default policy:

[SRG]firewall packet-filter default permit interzone local outside direction outbound

Check whether R1 and R2 can telnet and ping each other; the result should be that they cannot. To let R1 telnet to R2 and ping it, traffic in the outbound direction between trust and outside must be permitted, as follows. Permit telnet and ICMP traffic in the outbound direction (policy 1 matches only the host 192.168.2.2 as source and the host 192.168.1.2 as destination, the wildcard 0 meaning a single address, and only the service sets icmp and telnet):

[SRG]policy interzone trust outside outbound
[SRG-policy-interzone-trust-outside-outbound]policy 1
[SRG-policy-interzone-trust-outside-outbound-1]policy source 192.168.2.2 0
[SRG-policy-interzone-trust-outside-outbound-1]policy destination 192.168.1.2 0
[SRG-policy-interzone-trust-outside-outbound-1]policy service service-set icmp telnet
[SRG-policy-interzone-trust-outside-outbound-1]action permit
[SRG-policy-interzone-trust-outside-outbound-1]q
[SRG-policy-interzone-trust-outside-outbound]q
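To make the decision logic behind these commands concrete, here is an added Python model of how an interzone policy evaluates a flow: the zone priorities fix the direction (higher priority to lower priority is outbound), the numbered policy entries are tried in order, and the interzone default packet-filter applies when nothing matches. This is example code written for this page, not the post's configuration and not Huawei's implementation. It assumes a trust priority of 85 (the USG factory default, which the post never shows), treats the trust-outside default as deny (inferred from the post's observation that R1 cannot reach R2 until policy 1 exists), and names services by plain strings.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Zone security priorities. local=100 and outside=30 appear in the post;
# trust=85 is the USG factory default and is an assumption here.
ZONE_PRIORITY = {"local": 100, "trust": 85, "outside": 30}


def wildcard_to_network(address: str, wildcard: str):
    """Turn VRP's 'address wildcard' pair (e.g. '192.168.2.2 0') into a network.

    The wildcard is an inverse mask; the bare '0' used in the post is shorthand
    for 0.0.0.0, i.e. exactly one host.
    """
    if wildcard == "0":
        wildcard = "0.0.0.0"
    mask = 0xFFFFFFFF ^ int(ip_address(wildcard))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ip_network(f"{address}/{prefix}", strict=False)


def direction(src_zone: str, dst_zone: str) -> str:
    """Higher-priority zone -> lower-priority zone is 'outbound', otherwise 'inbound'."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


@dataclass
class Rule:
    sources: list = field(default_factory=list)       # networks; empty = any
    destinations: list = field(default_factory=list)  # networks; empty = any
    services: set = field(default_factory=set)        # service-set names; empty = any
    action: str = "permit"

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        return ((not self.sources or any(src in n for n in self.sources))
                and (not self.destinations or any(dst in n for n in self.destinations))
                and (not self.services or service in self.services))


@dataclass
class InterzonePolicy:
    default_action: str = "deny"     # the 'firewall packet-filter default' for this pair/direction
    rules: list = field(default_factory=list)


class Firewall:
    def __init__(self):
        self.policies = {}

    def policy(self, zone_a: str, zone_b: str, direction_: str) -> InterzonePolicy:
        """Policy for an unordered zone pair in one direction (created on first use)."""
        return self.policies.setdefault((frozenset((zone_a, zone_b)), direction_), InterzonePolicy())

    def decide(self, src_zone, src_ip, dst_zone, dst_ip, service) -> str:
        if src_zone == dst_zone:
            return "permit"        # interzone policy only governs traffic between zones
        pol = self.policy(src_zone, dst_zone, direction(src_zone, dst_zone))
        for rule in pol.rules:     # first matching numbered entry wins
            if rule.matches(src_ip, dst_ip, service):
                return rule.action
        return pol.default_action  # nothing matched: the default packet-filter applies


def build_lab() -> Firewall:
    """Reproduce the post's end state: local-outside default permit (as the
    'display policy' output shows) and policy 1 under trust-outside outbound."""
    fw = Firewall()
    fw.policy("local", "outside", "outbound").default_action = "permit"
    fw.policy("trust", "outside", "outbound").rules.append(Rule(
        sources=[wildcard_to_network("192.168.2.2", "0")],
        destinations=[wildcard_to_network("192.168.1.2", "0")],
        services={"icmp", "telnet"},
        action="permit",
    ))
    return fw


if __name__ == "__main__":
    fw = build_lab()
    for flow in [("trust", "192.168.2.2", "outside", "192.168.1.2", "telnet"),
                 ("trust", "192.168.2.2", "outside", "192.168.1.2", "ssh"),
                 ("outside", "192.168.1.2", "trust", "192.168.2.2", "telnet"),
                 ("local", "192.168.1.1", "outside", "192.168.1.2", "icmp")]:
        print(flow, "->", fw.decide(*flow))
```

Running it shows why the lab behaves as it does: telnet and ICMP from 192.168.2.2 to 192.168.1.2 are permitted by policy 1, any other service or any other host falls through to the trust-outside default, and a flow from outside towards trust is evaluated in the inbound direction, where no policy exists yet.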

Telnet from R1 to R2. After logging in successfully, view the session table on the firewall. The first query shows one session; the second query, run later, shows the count back at 0:

[SRG]display firewall session table
Current Total Sessions : 1
icmp ×××:public --> public 192.168.2.2:53419-->192.168.1.2:2048
[SRG]display firewall session table
09:46:55 2018/05/11
Current Total Sessions : 0
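A session table like the one above is the quickest way to confirm that only the traffic the policy was meant to allow is actually flowing. The following added Python example (written for this page, not part of the post) parses `display firewall session table` output into records, checks that the declared session count matches the rows, and flags any session whose protocol or endpoints are outside the set the policy is supposed to permit. The sample text is constructed: it mirrors the post's ICMP row and adds a telnet row; the token the post prints as ××× is assumed to be the VPN-instance field, but the pattern only relies on the colon after it.

```python
import re
from dataclasses import dataclass

# One session row, e.g.  icmp  VPN:public --> public 192.168.2.2:53419-->192.168.1.2:2048
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+\S+:(?P<src_inst>\S+)\s+-->\s+(?P<dst_inst>\S+)\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+)-->"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+)\s*$")
HEADER_RE = re.compile(r"Current Total Sessions\s*:\s*(\d+)")


@dataclass(frozen=True)
class Session:
    proto: str
    src_ip: str
    src_port: int   # for icmp this column carries the ICMP identifier, not a port
    dst_ip: str
    dst_port: int   # for icmp this column carries type/code (2048 = 0x0800, echo request)


def parse_session_table(text: str):
    """Return (declared_total, [Session, ...]) from raw 'display firewall session table' output.

    Raises ValueError if the declared total disagrees with the rows found, which
    usually means the output was truncated or the row format changed.
    """
    total, sessions = None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total = int(m.group(1))
            continue
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(Session(m["proto"], m["src_ip"], int(m["src_port"]),
                                    m["dst_ip"], int(m["dst_port"])))
    if total is not None and total != len(sessions):
        raise ValueError(f"declared {total} sessions but parsed {len(sessions)} rows")
    return total, sessions


def unexpected_sessions(sessions, permitted):
    """Sessions whose (src_ip, dst_ip, proto) triple is not in the permitted set.

    'permitted' should be derived from the intended policy; in the lab that is
    icmp and telnet from 192.168.2.2 to 192.168.1.2 only.
    """
    return [s for s in sessions if (s.src_ip, s.dst_ip, s.proto) not in permitted]


# Constructed sample output modelled on the post's table (telnet row added).
SAMPLE = """\
[SRG]display firewall session table
 Current Total Sessions : 2
  icmp  VPN:public --> public 192.168.2.2:53419-->192.168.1.2:2048
  telnet  VPN:public --> public 192.168.2.2:50023-->192.168.1.2:23
"""

LAB_PERMITTED = {("192.168.2.2", "192.168.1.2", "icmp"),
                 ("192.168.2.2", "192.168.1.2", "telnet")}

if __name__ == "__main__":
    total, sessions = parse_session_table(SAMPLE)
    print(f"{total} sessions declared, {len(sessions)} parsed")
    for s in sessions:
        print(s)
    print("unexpected:", unexpected_sessions(sessions, LAB_PERMITTED))
```

In practice the permitted set would be generated from the policy entries rather than typed by hand, so that a session for a service the policy never mentions (an ssh session, say) stands out immediately after a `display firewall session table`.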

Exercise: think about how you would permit a host in outside to telnet to the internal router.

