1. Project topology
The security zone configuration is shown in Figure 1-1.
PCA IP: 192.168.0.100/24; FW IP: 192.168.0.1/24 on interface G1/0/1
Figure 1-1: security zone configuration
2. Project practice environment
One SecPath firewall and one PC (in HCL, the PC is added by selecting the host software).
Job configuration firewall makes two hosts each
(1) Following Figure 1-1, configure the host IP address, the firewall name and the firewall interface IP address.
[H3C] sysname FW // configure the firewall name
[FW]
Configure the interface IP address:
[FW] interface GigabitEthernet1/0/1 // enter interface view
 ip address 192.168.0.1 255.255.255.0
 quit
// The command display current-configuration interface GigabitEthernet 1/0/1 shows the configuration of that interface.
(2) Configure the security zone.
Display the security zones of the firewall:
[FW] display security-zone // command to view the security zones
Name: Local
Members:
None
Name: Trust
Members:
None
Name: DMZ
Members:
None
Name: Untrust
Members:
None
Name: Management
Members:
Add interface G1/0/1 to the Management zone:
[FW] security-zone name Management // enter security zone view
 import interface GigabitEthernet1/0/1
 quit
(3) Verify connectivity:
PCA pings FW
ping 192.168.0.1
Check the result: the ping fails.
Why not? If we look at the current configuration, we will find that the default rules without t,
(4) Change the default rules with a security policy, then verify connectivity again.
[FW] security-policy ip // enter security policy view
 rule 1 name guanli // define a rule named guanli; 1 is the rule ID and must be unique
  action pass // define the action
  source-zone Management // define the source security zone
  destination-zone Local // define the destination security zone
  quit
Verify connectivity:
PCA pings FW
ping 192.168.0.1
----------
I did it according to the case, but there is no security-policy ip command, which is my problem.
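
The behaviour seen in steps (3) and (4), as an added example that is not part of the original post: a Python check that reads a Comware-style configuration fragment and reports whether traffic entering an interface and addressed to the firewall itself (zone Local) is passed. The sample configuration is constructed from the post's commands; the function names, the default drop for a rule with no action, and "an unset zone criterion matches any zone" are modelling assumptions.

```python
import re
# Constructed running-config fragment that mirrors steps (2) and (4) of the post.
SAMPLE_CONFIG = """\
security-zone name Management
 import interface GigabitEthernet1/0/1
security-policy ip
 rule 1 name guanli
  action pass
  source-zone Management
  destination-zone Local
"""

def parse_zones(cfg):
    """Map each interface to the security zone that imports it."""
    zones, current = {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if not line.startswith(" "):  # a top-level line opens or closes a view
            current = m[1] if (m := re.fullmatch(r"security-zone name (\S+)", s)) else None
        elif current and (m := re.fullmatch(r"import interface (\S+)", s)):
            zones[m[1]] = current
    return zones

def parse_rules(cfg):
    """Rules under 'security-policy ip' in configured order (assumed: no action means drop)."""
    rules, in_policy = [], False
    for line in cfg.splitlines():
        s = line.strip()
        if not line.startswith(" "):
            in_policy = s == "security-policy ip"
        elif in_policy and (m := re.fullmatch(r"rule (\d+) name (\S+)", s)):
            rules.append({"id": int(m[1]), "name": m[2], "action": "drop"})
        elif in_policy and rules:
            key, _, val = s.partition(" ")
            if key == "action":
                rules[-1]["action"] = val
            elif key in ("source-zone", "destination-zone"):
                rules[-1].setdefault(key, set()).add(val)
    return rules

def verdict(cfg, in_if, dst_zone="Local"):
    """Decide traffic entering in_if towards dst_zone (Local = the firewall itself)."""
    src_zone = parse_zones(cfg).get(in_if)
    if src_zone is None:
        return "drop: interface is not in any security zone"
    for r in parse_rules(cfg):  # assumed: an unset zone criterion matches any zone
        if src_zone in r.get("source-zone", {src_zone}) and \
           dst_zone in r.get("destination-zone", {dst_zone}):
            return f"{r['action']}: rule {r['id']} ({r['name']})"
    return "drop: no rule matches, default deny"
```

Calling `verdict` on the fragment without the `security-policy ip` section reproduces the failed ping of step (3); with the `guanli` rule present it reports the pass of step (4).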