87586, Firewall 1060 on HCL
Problem description:
Why is it that when I configure DHCP on the firewall in the HCL simulator, with an inter-zone policy configured, a host with a manually configured IP address can ping the firewall, but hosts cannot obtain an IP address automatically? When I use a router with the same configuration, it works.
Network topology and description:
Main configuration:
#
 version 7.1.064, Alpha 7164
#
 sysname FW1
#
context Admin id 1
#
 telnet server enable
#
 dhcp enable
 dhcp server forbidden-ip 172.16.0.1
#
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
dhcp server ip-pool 1
 gateway-list 172.16.0.1
 network 172.16.0.0 mask 255.255.0.0
 dns-list
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 172.16.0.1 255.255.0.0
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 192.168.0.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/0
#
zone-pair security source Local destination Trust
 packet-filter 2000
Best answer
You need two inter-zone policies, local--trust and trust--local. Below is a lab I did while studying; you can use it for reference.
Configuration approach: normal text refers to the upper diagram, bold text to the lower diagram.
1. Create security zones on the FW and add the interfaces to them:
[fw-security-zone-Trust]import interface GigabitEthernet1/0/0
[fw-security-zone-DMZ]import interface GigabitEthernet1/0/1
[DHCP-security-zone-Trust]import interface GigabitEthernet1/0/0
2. Configure ACLs to match the traffic:
[dhcpServer-acl-ipv4-basic-2000] rule 10 permit source 0.0.0.0 0
[dhcpServer-acl-ipv4-basic-2001] rule 10 permit source 192.168.1.0 0.0.0.255
[dhcpServer-acl-ipv4-basic-2002] rule 10 permit source 192.168.2.0 0.0.0.255
[DHCP-acl-ipv4-basic-2002] rule 10 permit source 192.168.2.0 0.0.0.255
3. Configure the DHCP service:
[dhcpServer]dhcp enable
[dhcpServer-dhcp-pool-1]gateway-list 192.168.1.254
[dhcpServer-dhcp-pool-1]network 192.168.1.0 24
[dhcpServer]ip route-static 0.0.0.0 0 192.168.2.1
[fw]dhcp enable
[fw-GigabitEthernet1/0/1]dhcp select relay
[fw-GigabitEthernet1/0/0]dhcp relay source-address 192.168.2.254
[DHCP]dhcp enable
[DHCP-dhcp-pool-1]gateway-list 192.168.1.254
[DHCP-dhcp-pool-1]network 192.168.1.0 24
[DHCP]ip route-static 0.0.0.0 0 192.168.2.1
[relay]dhcp enable
[relay-GigabitEthernet0/0]dhcp select relay
[relay-GigabitEthernet0/0]dhcp relay source-address 192.168.2.254
4. Configure the inter-zone policies:
[dhcpServer-zone-pair-security-Trust-Local]packet-filter 2000
[dhcpServer-zone-pair-security-Local-Trust]packet-filter 2001
[dhcpServer-zone-pair-security-DMZ-Local]packet-filter 2002
[dhcpServer-zone-pair-security-Local-DMZ]packet-filter 2002
[DHCP-zone-pair-security-Trust-Local]packet-filter 2002
[DHCP-zone-pair-security-Local-Trust]packet-filter 2002
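As an added illustration of the answer above (my own script, not from the original post or from H3C), a small Python checker that parses a Comware-style configuration and reports which zone pairs between an interface-bearing zone and the Local zone still lack a packet-filter. The embedded configuration is constructed to mirror the question, where only Local to Trust is permitted; the regexes and function names are my own.

```python
import re
# Comware configuration lines this check cares about (patterns are mine)
ZONE_RE = re.compile(r"^\s*security-zone name (\S+)")
IMPORT_RE = re.compile(r"^\s*import interface (\S+)")
PAIR_RE = re.compile(r"^\s*zone-pair security source (\S+) destination (\S+)")
FILTER_RE = re.compile(r"^\s*packet-filter (\d+)")
def parse_zone_pairs(config: str):
    """Return ({zone: [interfaces]}, {(src, dst): acl or None}) from config text."""
    zones, pairs = {}, {}
    current_zone = current_pair = None
    for line in config.splitlines():
        if line.strip() == "#":  # a bare '#' closes the current view
            current_zone = current_pair = None
        elif m := ZONE_RE.match(line):
            current_zone, current_pair = m.group(1), None
            zones.setdefault(current_zone, [])
        elif (m := IMPORT_RE.match(line)) and current_zone:
            zones[current_zone].append(m.group(1))
        elif m := PAIR_RE.match(line):
            current_pair, current_zone = (m.group(1), m.group(2)), None
            pairs.setdefault(current_pair, None)
        elif (m := FILTER_RE.match(line)) and current_pair:
            pairs[current_pair] = m.group(1)
    return zones, pairs

def missing_local_policies(config: str):
    """Zone pairs between an interface-bearing zone and Local with no packet-filter.
    DHCP DISCOVER enters from the client zone towards Local (the firewall itself)
    and the OFFER leaves Local, so both directions must be permitted."""
    zones, pairs = parse_zone_pairs(config)
    missing = []
    for zone, ifaces in zones.items():
        if zone == "Local" or not ifaces:
            continue
        for pair in ((zone, "Local"), ("Local", zone)):
            if pairs.get(pair) is None:
                missing.append(pair)
    return missing

# Constructed sample mirroring the question: only Local -> Trust is permitted
SAMPLE_CONFIG = """\
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/0
#
zone-pair security source Local destination Trust
 packet-filter 2000
"""
```

Running `missing_local_policies(SAMPLE_CONFIG)` reports the Trust to Local pair as missing, which is the policy the accepted answer adds.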
Try also permitting Trust to Local in the policy and test it.
Still not working.
zhiliao_87586 Posted: