Topology diagram
Address table

| Device | Interface | IP Address | Subnet Mask | Default Gateway |
| --- | --- | --- | --- | --- |
| R1 | Fa0/0 | 10.14.11.1 | 255.255.255.0 | N/A |
| | S0/0/0000 | 10.14.1.1 | 255.255.255.0 | N/A |
| R2 | S0/0/0100 | 10.14.1.2 | 255.255.255.0 | N/A |
| | S0/0/1 | 10.14.2.2 | 255.255.255.0 | N/A |
| R3 | Fa0/0 | 10.14.13.1 | 255.255.255.0 | N/A |
| | S0/0/1 | 10.14.2.3 | 255.255.255.0 | N/A |
| PC-A | NIC | 10.14.11.3 | 255.255.255.0 | 10.14.11.1 |
| PC-C | NIC | 10.14.13.3 | 255.255.255.0 | 10.14.13.1 |

Configure static routes so that the devices can ping each other
Router1(config)#ip route 10.14.2.0 255.255.255.0 10.14.1.2
Router1(config)#ip route 10.14.13.0 255.255.255.0 10.14.1.2
Router2(config)#ip route 10.14.13.0 255.255.255.0 10.14.2.3
Router2(config)#ip route 10.14.11.0 255.255.255.0 10.14.1.1
Router3(config)#ip route 10.14.1.0 255.255.255.0 10.14.2.2
Router3(config)#ip route 10.14.11.0 255.255.255.0 10.14.2.2
Create the zone-based firewall on R3
Router3(config)#zone security IN-ZONE
Router3(config-sec-zone)#zone security OUT-ZONE
Router3(config-sec-zone)#ex
Router3(config)#access-list 101 permit ip 10.14.13.0 0.0.0.255 any
Router3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
Router3(config-cmap)#match access-group 101
Router3(config-cmap)#ex
Router3(config)#policy-map type inspect IN-2-OUT-PMAP
Router3(config-pmap)#class type inspect IN-NET-CLASS-MAP
Router3(config-pmap-c)#inspect
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected
Router3(config-pmap-c)#
Router3(config-pmap-c)#ex
Router3(config-pmap)#ex
Router3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
Router3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP
Router3(config-sec-zone-pair)#ex
Router3(config)#int f0/0
Router3(config-if)#zone-member security IN-ZONE
Router3(config-if)#ex
Router3(config)#int s0/0/1
Router3(config-if)#zone-member security OUT-ZONE
Router3(config-if)#ex
Router3(config)#ex
Router3#
%SYS-5-CONFIG_I: Configured from console by console
Router3#show policy-map type inspect zone-pair sessions
Zone-pair: IN-2-OUT-ZPAIR
Then open PC-A's web page and, at the same time, run the following command on R3 to view the sessions
R3# show policy-map type inspect zone-pair sessions
Zone-pair: IN-ZONE-OUT-ZONE
Service-policy inspect : IN-2-OUT-PMAP
Class-map: IN-NET-CLASS-MAP (match-all)
Match: access-group 101
Inspect
Established Sessions
Session 139142400 (10.14.13.3:1027)=>(10.14.11.3:80)
http:tcp SIS_OPEN
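
The policy configured on R3 above, modelled in Python as an added example (not part of the original post and not Cisco code): traffic from IN-ZONE to OUT-ZONE that matches ACL 101 is inspected and its replies are let back in, while a connection initiated from OUT-ZONE is dropped because no OUT-ZONE to IN-ZONE zone-pair was created. The class and function names are hypothetical, sessions are simplified to exact address/port tuples, and 192.0.2.9 is a constructed sample address.

```python
import ipaddress

# Values taken from the R3 configuration on this page.
ZONE_OF_IF = {"Fa0/0": "IN-ZONE", "S0/0/1": "OUT-ZONE"}
ACL_101_SRC = ipaddress.ip_network("10.14.13.0/24")  # permit ip 10.14.13.0 0.0.0.255 any
ZONE_PAIRS = {("IN-ZONE", "OUT-ZONE"): "IN-2-OUT-PMAP"}  # only this direction exists


class ZoneFirewall:
    """Simplified model (hypothetical names) of R3's zone-based policy."""

    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of inspected flows

    def forward(self, in_if, out_if, src, sport, dst, dport):
        """Return 'inspect', 'return-pass' or 'drop' for one packet."""
        src_zone, dst_zone = ZONE_OF_IF[in_if], ZONE_OF_IF[out_if]
        # Reply to a flow that inspection already recorded: allowed back.
        if (dst, dport, src, sport) in self.sessions:
            return "return-pass"
        # No zone-pair for this direction: inter-zone traffic is dropped.
        if (src_zone, dst_zone) not in ZONE_PAIRS:
            return "drop"
        # class-map IN-NET-CLASS-MAP: match access-group 101, action inspect.
        if ipaddress.ip_address(src) in ACL_101_SRC:
            self.sessions.add((src, sport, dst, dport))
            return "inspect"
        # Anything else lands in class-default, whose default action is drop.
        return "drop"


def demo():
    fw = ZoneFirewall()
    return [
        # PC-C opens PC-A's web page (the session shown in the output above).
        fw.forward("Fa0/0", "S0/0/1", "10.14.13.3", 1027, "10.14.11.3", 80),
        # PC-A's HTTP reply to that session.
        fw.forward("S0/0/1", "Fa0/0", "10.14.11.3", 80, "10.14.13.3", 1027),
        # PC-A tries to initiate a connection to PC-C.
        fw.forward("S0/0/1", "Fa0/0", "10.14.11.3", 1030, "10.14.13.3", 80),
        # Constructed source outside ACL 101 arriving on the inside interface.
        fw.forward("Fa0/0", "S0/0/1", "192.0.2.9", 1027, "10.14.11.3", 80),
    ]


if __name__ == "__main__":
    print(demo())
```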
Original: https://www.cnblogs.com/tyrr/p/10946766.html