4. Line 317, policy configuration:
policy from \
rule id 4 action permit disable
src-addr \车管所\
dst-addr \
service \
exit
rule id 1 action permit disable
src-addr \
dst-addr \车管所\
service \
exit
rule id 2 action permit
src-addr \
dst-addr \
service \
exit
That is, the machines in the "车管所" (Vehicle Management Office) address book may access the machines in the \ subnet (192.168.11.*), and vice versa; there is also an any-to-any rule.
The rule we have enabled here is the any-to-any one.
IV. Firewall configuration of the 风顺检测站 (Fengshun Inspection Station):
1. Line 86, address book configuration:
address \车管所\
reference-zone \
range 10.137.186.1 10.137.186.254
exit
address \
reference-zone \
ip 192.168.12.3/24
range 192.168.12.15 192.168.12.25
range 192.168.12.100 192.192.12.103
exit
address \
reference-zone \
range 10.137.186.1 10.137.186.254
range 10.137.185.1 10.137.185.254
range 10.136.46.17 10.136.46.50
exit
Three address books are configured here. The address of \车管所\ is "10.137.186.1 10.137.186.254"; \ has three entries: 192.168.12.3/24, 192.168.12.15 192.168.12.25, and 192.168.12.100 192.192.12.103;
\ has three entries: 10.137.186.1 10.137.186.254, 10.137.185.1 10.137.185.254, and 10.136.46.17 10.136.46.50.
However, the "车管所" address book is wholly contained in the "cgs" address book, so it is redundant; the "policy" screenshot shows that the "车管所" address is not actually enabled anywhere.
2. Line 305, interface configuration:
interface ethernet0/0
zone \
ip address 10.137.186.97 255.255.255.0
manage ssh
manage telnet
manage ping
manage snmp
manage http
manage https
exit
interface ethernet0/1
zone \
ip address 192.168.12.1 255.255.255.0
manage telnet
manage ssh
manage ping
manage http
manage https
manage snmp
exit
Interface ethernet0/0 is assigned the IP 10.137.186.97 255.255.255.0, and ethernet0/1 is assigned 192.168.12.1 255.255.255.0.
3. Line 328, virtual router configuration:
ip vrouter \
snatrule id 1 from \
ip route 10.137.186.0/24 192.168.201.1
ip route 10.136.46.0/24 10.137.186.249
ip route 10.137.185.0/24 10.137.186.249
exit
Here, "snatrule id 1 from \" is the configuration found under "Firewall" -- "NAT" -- "Source NAT". The lines
"ip route 10.137.186.0/24 192.168.201.1
ip route 10.136.46.0/24 10.137.186.249
ip route 10.137.185.0/24 10.137.186.249"
set the destination IP segments and the gateway each is forwarded to. The entry 10.137.185.0/24 10.137.186.249 is configured but probably serves no purpose, because this firewall's own IP is 10.137.186.97, which is in the same segment as the 支队车管所 (detachment Vehicle Management Office) IP, so it can be reached directly and no virtual-router route is needed. If this firewall's IP were not in the same segment as the 支队车管所 (for example 10.137.42.61, as at the 公安局 (Public Security Bureau)), a route such as "ip route 10.137.186.0/24 10.137.42.61" could be added here.
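As an added worked example (not code from these notes or from the firewall vendor), the following Python script applies the two checks the notes above make by hand: whether one address book is wholly contained in another (as "车管所" is in "cgs"), and whether a static route points at a subnet that a firewall interface already sits on, which the notes say needs no route. The values are transcribed from the configuration shown above; the zone names and the third address book's name, which did not survive extraction, are omitted.

```python
import ipaddress

# Constructed from the address-book, interface and route lines in the notes above.
ADDRESS_BOOKS = {
    "车管所": [("10.137.186.1", "10.137.186.254")],
    "cgs": [("10.137.186.1", "10.137.186.254"),
            ("10.137.185.1", "10.137.185.254"),
            ("10.136.46.17", "10.136.46.50")],
}
INTERFACES = {"ethernet0/0": "10.137.186.97/24",
              "ethernet0/1": "192.168.12.1/24"}
STATIC_ROUTES = [("10.137.186.0/24", "192.168.201.1"),
                 ("10.136.46.0/24", "10.137.186.249"),
                 ("10.137.185.0/24", "10.137.186.249")]


def _as_int_ranges(entries):
    """Turn (first, last) dotted-quad pairs into integer (lo, hi) pairs."""
    return [(int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)))
            for a, b in entries]


def covered(inner, outer):
    """True if every range in 'inner' lies within some single range of 'outer'."""
    outer_ranges = _as_int_ranges(outer)
    return all(any(lo_o <= lo and hi <= hi_o for lo_o, hi_o in outer_ranges)
               for lo, hi in _as_int_ranges(inner))


def redundant_address_books(books):
    """(name, container) pairs where 'name' is wholly contained in 'container'."""
    found = []
    for name, entries in books.items():
        for other, other_entries in books.items():
            if other != name and covered(entries, other_entries):
                found.append((name, other))
    return found


def directly_connected_routes(routes, interfaces):
    """Static routes whose destination is already on an interface's own subnet,
    so the firewall reaches it without the route (the notes' same-segment rule)."""
    nets = {ifname: ipaddress.ip_interface(addr).network
            for ifname, addr in interfaces.items()}
    hits = []
    for dest, gateway in routes:
        dest_net = ipaddress.ip_network(dest)
        for ifname, net in nets.items():
            if dest_net.subnet_of(net):
                hits.append((dest, gateway, ifname))
    return hits
```

Running both checks on the transcribed values reports "车管所" as contained in "cgs" and flags the 10.137.186.0/24 route as directly connected via ethernet0/0.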