Shulou(Shulou.com)06/01 Report--

OK, following yesterday's configuration, we need to publish the company's server for users on internet to access. The topology diagram is as follows:

In order to prevent the virus, we cannot let go of the policy between the untrust region and the dmz region:

[SRG] display firewall packet-filter default all

The status is deny.

Next, let's make some policies so that users on internet can access http, ping, and ftp on the server.

First, create a service set toserver:

[SRG] ip service-set toserver type object

Then put icmp, www (80), ftp (21) into the service set:

[SRG-object-service-set-toserver] service 0 protocol icmp

[SRG-object-service-set-toserver] service 1 protocol tcp destination-port 80

[SRG-object-service-set-toserver] service 2 protocol tcp destination-port 21

Then we start the strategy:

[SRG] policy interzone untrust dmz inbound

[SRG-policy-interzone-dmz-untrust-inbound] policy 10

[SRG-policy-interzone-dmz-untrust-inbound-10] policy service service-set toserver

[SRG-policy-interzone-dmz-untrust-inbound-10] policy destination 10.1.3.10 0

[SRG-policy-interzone-dmz-untrust-inbound-10] action permit

Then we configure the server:

Finally, let's verify:

1. Use the client9ping server address in the untrust area:

2. The function of accessing the server's http:

Since ftp has a dual-tunnel concept, the firewall turns off dual-tunnel by default, so we need to enable ftp dual-channel:

[SRG] firewall interzone untrust dmz

[SRG-interzone-dmz-untrust] detect ftp

Then verify the ftp:

If you do not enable dual-channel mode, you cannot access ftp, you can verify it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.