虚拟系统配置案例

安全策略要求：
1、只存在一个公网IP地址，公司内网所有部门都需要借用同一个接口访问外网
2、财务部禁止访问Internet，研发部门只有部分员工可以访问Internet，行政部门全部可以访问互联网
3、为三个部门的虚拟系统分配相同的资源类

基础配置

[FW1]vsys enable   ---开启虚拟系统
[FW1-resource-class-r1]resource-item-limit bandwidth 2 outbound
[FW1-resource-class-r1]resource-item-limit session reserved-number 500 maximum 1000
[FW1-resource-class-r1]resource-item-limit user reserved-number 100
[FW1-resource-class-r1]resource-item-limit policy reserved-number 200

[FW1]dis resource global-resource —查看剩余公共资源，根据剩余资源进行划分

[FW1]vsys name vsysa   ---创建虚拟系统，名称为vsysa
[FW1-vsys-vsysa]assign resource-class r1   ---设定使用的资源类
[FW1-vsys-vsysa]assign interface GigabitEthernet 1/0/1   ---将接口划入虚拟系统

[FW1]switch vsys vsysa   ---切换到vsysa系统中
<FW1-vsysa>sys
Enter system view, return user view with Ctrl+Z.
[FW1-vsysa]aaa
[FW1-vsysa-aaa]manager-user admin@@vsysa   ---创建vsysa虚拟系统管理员，@@为固定，前为用户名，后为虚拟系统名称
[FW1-vsysa-aaa-manager-user-admin@@vsysa]password   ---配置密码，需要输入两遍，密码没有回显Enter Password:Confirm Password:
[FW1-vsysa-aaa-manager-user-admin@@vsysa]level 15   ---设定权限	
[FW1-vsysa-aaa-manager-user-admin@@vsysa]service-type web telnet ssh   ----设定登录服务，一般选择ssh和web即可
Warning: The user access modes include Telnet or FTP, so security risks exist.
[FW1-vsysa-aaa-manager-user-admin@@vsysa]q	
[FW1-vsysa-aaa]bind manager-user admin@@vsysa role system-admin  ---定义admin@@vsysa用户为系统管理员

静态路由配置

nat策略配置
[FW1]security-policy
[FW1-policy-security]rule name to-internet
[FW1-policy-security-rule-to-internet]source-zone trust 	
[FW1-policy-security-rule-to-internet]destination-zone untrust 
[FW1-policy-security-rule-to-internet]action permit 
[FW1-policy-security-rule-to-internet]q
[FW1-policy-security]q
[FW1]nat-policy 
[FW1-policy-nat]rule name nat1
[FW1-policy-nat-rule-nat1]source-zone trust 
[FW1-policy-nat-rule-nat1]egress-interface GigabitEthernet 1/0/0
[FW1-policy-nat-rule-nat1]source-address 10.3.0.0 16
[FW1-policy-nat-rule-nat1]action source-nat easy-ip 

虚拟系统配置

[FW1]switch vsys vsysa
[FW1-vsysa]int g1/0/1
[FW1-vsysa-GigabitEthernet1/0/1]ip add 10.3.0.254 24
[FW1-vsysa-GigabitEthernet1/0/1]q
[FW1-vsysa]interface Virtual-if 1
[FW1-vsysa-Virtual-if1]ip add 172.16.1.1 24
[FW1-vsysa-Virtual-if1]q[FW1-vsysa]firewall zone trust 
[FW1-vsysa-zone-trust]add int g 1/0/1
[FW1-vsysa]firewall zone untrust 
[FW1-vsysa-zone-untrust]add int Virtual-if 1
[FW1-vsysa-zone-untrust]q
[FW1-vsysa]ip route-static 0.0.0.0 0 public 	
[FW1-vsysa]ip address-set ip_add01 type object
[FW1-vsysa-object-address-set-ip_add01]add range 10.3.0.1 10.3.0.10
[FW1-vsysa-object-address-set-ip_add01]q
[FW1-vsysa]security-policy 
[FW1-vsysa-policy-security]rule name to-internet
[FW1-vsysa-policy-security-rule-to_internet]source-zone trust 
[FW1-vsysa-policy-security-rule-to_internet]destination-zone untrust 
[FW1-vsysa-policy-security-rule-to_internet]source-address address-set ip_add01
[FW1-vsysa-policy-security-rule-to_internet]action permit 

[FW1-vsysb]int g 1/0/2
[FW1-vsysb-GigabitEthernet1/0/2]ip add 10.3.1.254 24
[FW1-vsysb]int Virtual-if 2
[FW1-vsysb-Virtual-if2]ip add 172.16.2.1 24
[FW1-vsysb-Virtual-if2]q
[FW1-vsysb]firewall zone trust 
[FW1-vsysb-zone-trust]add int g 1/0/2
[FW1-vsysb]firewall zone untrust 	
[FW1-vsysb-zone-untrust]add int Virtual-if 2
[FW1-vsysb]ip route-static 0.0.0.0 0 public 

[FW1-vsysc]int g 1/0/3
[FW1-vsysc-GigabitEthernet1/0/3]ip add 10.3.2.254 24
[FW1-vsysc]int Virtual-if 3
[FW1-vsysc-Virtual-if3]ip add 172.16.3.1 24
[FW1-vsysc]firewall zone trust 
[FW1-vsysc-zone-trust]add int g 1/0/3
[FW1-vsysc]firewall zone untrust 
[FW1-vsysc-zone-untrust]add int Virtual-if 3
[FW1-vsysc]ip route-static 0.0.0.0 0 public [FW1-vsysc]security-policy 
[FW1-vsysc-policy-security]rule name to-internet	
[FW1-vsysc-policy-security-rule-to-internet]source-zone trust 
[FW1-vsysc-policy-security-rule-to-internet]destination-zone untrust 
[FW1-vsysc-policy-security-rule-to-internet]source-address 10.3.2.0 24
[FW1-vsysc-policy-security-rule-to-internet]action permit 

测试