Contents
■ Firewall configuration
▲ Lab
Configuration requirements
① Configure the firewall interface IP addresses as shown in the topology and assign each interface to its security zone.
② Host PC1 on the internal network can initiate connections to the Internet, but the Internet cannot initiate connections to PC1.
③ The egress firewall performs NAT using the public address pool 100.1.1.10-100.1.1.20.
④ The Internet can reach the internal Web service at destination address 192.168.2.100/24 through the public address 100.1.1.100/24.
- Internet
<Huawei>system-view
[Huawei]sysname Internet
[Internet]interface GigabitEthernet 0/0/0
[Internet-GigabitEthernet0/0/0]ip add 100.1.1.2 24
[Internet-GigabitEthernet0/0/0]quit
[Internet]
- Firewall
<USG6000V1>system-view
[USG6000V1]sysname Firewall
[Firewall]
[Firewall]interface GigabitEthernet 1/0/1
[Firewall-GigabitEthernet1/0/1]ip address 192.168.1.254 24
[Firewall-GigabitEthernet1/0/1]quit
[Firewall]interface GigabitEthernet 1/0/2
[Firewall-GigabitEthernet1/0/2]ip address 192.168.2.254 24
[Firewall-GigabitEthernet1/0/2]quit
[Firewall] interface GigabitEthernet 1/0/3
[Firewall-GigabitEthernet1/0/3]ip address 100.1.1.1 24
[Firewall-GigabitEthernet1/0/3]quit
[Firewall]
[Firewall]firewall zone untrust
[Firewall-zone-untrust]add interface GigabitEthernet 1/0/3
[Firewall-zone-untrust]quit
[Firewall]
[Firewall]firewall zone trust
[Firewall-zone-trust]add interface GigabitEthernet 1/0/1
[Firewall-zone-trust]quit
[Firewall]firewall zone dmz
[Firewall-zone-dmz] add interface GigabitEthernet 1/0/2
[Firewall-zone-dmz]quit
[Firewall]
[Firewall]security-policy
[Firewall-policy-security]rule name trust_to_untrust
[Firewall-policy-security-rule-trust_to_untrust]source-zone trust
[Firewall-policy-security-rule-trust_to_untrust]destination-zone untrust
[Firewall-policy-security-rule-trust_to_untrust]source-address 192.168.1.0 24
[Firewall-policy-security-rule-trust_to_untrust]destination-address any
[Firewall-policy-security-rule-trust_to_untrust]action permit
[Firewall-policy-security-rule-trust_to_untrust]quit
[Firewall-policy-security]quit
[Firewall]
# Configure the NAT address pool and enable port translation (PAT).
[Firewall]nat address-group addressgroup1
[Firewall-address-group-addressgroup1]mode pat
[Firewall-address-group-addressgroup1]section 0 100.1.1.10 100.1.1.20
[Firewall-address-group-addressgroup1]quit
[Firewall]
# Configure source NAT policy 1 so that the specified private subnet is source-translated automatically when it accesses the Internet.
[Firewall]nat-policy
[Firewall-policy-nat]rule name policy_nat1
[Firewall-policy-nat-rule-policy_nat1]source-zone trust
[Firewall-policy-nat-rule-policy_nat1]destination-zone untrust
[Firewall-policy-nat-rule-policy_nat1]source-address 192.168.1.0 24
[Firewall-policy-nat-rule-policy_nat1]destination-address any
[Firewall-policy-nat-rule-policy_nat1]action source-nat address-group addressgroup1
[Firewall-policy-nat-rule-policy_nat1]quit
[Firewall-policy-nat]quit
[Firewall]security-policy
[Firewall-policy-security]rule name trust_to_dmz
[Firewall-policy-security-rule-trust_to_dmz]source-zone trust
[Firewall-policy-security-rule-trust_to_dmz]destination-zone dmz
[Firewall-policy-security-rule-trust_to_dmz]action permit
[Firewall-policy-security-rule-trust_to_dmz]quit
[Firewall-policy-security]quit
# Configure NAT Server to map the internal Web service to a public address.
[Firewall] nat server policy_web protocol tcp global 100.1.1.100 80 inside 192.168.2.100 80
[Firewall] display firewall session table
[Firewall]security-policy
[Firewall-policy-security]rule name untrust_to_dmz
[Firewall-policy-security-rule-untrust_to_dmz]source-zone untrust
[Firewall-policy-security-rule-untrust_to_dmz]destination-zone dmz
[Firewall-policy-security-rule-untrust_to_dmz]destination-address 192.168.2.100 32
[Firewall-policy-security-rule-untrust_to_dmz]action permit
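To check that the configuration above meets requirements ② to ④, here is an added Python model of how the USG walks a new flow through NAT Server, the security policy and source NAT (example code, not from the original post or Huawei; zones, rules and the pool are transcribed from the configuration, the probe addresses such as 192.168.1.10 and 8.8.8.8 are constructed). The ordering it encodes is the reason the untrust_to_dmz rule matches the inside address 192.168.2.100 rather than the public 100.1.1.100: destination translation happens before the policy lookup, source translation after it.

```python
import ipaddress

# Interface subnets and their zones, transcribed from the lab topology
ZONES = {
    "trust": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "untrust": ipaddress.ip_network("100.1.1.0/24"),
}
# nat server policy_web: global 100.1.1.100:80 -> inside 192.168.2.100:80
NAT_SERVER = {("100.1.1.100", 80): ("192.168.2.100", 80)}
# nat address-group addressgroup1, mode pat, section 0 100.1.1.10 100.1.1.20
POOL = [str(ipaddress.ip_address("100.1.1.10") + i) for i in range(11)]
# security-policy rules in configured order (name, src zone, dst zone, src, dst);
# a flow that matches no rule hits the firewall's default deny
SECURITY_POLICY = [
    ("trust_to_untrust", "trust", "untrust", "192.168.1.0/24", "0.0.0.0/0"),
    ("trust_to_dmz", "trust", "dmz", "0.0.0.0/0", "0.0.0.0/0"),
    ("untrust_to_dmz", "untrust", "dmz", "0.0.0.0/0", "192.168.2.100/32"),
]
# nat-policy policy_nat1: trust -> untrust, source 192.168.1.0/24 -> addressgroup1
NAT_POLICY = [("policy_nat1", "trust", "untrust", "192.168.1.0/24")]


def zone_of(ip):
    """Zone of the interface owning ip's subnet; any other address is
    reached via GE1/0/3, so it belongs to untrust."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "untrust")


def evaluate(src_ip, dst_ip, dst_port):
    """Walk one new flow through DNAT -> security policy -> SNAT."""
    # 1. nat server: destination translation runs before the policy lookup,
    #    so the policy sees 192.168.2.100 (zone dmz), not 100.1.1.100
    dst_ip, dst_port = NAT_SERVER.get((dst_ip, dst_port), (dst_ip, dst_port))
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    # 2. first matching security rule wins; no match means deny
    rule = next((r for r in SECURITY_POLICY
                 if (r[1], r[2]) == (src_zone, dst_zone)
                 and src in ipaddress.ip_network(r[3])
                 and dst in ipaddress.ip_network(r[4])), None)
    if rule is None:
        return {"action": "deny", "rule": None}
    # 3. source NAT is matched on the original source, after the permit
    snat = any((n[1], n[2]) == (src_zone, dst_zone) and src in ipaddress.ip_network(n[3])
               for n in NAT_POLICY)
    # PAT: pick a pool address; keyed on the host so the model is deterministic
    new_src = POOL[int(src) % len(POOL)] if snat else src_ip
    return {"action": "permit", "rule": rule[0],
            "src": new_src, "dst": f"{dst_ip}:{dst_port}"}
```

Running the four probes (PC1 out, Internet to PC1, Internet to the mapped port 80, Internet to an unmapped port) reproduces requirements ② to ④: only PC1's outbound flow is source-translated and only the published Web port is reachable from untrust.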
That concludes this article.