I don't know how many friends managed to leave the single life tonight; congratulations first to those who did ^_^.
Earlier posts covered NAT, firewalls and router-on-a-stick. Today's post combines the three without making it too complicated: a switch with VLANs, a firewall with zone policies, plus NAT address translation.
As shown in the figure above, the layer-3 switch S5700 connects to the firewall USG5500 so that the user PCs PC1 and PC2 can reach the Internet. Because the switch is a layer-3 switch, it can forward traffic between subnets.
Configuration approach:
1. The switch acts as the users' gateway and performs layer-3 forwarding. It also acts as the DHCP server that assigns IP addresses to the users.
2. The firewall performs NAT so that the users can reach the external network.
Switch configuration:
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname Switch
[Switch]vlan batch 10 20
[Switch]int g0/0/2 //port connected to PC1
[Switch-GigabitEthernet0/0/2]port link-type access
[Switch-GigabitEthernet0/0/2]port default vlan 10
[Switch-GigabitEthernet0/0/2]quit
[Switch]int gigabitethernet0/0/3 //port connected to PC2
[Switch-GigabitEthernet0/0/3]port link-type access
[Switch-GigabitEthernet0/0/3]port default vlan 20
[Switch-GigabitEthernet0/0/3]quit
[Switch]int vlanif 10
[Switch-Vlanif10]ip address 192.168.10.1 24 //gateway for PC1
[Switch-Vlanif10]quit
[Switch]int Vlanif 20
[Switch-Vlanif20]ip address 192.168.20.1 24 //gateway for PC2
[Switch-Vlanif20]quit
[Switch]vlan batch 100
[Switch]int g0/0/1 //configure the interface facing the firewall and its VLANIF interface
[Switch-GigabitEthernet0/0/1]port link-type access
[Switch-GigabitEthernet0/0/1]port default vlan 100
[Switch-GigabitEthernet0/0/1]quit
[Switch]int vlanif 100
[Switch-Vlanif100]ip address 192.168.100.2 24
[Switch-Vlanif100]quit
[Switch]ip route-static 0.0.0.0 0.0.0.0 192.168.100.1 //default route
[Switch]dhcp enable
[Switch]int vlanif 10
[Switch-Vlanif10]dhcp select int //enable DHCP service on this interface
[Switch-Vlanif10]dhcp server dns-list 218.85.157.99 218.85.152.99 //primary and secondary DNS servers handed out automatically
[Switch-Vlanif10]quit
[Switch]int vlanif 20
[Switch-Vlanif20]dhcp select int
[Switch-Vlanif20]dhcp server dns-list 218.85.157.99 218.85.152.99
[Switch-Vlanif20]quit
Firewall USG configuration:
[SRG]sysname USG
[USG]interface g0/0/1
[USG-GigabitEthernet0/0/1]ip address 192.168.100.1 255.255.255.0 //IP address of the interface facing the switch
[USG-GigabitEthernet0/0/1]quit
[USG]interface g0/0/2
[USG-GigabitEthernet0/0/2]ip address 200.0.0.2 255.255.255.0 //IP address of the interface facing the public network
[USG-GigabitEthernet0/0/2]quit
[USG]ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //default route
[USG]ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 //return route to the internal subnets
[USG]firewall zone trust //create the Trust zone and enable its interzone policy
[USG-zone-trust]add interface g0/0/1 //add the firewall's G0/0/1 to the Trust zone
[USG-zone-trust]quit
[USG]firewall zone untrust //create the Untrust zone and enable its interzone policy
[USG-zone-untrust]add interface g0/0/2 //add the firewall's G0/0/2 to the Untrust zone
[USG-zone-untrust]quit
[USG]firewall packet-filter default permit all //set the default interzone policy to permit for all zones
Warning:Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue?[Y/N]y
[USG]nat address-group 1 200.0.0.2 200.0.0.2 //NAT address pool
[USG]nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound]policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.255.255 //NAT applies to internal addresses in the 192.168.0.0 range
[USG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1
[USG-nat-policy-interzone-trust-untrust-outbound-1]quit
[USG-nat-policy-interzone-trust-untrust-outbound]quit
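The USG itself warns that "default permit all" is risky, and the other two things that silently break this design are a return route or a NAT source range that does not cover the user VLANs. The following is an added example (not part of the original post or of Huawei's tooling) that reads the pasted USG lines, strips the CLI prompts, and reports those three conditions; the config text and the VLAN list are constructed from this post.

```python
import ipaddress
import re

# Constructed sample: the route, packet-filter and NAT lines from this post, with CLI prompts.
USG_CONFIG = """\
[USG]ip route-static 0.0.0.0 0.0.0.0 200.0.0.1 //default route
[USG]ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 //return route
[USG]firewall packet-filter default permit all
[USG]nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound]policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.255.255
[USG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
"""
# Subnets the switch hands out over DHCP (VLAN 10 and VLAN 20 in the post).
USER_VLANS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "192.168.20.0/24")]

PROMPT = re.compile(r"^\[[^\]]*\]")  # the "[USG-...]" prompt at the start of a line
ROUTE = re.compile(r"^ip route-static (\S+) (\S+) (\S+)$")  # net netmask next-hop
NAT_SRC = re.compile(r"^policy source (\S+) (\S+)$")  # net wildcard-mask (hostmask)


def commands(config):
    """Yield each command with its prompt and trailing // comment stripped."""
    for line in config.splitlines():
        cmd = PROMPT.sub("", line).split("//")[0].strip()
        if cmd:
            yield cmd


def audit(config, user_vlans):
    """Return a list of findings; an empty list means all checks passed."""
    findings, routes, nat_sources = [], [], []
    for cmd in commands(config):
        if cmd == "firewall packet-filter default permit all":
            findings.append("default packet-filter is permit: all interzone traffic "
                            "is allowed; set it to deny and add an explicit policy")
        elif m := ROUTE.match(cmd):  # ipaddress accepts a dotted netmask after "/"
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := NAT_SRC.match(cmd):  # ...and a dotted wildcard (hostmask) as well
            nat_sources.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    for vlan in user_vlans:
        # the return route must be more specific than the default route (prefix > 0)
        if not any(r.prefixlen > 0 and vlan.subnet_of(r) for r in routes):
            findings.append(f"no return route on the USG covers {vlan}")
        if not any(vlan.subnet_of(s) for s in nat_sources):
            findings.append(f"{vlan} is not matched by any source-NAT policy")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(USG_CONFIG, USER_VLANS)) or "no findings")
```

Run against the post's configuration it reports only the default-permit finding; change the return route to a single /24 and it also reports the VLAN that lost its path back from the firewall.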
Test results
PC1 and PC2 successfully obtain IP and DNS addresses for their VLANs via DHCP.
PC1 and PC2 successfully ping the public-network PC.