Internal network:
Add GigabitEthernet 0/0/1 to the Trust zone:
[USG5300] firewall zone trust
[USG5300-zone-trust] add interface GigabitEthernet 0/0/1
[USG5300-zone-trust] quit
External network:
Add GigabitEthernet 0/0/2 to the Untrust zone:
[USG5300] firewall zone untrust
[USG5300-zone-untrust] add interface GigabitEthernet 0/0/2
[USG5300-zone-untrust] quit
DMZ:
Add GigabitEthernet 0/0/3 to the DMZ zone:
[USG5300] firewall zone dmz
[USG5300-zone-dmz] add interface GigabitEthernet 0/0/3
[USG5300-zone-dmz] quit
1.4.1 Between the Trust and Untrust zones: allow internal users to access the Internet
policy 1: permit packets whose source address is in the 10.10.10.0/24 network
[USG5300] policy interzone trust untrust outbound
[USG5300-policy-interzone-trust-untrust-outbound] policy 1
[USG5300-policy-interzone-trust-untrust-outbound-1] policy source 10.10.10.0 0.0.0.255
[USG5300-policy-interzone-trust-untrust-outbound-1] action permit
[USG5300-policy-interzone-trust-untrust-outbound-1] quit
To allow every internal address to reach the Internet instead, use the following command:
[USG2100] firewall packet-filter default permit interzone trust untrust direction outbound //required
This changes the interzone default action, so every Trust-to-Untrust flow that matches no explicit policy is permitted; where egress control matters, keep the default at deny and add explicit policies such as policy 1 above instead.
1.4.2 Between the DMZ and Untrust zones: access internal servers from the Internet
policy 2: permit packets with destination address 10.10.11.2 and destination port 21
policy 3: permit packets with destination address 10.10.11.3 and destination port 8080
[USG5300] policy interzone untrust dmz inbound
[USG5300-policy-interzone-dmz-untrust-inbound] policy 2
[USG5300-policy-interzone-dmz-untrust-inbound-2] policy destination 10.10.11.3 0
[USG5300-policy-interzone-dmz-untrust-inbound-2] policy service service-set ftp
[USG5300-policy-interzone-dmz-untrust-inbound-2] action permit
[USG5300-policy-interzone-dmz-untrust-inbound-2] quit
[USG5300-policy-interzone-dmz-untrust-inbound] policy 3
[USG5300-policy-interzone-dmz-untrust-inbound-3] policy destination 10.10.11.2 0
[USG5300-policy-interzone-dmz-untrust-inbound-3] policy service service-set http
[USG5300-policy-interzone-dmz-untrust-inbound-3] action permit
[USG5300-policy-interzone-dmz-untrust-inbound-3] quit
[USG5300-policy-interzone-dmz-untrust-inbound] quit
Configure the internal servers (NAT server mappings):
[USG5300] nat server protocol tcp global 220.10.10.16 8080 inside 10.10.11.2 www
[USG5300] nat server protocol tcp global 220.10.10.17 ftp inside 10.10.11.3 ftp

NAT
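A consistency check over the DMZ inbound policies and nat server mappings above, written as an added example in Python (not part of these notes): it parses the policy and nat server lines and reports any published mapping that no permit policy covers. It assumes, as the configuration above does, that destination NAT is applied before the security policy is matched (so the policy must match the inside address and inside service, e.g. the 8080 -> www mapping needs an http permit), and the www-to-http alias table is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample: the page's DMZ inbound policies and nat server mappings, prompts removed.
SAMPLE_CONFIG = """
policy interzone untrust dmz inbound
 policy 2
  policy destination 10.10.11.3 0
  policy service service-set ftp
  action permit
 policy 3
  policy destination 10.10.11.2 0
  policy service service-set http
  action permit
nat server protocol tcp global 220.10.10.16 8080 inside 10.10.11.2 www
nat server protocol tcp global 220.10.10.17 ftp inside 10.10.11.3 ftp
"""

# 'nat server' takes port keywords, policies take service-set names (assumed mapping).
SERVICE_ALIASES = {"www": "http", "80": "http", "21": "ftp"}

def wildcard_to_network(addr, wildcard):
    """VRP 'address wildcard' notation to a network; a wildcard of 0 means a single host."""
    wildcard = "0.0.0.0" if wildcard == "0" else wildcard
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_config(text):
    """Collect security policies (destination, service, action) and nat server mappings."""
    policies, servers, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"policy (\d+)", line):
            current = {"id": int(m[1]), "dst": None, "service": None, "action": None}
            policies.append(current)
        elif m := re.fullmatch(r"policy destination (\S+) (\S+)", line):
            current["dst"] = wildcard_to_network(m[1], m[2])
        elif m := re.fullmatch(r"policy service service-set (\S+)", line):
            current["service"] = m[1]
        elif m := re.fullmatch(r"action (\w+)", line):
            current["action"] = m[1]
        elif m := re.fullmatch(r"nat server protocol \w+ global (\S+) (\S+) inside (\S+) (\S+)", line):
            servers.append({"global": f"{m[1]}:{m[2]}", "inside": ipaddress.IPv4Address(m[3]),
                            "service": SERVICE_ALIASES.get(m[4], m[4])})
    return policies, servers

def unpermitted_servers(policies, servers):
    """Published mappings that no permit policy covers on the post-NAT address and service."""
    return [s["global"] for s in servers
            if not any(p["action"] == "permit" and p["dst"] is not None and s["inside"] in p["dst"]
                       and p["service"] == s["service"] for p in policies)]
```

Run `unpermitted_servers(*parse_config(SAMPLE_CONFIG))`: an empty list means every nat server mapping on the page has a matching inbound permit, while a mapping whose service-set was changed or whose policy was removed shows up by its global address and port.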
2. Using the public-network interface address (Easy IP)
Create a NAT policy between the Trust and Untrust zones, set the source address range to be translated to the 192.168.1.0/24 network, and bind the policy to the external interface GigabitEthernet 0/0/4.
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 0
[USG-nat-policy-interzone-trust-untrust-outbound-0] policy source 192.168.1.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-0] easy-ip GigabitEthernet 0/0/4
[USG-nat-policy-interzone-trust-untrust-outbound-0] quit
3. Enabling NAT directly on the interface
If the NAT is for internal users accessing the Internet, the command must be used on the internal interface:
[USG-GigabitEthernet0/0/0] nat enable