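As shown in Figure 1, an enterprise has deployed DeviceA as a security gateway at its network border and has purchased broadband Internet service from a carrier, so that the internal network can access the Internet.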
- Configure an IP address on each interface and add the interfaces to the corresponding security zones.
<HUAWEI> system-view
[HUAWEI] sysname DeviceA
[DeviceA] interface 10ge 0/0/1
[DeviceA-10GE0/0/1] ip address 1.1.1.1 255.255.255.0
[DeviceA-10GE0/0/1] quit
[DeviceA] interface 10ge 0/0/2
[DeviceA-10GE0/0/2] ip address 10.3.0.1 255.255.255.0
[DeviceA-10GE0/0/2] quit
[DeviceA] firewall zone untrust
[DeviceA-zone-untrust] add interface 10ge 0/0/1
[DeviceA-zone-untrust] quit
[DeviceA] firewall zone trust
[DeviceA-zone-trust] add interface 10ge 0/0/2
[DeviceA-zone-trust] quit
- Configure a security policy that allows PCs on the internal network to access the Internet.
[DeviceA] security-policy
[DeviceA-policy-security] rule name policy_sec_1
[DeviceA-policy-security-rule-policy_sec_1] source-address 10.3.0.0 mask 255.255.255.0
[DeviceA-policy-security-rule-policy_sec_1] source-zone trust
[DeviceA-policy-security-rule-policy_sec_1] destination-zone untrust
[DeviceA-policy-security-rule-policy_sec_1] action permit
[DeviceA-policy-security-rule-policy_sec_1] quit
[DeviceA-policy-security] quit
- Configure a NAT policy that performs source address translation when PCs on the internal network access the Internet.
[DeviceA] nat-policy
[DeviceA-policy-nat] rule name policy_nat_1
[DeviceA-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.0
[DeviceA-policy-nat-rule-policy_nat_1] source-zone trust
[DeviceA-policy-nat-rule-policy_nat_1] action source-nat easy-ip
[DeviceA-policy-nat-rule-policy_nat_1] quit
[DeviceA-policy-nat] quit
- Configure a default route with the next-hop address 1.1.1.254.
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
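The four steps above only work together if their addresses agree. The following Python check is an added example, not part of the original procedure or any vendor tool: it verifies that the security policy stays within the trust subnet, that the NAT rule translates only permitted sources, and that the default-route next hop is on the untrust interface subnet. The names `parse` and `audit` are hypothetical, and the parser understands only the commands used on this page.

```python
import ipaddress

# Relevant commands from the steps above, prompts stripped (transcribed for this example).
CONFIG = """\
interface 10ge 0/0/1
ip address 1.1.1.1 255.255.255.0
interface 10ge 0/0/2
ip address 10.3.0.1 255.255.255.0
firewall zone untrust
add interface 10ge 0/0/1
firewall zone trust
add interface 10ge 0/0/2
security-policy
source-address 10.3.0.0 mask 255.255.255.0
nat-policy
source-address 10.3.0.0 mask 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
"""

def parse(text):
    """Collect per-zone interface subnets, policy source ranges and the default next hop."""
    ifnet, zone, src, nexthop, ctx = {}, {}, {}, None, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "interface" or w[:2] == ["firewall", "zone"] or w[0].endswith("-policy"):
            ctx = w  # remember which view the following lines belong to
        elif w[:2] == ["ip", "address"]:
            ifnet[" ".join(ctx[1:])] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:2] == ["add", "interface"]:
            zone[ctx[2]] = ifnet[" ".join(w[2:])]
        elif w[0] == "source-address":
            src[ctx[0]] = ipaddress.ip_network(f"{w[1]}/{w[3]}")
        elif w[:2] == ["ip", "route-static"] and w[2:4] == ["0.0.0.0", "0.0.0.0"]:
            nexthop = ipaddress.ip_address(w[4])
    return zone, src, nexthop

def audit(text):
    """Return findings; an empty list means the four steps are mutually consistent."""
    zone, src, nexthop = parse(text)
    sec, nat, findings = src["security-policy"], src["nat-policy"], []
    if not sec.subnet_of(zone["trust"]):
        findings.append("security policy permits sources outside the trust subnet")
    if not nat.subnet_of(sec):
        findings.append("NAT rule translates sources the security policy does not permit")
    if nexthop not in zone["untrust"]:
        findings.append("default-route next hop is not on the untrust interface subnet")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "consistent")
```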