Firewall Easy-IP hands-on configuration, with an extremely detailed walkthrough of every configuration step (type it out a few times Q^Q to quickly deepen your understanding)
Last time we explained the principles and applications of firewall Easy-IP; now let's configure it hands-on. Without further ado, let's begin.
After reading, remember to type the commands a few times to get familiar with the configuration. The comments in the code contain detailed explanations.
This lab covers the firewall's basic command configuration and the Easy-IP configuration method; later posts will continue with more advanced firewall configuration paths. If you like it, please follow. Previous post: 11–华为防火墙Easy-IP实现原理与配置全解:从“翻译官“到“流量导演“的奇幻之旅(包你看一遍全记住)
Topology diagram explained
We can see how the firewall's security zones are divided and how IP addresses are allocated in each zone.
Here we show the firewall's interface assignments; for how they are implemented, see the earlier posts in this column.
[FW]dis ip interface brief
2025-03-24 07:12:10.160
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 5
The number of interface that is DOWN in Physical is 5
The number of interface that is UP in Protocol is 5
The number of interface that is DOWN in Protocol is 5
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.0.122/24 down down
GigabitEthernet1/0/0 10.1.1.10/24 up up
GigabitEthernet1/0/1 unassigned down down
GigabitEthernet1/0/2 10.1.2.10/24 up up
GigabitEthernet1/0/3 202.100.1.10/24 up up
GigabitEthernet1/0/4 unassigned down down
GigabitEthernet1/0/5 unassigned down down
GigabitEthernet1/0/6 unassigned down down
NULL0 unassigned up up(s)
Virtual-if0 unassigned up up(s)
Security zone division
The firewall's four default security zones; for the specific division criteria, see our previous post: 11–华为防火墙Easy-IP实现原理与配置全解:从“翻译官“到“流量导演“的奇幻之旅(包你看一遍全记住)
[FW]display zone
2025-03-24 07:14:31.530
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (1):
GigabitEthernet0/0/0
#
untrust
priority is 5
interface of the zone is (0):
#
dmz
priority is 50
interface of the zone is (0):
#
Hands-on configuration
[FW]firewall zone trust # the zone you want to assign interfaces to follows "firewall zone"
[FW-zone-trust]add in
[FW-zone-trust]add interface g
[FW-zone-trust]add interface GigabitEthernet 1/0/0
[FW-zone-trust]ds
Mar 24 2025 07:16:48 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 6, the change loop count is 0, and the maximum number of records is 4095.
[FW-zone-trust]dis th
2025-03-24 07:16:52.080
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
return
[FW-zone-trust]
[FW]firewall zone dmz
[FW-zone-dmz]add
[FW-zone-dmz]add in
[FW-zone-dmz]add interface g1/0/2
[FW-zone-dmz]dis th
2025-03-24 07:18:44.240
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
return
[FW]firewall zone untr
[FW]firewall zone untrust
[FW-zone-untrust]add inter
[FW-zone-untrust]add interface g
[FW-zone-untrust]add interface GigabitEthernet 1/0/3
[FW-zone-untrust]add inter
[FW-zone-untrust]add interface
Mar 24 2025 07:19:28 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 8, the change loop count is 0, and the maximum number of records is 4095.
[FW-zone-untrust]dis th
2025-03-24 07:19:32.890
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
#
return
[FW]display zone
2025-03-24 07:20:17.250
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/0
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/3
#
dmz
priority is 50
interface of the zone is (1):
GigabitEthernet1/0/2
#
Basic router configuration
Here we set the IP addresses of R1, R2 and R3 uniformly to .1, and the corresponding firewall interface addresses uniformly to .10, making sure each router and its firewall interface are in the same subnet.
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ip add 10.1.1.1 24
Mar 24 2025 15:21:42-08:00 R1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[R1-GigabitEthernet0/0/0]q
[R1]ip rou
[R1]ip route-
[R1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.10
#This command configures a static default route on the Huawei router (R1). Explanation:
Command structure:
ip route-static 0.0.0.0 0.0.0.0 10.1.1.10
0.0.0.0 0.0.0.0:
Denotes the default route (destination network and mask are both 0.0.0.0, i.e. 0.0.0.0/0).
When the router has no more specific route matching a packet's destination, it forwards the traffic using this route.
10.1.1.10:
Is the next-hop address, i.e. the router sends traffic matching the default route to this IP address.
This address is normally the interface IP of an adjacent router (such as an ISP gateway or core router); here it is the firewall's G1/0/0 address.
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip add 202.100.1.1 24
Mar 24 2025 15:26:37-08:00 R2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[R2-GigabitEthernet0/0/0]q
[R2]ip rou
[R2]ip route-
[R2]ip route-static 0.0.0.0 0.0.0.0 202.100.1.10
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip add 10.1.2.1 24
Mar 24 2025 15:29:12-08:00 R3 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[R3-GigabitEthernet0/0/0]q
[R3]ip route-static 0.0.0.0 0.0.0.0 10.1.2.10 # the next hop must be the firewall's G1/0/2 address 10.1.2.10, in R3's own subnet; a next hop of 10.2.1.10 is not reachable and the default route would never become active
Firewall security policy configuration
Now the basic configuration is in place, but we still cannot ping through. Take R3 as an example:
[R3]ping 202.100.1.10
PING 202.100.1.10: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 202.100.1.10 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
This is because we are missing the firewall's security policy configuration.
[FW]security-policy
[FW-policy-security]rule name local->trust # the name follows "rule name" and can be chosen freely
[FW-policy-security-rule-local->trust]sou
[FW-policy-security-rule-local->trust]source-z
[FW-policy-security-rule-local->trust]source-zone local
[FW-policy-security-rule-local->trust]source-zone local
Mar 24 2025 07:37:29 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 9, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->trust]source-zone loc
[FW-policy-security-rule-local->trust]source-zone local
[FW-policy-security-rule-local->trust]des
[FW-policy-security-rule-local->trust]destination-zone
Mar 24 2025 07:37:39 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 10, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->trust]destination-zone tr
[FW-policy-security-rule-local->trust]destination-zone trust
[FW-policy-security-rule-local->trust]
Mar 24 2025 07:37:49 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 11, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->trust]des
[FW-policy-security-rule-local->trust]destination-a
[FW-policy-security-rule-local->trust]destination-address 10.1.1.0 24
Here the source address can be left out, but we must make sure the destination address is the 10.1.1.0 24 subnet.
[FW-policy-security-rule-local->trust]
Mar 24 2025 07:38:19 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 12, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->trust]ac
[FW-policy-security-rule-local->trust]action p
[FW-policy-security-rule-local->trust]action permit
[FW-policy-security-rule-local->trust]dsi
Mar 24 2025 07:38:49 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 13, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->trust]dis th
2025-03-24 07:38:53.010
#
rule name local->trust
source-zone local
destination-zone trust
destination-address 10.1.1.0 mask 255.255.255.0
action permit
#
return
With that in place, we can now ping through.
[FW-policy-security-rule-local->trust]ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=89 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=11 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=11 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=14 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/27/89 ms
Using this as the template, we do the following configuration.
[FW-policy-security]rule name local->dmz
[FW-policy-security-rule-local->dmz]
Mar 24 2025 07:44:29 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 14, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->dmz]des
[FW-policy-security-rule-local->dmz]destination-zone dmz
[FW-policy-security-rule-local->dmz]so
[FW-policy-security-rule-local->dmz]source-
Mar 24 2025 07:44:39 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 15, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->dmz]source-z
[FW-policy-security-rule-local->dmz]source-zone lo
[FW-policy-security-rule-local->dmz]source-zone local
[FW-policy-security-rule-local->dmz]de
[FW-policy-security-rule-local->dmz]destination-zone a
[FW-policy-security-rule-local->dmz]destination-zone
Mar 24 2025 07:44:49 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 16, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->dmz]destination-add
[FW-policy-security-rule-local->dmz]destination-address 10.1.2.0 24
[FW-policy-security-rule-local->dmz]actio
[FW-policy-security-rule-local->dmz]action p
[FW-policy-security-rule-local->dmz]action permit
[FW-policy-security-rule-local->dmz]dis th
2025-03-24 07:45:06.200
#
rule name local->dmz
source-zone local
destination-zone dmz
destination-address 10.1.2.0 mask 255.255.255.0
action permit
#
return
[FW-policy-security-rule-local->dmz]
Mar 24 2025 07:45:09 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 18, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security]rule name local->untrust
[FW-policy-security-rule-local->untrust]des
[FW-policy-security-rule-local->untrust]destination-zone
Mar 24 2025 07:46:29 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 19, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->untrust]destination-zone un
[FW-policy-security-rule-local->untrust]destination-zone untrust
[FW-policy-security-rule-local->untrust]sou
[FW-policy-security-rule-local->untrust]source-zon
[FW-policy-security-rule-local->untrust]source-zone loca
[FW-policy-security-rule-local->untrust]source-zone local
[FW-policy-security-rule-local->untrust]des
Mar 24 2025 07:46:39 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 21, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->untrust]des
[FW-policy-security-rule-local->untrust]destination-add
[FW-policy-security-rule-local->untrust]destination-address 202.100.1.0 24
[FW-policy-security-rule-local->untrust]
Mar 24 2025 07:46:49 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 22, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->untrust]action p
[FW-policy-security-rule-local->untrust]action permit
[FW-policy-security-rule-local->untrust]dis th
2025-03-24 07:46:55.750
#
rule name local->untrust
source-zone local
destination-zone untrust
destination-address 202.100.1.0 mask 255.255.255.0
action permit
#
return
[FW-policy-security-rule-local->untrust]
Mar 24 2025 07:46:59 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 23, the change loop count is 0, and the maximum number of records is 4095.
Now some readers will ask: isn't this too cumbersome?
Don't worry, watch us merge the three rules into one.
[FW-policy-security-rule-local->all]de
Mar 24 2025 07:48:59 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 24, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->all]sou
[FW-policy-security-rule-local->all]source-z
[FW-policy-security-rule-local->all]source-zone local
[FW-policy-security-rule-local->all]des
[FW-policy-security-rule-local->all]destination-zone dmz
Mar 24 2025 07:49:09 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 25, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->all]destination-zone dmz trust un
[FW-policy-security-rule-local->all]destination-zone dmz trust untrust
[FW-policy-security-rule-local->all]soure
[FW-policy-security-rule-local->all]des
Mar 24 2025 07:49:19 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 26, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->all]des
[FW-policy-security-rule-local->all]destination-ad
[FW-policy-security-rule-local->all]souc
[FW-policy-security-rule-local->all]sou
[FW-policy-security-rule-local->all]source-zon
[FW-policy-security-rule-local->all]source-zone local
[FW-policy-security-rule-local->all]de
Mar 24 2025 07:49:39 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 27, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->all]destina
[FW-policy-security-rule-local->all]destination-add
[FW-policy-security-rule-local->all]destination-address 10.1.1.0 24
[FW-policy-security-rule-local->all]destination-address 10.1.2.0 24
[FW-policy-security-rule-local->all]destination-address 10.1.2.0 24
Mar 24 2025 07:49:59 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 29, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->all]destination-address 202.100.1.0 24
[FW-policy-security-rule-local->all]
Mar 24 2025 07:50:09 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 30, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->all]action p
[FW-policy-security-rule-local->all]action permit
[FW-policy-security-rule-local->all]dis th
2025-03-24 07:50:18.140
#
rule name local->all
source-zone local
destination-zone dmz
destination-zone trust
destination-zone untrust
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.2.0 mask 255.255.255.0
destination-address 202.100.1.0 mask 255.255.255.0
action permit
#
return
[FW-policy-security-rule-local->all]
Mar 24 2025 07:50:19 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 31, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-local->all]
Easy-IP translation
Now we want R1 to reach R2, translating R1's IP address into the public IP on the firewall; for the underlying principle, see our earlier post.
Define the traffic-permit security policy between the zones
[FW]security-policy
[FW-policy-security]rule name trust->untrust
[FW-policy-security-rule-trust->untrust]sou
[FW-policy-security-rule-trust->untrust]source-zon
[FW-policy-security-rule-trust->untrust]source-zone
Mar 24 2025 07:59:49 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 32, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-trust->untrust]source-zone tru
[FW-policy-security-rule-trust->untrust]source-zone trust
[FW-policy-security-rule-trust->untrust]des
[FW-policy-security-rule-trust->untrust]destination-zone un
[FW-policy-security-rule-trust->untrust]destination-zone untrust
[FW-policy-security-rule-trust->untrust]sou
[FW-policy-security-rule-trust->untrust]source-ad
Mar 24 2025 07:59:59 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 34, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-trust->untrust]source-add
[FW-policy-security-rule-trust->untrust]source-address 10.1
^
Error: Wrong parameter found at '^' position.
[FW-policy-security-rule-trust->untrust]source-address 10.1.1.0 24
[FW-policy-security-rule-trust->untrust]dest
[FW-policy-security-rule-trust->untrust]destination-add
[FW-policy-security-rule-trust->untrust]destination-address
Mar 24 2025 08:00:29 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 35, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-trust->untrust]destination-address 202.100.1.0 24
[FW-policy-security-rule-trust->untrust]
Mar 24 2025 08:00:39 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 36, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-trust->untrust]action p
[FW-policy-security-rule-trust->untrust]action permit
[FW-policy-security-rule-trust->untrust]
Mar 24 2025 08:00:49 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 37, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-security-rule-trust->untrust]dis th
2025-03-24 08:01:06.110
#
rule name trust->untrust
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
destination-address 202.100.1.0 mask 255.255.255.0
action permit
#
return
Here we find that R1 can reach R2 successfully.
Looking at the firewall's session table, we see the expected result.
[FW]display firewall session table
2025-03-24 08:05:11.970
Current Total Sessions : 1
icmp VPN: public --> public 10.1.1.1:52907 --> 202.100.1.1:2048
Here our source address has not been translated, which leaves an exposure risk.
Defining the nat-policy
[FW]nat-policy
[FW-policy-nat]dis th
2025-03-24 08:07:49.780
#
nat-policy
#
return
[FW-policy-nat]rule name trust->untrust-easyip
[FW-policy-nat-rule-trust->untrust-easyip]soure
Mar 24 2025 08:08:19 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 38, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-nat-rule-trust->untrust-easyip]source-zone trust
[FW-policy-nat-rule-trust->untrust-easyip]destination-zone untrust
[FW-policy-nat-rule-trust->untrust-easyip]
Mar 24 2025 08:08:59 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 40, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-nat-rule-trust->untrust-easyip]sour
[FW-policy-nat-rule-trust->untrust-easyip]source-add
[FW-policy-nat-rule-trust->untrust-easyip]source-address 10.1.1.0 24
[FW-policy-nat-rule-trust->untrust-easyip]
Mar 24 2025 08:09:19 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 41, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-nat-rule-trust->untrust-easyip]destina
[FW-policy-nat-rule-trust->untrust-easyip]destination-add
[FW-policy-nat-rule-trust->untrust-easyip]destination-address 202.100.1
^
Error: Wrong parameter found at '^' position.
[FW-policy-nat-rule-trust->untrust-easyip]destination-address 202.100.1.0 24
[FW-policy-nat-rule-trust->untrust-easyip]
Mar 24 2025 08:09:39 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 42, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-nat-rule-trust->untrust-easyip]actio
[FW-policy-nat-rule-trust->untrust-easyip]action sou
[FW-policy-nat-rule-trust->untrust-easyip]action source-nat es
[FW-policy-nat-rule-trust->untrust-easyip]action source-nat ea
The next step configures source-nat translation directly, using the Easy-IP form.
[FW-policy-nat-rule-trust->untrust-easyip]action source-nat easy-ip
[FW-policy-nat-rule-trust->untrust-easyip]dsi th
^
Error: Unrecognized command found at '^' position.
[FW-policy-nat-rule-trust->untrust-easyip]d
Mar 24 2025 08:10:19 FW DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 43, the change loop count is 0, and the maximum number of records is 4095.
[FW-policy-nat-rule-trust->untrust-easyip]dis th
2025-03-24 08:10:23.720
#
rule name trust->untrust-easyip
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
destination-address 202.100.1.0 mask 255.255.255.0
action source-nat easy-ip
#
return
Let R1 ping R2 again.
Check our session table; the result is as follows.
The address in the brackets in the middle is the translated address; it matches the firewall's interface address but uses a different port.
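As an added illustration (not from the original post or from Huawei's software), the following Python model applies this lab's zones, security-policy rules and the Easy-IP nat-policy to a single flow and builds the session-table line in the format shown above. The port values 52907/2048 and the NAT port allocator are constructed sample values.

```python
# Added model, not Huawei code: applies this lab's zones, security-policy and
# Easy-IP nat-policy to one flow and returns the line that
# "display firewall session table" would show for it.
from ipaddress import ip_address, ip_network
import itertools

# Firewall interfaces from the lab topology: name -> (address, zone).
INTERFACES = {
    "GigabitEthernet1/0/0": ("10.1.1.10/24", "trust"),
    "GigabitEthernet1/0/2": ("10.1.2.10/24", "dmz"),
    "GigabitEthernet1/0/3": ("202.100.1.10/24", "untrust"),
}
FW_ADDRESSES = {a.split("/")[0] for a, _ in INTERFACES.values()}

# security-policy rules in configured order; anything unmatched is denied.
SECURITY_POLICY = [
    {"name": "local->all", "src_zone": {"local"},
     "dst_zone": {"dmz", "trust", "untrust"}, "src": None,
     "dst": ["10.1.1.0/24", "10.1.2.0/24", "202.100.1.0/24"], "action": "permit"},
    {"name": "trust->untrust", "src_zone": {"trust"}, "dst_zone": {"untrust"},
     "src": ["10.1.1.0/24"], "dst": ["202.100.1.0/24"], "action": "permit"},
]
# nat-policy rule configured with "action source-nat easy-ip".
NAT_POLICY = [
    {"name": "trust->untrust-easyip", "src_zone": {"trust"},
     "dst_zone": {"untrust"}, "src": ["10.1.1.0/24"], "dst": ["202.100.1.0/24"]},
]
_nat_ports = itertools.count(2049)  # constructed port allocator for Easy-IP

def connected_interface(host):
    """Interface whose directly connected subnet contains host, else None."""
    for name, (addr, zone) in INTERFACES.items():
        if ip_address(host) in ip_network(addr, strict=False):
            return name, addr.split("/")[0], zone
    return None

def zone_of(host):
    """Zone a host belongs to; the firewall's own addresses are zone local."""
    if host in FW_ADDRESSES:
        return "local"
    hit = connected_interface(host)
    return hit[2] if hit else None

def _in(addr, nets):
    return nets is None or any(ip_address(addr) in ip_network(n) for n in nets)

def _match(rule, sz, dz, src, dst):
    return (sz in rule["src_zone"] and dz in rule["dst_zone"]
            and _in(src, rule["src"]) and _in(dst, rule["dst"]))

def forward(proto, src, sport, dst, dport, nat_port=None):
    """Session-table line for a permitted flow, or the reason it was dropped."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "drop: no route"
    rule = next((r for r in SECURITY_POLICY if _match(r, sz, dz, src, dst)), None)
    if rule is None or rule["action"] != "permit":
        return f"drop: no security-policy rule permits {sz} -> {dz}"
    nat = next((r for r in NAT_POLICY if _match(r, sz, dz, src, dst)), None)
    if nat is None:  # permitted but untranslated: the private source is exposed
        return f"{proto} VPN: public --> public {src}:{sport} --> {dst}:{dport}"
    # Easy-IP: source becomes the egress interface address, with a fresh port.
    egress_ip = connected_interface(dst)[1]
    port = nat_port if nat_port is not None else next(_nat_ports)
    return (f"{proto} VPN: public --> public "
            f"{src}:{sport}[{egress_ip}:{port}] --> {dst}:{dport}")
```

Running `forward("icmp", "10.1.2.1", 52907, "202.100.1.1", 2048)` shows why R3 in the dmz zone is still dropped: none of the rules on this page permit dmz to untrust, so the default deny applies.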