NAT and Filtering Configuration for the AR220 Router and USG3000 Firewall
I. NAT configuration on the AR220 router
1. Define ACL 2000
acl 2000
rule normal permit source 192.168.0.0 0.0.255.255
rule normal deny source any
quit
2. Configure port F0/0
interface Ethernet 0
ip address 192.168.0.1 255.255.255.0
quit
3. Apply NAT to the port
interface Ethernet1
ip address 59.41.221.100 255.255.255.0
nat outbound 2000 interface
quit
4. Set the static route
ip route-static 0.0.0.0 0.0.0.0 59.74.221.254
II. ACL and filtering settings on the USG3000
1. Configure ACL 3000
acl number 3000
rule permit tcp destination-port eq www
rule permit tcp destination-port eq ftp
rule permit tcp destination-port eq ftp-data
2. Configure ACL2000
acl number 2010
rule deny source 2.2.2.1 0.0.0.0
rule permit source any
3. Set the filtering rules
firewall interzone trust untrust
packet-filter 3000 outbound
detect ftp
detect http
detect java-blocking 2010
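
To check which source addresses the two basic ACLs above actually match, the wildcard-mask rules can be evaluated offline. This is an added example, not part of the original configuration. The names `parse_acl` and `evaluate` are hypothetical, the test addresses are constructed, and it assumes rules are checked in the listed order with the first match winning.

```python
import ipaddress

# Basic-ACL rules as intended on the page (ACL 2000 on the AR220, ACL 2010 on the USG3000).
ACL_2000 = """\
rule normal permit source 192.168.0.0 0.0.255.255
rule normal deny source any
"""
ACL_2010 = """\
rule deny source 2.2.2.1 0.0.0.0
rule permit source any
"""

def parse_acl(text):
    """Parse 'rule [normal] permit|deny source <addr> <wildcard>|any' lines."""
    rules = []
    for line in text.splitlines():
        tokens = [t for t in line.split() if t not in ("rule", "normal")]
        if not tokens:
            continue
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "source":
            raise ValueError(f"unsupported rule: {line!r}")
        action, spec = tokens[0], tokens[2:]
        if spec == ["any"]:
            addr, wildcard = 0, 0xFFFFFFFF  # every bit is "don't care"
        elif len(spec) == 2:
            addr = int(ipaddress.IPv4Address(spec[0]))
            wildcard = int(ipaddress.IPv4Address(spec[1]))
        else:
            raise ValueError(f"unsupported source spec: {line!r}")
        rules.append((action, addr, wildcard))
    return rules

def evaluate(rules, source):
    """Return 'permit', 'deny', or 'no-match' for one source address."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bit 0 = must match, 1 = ignored
        if (src & care) == (addr & care):
            return action  # assumption: first matching rule decides
    return "no-match"

if __name__ == "__main__":
    # Constructed sample sources; 192.168.200.7 is outside the /24 on Ethernet 0
    # but still inside the 0.0.255.255 wildcard of ACL 2000.
    for ip in ("192.168.0.10", "192.168.200.7", "10.1.1.1"):
        print("ACL 2000", ip, evaluate(parse_acl(ACL_2000), ip))
    for ip in ("2.2.2.1", "2.2.2.2"):
        print("ACL 2010", ip, evaluate(parse_acl(ACL_2010), ip))
```

The wildcard `0.0.255.255` makes ACL 2000 match all of 192.168.0.0/16, which is wider than the 255.255.255.0 network configured on Ethernet 0.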