1. NAT translation
The three "packet-filter default" lines set the default action of each zone pair to permit in the outbound direction, so any traffic that matches no explicit policy passes. That is convenient in a lab, and it is what makes the deny rule in section 2 the only thing restricting traffic; on a production box leave the default at deny and permit only what is needed.
[SRG]firewall packet-filter default permit interzone trust untrust direction outbound
[SRG]firewall packet-filter default permit interzone trust dmz direction outbound
[SRG]firewall packet-filter default permit interzone dmz untrust direction outbound
Default route towards the upstream next hop:
[SRG]ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
Configure the NAT policy for the trust-to-untrust direction:
[SRG]nat-policy interzone trust untrust outbound
Policy ID:
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1
Source address (any host in trust):
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source any
Enable source address translation:
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
Translation type easy-ip: the source is rewritten to the address of the named outbound interface and no address pool is needed, so the interface must be the one the packet actually leaves by:
[SRG-nat-policy-interzone-trust-untrust-outbound-1]easy-ip GigabitEthernet0/0/3
[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit
[SRG-nat-policy-interzone-trust-untrust-outbound]quit
2. Firewall access-control policy
Rules under one zone pair are matched in policy-ID order and the first match wins. The trailing 0 after an address is a Huawei wildcard mask meaning a single host. Policy 1 permits 192.168.10.2 to any destination; policy 2 stops 192.168.10.3 from reaching 2.1.1.2. Because the default for this zone pair was set to permit in section 1, every other trust host reaches untrust without any rule at all.
[SRG]policy interzone trust untrust outbound
[SRG-policy-interzone-trust-untrust-outbound]policy 1
[SRG-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.2 0
[SRG-policy-interzone-trust-untrust-outbound-1]policy destination any
[SRG-policy-interzone-trust-untrust-outbound-1]action permit
[SRG-policy-interzone-trust-untrust-outbound-1]quit
[SRG-policy-interzone-trust-untrust-outbound]policy 2
[SRG-policy-interzone-trust-untrust-outbound-2]policy source 192.168.10.3 0
[SRG-policy-interzone-trust-untrust-outbound-2]policy destination 2.1.1.2 0
[SRG-policy-interzone-trust-untrust-outbound-2]action deny
[SRG-policy-interzone-trust-untrust-outbound-2]quit
[SRG-policy-interzone-trust-untrust-outbound]quit
3. Publishing a server through the firewall
"default permit all" opens every zone pair in both directions, so the lab needs no explicit inbound rule from untrust to the zone holding 192.168.20.2. It also means no zone boundary filters anything any more; in production keep the default at deny and add an inbound policy that permits only TCP port 80 to 192.168.20.2.
[SRG]firewall packet-filter default permit all
NAT server mapping: TCP port 80 on the address of GigabitEthernet0/0/3 is forwarded to 192.168.20.2 port 80.
[SRG]nat server protocol tcp global interface GigabitEthernet0/0/3 80 inside 192.168.20.2 80
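To see how first-match evaluation and the interzone default interact for the rules in sections 2 and 3, here is a small model written for this page (an added example, not code from the device or from the original lab notes). It assumes the Huawei matching semantics described above: policies are tried in ID order, several "policy source" lines inside one policy are ORed, and the packet-filter default applies when nothing matches. The rule sets SECTION2 and SECTION4 are transcribed from the page; the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the USG/SRG interzone packet filter (added example,
# not the device's code). Rules within one zone pair are evaluated in
# policy-ID order, the first match wins, and a packet matching no rule gets
# the interzone default set with "firewall packet-filter default ...".
# Huawei address syntax uses wildcard masks: "192.168.10.2 0" is one host,
# "192.168.10.0 0.0.0.255" is a /24, and "any" matches everything.

AddrSpec = Optional[Tuple[str, str]]   # None means "any"


def _to_int(dotted: str) -> int:
    # Huawei accepts a bare "0" as the single-host wildcard 0.0.0.0
    return int(ipaddress.IPv4Address("0.0.0.0" if dotted == "0" else dotted))


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """True if addr falls inside (network, wildcard); a wildcard bit of 1 means don't care."""
    if spec is None:
        return True
    net, wc = spec
    mask = 0xFFFFFFFF ^ _to_int(wc)
    return (_to_int(addr) & mask) == (_to_int(net) & mask)


@dataclass
class Policy:
    policy_id: int
    action: str                                   # "permit" or "deny"
    sources: List[AddrSpec] = field(default_factory=lambda: [None])
    destinations: List[AddrSpec] = field(default_factory=lambda: [None])

    def matches(self, src: str, dst: str) -> bool:
        # several "policy source" / "policy destination" lines are ORed
        return (any(wildcard_match(src, s) for s in self.sources)
                and any(wildcard_match(dst, d) for d in self.destinations))


def evaluate(policies: List[Policy], default: str, src: str, dst: str):
    """Return (action, policy_id); policy_id is None when the default applied."""
    for p in sorted(policies, key=lambda p: p.policy_id):
        if p.matches(src, dst):
            return p.action, p.policy_id
    return default, None


# The trust -> untrust outbound rules from section 2, transcribed.
SECTION2 = [
    Policy(1, "permit", sources=[("192.168.10.2", "0")]),
    Policy(2, "deny", sources=[("192.168.10.3", "0")], destinations=[("2.1.1.2", "0")]),
]

# Section 4's policy 1 carries two "policy source" lines: either /24 matches.
SECTION4 = [
    Policy(1, "permit", sources=[("192.168.10.0", "0.0.0.255"),
                                 ("192.168.20.0", "0.0.0.255")]),
]


def unfiltered_flows(policies: List[Policy], default: str, flows):
    """Flows (src, dst) that are allowed only because of the interzone default.

    With "firewall packet-filter default permit all" these pass although no
    administrator ever wrote a rule for them; that is the audit finding to look for.
    """
    return [(s, d) for s, d in flows
            if evaluate(policies, default, s, d) == ("permit", None)]


if __name__ == "__main__":
    # constructed sample flows
    samples = [("192.168.10.2", "8.8.8.8"), ("192.168.10.3", "2.1.1.2"),
               ("192.168.10.3", "8.8.8.8"), ("192.168.10.99", "2.1.1.2")]
    for default in ("permit", "deny"):
        print(f"interzone default = {default}")
        for s, d in samples:
            print(f"  {s:>14} -> {d:<9} {evaluate(SECTION2, default, s, d)}")
        print("  allowed only by the default:", unfiltered_flows(SECTION2, default, samples))
```

Running it with default = permit shows 192.168.10.3 to 8.8.8.8 and 192.168.10.99 to 2.1.1.2 passing with no matching policy; with default = deny those same flows are dropped and only the explicit permit for 192.168.10.2 survives. That is the difference the "packet-filter default" lines make.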
4. Firewall on a stick with link aggregation and dual-uplink policy routing
Firewall configuration:
The switch side is connected over Eth-Trunk 1; "undo portswitch" turns the trunk into a Layer 3 interface so that dot1q subinterfaces can terminate VLAN 10 and VLAN 20 on it (the trunk's member ports are not shown on this page).
[SRG]interface Eth-Trunk 1
[SRG-Eth-Trunk1]undo portswitch
[SRG-Eth-Trunk1]interface Eth-Trunk 1.1
[SRG-Eth-Trunk1.1]description vlan10
[SRG-Eth-Trunk1.1]vlan-type dot1q 10
[SRG-Eth-Trunk1.1]ip address 192.168.10.1 24
[SRG-Eth-Trunk1.1]interface Eth-Trunk 1.2
[SRG-Eth-Trunk1.2]description vlan20
[SRG-Eth-Trunk1.2]vlan-type dot1q 20
[SRG-Eth-Trunk1.2]ip address 192.168.20.1 24
[SRG-Eth-Trunk1.2]quit
Both VLAN subinterfaces go into trust, both uplinks into untrust:
[SRG]firewall zone trust
[SRG-zone-trust]add interface Eth-Trunk 1.1
[SRG-zone-trust]add interface Eth-Trunk 1.2
[SRG-zone-trust]quit
[SRG]firewall zone untrust
[SRG-zone-untrust]add interface GigabitEthernet0/0/2
[SRG-zone-untrust]add interface GigabitEthernet0/0/3
[SRG-zone-untrust]quit
One policy permits both VLANs outbound; the second "policy source" line belongs to the same policy 1 and is ORed with the first:
[SRG]policy interzone trust untrust outbound
[SRG-policy-interzone-trust-untrust-outbound]policy 1
[SRG-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
[SRG-policy-interzone-trust-untrust-outbound-1]policy source 192.168.20.0 0.0.0.255
[SRG-policy-interzone-trust-untrust-outbound-1]action permit
[SRG-policy-interzone-trust-untrust-outbound-1]quit
[SRG-policy-interzone-trust-untrust-outbound]quit
Source NAT per VLAN: VLAN 10 borrows the address of GigabitEthernet0/0/2, VLAN 20 that of GigabitEthernet0/0/3. Each easy-ip interface must be the one the policy route below actually sends that VLAN out of; if they disagree, translated packets leave with an address that belongs to the other link and replies never come back.
[SRG]nat-policy interzone trust untrust outbound
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
[SRG-nat-policy-interzone-trust-untrust-outbound-1]easy-ip g0/0/2
[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 2
[SRG-nat-policy-interzone-trust-untrust-outbound-2]policy source 192.168.20.0 0.0.0.255
[SRG-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[SRG-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/3
[SRG-nat-policy-interzone-trust-untrust-outbound-2]quit
[SRG-nat-policy-interzone-trust-untrust-outbound]quit
Advanced ACLs classify traffic by source VLAN for the policy route:
[SRG]acl number 3001
[SRG-acl-adv-3001]rule permit ip source 192.168.10.0 0.0.0.255
[SRG-acl-adv-3001]quit
[SRG]acl number 3002
[SRG-acl-adv-3002]rule permit ip source 192.168.20.0 0.0.0.255
[SRG-acl-adv-3002]quit
Policy route "hehe": VLAN 10 is forced to next hop 1.1.1.2 (behind GigabitEthernet0/0/2), VLAN 20 to 2.1.1.2 (behind GigabitEthernet0/0/3). Nodes are tried in ascending node number and the first node whose ACL matches wins. A policy route only takes effect once it is bound to the interfaces where the traffic enters, here Eth-Trunk 1.1 and 1.2; that binding step is not shown on this page (on this platform it is normally ip policy-based-route hehe in interface view; confirm against your release's command reference).
[SRG]policy-based-route hehe permit node 5
[SRG-policy-based-route-hehe-5]if-match acl 3001
[SRG-policy-based-route-hehe-5]apply ip-address next-hop 1.1.1.2
[SRG-policy-based-route-hehe-5]quit
[SRG]policy-based-route hehe permit node 10
[SRG-policy-based-route-hehe-10]if-match acl 3002
[SRG-policy-based-route-hehe-10]apply ip-address next-hop 2.1.1.2
[SRG-policy-based-route-hehe-10]quit
Link probing: each ip-link sends probes to its next hop through the named interface, and a static route that tracks the ip-link is removed from the routing table while the probe fails, so traffic that the policy route does not steer falls back to the surviving uplink. Confirm with display ip-link that both links are up before relying on the failover.
[SRG]ip-link check enable
[SRG]ip-link 1 destination 1.1.1.2 interface GigabitEthernet0/0/2
[SRG]ip-link 2 destination 2.1.1.2 interface GigabitEthernet0/0/3
[SRG]display ip-link
[SRG]ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 track ip-link 1
[SRG]ip route-static 0.0.0.0 0.0.0.0 2.1.1.2 track ip-link 2
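The one thing worth checking in section 4 before cabling is that each VLAN's policy route and its NAT easy-ip interface agree. The following model is written for this page (an added example, not the device's code or the original notes); it transcribes the ACLs, policy-route nodes and NAT rules above, uses the ip-link definitions to learn which interface each next hop sits behind, and flags any source whose translated address would not belong to the link it leaves on. It deliberately models only first-match ACL and node selection, not what the device does when a tracked link is down; the sample hosts and the swapped NAT set are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of section 4's egress selection (added example, not the
# device's code). Question answered: for a given source, does the policy route
# send the packet out of the same interface whose address the NAT policy's
# easy-ip borrows? If not, replies return to an address the packet never left
# from and the session breaks.


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address("0.0.0.0" if dotted == "0" else dotted))


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    mask = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & mask) == (_to_int(net) & mask)


@dataclass
class AclRule:
    action: str          # "permit" or "deny"
    net: str
    wildcard: str


@dataclass
class PbrNode:
    node: int
    acl: int             # "if-match acl N"
    next_hop: str        # "apply ip-address next-hop X"


@dataclass
class NatRule:
    policy: int
    net: str
    wildcard: str
    easy_ip: str         # interface whose address is borrowed


# Section 4 as written on the page.
ACLS: Dict[int, List[AclRule]] = {
    3001: [AclRule("permit", "192.168.10.0", "0.0.0.255")],
    3002: [AclRule("permit", "192.168.20.0", "0.0.0.255")],
}
PBR = [PbrNode(5, 3001, "1.1.1.2"), PbrNode(10, 3002, "2.1.1.2")]
NAT = [NatRule(1, "192.168.10.0", "0.0.0.255", "GigabitEthernet0/0/2"),
       NatRule(2, "192.168.20.0", "0.0.0.255", "GigabitEthernet0/0/3")]
# "ip-link N destination X interface Y" says which interface each next hop is behind.
NEXT_HOP_IF = {"1.1.1.2": "GigabitEthernet0/0/2", "2.1.1.2": "GigabitEthernet0/0/3"}


def acl_permits(rules: List[AclRule], src: str) -> bool:
    """First matching rule decides; an ACL with no match does not select the node."""
    for r in rules:
        if wildcard_match(src, r.net, r.wildcard):
            return r.action == "permit"
    return False


def pbr_next_hop(src: str, pbr=PBR, acls=ACLS) -> Optional[str]:
    """Nodes are tried in ascending node number; the first whose ACL permits wins."""
    for node in sorted(pbr, key=lambda n: n.node):
        if acl_permits(acls.get(node.acl, []), src):
            return node.next_hop
    return None          # no node matched: ordinary routing decides


def nat_interface(src: str, nat=NAT) -> Optional[str]:
    for rule in sorted(nat, key=lambda r: r.policy):
        if wildcard_match(src, rule.net, rule.wildcard):
            return rule.easy_ip
    return None


def egress_check(src: str, pbr=PBR, acls=ACLS, nat=NAT, hop_if=NEXT_HOP_IF):
    """Return (interface chosen by PBR, interface used by easy-ip, consistent)."""
    hop = pbr_next_hop(src, pbr, acls)
    pbr_if = hop_if.get(hop) if hop else None
    nat_if = nat_interface(src, nat)
    return pbr_if, nat_if, (pbr_if is not None and pbr_if == nat_if)


if __name__ == "__main__":
    for host in ("192.168.10.5", "192.168.20.5", "192.168.30.5"):   # constructed
        print(host, egress_check(host))
    # A swapped NAT policy: PBR still sends VLAN 10 via g0/0/2, but its packets
    # would carry the address of g0/0/3, so the check flags it.
    swapped = [NatRule(1, "192.168.10.0", "0.0.0.255", "GigabitEthernet0/0/3"),
               NatRule(2, "192.168.20.0", "0.0.0.255", "GigabitEthernet0/0/2")]
    print("swapped:", egress_check("192.168.10.5", nat=swapped))
```

For the page's configuration both VLANs come out consistent; a host in neither VLAN (192.168.30.5) matches no node and no NAT rule, which the check reports as not consistent because its egress is then left to the two tracked default routes rather than to the policy route.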
Router configuration: interface addresses and routing table