1. Network topology diagram
2. Basic configuration
2.1 Switch LSW1 configuration
Order of work: create the VLANs -> set the port types -> configure the VLANIF interfaces -> configure OSPF
The device is running!
[sw1]int g0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access
[sw1-GigabitEthernet0/0/2]port default vlan 10 //PC1 side, VLAN 10
[sw1-GigabitEthernet0/0/2]int g0/0/3
[sw1-GigabitEthernet0/0/3]port link-type access
[sw1-GigabitEthernet0/0/3]port default vlan 20 //PC2 side, VLAN 20
[sw1-GigabitEthernet0/0/3]int g0/0/1
[sw1-GigabitEthernet0/0/1]port link-type access
[sw1-GigabitEthernet0/0/1]port default vlan 100 //uplink to the firewall, VLAN 100
[sw1-GigabitEthernet0/0/1]q
[sw1]int vlanif 10
[sw1-Vlanif10]ip address 192.168.1.100 24
[sw1-Vlanif10]int vlanif 20
[sw1-Vlanif20]ip address 192.168.2.100 24
[sw1-Vlanif20]int vlanif 100
[sw1-Vlanif100]ip address 192.168.100.1 24
[sw1-Vlanif100]q
[sw1]ospf 1
[sw1-ospf-1]area 0
[sw1-ospf-1-area-0.0.0.0]network 0.0.0.0 0.0.0.0 //enable OSPF on every interface
[sw1-ospf-1-area-0.0.0.0]q
[sw1-ospf-1]silent-interface g0/0/2 //no OSPF hellos toward the PC access ports
[sw1-ospf-1]silent-interface g0/0/3
2.2 Firewall configuration
<USG6000V1>undo terminal monitor
Info: Current terminal monitor is off.
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.100.2 24
[USG6000V1-GigabitEthernet1/0/0]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 202.1.1.1 24
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/0 //inside, toward sw1
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g1/0/1 //outside, toward r1
[USG6000V1-zone-untrust]q
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 1
[USG6000V1-policy-security-rule-1]source-zone trust
[USG6000V1-policy-security-rule-1]destination-zone untrust
[USG6000V1-policy-security-rule-1]action permit //all trust-to-untrust traffic; nothing else is permitted
[USG6000V1-policy-security-rule-1]q
[USG6000V1-policy-security]q
[USG6000V1]ip route-static 0.0.0.0 0 202.1.1.2 //configure a default route
[USG6000V1]ospf 1 //the area 0 network statement for 192.168.100.0/24 that forms the adjacency with sw1 is not shown in this capture
[USG6000V1-ospf-1]default-route-advertise //advertise the default route to the OSPF neighbour
2.3 Public network router configuration
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname r1
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip address 202.1.1.2 24
Jul 28 2020 21:33:47-08:00 r1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]ip address 100.0.0.100 24
Jul 28 2020 21:34:04-08:00 r1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[r1-GigabitEthernet0/0/1]
2.4 Firewall NAT configuration
[USG6000V1]nat address-group 111 //configure the address pool
[USG6000V1-address-group-111]mode no-pat global //no port translation: each private host gets one public address
[USG6000V1-address-group-111]section 202.1.1.10 202.1.1.20 //IP pool, 11 addresses
[USG6000V1-address-group-111]q
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name 111 //configure the NAT policy
[USG6000V1-policy-nat-rule-111]source-zone trust
[USG6000V1-policy-nat-rule-111]destination-zone untrust
[USG6000V1-policy-nat-rule-111]source-address 192.168.1.0 mask 255.255.255.0 //only VLAN 10 is translated
[USG6000V1-policy-nat-rule-111]action source-nat address-group 111 //translate private source addresses to public ones
Info: The current source conversion address pool type is no-pat, and if some businesses of the same user do not need to do NAT, please create a new rule with NAT type No-nat, otherwise the user's business will be NAT.
[USG6000V1-policy-nat-rule-111]
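As an added example (not part of the lab capture or any vendor code), the following Python model walks one new flow through the zone lookup, security policy rule 1 and no-PAT NAT rule 111 configured above. Zone, route, policy and pool values are the lab's own; the hosts 192.168.1.x, 192.168.2.1 and 100.0.0.1 are assumed sample addresses.

```python
import ipaddress

# Routing table of the USG as the lab leaves it: the 192.168.x.0/24 routes are the
# ones OSPF learns from sw1, the last entry is "ip route-static 0.0.0.0 0 202.1.1.2".
ROUTES = [
    (ipaddress.ip_network("192.168.100.0/24"), "g1/0/0"),
    (ipaddress.ip_network("192.168.1.0/24"), "g1/0/0"),
    (ipaddress.ip_network("192.168.2.0/24"), "g1/0/0"),
    (ipaddress.ip_network("202.1.1.0/24"), "g1/0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "g1/0/1"),
]
ZONES = {"g1/0/0": "trust", "g1/0/1": "untrust"}       # firewall zone ... add interface
SECURITY_POLICY = [                                       # security-policy rule name 1
    {"name": "1", "src_zone": "trust", "dst_zone": "untrust", "action": "permit"},
]
NAT_POLICY = [                                            # nat-policy rule name 111
    {"name": "111", "src_zone": "trust", "dst_zone": "untrust",
     "src_net": ipaddress.ip_network("192.168.1.0/24"), "pool": "111"},
]
POOL_111 = [ipaddress.ip_address("202.1.1.10") + i for i in range(11)]  # section .10 to .20
pool_in_use = {}  # private address -> public address (no-pat: one-to-one, ports unchanged)


def zone_of(addr):
    """Longest-prefix route lookup, then map the egress interface to its zone."""
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return ZONES[best[1]]


def forward(src_ip, dst_ip, src_port, dst_port):
    """Session entry the USG would create for a new flow, or None if it is dropped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    szone, dzone = zone_of(src), zone_of(dst)      # ingress zone from the return route
    rule = next((r for r in SECURITY_POLICY
                 if r["src_zone"] == szone and r["dst_zone"] == dzone), None)
    if rule is None or rule["action"] != "permit":
        return None                                # no matching rule: default deny
    nat = next((r for r in NAT_POLICY if r["src_zone"] == szone
                and r["dst_zone"] == dzone and src in r["src_net"]), None)
    new_src = src
    if nat is not None:
        if src not in pool_in_use:
            free = [a for a in POOL_111 if a not in pool_in_use.values()]
            if not free:
                return None                        # no-pat pool exhausted (11 addresses)
            pool_in_use[src] = free[0]
        new_src = pool_in_use[src]                 # no-pat keeps the source port as-is
    return {"zone": f"{szone}->{dzone}", "policy": rule["name"],
            "orig": f"{src}:{src_port}-->{dst}:{dst_port}",
            "xlat": f"{new_src}:{src_port}-->{dst}:{dst_port}"}
```

Hosts in VLAN 20 (192.168.2.0/24) pass security policy rule 1 but leave with their private source address, because rule 111 only translates 192.168.1.0/24; a twelfth VLAN 10 host finds the 11-address no-PAT pool exhausted and gets no session at all.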
3. Lab results
PC1 can ping PC3.
Check the translated session with the display firewall session table verbose command.