Requirements: trust can reach the DMZ and untrust.
untrust can reach the web service in the DMZ.
PC1
SERVER1
ISP
<Huawei>SYS
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname ISP
[ISP]int g0/0/0
[ISP-GigabitEthernet0/0/0]ip ad
[ISP-GigabitEthernet0/0/0]ip address 100.1.1.2 24
FW
First configure the IP address of each firewall interface
[USG6000V1]undo info-center enable
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]undo shutdown
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/0]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/0]q
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]undo shutdown
Info: Interface GigabitEthernet1/0/1 is not shutdown.
[USG6000V1-GigabitEthernet1/0/1]ip address 192.168.2.254 24
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/1]q
[USG6000V1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]undo shutdown
Info: Interface GigabitEthernet1/0/2 is not shutdown.
[USG6000V1-GigabitEthernet1/0/2]ip ad
[USG6000V1-GigabitEthernet1/0/2]ip address 100.1.1.254 24
[USG6000V1-GigabitEthernet1/0/2]q
Add each firewall interface to its corresponding zone
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface g1/0/0
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g1/0/2
[USG6000V1-zone-untrust]q
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface g1/0/1
Configure NAT and a security policy so that trust can reach the external ISP network
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]action permit
[USG6000V1-policy-security-rule-trust_untrust]q
[USG6000V1-policy-security]q
[USG6000V1]nat address-group 1
[USG6000V1-address-group-1]section 0 100.1.1.10 100.1.1.20
[USG6000V1-address-group-1]mode pat
[USG6000V1-address-group-1]q
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name nat
[USG6000V1-policy-nat-rule-nat]source-zone trust
[USG6000V1-policy-nat-rule-nat]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nat]destination-zone untrust
[USG6000V1-policy-nat-rule-nat]destination-address any
[USG6000V1-policy-nat-rule-nat]action s
[USG6000V1-policy-nat-rule-nat]action source-nat ?
address-group Indicate that the NAT mode is the NAT address group
easy-ip Indicate the action is easy-ip
static-mapping Indicate the action is static mapping
[USG6000V1-policy-nat-rule-nat]action source-nat address-group 1
[USG6000V1-policy-nat-rule-nat]q
[USG6000V1-policy-nat]q
[USG6000V1]
Verify that trust can reach untrust
trust accessing the DMZ
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_dmz
[USG6000V1-policy-security-rule-trust_dmz]source-zone trust
[USG6000V1-policy-security-rule-trust_dmz]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-trust_dmz]destination-zone dmz
[USG6000V1-policy-security-rule-trust_dmz]destination-address 192.168.2.0 24
[USG6000V1-policy-security-rule-trust_dmz]action permit
Verify that trust can reach the DMZ
Start the HTTP service on SERVER1
untrust accessing the web service in the DMZ
[USG6000V1-policy-security]rule name untrust_dmz
[USG6000V1-policy-security-rule-untrust_dmz]source-zone untrust
[USG6000V1-policy-security-rule-untrust_dmz]destination-zone dmz
[USG6000V1-policy-security-rule-untrust_dmz]destination-address 192.168.2.0 24
[USG6000V1-policy-security-rule-untrust_dmz]action permit
[USG6000V1-policy-security-rule-untrust_dmz]q
[USG6000V1-policy-security]q
[USG6000V1]nat server p_web protocol tcp global 100.1.1.100 80 inside 192.168.2.1 80
ISP telnet 100.1.1.100 80
Check SERVER1
Done
[USG6000V1]dis cu
2022-11-18 13:33:33.510
!Software Version V500R005C10SPC300
#
sysname USG6000V1
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.2.254 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 100.1.1.254 255.255.255.0
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
nat server 0 protocol tcp global 100.1.1.100 www inside 192.168.2.1 www
#
nat address-group 1 0
mode pat
section 0 100.1.1.10 100.1.1.20
#
security-policy
rule name trust_untrust
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action permit
rule name untrust_dmz
source-zone untrust
destination-zone dmz
destination-address 192.168.2.0 mask 255.255.255.0
action permit
rule name trust_dmz
source-zone trust
destination-zone dmz
action permit
#
nat-policy
rule name nat
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
action source-nat address-group 1
[USG6000V1]
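An added check that is not part of the original writeup: this Python script parses the security-policy block from the display current-configuration output above and tests it against the requirements stated at the top of the page. It is worth running because the running config shows untrust_dmz permitting every service to 192.168.2.0/24 rather than only the web service, and trust_dmz without the address restrictions that were typed into it; the parser and the audit rules are my own, written for the VRP layout shown here.

```python
RUNNING_CONFIG = """\
security-policy
 rule name trust_untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.1.0 mask 255.255.255.0
  action permit
 rule name untrust_dmz
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.2.0 mask 255.255.255.0
  action permit
 rule name trust_dmz
  source-zone trust
  destination-zone dmz
  action permit
#
"""

def parse_security_rules(config):
    """Return {rule_name: {keyword: [values]}} for the security-policy block."""
    rules, current, in_policy = {}, None, False
    for line in map(str.strip, config.splitlines()):
        if line == "security-policy":
            in_policy = True
        elif line == "#":  # VRP block separator ends the security-policy section
            in_policy, current = False, None
        elif in_policy and line.startswith("rule name "):
            current = line[len("rule name "):]
            rules[current] = {}
        elif in_policy and current is not None and line:
            keyword, _, value = line.partition(" ")
            rules[current].setdefault(keyword, []).append(value)
    return rules

def audit(rules, flows=(("trust", "untrust"), ("trust", "dmz"), ("untrust", "dmz"))):
    findings = []  # each required zone pair needs a permit rule no wider than necessary
    for src, dst in flows:
        match = [(n, r) for n, r in rules.items() if r.get("source-zone") == [src]
                 and r.get("destination-zone") == [dst] and r.get("action") == ["permit"]]
        if not match:
            findings.append(f"MISSING: no permit rule for {src} -> {dst}")
            continue
        name, rule = match[0]
        if "source-address" not in rule and "destination-address" not in rule:
            findings.append(f"OVERBROAD: {name} has no address restriction")
        # untrust -> dmz should reach the web service only; no service clause = every port
        if src == "untrust" and "service" not in rule:
            findings.append(f"OVERBROAD: {name} permits every service from untrust")
    return findings
```

Paste the security-policy block of any USG display current-configuration output into RUNNING_CONFIG to audit it; the flows tuple is the set of zone pairs your own requirements call for.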