USG6000 Firewall: Basic Internet Access Configuration

 

Lab objective: basic firewall network configuration so that hosts on the internal network can reach the Internet.

1. Configure the interface IP addresses

interface GigabitEthernet1/0/0
undo shutdown
ip address 200.1.1.2 255.255.255.0

interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.10.1 255.255.255.0
dhcp select interface  # Use the interface-based DHCP server
dhcp server excluded-ip-address 192.168.10.200 192.168.10.254  # IP addresses excluded from allocation
dhcp server lease day 0 hour 1 minute 0  # IP address lease time
dhcp server dns-list 8.8.8.8 114.114.114.114  # DNS servers handed out to clients

2. Add the interfaces to security zones

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1

firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0

 

3. Configure the security policy

security-policy
rule name in_to_out
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action permit

 

4. Configure the NAT policy

(1) Configure the NAT public address pool

nat address-group internet 0
mode pat
section 0 200.1.1.2 200.1.1.6  # Set this to the address range actually assigned by the ISP

 

(2) Configure the NAT policy

nat-policy
rule name internet
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.0.0
action source-nat address-group internet  # References the public address pool configured above

 

5. Configure the default route

ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
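
The five steps only work together if their addresses agree: the default-route next hop and the NAT pool must sit on the untrust interface's subnet, and the source-address in both policies must cover the trust subnet. The Python check below is an added example, not part of the original post; the function name audit and its simplified line parser are assumptions, and it also reports where a policy's source range is wider than the LAN actually configured.

```python
import ipaddress

# Addresses copied from the configuration steps on this page (annotations removed).
CONFIG = """
interface GigabitEthernet1/0/0
 ip address 200.1.1.2 255.255.255.0
interface GigabitEthernet1/0/1
 ip address 192.168.10.1 255.255.255.0
firewall zone trust
 add interface GigabitEthernet1/0/1
firewall zone untrust
 add interface GigabitEthernet1/0/0
security-policy
 source-address 192.168.0.0 mask 255.255.0.0
nat address-group internet 0
 section 0 200.1.1.2 200.1.1.6
nat-policy
 source-address 192.168.0.0 mask 255.255.0.0
ip route-static 0.0.0.0 0.0.0.0 200.1.1.1
"""

def audit(config):  # hypothetical helper: returns findings, empty if addresses agree
    nets, zones, srcs, pool, hops, ctx = {}, {}, [], [], [], None
    for w in map(str.split, config.splitlines()):
        if w and w[0] in ("interface", "firewall", "security-policy", "nat-policy"):
            ctx = w[-1]  # current interface name, zone name or policy view
        elif w[:2] == ["ip", "address"]:
            nets[ctx] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:2] == ["add", "interface"]:
            zones.setdefault(ctx, []).append(w[2])
        elif w[:1] == ["source-address"]:
            srcs.append((ctx, ipaddress.ip_network(f"{w[1]}/{w[3]}")))
        elif w[:1] == ["section"]:
            pool = [ipaddress.ip_address(a) for a in w[2:4]]
        elif w[:3] == ["ip", "route-static", "0.0.0.0"]:
            hops.append(ipaddress.ip_address(w[4]))
    wan, lan = ([nets[i] for i in zones.get(z, []) if i in nets] for z in ("untrust", "trust"))
    off_wan = lambda a: not any(a in n for n in wan)
    findings = [f"default route next hop {h} is not on an untrust subnet" for h in hops if off_wan(h)]
    findings += [f"NAT pool address {a} is outside the untrust subnets" for a in pool if off_wan(a)]
    for policy, src in srcs:
        for n in lan:
            if n != src:  # either too broad (least privilege) or not covering the LAN
                kind = "is wider than" if n.subnet_of(src) else "does not cover"
                findings.append(f"{policy}: source-address {src} {kind} trust subnet {n}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)) or "no findings")
```

For the values on this page the next hop and the pool check out, and the only findings are that both policies match 192.168.0.0/16 while the trust interface serves 192.168.10.0/24.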

 

Lab result:

 

posted @ 2023-03-08 08:38  局域网外