Firewall NAT Configuration Lab

Lab objectives:
1. Source NAT (the internal network can reach the public network)
2. Internal servers can be reached from the public network

The configuration approach is as follows:

1. Firewall NAT configuration
   1. Zones, interfaces and IP addresses
   2. Route towards the public network
   3. NAT configuration
   4. Security policy configuration
   5. Blackhole route

Firewall account:
Username: admin
Password: Admin@1234

[USG6000V1]dis security-policy rule all
2025-06-07 13:07:58.470
Total:1
RULE ID RULE NAME STATE ACTION HITS
——————————————————————————-
0 default enable deny 0
—————————————————————————

nat-policy
rule name to-isp
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action source-nat easy-ip

The firewall configuration is as follows:

<USG6000V1>dis cu
2025-06-07 14:34:27.300
!Software Version V500R005C10SPC300
#
sysname USG6000V1
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 11.1.1.1 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 11.1.1.254
ip route-static 11.1.1.0 255.255.255.0 NULL0
#
firewall detect ftp
#
nat server 0 protocol tcp global 11.1.1.100 www inside 192.168.20.10 www
nat server 1 protocol tcp global 11.1.1.100 ftp inside 192.168.20.20 ftp
#
security-policy
rule name to-isp
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action permit
rule name untrust-to-dmz
source-zone untrust
destination-zone dmz
destination-address 192.168.20.0 mask 255.255.255.0
service ftp
service http
action permit
#
nat-policy
rule name to-isp
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action source-nat easy-ip
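A consistency check for the server-publishing part of the configuration above, added here as an example (it is not part of the original post): it parses a constructed excerpt of the USG6000V dump and reports any nat server whose global address has no NULL0 route, or whose service is not permitted by a security-policy rule. The rule matching is simplified and assumes, as the dump above does, that the security policy is evaluated against the post-NAT inside address.

```python
import ipaddress
import re
# Constructed excerpt of the USG6000V config from this post (not from a live device).
CONFIG = """\
ip route-static 11.1.1.0 255.255.255.0 NULL0
nat server 0 protocol tcp global 11.1.1.100 www inside 192.168.20.10 www
nat server 1 protocol tcp global 11.1.1.100 ftp inside 192.168.20.20 ftp
security-policy
 rule name untrust-to-dmz
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.20.0 mask 255.255.255.0
  service ftp
  service http
  action permit
"""

def parse(text):
    """Pull nat server mappings, NULL0 routes and policy rules out of a config dump."""
    servers, blackholes, rules, cur = [], [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nat server \S+ protocol \S+ global (\S+) (\S+) inside (\S+)", line):
            # the port keyword "www" corresponds to the predefined service "http"
            servers.append((m[1], "http" if m[2] == "www" else m[2], m[3]))
        elif m := re.match(r"ip route-static (\S+) (\S+) NULL0", line):
            blackholes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"rule name (\S+)", line):
            cur = {"name": m[1], "dst": [], "services": set(), "action": "deny"}
            rules.append(cur)
        elif cur and (m := re.match(r"destination-address (\S+) mask (\S+)", line)):
            cur["dst"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif cur and line.startswith("service "):
            cur["services"].add(line.split()[1])
        elif cur and line.startswith("action "):
            cur["action"] = line.split()[1]
    return servers, blackholes, rules

def audit(text):
    """Return findings; an empty list means every nat server is blackholed and permitted."""
    servers, blackholes, rules = parse(text)
    findings = []
    for gip, svc, iip in servers:
        if not any(ipaddress.ip_address(gip) in net for net in blackholes):
            findings.append(f"{gip}: no NULL0 (blackhole) route covers the NAT server address")
        # the USG matches security policy on the post-NAT (inside) destination address
        if not any(r["action"] == "permit" and svc in r["services"]
                   and (not r["dst"] or any(ipaddress.ip_address(iip) in n for n in r["dst"]))
                   for r in rules):
            findings.append(f"{gip} {svc} -> {iip}: no security-policy rule permits this service")
    return findings
```

Running `audit(CONFIG)` on the excerpt returns no findings; removing the NULL0 route or the `service ftp` line from the excerpt produces the corresponding finding.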

The AR1 router configuration is as follows:

<AR1>dis cu
[V200R003C00]
#
sysname AR1
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 122.1.1.254 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 11.1.1.254 255.255.255.0

Verification results:

1. The internal network can reach the public network

2. Internal-to-external traffic is NATed by the firewall; the egress uses easy-ip with address 11.1.1.1

3. FTP access verification

4.1 The external network can reach the internal FTP server normally.

4.2 The external network can reach the mapped internal web server normally.

5. Blackhole route
