华为防火墙小型企业边界网关配置实例

标签：网关 小型企业 GigabitEthernet0 防火墙 192.168 255.255 source trunk interface

组网及规划：

华为USG6000作为边界网关实现企业内部网络出口，防火墙实现内部网络NAT功能实现访问Internet功能

实现公司财务部门访问内网服务器。

办公网络不能访问内网服务器，

办公室及财务部均可以访问外网。

外部网络可以通过NatServer实现外部网络通过8080端口访问内网服务器80端口。

网络规划：办公网地址段：192.168.10.0/24 VLAN：10

财务地址段：192.168.20.0/24 VLAN：20

服务器地址段：192.168.200.0/24

运营商固定IP地址：202.1.1.1/24

网络组网见下图：

 

办公接入交换机配置：

sysname BanGong

#

vlan batch 10

#

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 10

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 10

interface GigabitEthernet0/0/23

eth-trunk 1

#

interface GigabitEthernet0/0/24

eth-trunk 1

财务接入交换机配置：

sysname CaiWu

#

vlan batch 20

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 20

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 20

interface GigabitEthernet0/0/23

eth-trunk 1

#

interface GigabitEthernet0/0/24

eth-trunk 1

#

核心交换机配置：

sysname SW

#

undo info-center enable

#

vlan batch 10 20 100

#

interface Vlanif10

ip address 192.168.10.254 255.255.255.0

#

interface Vlanif20

ip address 192.168.20.254 255.255.255.0

#

interface Vlanif100

ip address 192.168.100.1 255.255.255.0

#

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 10

#

interface Eth-Trunk2

port link-type trunk

port trunk allow-pass vlan 20

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 100

# 

interface GigabitEthernet0/0/21

eth-trunk 2

#

interface GigabitEthernet0/0/22

eth-trunk 2

#

interface GigabitEthernet0/0/23

eth-trunk 1

#

interface GigabitEthernet0/0/24

eth-trunk 1

#

ip route-static 0.0.0.0 0.0.0.0 192.168.100.2

#

防火墙配置：

acl number 2000

rule 5 permit source 192.168.10.0 0.0.0.255

#

interface GigabitEthernet0/0/0

undo shutdown

ip address 202.1.1.1 255.255.255.0

#

interface GigabitEthernet1/0/0

undo shutdown

ip address 192.168.100.2 255.255.255.0

#

interface GigabitEthernet1/0/1

undo shutdown

ip address 192.168.200.254 255.255.255.0

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet1/0/0

#

firewall zone untrust

set priority 5

add interface GigabitEthernet0/0/0

#

firewall zone dmz

set priority 50

add interface GigabitEthernet1/0/1

#

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 202.1.1.2

ip route-static 192.168.10.0 255.255.255.0 192.168.100.1

ip route-static 192.168.20.0 255.255.255.0 192.168.100.1

#

nat server 0 protocol tcp global 202.1.1.1 8080 inside 192.168.200.1 www

#

security-policy

rule name policy_ses_1

source-zone trust

destination-zone untrust

source-address 192.168.10.0 mask 255.255.255.0

action permit

rule name policy_ses_2

source-zone trust

destination-zone dmz

source-address 192.168.20.0 mask 255.255.255.0

action permit

rule name policy_ses_3

source-zone trust

destination-zone untrust

source-address 192.168.20.0 mask 255.255.255.0

action permit

rule name Untrust_DMA

source-zone untrust

destination-zone dmz

destination-address 192.168.200.1 mask 255.255.255.255

action permit

#

nat-policy

rule name policy_nat_1

source-zone trust

egress-interface GigabitEthernet0/0/0

source-address 192.168.10.0 mask 255.255.255.0

action source-nat easy-ip

rule name policy_nat_2

source-zone trust

egress-interface GigabitEthernet0/0/0

source-address 192.168.20.0 mask 255.255.255.0

action source-nat easy-ip

验证配置：办公PC可以访问Internet，不能访内网问服务器。 

 财务PC:可以访问Internet，也可以访问内网服务器。 

 外网PC可以通过NATSERVER实现访问内网服务器： 

标签：网关,小型企业,GigabitEthernet0,防火墙,192.168,255.255,source,trunk,interface
From： https://www.cnblogs.com/speednet/p/16928368.html