Network topology:
Network plan: Office network VLAN 10, address range 192.168.10.0/24, gateway 192.168.10.254
Production network VLAN 20, address range 192.168.20.0/24, gateway 192.168.20.254
Production server segment 172.16.1.1/24, gateway 172.16.1.254
Core switch interface IPs: GE 0/0/24: 192.168.200.1/24; loopback0: 1.1.1.1/32
Firewall: GE 1/0/0: 192.168.200.2/24, Trust zone; GE 1/0/1: 192.168.100.2/24, Untrust zone;
GE 1/0/6: 172.16.1.254/24; loopback0: 2.2.2.2/32
Egress router: GE 0/0/0: 192.168.100.1/24; GE 0/0/1: 202.1.1.1/24, connected to the carrier network; loopback0: 3.3.3.3/32
AR2 simulates the carrier network router, loopback 0: 114.114.114.114
Client simulates an arbitrary user on the Internet.
The switch, firewall and router run the OSPF dynamic routing protocol.
Lab objectives:
1) The production network can access the Internet.
2) In the office network, PC1 can access the Internet while PC2 cannot.
3) Production PCs can access port 80 on the production server; office PCs cannot access the production server.
4) Port 80 on the production server is mapped to port 8080 on the Internet side, so that public users can reach the internal server's port 80 via 202.1.1.1:8080.
Configuration data:
Device configuration:
Switch configuration:
sysname Huawei
#
vlan batch 10 20 200
dhcp enable
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
dhcp select interface
dhcp server lease day 0 hour 8 minute 0
dhcp server dns-list 8.8.8.8
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 200
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1 router-id 1.1.1.1
silent-interface Vlanif10
silent-interface Vlanif20
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.200.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 192.168.200.2
Firewall configuration:
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.200.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.100.2 255.255.255.0
#
interface GigabitEthernet1/0/6
undo shutdown
ip address 172.16.1.254 255.255.255.0
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.100.0 0.0.0.255
network 192.168.200.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
#
security-policy
rule name trust-untrust
source-zone trust
destination-zone untrust
source-address 192.168.10.1 mask 255.255.255.255
source-address 192.168.20.0 mask 255.255.255.0
action permit
rule name trust-dmz
source-zone trust
destination-zone dmz
source-address 192.168.20.0 mask 255.255.255.0
action permit
rule name untrust-dmz
source-zone untrust
destination-zone dmz
destination-address 172.16.1.1 mask 255.255.255.255
action permit
#
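As an added check that is not part of the lab configuration, the following Python script parses the security-policy block above and evaluates the lab's test flows against it with first-match semantics and an implicit default deny, so objectives 2 and 3 can be verified before testing on the devices. The PC2 address 192.168.10.2, the production PC address 192.168.20.10 and the public client address 202.1.1.2 are assumed values.

```python
import ipaddress

# Security-policy block from the firewall config above (constructed input).
POLICY = """
rule name trust-untrust
 source-zone trust
 destination-zone untrust
 source-address 192.168.10.1 mask 255.255.255.255
 source-address 192.168.20.0 mask 255.255.255.0
 action permit
rule name trust-dmz
 source-zone trust
 destination-zone dmz
 source-address 192.168.20.0 mask 255.255.255.0
 action permit
rule name untrust-dmz
 source-zone untrust
 destination-zone dmz
 destination-address 172.16.1.1 mask 255.255.255.255
 action permit
"""

def parse_policy(text):
    """Parse rule blocks into dicts; an empty address list means 'any'."""
    rules = []
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "rule":
            rules.append({"name": words[2], "src": [], "dst": [], "action": "deny"})
        elif words[0] in ("source-zone", "destination-zone", "action"):
            rules[-1][words[0]] = words[1]
        elif words[0] in ("source-address", "destination-address"):
            key = "src" if words[0] == "source-address" else "dst"
            rules[-1][key].append(ipaddress.ip_network(f"{words[1]}/{words[3]}"))
    return rules

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; no match falls to the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.get("source-zone"), r.get("destination-zone")) != (src_zone, dst_zone):
            continue
        if r["src"] and not any(src in n for n in r["src"]):
            continue
        if r["dst"] and not any(dst in n for n in r["dst"]):
            continue
        return r["action"], r["name"]
    return "deny", "default"

RULES = parse_policy(POLICY)
```

Note that the router performs the destination NAT for 202.1.1.1:8080 before the firewall sees the packet, so the untrust-to-dmz flow is evaluated against the inside address 172.16.1.1.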
Router configuration:
acl number 2000
rule 10 permit source 192.168.10.0 0.0.0.255
rule 15 permit source 192.168.20.0 0.0.0.255
rule 20 permit source 172.16.1.1 0
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 202.1.1.1 255.255.255.0
nat server protocol tcp global current-interface 8080 inside 172.16.1.1 www
nat outbound 2000
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 192.168.100.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.1.1.2
Verification: