1. Configure the internal (DMZ-side) interface IP address
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit //allow ping on the interface so connectivity can be tested
2. Configure the external interface IP address and reachability to the router
[FW1-GigabitEthernet1/0/2]ip add 20.1.1.1 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit //for testing only: this is the untrust-facing interface, so remove it once verification is done
[AR1-GigabitEthernet0/0/0]ip add 20.1.1.2 24
[AR1-GigabitEthernet0/0/1]ip add 30.1.1.2 24
[AR1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.1
3. Configure the firewall zones
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/1
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/2
At this point the servers can ping the relevant firewall interface.
4. Configure server load balancing
[FW1]slb //enter the server load balancing view
[FW1-slb]group 0 server001 //create the real-server group
[FW1-slb-group-0]metric weight-roundrobin //load-balancing algorithm: weighted round-robin
[FW1-slb-group-0]health-check type icmp //health-check protocol for the real servers: ICMP
[FW1-slb-group-0]rserver 0 rip 10.1.1.2 weight 16 //configure the real servers and their weights (16:32:16, so 10.1.1.3 receives half of the connections)
[FW1-slb-group-0]rserver 1 rip 10.1.1.3 weight 32
[FW1-slb-group-0]rserver 2 rip 10.1.1.4 weight 16
[FW1-slb]vserver 0 server001 //create the virtual server
[FW1-slb-vserver-0]vip 10.1.1.100 //configure the virtual IP address
[FW1-slb-vserver-0]protocol any
[FW1-slb-vserver-0]group server001 //bind the real-server group
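The Python simulation below is added here as an illustration; it is not part of the original configuration and not Huawei code. It shows what step 4 configures: weighted round-robin selection over the three real servers with the weights above, plus removal of a server from the rotation when its health check fails. Addresses and weights are those of the configuration; the `probe` callback that stands in for the ICMP health check is a constructed stub, and the interleaving order (the "smooth" weighted round-robin variant) is an assumption, since the page does not state how the firewall orders picks within a cycle.

```python
"""Weighted round-robin with health checks, mirroring SLB group server001.

Added example, not Huawei software. The scheduling variant is the smooth
weighted round-robin (assumed); the ICMP probe is a constructed stub.
"""
from dataclasses import dataclass


@dataclass
class RealServer:
    rip: str          # real server IP, as in 'rserver N rip ...'
    weight: int       # as in 'weight ...'
    healthy: bool = True
    current: int = 0  # running counter used by smooth weighted round-robin


class SlbGroup:
    """A real-server group with a weighted round-robin metric."""

    def __init__(self, name, servers):
        self.name = name
        self.servers = list(servers)

    def health_check(self, probe):
        """probe(rip) -> bool stands in for 'health-check type icmp'.

        Servers that fail the probe are taken out of rotation; the
        scheduling counters are reset so the remaining servers start a
        fresh cycle.
        """
        for s in self.servers:
            s.healthy = probe(s.rip)
            s.current = 0

    def select(self):
        """Pick the next real server.

        Smooth weighted round-robin: every healthy server gains its weight,
        the largest counter wins and is charged the total weight. Over
        sum(weights) picks each healthy server is chosen exactly 'weight'
        times, interleaved rather than in bursts. Returns None when no
        real server is healthy (the virtual server is then unavailable).
        """
        alive = [s for s in self.servers if s.healthy]
        if not alive:
            return None
        total = sum(s.weight for s in alive)
        for s in alive:
            s.current += s.weight
        best = max(alive, key=lambda s: s.current)
        best.current -= total
        return best.rip


def distribution(group, n):
    """Return how many of n consecutive picks went to each real server."""
    counts = {}
    for _ in range(n):
        rip = group.select()
        counts[rip] = counts.get(rip, 0) + 1
    return counts


def make_group():
    """Group server001 exactly as configured on FW1."""
    return SlbGroup("server001", [
        RealServer("10.1.1.2", 16),
        RealServer("10.1.1.3", 32),
        RealServer("10.1.1.4", 16),
    ])


if __name__ == "__main__":
    g = make_group()
    # One full cycle (16 + 32 + 16 = 64 picks): 16 / 32 / 16
    print(distribution(g, 64))
    # Constructed failure: 10.1.1.3 stops answering the health check
    g.health_check(lambda rip: rip != "10.1.1.3")
    print(distribution(g, 32))   # 16 / 16 between the two survivors
```

Two things the simulation makes visible that the configuration alone does not: the weight ratio is what matters, not the absolute numbers (16/32/16 and 1/2/1 schedule identically), and an ICMP health check only proves that the host answers ping. A real server whose FTP daemon has died but whose IP stack is up stays in rotation, so for a service published as in the NAT server step a TCP health check on the service port is the stricter choice.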
5. Configure the health check and the bandwidth of the outbound interface
[FW1]healthcheck name out_health
[FW1-healthcheck-out_health]destination 20.1.1.2 interface g1/0/2 protocol icmp
[FW1-GigabitEthernet1/0/2]healthcheck out_health
[FW1-GigabitEthernet1/0/2]gateway 20.1.1.2
[FW1-GigabitEthernet1/0/2]bandwidth ingress 50000 threshold 90
[FW1-GigabitEthernet1/0/2]bandwidth egress 50000 threshold 90
6. Configure NAT server (publish FTP on the public address 20.1.1.1 and map it to the SLB virtual IP)
[FW1]nat server server001 protocol tcp global 20.1.1.1 ftp inside 10.1.1.100 ftp
7. Configure the security policy
[FW1]security-policy
[FW1-policy-security]rule name server001
[FW1-policy-security-rule-server001]source-zone untrust
[FW1-policy-security-rule-server001]destination-zone dmz
[FW1-policy-security-rule-server001]destination-address 10.1.1.0 24
[FW1-policy-security-rule-server001]action permit
Note that the NAT server mapping is applied before the policy lookup, so the destination address to match is the translated one; the virtual IP 10.1.1.100 falls inside 10.1.1.0/24, which is why this rule works. As written, however, it also permits any service from untrust to every host in the DMZ subnet. For least privilege, narrow the destination to the virtual IP host address and the service to FTP.
8. Verification
Check the health-check state of the real servers and of the outbound interface.
Access the server from the PC and check the firewall session table while the connection is open.