1. Configure the basic IP addresses

(Topology and addressing diagrams are omitted here.)

2. Connectivity configuration in the untrust zone

  [AR1-GigabitEthernet0/0/0]ip add 20.1.1.2 24
  [AR1-GigabitEthernet0/0/1]ip add 20.1.2.2 24
  [AR1]ospf 1
  [AR1-ospf-1]area 0
  [AR1-ospf-1-area-0.0.0.0]network 20.1.1.0 0.0.0.255
  [AR1-ospf-1-area-0.0.0.0]network 20.1.2.0 0.0.0.255

3. LSW2 configuration

(1) Configure the downlink interfaces that connect to the PCs

  [LSW2]vlan batch 10 20
  [LSW2-GigabitEthernet0/0/1]port link-type access
  [LSW2-GigabitEthernet0/0/1]port default vlan 10
  [LSW2-GigabitEthernet0/0/2]port link-type access
  [LSW2-GigabitEthernet0/0/2]port default vlan 20
  [LSW2]int Vlanif 10
  [LSW2-Vlanif10]ip add 10.1.1.1 24
  [LSW2-Vlanif10]int Vlanif 20
  [LSW2-Vlanif20]ip add 10.1.2.1 24

(2) Configure the uplink interface that connects to FW1

  [LSW2]vlan batch 12
  [LSW2-GigabitEthernet0/0/3]port link-type access
  [LSW2-GigabitEthernet0/0/3]port default vlan 12
  [LSW2]int Vlanif 12
  [LSW2-Vlanif12]ip add 10.1.12.2 24

(3) Configure the default route

  [LSW2]ip route-static 0.0.0.0 0.0.0.0 10.1.12.1

(4) Configure the DHCP server

  [LSW2]interface Vlanif 10
  [LSW2-Vlanif10]dhcp select interface
  [LSW2-Vlanif10]dhcp server dns-list 114.114.114.114 8.8.8.8
  [LSW2]int Vlanif 20
  [LSW2-Vlanif20]dhcp select interface
  [LSW2-Vlanif20]dhcp server dns-list 114.114.114.114 8.8.8.8

4. Configure FW1

(1) Configure the interface that connects to the switch

  [FW1-GigabitEthernet1/0/1]ip add 10.1.12.1 24

(2) Configure the IP address of the uplink interface

  [FW1-GigabitEthernet1/0/2]ip add 20.1.1.1 24

(3) Configure the default route and the return route

  [FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
  [FW1]ip route-static 10.1.0.0 255.255.0.0 10.1.12.2

(4) Configure the security zones

  [FW1]firewall zone trust
  [FW1-zone-trust]add interface g1/0/1
  [FW1]firewall zone untrust
  [FW1-zone-untrust]add interface g1/0/2

(5) Configure a security policy that permits interzone traffic

  [FW1]security-policy
  [FW1-policy-security]rule name policy1
  [FW1-policy-security-rule-policy1]source-zone trust
  [FW1-policy-security-rule-policy1]destination-zone untrust
  [FW1-policy-security-rule-policy1]source-address 10.1.0.0 16
  [FW1-policy-security-rule-policy1]action permit

(6) Configure the PAT address pool and enable port address translation

  [FW1]nat address-group add_group1
  [FW1-address-group-add_group1]mode pat
  [FW1-address-group-add_group1]route enable
  [FW1-address-group-add_group1]section 0 20.1.1.1 20.1.1.1

(7) Configure the source PAT policy so that the specified private subnet is automatically source-translated when it accesses the public network

  [FW1]nat-policy
  [FW1-policy-nat]rule name nat_policy1
  [FW1-policy-nat-rule-nat_policy1]source-zone trust
  [FW1-policy-nat-rule-nat_policy1]destination-zone untrust
  [FW1-policy-nat-rule-nat_policy1]source-address 10.1.0.0 16
  [FW1-policy-nat-rule-nat_policy1]action source-nat address-group add_group1

5. Verification
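To make the decision path of steps 4(3) to 4(7) concrete, the following added example (not part of the original lab, and not Huawei code) models how FW1 maps interfaces to zones, picks the egress interface by longest-prefix match, applies the security policy (with the firewall's default interzone action of deny), and then applies the source PAT policy; the interface-to-route mapping is an assumption taken from the addressing above.

```python
"""Constructed model of FW1's forwarding decision for the lab above."""
import ipaddress

# Step 4(4): interface-to-zone mapping
ZONES = {"g1/0/1": "trust", "g1/0/2": "untrust"}

# Step 4(3): static routes, expressed as (prefix, egress interface).
# Assumption: 10.1.12.2 is reached via g1/0/1 and 20.1.1.2 via g1/0/2.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "g1/0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "g1/0/2"),
]

# Step 4(5): security policy; step 4(7): NAT policy using add_group1 (20.1.1.1)
SECURITY_POLICY = [
    {"name": "policy1", "src_zone": "trust", "dst_zone": "untrust",
     "src": ipaddress.ip_network("10.1.0.0/16"), "action": "permit"},
]
NAT_POLICY = [
    {"name": "nat_policy1", "src_zone": "trust", "dst_zone": "untrust",
     "src": ipaddress.ip_network("10.1.0.0/16"), "pool": "20.1.1.1"},
]


def egress_interface(dst_ip):
    """Longest-prefix match over ROUTES; the default route always matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def forward(src_ip, dst_ip, in_if):
    """Return (action, source address after NAT) for one packet entering in_if."""
    src = ipaddress.ip_address(src_ip)
    src_zone = ZONES[in_if]
    dst_zone = ZONES[egress_interface(dst_ip)]
    # Security policy is evaluated first; no match falls to the default deny.
    for rule in SECURITY_POLICY:
        if (rule["src_zone"], rule["dst_zone"]) == (src_zone, dst_zone) and src in rule["src"]:
            if rule["action"] != "permit":
                return "deny", None
            break
    else:
        return "deny", None
    # Only permitted traffic reaches the NAT policy; PAT rewrites the source.
    for rule in NAT_POLICY:
        if (rule["src_zone"], rule["dst_zone"]) == (src_zone, dst_zone) and src in rule["src"]:
            return "permit", rule["pool"]
    return "permit", str(src)
```

Running forward("10.1.1.10", "20.1.2.2", "g1/0/1") yields a permit with source 20.1.1.1, while a packet arriving on g1/0/2 from the untrust side, or one sourced outside 10.1.0.0/16, is denied because no security-policy rule matches.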
III.