Networking Requirements


As shown in Figure 1, the FW acts as the egress gateway so that PCs on the internal network can access the Internet. The network is planned as follows:

  • PCs on the internal network are in the 10.3.0.0/24 segment; the administrator manually assigns each PC's IPv4 address.
  • The FW connects to the internal network using a static IPv4 address.
  • The FW acts as a DHCP client: it obtains an IPv4 address and a DNS server address from the DHCP server (the carrier's device) and then provides Internet access.

[Tech Share] Huawei Firewall Internet Access via DHCP


Procedure


  1. Configure interface IP addresses and add the interfaces to security zones.
<FW> system-view
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet0/0/3] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/3
[FW-zone-trust] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-zone-untrust] quit
  2. Configure the DNS proxy function (the FW resolves names using the DNS server address obtained on GigabitEthernet 0/0/1).
[FW] dns proxy enable
[FW] dns resolve
[FW] dns server unnumbered interface GigabitEthernet0/0/1
  3. Configure interface GigabitEthernet 0/0/1 as a DHCP client.
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] ip address dhcp-alloc
[FW-GigabitEthernet0/0/1] quit
  4. Configure security policies: policy_sec_1 allows PCs on the internal network to access the Internet, policy_sec_2 allows them to reach the FW itself (for DNS proxy queries), and policy_sec_3 allows the FW's own traffic, such as the proxied DNS queries, out to the Internet.
[FW] security-policy
[FW-policy-security] rule name policy_sec_1
[FW-policy-security-rule-policy_sec_1] source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-security-rule-policy_sec_1] source-zone trust
[FW-policy-security-rule-policy_sec_1] destination-zone untrust
[FW-policy-security-rule-policy_sec_1] action permit
[FW-policy-security-rule-policy_sec_1] quit
[FW-policy-security] rule name policy_sec_2
[FW-policy-security-rule-policy_sec_2] source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-security-rule-policy_sec_2] source-zone trust
[FW-policy-security-rule-policy_sec_2] destination-zone local
[FW-policy-security-rule-policy_sec_2] action permit
[FW-policy-security-rule-policy_sec_2] quit
[FW-policy-security] rule name policy_sec_3
[FW-policy-security-rule-policy_sec_3] source-zone local
[FW-policy-security-rule-policy_sec_3] destination-zone untrust
[FW-policy-security-rule-policy_sec_3] action permit
[FW-policy-security-rule-policy_sec_3] quit
[FW-policy-security] quit
  5. Configure a NAT policy so that private addresses are translated when PCs on the internal network access the Internet.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] egress-interface GigabitEthernet 0/0/1
[FW-policy-nat-rule-policy_nat_1] action source-nat easy-ip
[FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit
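As an added illustration (not part of the original article and not Huawei's own tooling), the following Python script parses the security-policy rules from step 4 and evaluates them with first-match semantics. It shows why a source-zone local rule must not be restricted to the LAN prefix: the FW's own DNS proxy queries leave from the DHCP-assigned uplink address, not from 10.3.0.0/24. The PC address 10.3.0.10 and uplink address 203.0.113.5 are constructed sample values.

```python
import ipaddress
# Constructed sample: the security-policy rules from the procedure above, prompts stripped;
# policy_sec_3 keeps a LAN source-address filter to show why it never matches FW-originated DNS.
SAMPLE_CONFIG = """
rule name policy_sec_1
 source-address 10.3.0.0 mask 255.255.255.0
 source-zone trust
 destination-zone untrust
 action permit
rule name policy_sec_2
 source-address 10.3.0.0 mask 255.255.255.0
 source-zone trust
 destination-zone local
 action permit
rule name policy_sec_3
 source-address 10.3.0.0 mask 255.255.255.0
 source-zone local
 destination-zone untrust
 action permit
"""

def parse_rules(text):
    """Parse 'rule name' blocks in order; the FW applies the first matching rule."""
    rules = []
    for parts in (ln.split() for ln in text.splitlines() if ln.strip()):
        if parts[:2] == ["rule", "name"]:
            rules.append({"name": parts[2], "src_zone": None, "dst_zone": None, "src_nets": [], "action": "deny"})
        elif parts[0] == "source-zone":
            rules[-1]["src_zone"] = parts[1]
        elif parts[0] == "destination-zone":
            rules[-1]["dst_zone"] = parts[1]
        elif parts[0] == "source-address":  # 'A.B.C.D mask M.M.M.M' or 'A.B.C.D N'
            rules[-1]["src_nets"].append(ipaddress.ip_network(f"{parts[1]}/{parts[-1]}"))
        elif parts[0] == "action":
            rules[-1]["action"] = parts[1]
    return rules

def evaluate(rules, src_zone, dst_zone, src_ip):
    """Return (rule name, action) of the first matching rule; no match means deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        zone_ok = r["src_zone"] in (None, src_zone) and r["dst_zone"] in (None, dst_zone)
        net_ok = not r["src_nets"] or any(ip in n for n in r["src_nets"])
        if zone_ok and net_ok:
            return r["name"], r["action"]
    return None, "deny"

def drop_lan_filter_on_local(rules):
    """Corrected form: FW-originated (local zone) traffic leaves from the uplink address, not the LAN."""
    return [dict(r, src_nets=[]) if r["src_zone"] == "local" else r for r in rules]
```

With the LAN filter in place, a proxied DNS query from the uplink address (local to untrust) hits no rule and is dropped, so name resolution for the PCs fails even though the PC-to-FW rule matches; dropping the filter on the local-zone rule restores the expected result.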


Verification


  1. Check the status of interface GigabitEthernet 0/0/1 (the uplink).
    a. Choose "Network > Interface".
    b. Verify that the interface's physical status and IPv4 status are both Up, that the connection type is DHCP, and that an IPv4 address has been obtained.
  2. Check whether PCs on the internal network can access the Internet by domain name. If they can, the configuration is successful; otherwise, check the configuration.