1、一、建立实验拓扑,准备好实验环境
1、首先安装华为eNSP模拟器
2、打开模拟器
2、二、配置模拟器
1、打开模拟器添加两台电脑和一台防火墙
2、配置防火墙的接口地址
在这里我用的CRT连接模拟器的防火墙
配置如下
<SRG>sys
22:05:35 2017/02/02
Enter system view, return user view with Ctrl+Z.
[SRG]int g0/0/1
22:05:44 2017/02/02
[SRG-GigabitEthernet0/0/1]
[SRG-GigabitEthernet0/0/1]
[SRG-GigabitEthernet0/0/1]ip add 192.168.1.1 255.255.255.0
22:06:09 2017/02/02
[SRG-GigabitEthernet0/0/1]dis th
22:06:12 2017/02/02
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
#
return
[SRG-GigabitEthernet0/0/1]quit
22:06:28 2017/02/02
[SRG]int g0/0/2
22:06:33 2017/02/02
[SRG-GigabitEthernet0/0/2]ip add 2.2.2.1 255.255.255.0
22:06:47 2017/02/02
[SRG-GigabitEthernet0/0/2]dis th
22:06:50 2017/02/02
#
interface GigabitEthernet0/0/2
ip address 2.2.2.1 255.255.255.0
#
return
[SRG-GigabitEthernet0/0/2]quit
22:06:54 2017/02/02
[SRG]
3、三、配置防火墙的安全区域
[USG]firewall zone trust
[USG-zone-trust]add interface GigabitEthernet 1/0/0
[USG-zone-trust]quit
[USG]firewall zone untrust
[USG-zone-untrust]add interface GigabitEthernet 1/0/1
[USG-zone-untrust]quit
4、四、配置防火墙的域间包过滤
[USG] security-policy
[USG-policy-security] rule name source_nat
[USG-policy-security-rule-source_nat] source-addresss 192.168.1.0 24
[USG-policy-security-rule-source_nat] source-zone trust
[USG-policy-security-rule-source_nat] destination-zone untrust
[USG-policy-security-rule-source_nat] action permit
5、五、配置防火墙的NAT
[USG] nat address-group 1
[USG-nat-address-group-1] section 2.2.2.2 2.2.2.5
[USG] nat-policy
[USG-policy-nat] rule name source_nat
[USG-policy-nat-rule-source_nat] destination-address 2.2.2.10 24
[USG-policy-nat-rule-source_nat] source-address 192.168.1.0 24
[USG-policy-nat-rule-source_nat] source-zone trust
[USG-policy-nat-rule-source_nat] destination-zone untrust
[USG-policy-nat-rule-source_nat] action nat address-group 1
6、六、检查结果
ping两台电脑的地址是否能通信
