1. Build the lab topology and prepare the lab environment
   (1) First, install the Huawei eNSP simulator.
   (2) Open the simulator.
2. Configure the simulator
   (1) Open the simulator and add two PCs and one firewall.
   (2) Configure the firewall's interface addresses. Here I connected to the simulator's firewall with CRT. The configuration is as follows:

<SRG>sys
22:05:35 2017/02/02
Enter system view, return user view with Ctrl+Z.
[SRG]int g0/0/1
22:05:44 2017/02/02
[SRG-GigabitEthernet0/0/1]
[SRG-GigabitEthernet0/0/1]
[SRG-GigabitEthernet0/0/1]ip add 192.168.1.1 255.255.255.0
22:06:09 2017/02/02
[SRG-GigabitEthernet0/0/1]dis th
22:06:12 2017/02/02
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
#
return
[SRG-GigabitEthernet0/0/1]quit
22:06:28 2017/02/02
[SRG]int g0/0/2
22:06:33 2017/02/02
[SRG-GigabitEthernet0/0/2]ip add 2.2.2.1 255.255.255.0
22:06:47 2017/02/02
[SRG-GigabitEthernet0/0/2]dis th
22:06:50 2017/02/02
#
interface GigabitEthernet0/0/2
 ip address 2.2.2.1 255.255.255.0
#
return
[SRG-GigabitEthernet0/0/2]quit
22:06:54 2017/02/02
[SRG]
3. Configure the firewall's security zones

[USG]firewall zone trust
[USG-zone-trust]add interface GigabitEthernet 1/0/0
[USG-zone-trust]quit
[USG]firewall zone untrust
[USG-zone-untrust]add interface GigabitEthernet 1/0/1
[USG-zone-untrust]quit
4. Configure the firewall's interzone packet filtering

[USG] security-policy
[USG-policy-security] rule name source_nat
[USG-policy-security-rule-source_nat] source-address 192.168.1.0 24
[USG-policy-security-rule-source_nat] source-zone trust
[USG-policy-security-rule-source_nat] destination-zone untrust
[USG-policy-security-rule-source_nat] action permit
5. Configure NAT on the firewall

[USG] nat address-group 1
[USG-nat-address-group-1] section 2.2.2.2 2.2.2.5
[USG] nat-policy
[USG-policy-nat] rule name source_nat
[USG-policy-nat-rule-source_nat] destination-address 2.2.2.10 24
[USG-policy-nat-rule-source_nat] source-address 192.168.1.0 24
[USG-policy-nat-rule-source_nat] source-zone trust
[USG-policy-nat-rule-source_nat] destination-zone untrust
[USG-policy-nat-rule-source_nat] action nat address-group 1
6. Check the result
   Ping between the two PCs' addresses to confirm that they can communicate.
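
An added example, not part of the original walkthrough: a Python check of the addressing plan used in steps 2 to 5. It confirms that the NAT pool lies inside the outside interface's subnet without colliding with the interface address, and that the NAT source range is one the security policy permits. The function names are this example's own, and it assumes the 192.168.1.1 interface is the trust side and the 2.2.2.1 interface is the untrust side.

```python
import ipaddress

# Addresses copied from the steps above; function names are this example's own.
TRUST_IF = ipaddress.ip_interface("192.168.1.1/24")   # assumed trust-side interface
UNTRUST_IF = ipaddress.ip_interface("2.2.2.1/24")     # assumed untrust-side interface
POLICY_SRC = ipaddress.ip_network("192.168.1.0/24")   # security-policy source-address
NAT_SRC = ipaddress.ip_network("192.168.1.0/24")      # nat-policy source-address
POOL = ("2.2.2.2", "2.2.2.5")                         # nat address-group 1 section


def pool_addresses(first, last):
    """Expand an inclusive address-group section into individual addresses."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("pool start is above pool end")
    return [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]


def check_plan(trust_if, untrust_if, policy_src, nat_src, pool):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if not policy_src.subnet_of(trust_if.network):
        problems.append("security-policy source is outside the trust subnet")
    if not nat_src.subnet_of(policy_src):
        problems.append("nat-policy source is not covered by the security policy")
    net = untrust_if.network
    for addr in pool_addresses(*pool):
        if addr not in net:
            problems.append(f"pool address {addr} is outside the untrust subnet")
        elif addr == untrust_if.ip:
            problems.append(f"pool address {addr} collides with the interface address")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"pool address {addr} is a network or broadcast address")
    return problems


if __name__ == "__main__":
    issues = check_plan(TRUST_IF, UNTRUST_IF, POLICY_SRC, NAT_SRC, POOL)
    print("addressing plan is consistent" if not issues else "\n".join(issues))
```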