Customer network description:
A Huawei USG6000 firewall is used as the egress device, replacing the old router. The firewall is the gateway for both clients and the server, and the server's port 80 is mapped to port 8081 for external access.
Network topology:
Key firewall configuration
1. Create the address pool
ip pool bangong
gateway-list 172.16.101.254
network 172.16.101.0 mask 255.255.255.0
excluded-ip-address 172.16.101.200 172.16.101.253
dns-list 223.5.5.5 114.114.114.114
dhcp enable //enable DHCP
2. Configure interface addresses and zones
interface GigabitEthernet0/0/0
undo shutdown
ip address 172.16.200.254 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 172.16.101.254 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 211.1.1.2 255.255.255.252
#
firewall zone trust //zone header was missing from the page; the interface line below belongs here
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet0/0/0
#
ip route-static 0.0.0.0 0.0.0.0 211.1.1.1
3. Create the security policies
security-policy
rule name tr-un-internet
source-zone trust
destination-zone untrust
action permit
rule name trust-dmz-sever
source-zone trust
destination-zone dmz
action permit
rule name trust-local
source-zone trust
destination-zone local
action permit
rule name local-any
source-zone local
action permit
rule name un-dmz-server
source-zone untrust
destination-zone dmz
destination-address 172.16.200.1 mask 255.255.255.255 //restricts the rule to the one server that may be reached
service http
action permit
4. Enable NAT for trust-zone access to the Internet
nat-policy
rule name tr-un-internet
source-zone trust
destination-zone untrust
action source-nat easy-ip
5. Enable the server port mapping
nat server 0 protocol tcp global 211.1.1.2 8081 inside 172.16.200.1 www
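Steps 3 and 5 only work together: the nat server entry makes 211.1.1.2:8081 reachable, and the un-dmz-server rule decides whether that traffic is allowed, matched on the post-NAT (inside) address 172.16.200.1 and the http service. The Python script below is an added example (not part of this page and not a Huawei tool) that parses a USG-style configuration and checks each nat server mapping against the security policy: it reports an error when no rule permits untrust traffic to the mapped host and port, and a warning when the permitting rule has no destination-address or service, i.e. it opens the whole DMZ instead of one server. Assumptions: the parser understands only the commands used on this page, the SERVICE_PORTS table is a small assumed subset of the USG predefined service names, and the sample configuration is constructed to mirror the page (trust zone omitted).

```python
"""Check that each 'nat server' mapping has a scoped security-policy permit (added example)."""
import ipaddress
# Constructed sample mirroring this page's configuration (trust zone omitted for brevity).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 172.16.200.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 211.1.1.2 255.255.255.252
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/0
#
security-policy
 rule name un-dmz-server
  source-zone untrust
  destination-zone dmz
  destination-address 172.16.200.1 mask 255.255.255.255
  service http
  action permit
#
nat server 0 protocol tcp global 211.1.1.2 8081 inside 172.16.200.1 www
"""
# Ports for the predefined service names this script knows (assumed subset of USG names).
SERVICE_PORTS = {"http": 80, "www": 80, "https": 443, "ssh": 22, "ftp": 21}

def to_port(word): return int(word) if word.isdigit() else SERVICE_PORTS[word]

def parse_config(text):
    ifaces, zone_of, rules, nat_servers = {}, {}, [], []
    cur_iface = cur_zone = section = rule = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        if line == "#": cur_iface = cur_zone = section = rule = None; continue   # block separator
        tok = line.split()
        if tok[0] == "interface":
            cur_iface = tok[1]
        elif tok[:2] == ["ip", "address"] and cur_iface:
            ifaces[cur_iface] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[:2] == ["firewall", "zone"]:
            cur_zone = tok[2]
        elif tok[:2] == ["add", "interface"] and cur_zone:
            zone_of[tok[2]] = cur_zone
        elif line in ("security-policy", "nat-policy"):
            section, rule = line, None
        elif tok[:2] == ["nat", "server"]:   # nat server NAME protocol P global GIP GPORT inside IIP IPORT
            nat_servers.append({"name": tok[2], "proto": tok[4],
                                "global_ip": ipaddress.IPv4Address(tok[6]), "global_port": to_port(tok[7]),
                                "inside_ip": ipaddress.IPv4Address(tok[9]), "inside_port": to_port(tok[10])})
        elif tok[:2] == ["rule", "name"] and section == "security-policy":
            rule = {"name": tok[2], **dict.fromkeys(["src", "dst", "dst_addr", "service", "action"])}
            rules.append(rule)
        elif rule is not None:               # attribute lines inside a security-policy rule
            key = tok[0]
            if key == "source-zone": rule["src"] = tok[1]
            elif key == "destination-zone": rule["dst"] = tok[1]
            elif key == "destination-address":   # form: A.B.C.D mask M.M.M.M
                rule["dst_addr"] = ipaddress.IPv4Network(f"{tok[1]}/{tok[3]}", strict=False)
            elif key == "service": rule["service"] = tok[1]
            elif key == "action": rule["action"] = tok[1]
    return ifaces, zone_of, rules, nat_servers

def zone_for_ip(ip, ifaces, zone_of):
    """Zone of the interface whose subnet contains ip, or None."""
    return next((zone_of.get(n) for n, itf in ifaces.items() if ip in itf.network), None)

def rule_permits(rule, src_zone, dst_zone, dst_ip, dst_port):
    """USG matches security policy on the post-NAT (inside) address; an unset field matches anything."""
    if rule["action"] != "permit" or rule["src"] not in (None, "any", src_zone) \
            or rule["dst"] not in (None, "any", dst_zone):
        return False
    if rule["dst_addr"] is not None and dst_ip not in rule["dst_addr"]:
        return False
    return rule["service"] is None or SERVICE_PORTS.get(rule["service"]) == dst_port

def audit(text):
    """Return (severity, nat server name, message) findings; an empty list means consistent."""
    ifaces, zone_of, rules, nat_servers = parse_config(text)
    untrust_ips = {itf.ip for n, itf in ifaces.items() if zone_of.get(n) == "untrust"}
    findings = []
    for ns in nat_servers:
        zone = zone_for_ip(ns["inside_ip"], ifaces, zone_of)
        if ns["global_ip"] not in untrust_ips:
            findings.append(("warn", ns["name"], f"global {ns['global_ip']} is not an untrust interface address"))
        hits = [r for r in rules if rule_permits(r, "untrust", zone, ns["inside_ip"], ns["inside_port"])]
        if not hits:
            findings.append(("error", ns["name"], f"no permit rule for untrust -> {zone} {ns['inside_ip']}:{ns['inside_port']}"))
        for r in hits:
            if r["dst_addr"] is None or r["service"] is None:
                findings.append(("warn", ns["name"], f"rule {r['name']} permits the mapping without host/service scoping"))
    return findings

if __name__ == "__main__":
    print(*(audit(SAMPLE_CONFIG) or ["ok: every nat server mapping has a scoped permit rule"]), sep="\n")
```

Run it on a configuration exported with display current-configuration (after trimming to the commands the parser knows); for the page's configuration it reports nothing, and removing the destination-address line from un-dmz-server turns that into a warning, which is the case to watch for when a second server is later added to the DMZ.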