Network diagram
Networking requirements
The specific requirements are as follows:
In this example, assume that an enterprise has obtained the following information from carriers ISP1 and ISP2:
| Item | Value | Description |
|---|---|---|
| Address | 1.1.1.1/24 | Public address assigned to the enterprise by ISP1. |
| | 2.2.2.2/24 | Public address assigned to the enterprise by ISP2. |
| Default gateway | 1.1.1.254 | Gateway address provided by ISP1. |
| | 2.2.2.254 | Gateway address provided by ISP2. |
| DNS server address | 9.9.9.9 | DNS server address provided by ISP1. |
| | 11.11.11.11 | DNS server address provided by ISP2. |
| Address pool | 1.1.1.10-1.1.1.12 | Source NAT address pool provided by ISP1. |
| | 2.2.2.10-2.2.2.12 | Source NAT address pool provided by ISP2. |
Configuration roadmap
Procedure
```
# Configure the IP address of GigabitEthernet 1/0/1 (link to ISP1).
<FW> system-view
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet 1/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 1/0/1] quit
# Configure the IP address of GigabitEthernet 1/0/3 (internal LAN 10.3.0.0/24).
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet 1/0/3] ip address 10.3.0.1 24
[FW-GigabitEthernet 1/0/3] quit
# Configure the IP address of GigabitEthernet 1/0/7 (link to ISP2).
[FW] interface GigabitEthernet 1/0/7
[FW-GigabitEthernet 1/0/7] ip address 2.2.2.2 24
[FW-GigabitEthernet 1/0/7] quit
# Add GigabitEthernet 1/0/3 to the Trust zone.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit
# Create the isp1 zone and add GigabitEthernet 1/0/1 to it. Both ISP zones get a priority
# lower than Trust (default 85), so Trust -> ISP is the outbound direction.
[FW] firewall zone name isp1
[FW-zone-isp1] set priority 10
[FW-zone-isp1] add interface GigabitEthernet 1/0/1
[FW-zone-isp1] quit
# Create the isp2 zone and add GigabitEthernet 1/0/7 to it.
[FW] firewall zone name isp2
[FW-zone-isp2] set priority 20
[FW-zone-isp2] add interface GigabitEthernet 1/0/7
[FW-zone-isp2] quit
# Configure security policies that permit only 10.3.0.0/24 in Trust to reach the isp1 and
# isp2 zones. Anything else, including sessions initiated from either ISP, falls to the
# default security policy, whose action is deny.
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone trust
[FW-policy-security-rule-policy1] destination-zone isp1
[FW-policy-security-rule-policy1] source-address 10.3.0.0 24
[FW-policy-security-rule-policy1] action permit
[FW-policy-security-rule-policy1] quit
[FW-policy-security] rule name policy2
[FW-policy-security-rule-policy2] source-zone trust
[FW-policy-security-rule-policy2] destination-zone isp2
[FW-policy-security-rule-policy2] source-address 10.3.0.0 24
[FW-policy-security-rule-policy2] action permit
[FW-policy-security-rule-policy2] quit
[FW-policy-security] quit
# Configure one PAT address pool per ISP from the addresses the carriers provided.
# "route enable" makes the FW generate routes for the pool addresses itself, so return
# traffic to the pool is accepted without manually configured black-hole routes.
[FW] nat address-group addressgroup1
[FW-address-group-addressgroup1] mode pat
[FW-address-group-addressgroup1] section 0 1.1.1.10 1.1.1.12
[FW-address-group-addressgroup1] route enable
[FW-address-group-addressgroup1] quit
[FW] nat address-group addressgroup2
[FW-address-group-addressgroup2] mode pat
[FW-address-group-addressgroup2] section 0 2.2.2.10 2.2.2.12
[FW-address-group-addressgroup2] route enable
[FW-address-group-addressgroup2] quit
# Configure source NAT policies on the same zone pairs as the security policies, so that
# traffic leaving towards ISP1 uses ISP1's pool and traffic leaving towards ISP2 uses ISP2's.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat1
[FW-policy-nat-rule-policy_nat1] source-zone trust
[FW-policy-nat-rule-policy_nat1] destination-zone isp1
[FW-policy-nat-rule-policy_nat1] source-address 10.3.0.0 24
[FW-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1
[FW-policy-nat-rule-policy_nat1] quit
[FW-policy-nat] rule name policy_nat2
[FW-policy-nat-rule-policy_nat2] source-zone trust
[FW-policy-nat-rule-policy_nat2] destination-zone isp2
[FW-policy-nat-rule-policy_nat2] source-address 10.3.0.0 24
[FW-policy-nat-rule-policy_nat2] action source-nat address-group addressgroup2
[FW-policy-nat-rule-policy_nat2] quit
[FW-policy-nat] quit
```
Note:
It is assumed here that packets destined for 1.1.2.0/24 and 1.1.3.0/24 are forwarded through ISP1, and packets destined for 2.2.3.0/24 and 2.2.4.0/24 through ISP2. Only four static routes are shown; in practice many more may be needed, with specific routes for particular destination addresses, so obtain the list of prefixes belonging to each ISP from the carriers. Because the route lookup determines the egress interface and therefore the destination zone, it is the routing table, not the NAT policy, that decides which ISP's address pool a session uses. With no default route configured, traffic to any destination outside these four prefixes has no route and is dropped.
```
# Configure static routes towards each ISP's prefixes via that ISP's gateway.
[FW] ip route-static 1.1.2.0 24 1.1.1.254
[FW] ip route-static 1.1.3.0 24 1.1.1.254
[FW] ip route-static 2.2.3.0 24 2.2.2.254
[FW] ip route-static 2.2.4.0 24 2.2.2.254
```
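To make the decision order concrete, the following is an added Python model of the forwarding path the configuration above produces; it is not part of the original article and is not Huawei code. It uses the page's own interfaces, zones, prefixes, policies and pools, and walks a packet through route lookup, egress zone, security policy and NAT policy in that order. The `pat_select` function is an assumption: the real pool allocation on the FW is implementation-specific, and a deterministic hash over the pool stands in for it here.

```python
# Added example (not from the original article, not Huawei code): a minimal model of how
# the FW above decides the egress ISP and the translated source address for a packet
# leaving the Trust zone. The order of operations mirrors the forwarding path:
#   route lookup -> egress interface -> destination zone -> security policy -> NAT policy.
# Interface names, prefixes, zones and pool ranges are the page's own values.
import ipaddress

# Interface -> zone membership and interface -> connected network, as configured on the page.
INTERFACE_ZONE = {
    "GigabitEthernet 1/0/1": "isp1",
    "GigabitEthernet 1/0/3": "trust",
    "GigabitEthernet 1/0/7": "isp2",
}
INTERFACE_NET = {
    "GigabitEthernet 1/0/1": ipaddress.ip_network("1.1.1.0/24"),
    "GigabitEthernet 1/0/3": ipaddress.ip_network("10.3.0.0/24"),
    "GigabitEthernet 1/0/7": ipaddress.ip_network("2.2.2.0/24"),
}

# The four static routes from the page: (destination prefix, next hop). No default route.
STATIC_ROUTES = [
    (ipaddress.ip_network("1.1.2.0/24"), "1.1.1.254"),
    (ipaddress.ip_network("1.1.3.0/24"), "1.1.1.254"),
    (ipaddress.ip_network("2.2.3.0/24"), "2.2.2.254"),
    (ipaddress.ip_network("2.2.4.0/24"), "2.2.2.254"),
]

# policy1/policy2 and policy_nat1/policy_nat2: (source zone, destination zone, source prefix, target).
SECURITY_POLICY = [
    ("trust", "isp1", ipaddress.ip_network("10.3.0.0/24"), "permit"),
    ("trust", "isp2", ipaddress.ip_network("10.3.0.0/24"), "permit"),
]
NAT_POLICY = [
    ("trust", "isp1", ipaddress.ip_network("10.3.0.0/24"), "addressgroup1"),
    ("trust", "isp2", ipaddress.ip_network("10.3.0.0/24"), "addressgroup2"),
]
ADDRESS_GROUPS = {  # PAT pools: first and last address of section 0
    "addressgroup1": ("1.1.1.10", "1.1.1.12"),
    "addressgroup2": ("2.2.2.10", "2.2.2.12"),
}


def egress_interface(address):
    """Interface whose connected network contains the given address, or None."""
    addr = ipaddress.ip_address(address)
    for ifname, net in INTERFACE_NET.items():
        if addr in net:
            return ifname
    return None


def lookup_route(dst):
    """Longest-prefix match over the static routes, then the connected networks.
    Returns (next_hop, egress_interface) or None when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in STATIC_ROUTES:
        if dst_ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    if best is not None:
        ifname = egress_interface(best[1])
        return (best[1], ifname) if ifname else None
    ifname = egress_interface(dst)  # directly connected destination
    return (dst, ifname) if ifname else None


def pat_select(group, src, src_port):
    """Pick a pool address for the flow. Assumption: the real pool allocation is
    implementation-specific; a deterministic hash over the pool stands in for it here."""
    first, last = (int(ipaddress.ip_address(a)) for a in ADDRESS_GROUPS[group])
    idx = (int(ipaddress.ip_address(src)) * 31 + src_port) % (last - first + 1)
    return str(ipaddress.ip_address(first + idx))


def forward(src, dst, src_port=40000):
    """Forwarding decision for one packet, returned as a dict."""
    route = lookup_route(dst)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    next_hop, out_if = route
    src_ip = ipaddress.ip_address(src)
    src_zone = INTERFACE_ZONE.get(egress_interface(src))
    pair = (src_zone, INTERFACE_ZONE[out_if])
    # Security policy: first matching rule wins; no match falls to the default deny.
    if not any(r[:2] == pair and src_ip in r[2] and r[3] == "permit" for r in SECURITY_POLICY):
        return {"action": "drop", "reason": "security policy default deny", "zone_pair": pair}
    # NAT policy is evaluated on the same zone pair, so the route choice selects the pool.
    translated = src
    for rule in NAT_POLICY:
        if rule[:2] == pair and src_ip in rule[2]:
            translated = pat_select(rule[3], src, src_port)
            break
    return {"action": "permit", "zone_pair": pair, "next_hop": next_hop,
            "egress_interface": out_if, "translated_source": translated}


if __name__ == "__main__":
    for dst in ("1.1.2.7", "2.2.4.9", "8.8.8.8"):
        print(dst, forward("10.3.0.5", dst))
```

Running it shows the three cases the note above describes: a destination under an ISP1 prefix leaves via GigabitEthernet 1/0/1 with a source from addressgroup1, a destination under an ISP2 prefix leaves via GigabitEthernet 1/0/7 with a source from addressgroup2, and a destination with no matching route (8.8.8.8) is dropped before any policy is consulted. A source outside 10.3.0.0/24 is dropped by the default security policy even when a route exists.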
Original article: https://www.cnblogs.com/zhangwencheng/p/14676725.html