Network topology
PC1 to PC4 obtain their IP addresses via DHCP; PC5 has the static address 192.168.50.2.
LSW1 has DHCP enabled, its VLAN 1 interface is configured with IP 192.169.10.2, and it connects to FW1 interface G1/0/1.
LSW2 has DHCP enabled, its VLAN 1 interface is configured with IP 192.169.20.2, and it connects to FW1 interface G1/0/2.
LSW3 has DHCP enabled, its VLAN 1 interface is configured with IP 192.169.30.2, and it connects to FW1 interface G1/0/3.
LSW4 has DHCP enabled, its VLAN 1 interface is configured with IP 192.169.40.2, and it connects to FW1 interface G1/0/4.
PC5 connects to FW1 interface G1/0/5.
Configuration on the firewall
Add G1/0/1 through G1/0/4 to the firewall's trust zone, and add G1/0/5 to the untrust zone.
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/2
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/3
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/4
[USG6000V1-zone-trust]qu
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/5
Configure the IP address of each interface as follows:
[USG6000V1]display ip interface b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 7
The number of interface that is DOWN in Physical is 3
The number of interface that is UP in Protocol is 7
The number of interface that is DOWN in Protocol is 3
Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.0.1/24 down down
GigabitEthernet1/0/0 unassigned down down
GigabitEthernet1/0/1 192.168.10.1/24 up up
GigabitEthernet1/0/2 192.168.20.1/24 up up
GigabitEthernet1/0/3 192.168.30.1/24 up up
GigabitEthernet1/0/4 192.168.40.1/24 up up
GigabitEthernet1/0/5 192.168.50.1/24 up up
GigabitEthernet1/0/6 unassigned down down
NULL0 unassigned up up(s)
Virtual-if0 unassigned up up(s)
Enable management services on each interface (shown for G1/0/1; repeat for the other interfaces):
[USG6000V1]interface GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]service-manage all permit
Configure the inter-zone forwarding policies:
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name untrust_trust
[USG6000V1-policy-security-rule-untrust_trust]source-zone untrust
[USG6000V1-policy-security-rule-untrust_trust]destination-zone trust
[USG6000V1-policy-security-rule-untrust_trust]action permit
[USG6000V1-policy-security-rule-untrust_trust]qu
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_untrust]action permit
Enable Easy-IP:
[USG6000V1]acl 3000
[USG6000V1-acl-adv-3000]rule 5 permit ip source 0.0.0.0 255.255.255.0
[USG6000V1-acl-adv-3000]qu
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name tointernet
[USG6000V1-policy-nat-rule-tointernet]source-zone trust
[USG6000V1-policy-nat-rule-tointernet]egress-interface GigabitEthernet 1/0/5
[USG6000V1-policy-nat-rule-tointernet]action nat easy-ip
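The following Python model is an added example, not Huawei code and not part of this lab's configuration. It reproduces the decision logic of the FW1 configuration above (zone membership, the two security-policy rules, the Easy-IP NAT rule) so that you can check which flows the firewall permits and how Easy-IP rewrites the source address to the egress interface's own address. Interface subnets are taken from the `display ip interface brief` output; the host addresses, the port pool and the assumption that unmatched traffic (including traffic between two trust interfaces) hits a default deny are constructed for the example. It also makes visible that the untrust_trust rule, as written, permits any unsolicited connection from the untrust side into all four trust subnets, which is worth reviewing before reusing this configuration outside a lab.

```python
from dataclasses import dataclass
from itertools import count
from ipaddress import ip_address, ip_network
from typing import Optional

# Connected subnets of FW1 from `display ip interface brief`; the firewall
# itself holds the .1 address on each of them.
INTERFACES = {
    "GigabitEthernet1/0/1": ip_network("192.168.10.0/24"),
    "GigabitEthernet1/0/2": ip_network("192.168.20.0/24"),
    "GigabitEthernet1/0/3": ip_network("192.168.30.0/24"),
    "GigabitEthernet1/0/4": ip_network("192.168.40.0/24"),
    "GigabitEthernet1/0/5": ip_network("192.168.50.0/24"),
}
INTERFACE_IP = {name: str(net.network_address + 1) for name, net in INTERFACES.items()}

# Zone membership as configured with `firewall zone trust` / `firewall zone untrust`.
ZONES = {
    "trust": {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2",
              "GigabitEthernet1/0/3", "GigabitEthernet1/0/4"},
    "untrust": {"GigabitEthernet1/0/5"},
}


@dataclass(frozen=True)
class SecurityRule:
    name: str
    source_zone: str
    destination_zone: str
    action: str


@dataclass(frozen=True)
class NatRule:
    name: str
    source_zone: str
    egress_interface: str


# The `security-policy` and `nat-policy` rules exactly as configured on the page.
SECURITY_POLICY = [
    SecurityRule("untrust_trust", "untrust", "trust", "permit"),
    SecurityRule("trust_untrust", "trust", "untrust", "permit"),
]
NAT_POLICY = [NatRule("tointernet", "trust", "GigabitEthernet1/0/5")]

# Constructed port pool for the Easy-IP (PAT) translation; the real firewall
# picks its own ports.
_PORT_POOL = count(10240)


def interface_for(ip: str) -> Optional[str]:
    """Connected-route lookup: the FW1 interface whose subnet contains ip."""
    addr = ip_address(ip)
    return next((name for name, net in INTERFACES.items() if addr in net), None)


def zone_of(interface: Optional[str]) -> Optional[str]:
    """Zone the interface was added to, or None if it belongs to no zone."""
    return next((z for z, members in ZONES.items() if interface in members), None)


def match_security_policy(src_zone, dst_zone):
    """First-match lookup; anything unmatched falls to the (assumed) default deny."""
    for rule in SECURITY_POLICY:
        if rule.source_zone == src_zone and rule.destination_zone == dst_zone:
            return rule.name, rule.action
    return "default", "deny"


def apply_easy_ip(src_zone, egress, src_ip, src_port):
    """Easy-IP: the source address becomes the egress interface's own address
    and the source port is rewritten from the port pool."""
    for rule in NAT_POLICY:
        if rule.source_zone == src_zone and rule.egress_interface == egress:
            return rule.name, INTERFACE_IP[egress], next(_PORT_POOL)
    return None, src_ip, src_port


def forward(src_ip: str, dst_ip: str, src_port: int = 0) -> dict:
    """Decide what FW1 does with the first packet of a flow src_ip -> dst_ip."""
    ingress, egress = interface_for(src_ip), interface_for(dst_ip)
    result = {"ingress": ingress, "egress": egress,
              "src_zone": zone_of(ingress), "dst_zone": zone_of(egress)}
    if ingress is None or egress is None:
        result.update(rule=None, action="drop")  # no connected route for the address
        return result
    rule, action = match_security_policy(result["src_zone"], result["dst_zone"])
    result.update(rule=rule, action=action)
    if action == "permit":
        nat_rule, new_ip, new_port = apply_easy_ip(result["src_zone"], egress, src_ip, src_port)
        result.update(nat_rule=nat_rule, translated_src=new_ip, translated_port=new_port)
    return result


if __name__ == "__main__":
    # Constructed hosts: a DHCP client behind LSW1 and PC5 on the untrust side.
    for flow in [("192.168.10.100", "192.168.50.2", 40000),
                 ("192.168.50.2", "192.168.10.100", 40000),
                 ("192.168.10.100", "192.168.20.100", 40000)]:
        print(flow[:2], forward(*flow))
```

Running the block prints one decision per flow: the trust-to-untrust flow is permitted by trust_untrust and leaves G1/0/5 with source 192.168.50.1, the reverse flow is permitted by untrust_trust without translation, and the flow between two trust subnets gets the default deny because no intra-zone rule exists in the configuration.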