实验 7 防火墙SNAT

实验 7 防火墙SNAT

请将其中的17替换为你自己的

拓扑 SNAT.zip

IP地址表

PC	IP地址	子网掩码	网关
PC_1	192.168.17.254	255.255.255.0	192.168.17.1
PC_2	172.31.0.254	255.255.0.0	172.31.0.1

Server	IP地址	子网掩码	网关
Server1	12.2.2.254	255.255.255.0	12.2.2.1

FW	接口	IP地址	掩码长度
FW1	GigabitEthernet1/0/1	192.168.17.1	24
FW1	GigabitEthernet1/0/2	172.31.0.1	16
FW1	GigabitEthernet1/0/0	17.1.1.1	24

AR1	接口	IP地址	掩码长度
AR1	GigabitEthernet0/0/0	17.1.1.2	24
AR1	GigabitEthernet0/0/1	12.2.2.1	24

各设备地址如上所述

FW

[USG6000V1]firewall zone trust 
[USG6000V1-zone-trust]a  i g 1/0/1
[USG6000V1-zone-trust]a  i g 1/0/2
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust 
[USG6000V1-zone-untrust]a i g 1/0/0
[USG6000V1-zone-untrust]q
[USG6000V1]ip route-static 0.0.0.0 0 17.1.1.2
[USG6000V1]security-policy 
[USG6000V1-policy-security]rule n nat
[USG6000V1-policy-security-rule-nat]source-zone trust 
[USG6000V1-policy-security-rule-nat]destination-zone untrust 
[USG6000V1-policy-security-rule-nat]source-address 192.168.17.0 24
[USG6000V1-policy-security-rule-nat]source-address 172.31.0.0 16
[USG6000V1-policy-security-rule-nat]act p
[USG6000V1-policy-security-rule-nat]q
[USG6000V1-policy-security]q
[USG6000V1]nat address-group group
[USG6000V1-address-group-group]mode pat
[USG6000V1-address-group-group]section 17.1.1.1 17.1.1.1
[USG6000V1-address-group-group]q
[USG6000V1]nat-policy 
[USG6000V1-policy-nat]rule name nat
[USG6000V1-policy-nat-rule-nat]source-zone trust 
[USG6000V1-policy-nat-rule-nat]destination-zone untrust 
[USG6000V1-policy-nat-rule-nat]action source-nat address-group group