組網(wǎng)結(jié)構(gòu)

TIM截圖20181130171558.jpg

pc1 到 pc4 使用dhcp獲取IP地址,pc5 地址為192.168.50.2

LSW1 開啟dhcp 沽讹，并配置vlan 1 接口ip為192.169.10.2 ，連接FW1接口G1/0/1

LSW2 開啟dhcp ，并配置vlan 1 接口ip為192.169.20.2 ，連接FW1接口G1/0/2

LSW3 開啟dhcp ，并配置vlan 1 接口ip為192.169.30.2 ，連接FW1接口G1/0/3

LSW4 開啟dhcp ，并配置vlan 1 接口ip為192.169.40.2 仅讽，連接FW1接口G1/0/4

pc5 連接FW1接口G1/0/5

在防火墻上配置

將g1/0/1 到g1/0/4 加入到防火墻trust區(qū)域，g1/0/5加入到untrust區(qū)域

[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/2
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/3
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/4
[USG6000V1-zone-trust]qu
[USG6000V1]firewall zone untrust 
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/5

配置各個接口ip地址如下：

[USG6000V1]display ip interface  b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 7
The number of interface that is DOWN in Physical is 3
The number of interface that is UP in Protocol is 7
The number of interface that is DOWN in Protocol is 3

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.0.1/24       down       down      
GigabitEthernet1/0/0              unassigned           down       down      
GigabitEthernet1/0/1              192.168.10.1/24      up         up        
GigabitEthernet1/0/2              192.168.20.1/24      up         up        
GigabitEthernet1/0/3              192.168.30.1/24      up         up        
GigabitEthernet1/0/4              192.168.40.1/24      up         up        
GigabitEthernet1/0/5              192.168.50.1/24      up         up        
GigabitEthernet1/0/6              unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Virtual-if0                       unassigned           up         up(s)     

開啟各個端口的服務(wù)

[USG6000V1]interface GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]service-manage all permit

配置各個區(qū)域間的互通策略

[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name untrust_trust
[USG6000V1-policy-security-rule-untrust_trust]source-zone untrust 
[USG6000V1-policy-security-rule-untrust_trust]destination-zone trust 
[USG6000V1-policy-security-rule-untrust_trust]action permit 
[USG6000V1-policy-security-rule-untrust_trust]qu
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust 
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust 
[USG6000V1-policy-security-rule-trust_untrust]action permit 

開啟easy-ip

[USG6000V1]acl 3000
[USG6000V1-acl-adv-3000]rule 5 permit ip source 0.0.0.0 255.255.255.0
[USG6000V1-acl-adv-3000]qu
[USG6000V1]nat-policy 
[USG6000V1-policy-nat]rule name tointernet
[USG6000V1-policy-nat-rule-tointernet]source-zone trust 
[USG6000V1-policy-nat-rule-tointernet]egress-interface GigabitEthernet 1/0/5
[USG6000V1-policy-nat-rule-tointernet]action nat easy-ip