华为USG5500防火墙配置NAT

实验要求：

1. 按照拓扑图部署网络环境，使用USG5500防火墙，将防火墙接口加入相应的区域，添加区域访问规则使内网trust区域可以访问DMZ区域的web服务器和untrust区域的web服务器。

2. 在防火墙上配置easy-ip，使trust区域主机能够访问untrust区域的服务器。

3. 在防火墙配置nat server，使untrust区域的客户端能够通过目标地址转换访问DMZ区域的服务器。

1. 启动设备

2.. 配置IP地址

3. 配置默认路由条目

[SRG]ip route-static 0.0.0.0 0.0.0.0 30.0.0.2

4. 配置HTTP服务器

5. 将防火墙接口加入相应的区域

[SRG]firewall zone trust

[SRG-zone-trust]add interface g0/0/1

[SRG-zone-trust]q

[SRG]firewall zone dmz

[SRG-zone-dmz]add interface g0/0/2

[SRG-zone-dmz]q

[SRG]firewall zone untrust

[SRG-zone-untrust]add interface g0/0/3

[SRG-zone-untrust]q

6. 给防火墙配置trust访问DMZ区域，trust访问untrust区域

[SRG]policy interzone trust dmz outbound

[SRG-policy-interzone-trust-dmz-outbound]policy 1

[SRG-policy-interzone-trust-dmz-outbound-1]policy source 192.168.10.0 mask 24

[SRG-policy-interzone-trust-dmz-outbound-1]action permit

[SRG-policy-interzone-trust-dmz-outbound-1]q

[SRG-policy-interzone-trust-dmz-outbound]q

[SRG]policy interzone trust untrust outbound

[SRG-policy-interzone-trust-untrust-outbound]policy 1

[SRG-policy-interzone-trust-untrust-outbound-1]policy source any

[SRG-policy-interzone-trust-untrust-outbound-1]action permit

[SRG-policy-interzone-trust-untrust-outbound-1]q

[SRG-policy-interzone-trust-untrust-outbound]q

7. 配置防火墙的easy-ip

[SRG]nat-policy interzone trust untrust outbound

[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1

[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source any

[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat

[SRG-nat-policy-interzone-trust-untrust-outbound-1]easy-ip g0/0/3

[SRG-nat-policy-interzone-trust-untrust-outbound-1]q

[SRG-nat-policy-interzone-trust-untrust-outbound]q

8. 配置untrust访问DMZ区域

[SRG]policy interzone untrust dmz inbound

[SRG-policy-interzone-dmz-untrust-inbound]policy 1

[SRG-policy-interzone-dmz-untrust-inbound-1]policy source any

[SRG-policy-interzone-dmz-untrust-inbound-1]policy destination 192.168.20.2 0

[SRG-policy-interzone-dmz-untrust-inbound-1]action permit

[SRG-policy-interzone-dmz-untrust-inbound-1]q

[SRG-policy-interzone-dmz-untrust-inbound]q

9. 设置nat规则

[SRG]nat server protocol tcp global interface g0/0/3 www inside 192.168.20.2 www

验证：

Client1ping 通Server1(192.168.20.2)和访问Server1的HTTP服务

Client1ping 通Server2(40.0.0.2)和访问Server2的HTTP服务

使用Wireshark抓取防火墙G0/0/3接口

分别使用Client1和Client2pingServer2(40.0.0.2)，发现地址进行了转换

使用Client3访问DMZ区域的HTTP服务器Server1(192.168.20.2)，在访问时使用的是防火墙的G0/0/3接口IP