华为USG5500防火墙配置NAT

实验要求：

1. 按照拓扑图部署网络环境，使用USG5500防火墙，将防火墙接口加入相应的区域，添加区域访问规则使内网trust区域可以访问DMZ区域的web服务器和untrust区域的web服务器。

2. 在防火墙上配置easy-ip，使trust区域主机能够访问untrust区域的服务器。

3. 在防火墙配置nat server，使untrust区域的客户端能够通过目标地址转换访问DMZ区域的服务器。

1. 启动设备

2.. 配置IP地址

3. 配置默认路由条目

SRG\]ip route-static 0.0.0.0 0.0.0.0 30.0.0.2 **4.** **配置HTTP服务器** **5.** **将防火墙接口加入相应的区域** \[SRG\]firewall zone trust \[SRG-zone-trust\]add interface g0/0/1 \[SRG-zone-trust\]q \[SRG\]firewall zone dmz \[SRG-zone-dmz\]add interface g0/0/2 \[SRG-zone-dmz\]q \[SRG\]firewall zone untrust \[SRG-zone-untrust\]add interface g0/0/3 \[SRG-zone-untrust\]q **6.** **给防火墙配置trust访问DMZ区域，trust访问untrust区域** \[SRG\]policy interzone trust dmz outbound \[SRG-policy-interzone-trust-dmz-outbound\]policy 1 \[SRG-policy-interzone-trust-dmz-outbound-1\]policy source 192.168.10.0 mask 24 \[SRG-policy-interzone-trust-dmz-outbound-1\]action permit \[SRG-policy-interzone-trust-dmz-outbound-1\]q \[SRG-policy-interzone-trust-dmz-outbound\]q \[SRG\]policy interzone trust untrust outbound \[SRG-policy-interzone-trust-untrust-outbound\]policy 1 \[SRG-policy-interzone-trust-untrust-outbound-1\]policy source any \[SRG-policy-interzone-trust-untrust-outbound-1\]action permit \[SRG-policy-interzone-trust-untrust-outbound-1\]q \[SRG-policy-interzone-trust-untrust-outbound\]q **7.** **配置防火墙的easy-ip** \[SRG\]nat-policy interzone trust untrust outbound \[SRG-nat-policy-interzone-trust-untrust-outbound\]policy 1 \[SRG-nat-policy-interzone-trust-untrust-outbound-1\]policy source any \[SRG-nat-policy-interzone-trust-untrust-outbound-1\]action source-nat \[SRG-nat-policy-interzone-trust-untrust-outbound-1\]easy-ip g0/0/3 \[SRG-nat-policy-interzone-trust-untrust-outbound-1\]q \[SRG-nat-policy-interzone-trust-untrust-outbound\]q **8.** **配置untrust访问DMZ区域** \[SRG\]policy interzone untrust dmz inbound \[SRG-policy-interzone-dmz-untrust-inbound\]policy 1 \[SRG-policy-interzone-dmz-untrust-inbound-1\]policy source any \[SRG-policy-interzone-dmz-untrust-inbound-1\]policy destination 192.168.20.2 0 \[SRG-policy-interzone-dmz-untrust-inbound-1\]action permit \[SRG-policy-interzone-dmz-untrust-inbound-1\]q \[SRG-policy-interzone-dmz-untrust-inbound\]q **9.** **设置nat规则** \[SRG\]nat server protocol tcp global interface g0/0/3 www inside 192.168.20.2 www **验证：** **Client1ping** **通Server1(192.168.20.2)和访问Server1的HTTP服务** ![](https://i-blog.csdnimg.cn/direct/e531bca45c224fe58479a061a95d26d0.png)![](https://i-blog.csdnimg.cn/direct/97aba9587eb64037ae4aafc7aa2f3e7c.png) **Client1ping** **通Server2(40.0.0.2)和访问Server2的HTTP服务** ![](https://i-blog.csdnimg.cn/direct/de06d0aa40e44e49b4b0dbae99cd1ff3.png)![](https://i-blog.csdnimg.cn/direct/11db3ed6d0d24e4e99a0438ed8dd98f5.png) **使用Wireshark抓取防火墙G0/0/3接口** **分别使用Client1和Client2pingServer2(40.0.0.2)，发现地址进行了转换** ![](https://i-blog.csdnimg.cn/direct/1412f7afe6854a22b5bd4653fb179235.png) **使用Client3访问DMZ区域的HTTP服务器Server1(192.168.20.2)，在访问时使用的是防火墙的G0/0/3接口IP** ![](https://i-blog.csdnimg.cn/direct/d5b3b7cb356f4c21b6a37e4ec6f8f643.png)