Fault description
None
Fault analysis
None
Handling procedure
I. Packet filtering
1. Allow 192.168.0.2 to access 222.100.1.1.
V3 platform configuration, based on 1 ACL rule:
[USG]acl 3001
[USG-acl-adv-3001]rule permit ip source 192.168.0.2 0 destination 222.100.1.1 0
[USG]firewall interzone trust untrust
[USG-interzone-trust-untrust]packet-filter 3001 outbound
V5平台配置命令,基于1条策略:
[USG]policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound]policy 10
[USG-policy-interzone-trust-untrust-outbound-10]policy source 192.168.0.2 0
[USG-policy-interzone-trust-untrust-outbound-10]action permit
[USG-policy-interzone-trust-untrust-outbound-10]policy destination 222.100.1.1 0
[USG-policy-interzone-trust-untrust-outbound-10]quit
[USG-policy-interzone-trust-untrust-outbound]policy 10 enable # optional; the policy is enabled by default
2. Allow the internal network to access the Internet's www service, ftp service and UDP port 7000; deny everything else.
V3 platform configuration, based on 4 ACL rules:
[USG]acl 3002
[USG-acl-adv-3002]rule permit tcp source 192.168.0.0 0.0.0.255 destination-port eq www
[USG-acl-adv-3002]rule permit tcp source 192.168.0.0 0.0.0.255 destination-port eq 21
[USG-acl-adv-3002]rule permit udp source 192.168.0.0 0.0.0.255 destination-port eq 7000
[USG-acl-adv-3002]rule deny ip
[USG]firewall interzone trust untrust
[USG-interzone-trust-untrust]packet-filter 3002 outbound
V5 platform configuration, based on a service set and 2 policies:
[USG]ip service-set test1 type object # the predefined services do not include UDP 7000, so a custom service is created here
[USG-object-service-set-test1]service protocol udp destination-port 7000
[USG]policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound]policy 11
[USG-policy-interzone-trust-untrust-outbound-11]policy service service-set http ftp test1
[USG-policy-interzone-trust-untrust-outbound-11]policy source 192.168.0.0 0.0.0.255
[USG-policy-interzone-trust-untrust-outbound-11]policy destination any
[USG-policy-interzone-trust-untrust-outbound-11]action permit
[USG-policy-interzone-trust-untrust-outbound-11]quit
[USG-policy-interzone-trust-untrust-outbound]policy 12
[USG-policy-interzone-trust-untrust-outbound-12]action deny
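As an added illustration (not part of the original case and not a Huawei tool), the following Python script mechanises the V3-to-V5 mapping shown in the two packet-filter examples above: it parses V3 advanced ACL rules, maps well-known ports onto the predefined V5 service sets (http, ftp), defines a custom service set for anything else (as test1 was defined above), and emits the equivalent V5 policy block. The custom service-set naming and the "collapse consecutive rules with the same source/destination into one policy" grouping are this example's own assumptions.

```python
"""Added example: translate V3-style advanced ACL rules into V5 interzone policies."""

# Predefined V5 service sets the case itself relies on; other ports become custom sets.
PREDEFINED = {("tcp", "www"): "http", ("tcp", "80"): "http",
              ("tcp", "21"): "ftp", ("tcp", "ftp"): "ftp"}

def parse_rule(line):
    """Parse 'rule <permit|deny> <proto> [source A W] [destination A W] [destination-port eq P]'."""
    t = line.split()
    if len(t) < 3 or t[0] != "rule" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not an ACL rule: {line!r}")
    r = {"action": t[1], "proto": t[2], "src": "any", "dst": "any", "port": None}
    i = 3
    while i < len(t):
        if t[i] in ("source", "destination") and i + 2 < len(t):
            r["src" if t[i] == "source" else "dst"] = f"{t[i+1]} {t[i+2]}"
            i += 3
        elif t[i] == "destination-port" and i + 2 < len(t) and t[i+1] == "eq":
            r["port"] = t[i+2]
            i += 3
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    if r["port"] is None and r["proto"] != "ip":
        raise ValueError(f"{r['proto']} without a destination port is not handled: {line!r}")
    return r

def service_name(r, custom):
    """V5 service-set name for a rule; registers a custom set when no predefined one fits."""
    if r["port"] is None:
        return None                          # 'ip' rule: matches every service
    name = PREDEFINED.get((r["proto"], r["port"]))
    if name is None:
        name = f"{r['proto']}_{r['port']}"   # naming convention assumed by this example
        custom[name] = f"service protocol {r['proto']} destination-port {r['port']}"
    return name

def v3_to_v5(rules, src_zone="trust", dst_zone="untrust", direction="outbound", first_id=10):
    """Consecutive rules sharing action/source/destination collapse into one V5 policy."""
    custom, groups = {}, []
    for r in map(parse_rule, rules):
        key, svc = (r["action"], r["src"], r["dst"]), service_name(r, custom)
        if groups and groups[-1][0] == key:
            groups[-1][1].append(svc)
        else:
            groups.append((key, [svc]))
    out = [f"ip service-set {n} type object\n {d}" for n, d in custom.items()]
    out.append(f"policy interzone {src_zone} {dst_zone} {direction}")
    for pid, ((action, src, dst), svcs) in enumerate(groups, first_id):
        out.append(f" policy {pid}")
        if src != "any":
            out.append(f"  policy source {src}")
        if dst != "any":
            out.append(f"  policy destination {dst}")
        if None not in svcs:                 # an 'ip' rule in the group means any service
            out.append(f"  policy service service-set {' '.join(svcs)}")
        out.append(f"  action {action}")
    return "\n".join(out)
```

Feeding it the four rules of ACL 3002 yields a custom udp_7000 service set plus a permit policy listing http, ftp and udp_7000 followed by a bare deny policy, matching the structure of the V5 configuration above; the generated block is a starting point that should still be reviewed against the original ACL before being committed.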
II. Network address translation (NAT)
1. Interzone NAT
Requirement: do not apply NAT to 192.168.0.2; apply NAT to all other hosts.
V3 platform configuration, based on 2 ACL rules and an address group (or an interface):
[USG]acl 2020
[USG-acl-basic-2020]rule deny source 192.168.0.2 0
[USG-acl-basic-2020]rule permit source 192.168.0.0 0.0.0.255
[USG]nat address-group 10 222.100.1.2 222.100.1.2
[USG]firewall interzone trust untrust
[USG-interzone-trust-untrust]nat outbound 2020 address-group 10
or
[USG-interzone-trust-untrust]nat outbound 2020 interface GigabitEthernet0/0/0
V5 platform configuration, based on 2 policies:
[USG]nat address-group 10 222.100.1.2 222.100.1.2
[USG]nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound]policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.2 0
[USG-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[USG-nat-policy-interzone-trust-untrust-outbound]policy 3
[USG-nat-policy-interzone-trust-untrust-outbound-3]policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-3]address-group 10
2. NAT based on destination: translate addresses only for traffic to 100.0.0.0 /24
V3 platform configuration, based on 1 ACL rule and an address group (or an interface):
[USG]acl 3020
[USG-acl-adv-3020]rule permit ip source 192.168.0.0 0.0.0.255 destination 100.0.0.0 0.255.255.255
[USG]nat address-group 10 222.100.1.2 222.100.1.2
[USG]firewall interzone trust untrust
[USG-interzone-trust-untrust]nat outbound 3020 address-group 10
or
[USG-interzone-trust-untrust]nat outbound 3020 interface GigabitEthernet0/0/0
V5 platform configuration, based on 1 policy:
[USG]nat address-group 1 9.9.9.9 9.9.9.9
[USG]nat-policy zone trust
[USG-nat-policy-zone-trust]policy 1
[USG-nat-policy-zone-trust-1]policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-zone-trust-1]policy destination 100.0.0.0 0.255.255.255
[USG-nat-policy-zone-trust-1]address-group 1
[USG-nat-policy-zone-trust-1]action source-nat
3. Intrazone NAT
V3 platform configuration, based on an ACL with 1 rule and an address group:
[USG]nat address-group 1 9.9.9.9 9.9.9.9
[USG]acl 2020
[USG-acl-basic-2020]rule permit source 192.168.0.0 0.0.0.255
[USG]firewall zone trust
[USG-zone-trust]nat 2020 address-group 1
V5 platform configuration, based on 1 policy:
[USG]nat address-group 1 9.9.9.9 9.9.9.9
[USG]nat-policy zone trust
[USG-nat-policy-zone-trust]policy 1
[USG-nat-policy-zone-trust-1]policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-zone-trust-1]address-group 1
[USG-nat-policy-zone-trust-1]action source-nat
Suggestions / summary
For the USG2000/5100 series, V100R003 is the V3 platform and V100R005 is the V5 platform. For the USG5300, V100R002 is the V3 platform and V100R003 is the V5 platform.