  • Firewall policy

    First, plan and configure the IP addresses

    Enable the DHCP service on the firewall, create an address pool, and bind it to the firewall's inside interface

      [SRG]dhcp server ip-pool 188
      [SRG-dhcp-188]network 192.168.1.0 mask 24
      [SRG-dhcp-188]gateway-list 192.168.1.1
      [SRG-dhcp-188]qu

      Then run ipconfig on pc1; it already obtains an IP address automatically

      

     Configure the telnet server on AR1 (telnet sends this password in cleartext, so it should stay reachable from outside only through the firewall's mapped port)

      [Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.1.1
      [Huawei]user-interface vty 0 4
      [Huawei-ui-vty0-4]authentication-mode password 
      Please configure the login password (maximum length 16):tel123
      [Huawei-ui-vty0-4]qu

     AR3 configuration

      [Huawei]ip route-static 0.0.0.0 0.0.0.0 202.101.10.1

     AR4 configuration

      [Huawei]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1

     AR2 configuration

      [Huawei]rip
      [Huawei-rip-1]version 2
      [Huawei-rip-1]network 202.101.12.0
      [Huawei-rip-1]network 202.101.10.0
      [Huawei-rip-1]network 202.101.15.0

     Firewall configuration (default route, zone membership, a local-untrust inbound policy, then default-permit from trust to untrust). Note that the local-untrust policy lets any untrust host reach the firewall's own icmp/telnet/ftp/http services; outside a lab it should be restricted to known management sources.

    [SRG]ip route-static 0.0.0.0 0.0.0.0 202.101.12.2
    [SRG]firewall zone trust 
    [SRG-zone-trust]add in g0/0/1
    [SRG-zone-trust]qu
    [SRG]firewall zone untrust 
    [SRG-zone-untrust]add in g0/0/0
    [SRG-zone-untrust]qu

    [SRG]policy interzone local untrust inbound 
    [SRG-policy-interzone-local-untrust-inbound]policy 1
    [SRG-policy-interzone-local-untrust-inbound-1]action permit 
    [SRG-policy-interzone-local-untrust-inbound-1]policy service service-set icmp
    [SRG-policy-interzone-local-untrust-inbound-1]policy service service-set telnet
    [SRG-policy-interzone-local-untrust-inbound-1]policy service service-set ftp
    [SRG-policy-interzone-local-untrust-inbound-1]policy service service-set http
    [SRG-policy-interzone-local-untrust-inbound-1]qu
    [SRG-policy-interzone-local-untrust-inbound]qu
    [SRG]firewall packet-filter default permit interzone trust untrust direction outbound   ##set the default action from trust to untrust to permit
    Warning:Setting the default packet filtering to permit poses security risks. You
    are advised to configure the security policy based on the actual data flows. Are
    you sure you want to continue?[Y/N]y

    [SRG]nat address-group 1 202.101.12.1 202.101.12.1
    [SRG]nat-policy interzone trust untrust outbound 
    [SRG-nat-policy-interzone-trust-untrust-outbound]policy 1
    [SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat 
    [SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.1.0 mask 24
    [SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1
    [SRG-nat-policy-interzone-trust-untrust-outbound-1]qu
    [SRG-nat-policy-interzone-trust-untrust-outbound]qu

    [SRG]nat server 0 protocol tcp global interface GigabitEthernet 0/0/0 2323 inside 192.168.1.23 telnet
    [SRG]nat server 1 protocol tcp global interface GigabitEthernet 0/0/0 ftp inside 192.168.1.21 ftp   ##the global side must be the untrust interface g0/0/0; binding it to the inside interface g0/0/1 leaves FTP unreachable from outside
    [SRG]nat server 2 protocol tcp global 202.101.12.1 www inside 192.168.1.80 www
    [SRG]policy interzone trust untrust inbound 
    [SRG-policy-interzone-trust-untrust-inbound]policy 1
    [SRG-policy-interzone-trust-untrust-inbound-1]action permit 
    [SRG-policy-interzone-trust-untrust-inbound-1]policy service service-set telnet
    [SRG-policy-interzone-trust-untrust-inbound-1]policy service service-set ftp
    [SRG-policy-interzone-trust-untrust-inbound-1]policy service service-set http
    [SRG-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.23 0
    [SRG-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.21 0
    [SRG-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.80 0
    [SRG-policy-interzone-trust-untrust-inbound-1]qu
    [SRG-policy-interzone-trust-untrust-inbound]qu

     AR3 configuration (Easy IP: hosts in 192.168.2.0/24 are translated to the address of g0/0/0)

    [Huawei]acl 2001
    [Huawei-acl-basic-2001]rule 5 permit source 192.168.2.0 0.0.0.255
    [Huawei-acl-basic-2001]qu
    [Huawei]int g0/0/0
    [Huawei-GigabitEthernet0/0/0]nat outbound 2001

    AR5 configuration

    [Huawei]ip route-static 0.0.0.0 0.0.0.0 202.101.15.1

     Firewall configuration (narrow the inbound policy so that only source 202.101.10.2, presumably the outside address AR3's NAT presents, may reach the published servers)

    [SRG]policy interzone trust untrust inbound 
    [SRG-policy-interzone-trust-untrust-inbound]policy 1
    [SRG-policy-interzone-trust-untrust-inbound-1]policy source 202.101.10.2 0
    [SRG-policy-interzone-trust-untrust-inbound-1]qu
    [SRG-policy-interzone-trust-untrust-inbound]qu
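The two firewall configuration blocks above (the nat server mappings with their trust-untrust inbound policy, and the later policy source restriction) are easy to get out of step: a nat server whose global side sits on the wrong interface, or an inside host with no permit rule, fails silently. The following Python script is an added example, not part of the original post or of Huawei's tooling; it parses a constructed config fragment in the same CLI syntax (the zone, packet-filter, nat server and policy interzone commands used here; the sample deliberately binds nat server 1 to the inside interface g0/0/1 to show what the check catches) and reports mismatches. The SERVICE_ALIAS map and the assumption that the security policy matches the post-NAT inside address are the author's assumptions for this example.

```python
import re

# Constructed sample mirroring this post's config; nat server 1 is deliberately
# bound to the inside interface g0/0/1 so the audit has something to flag.
SAMPLE_CONFIG = """
firewall zone trust
 add in g0/0/1
firewall zone untrust
 add in g0/0/0
firewall packet-filter default permit interzone trust untrust direction outbound
nat server 0 protocol tcp global interface GigabitEthernet 0/0/0 2323 inside 192.168.1.23 telnet
nat server 1 protocol tcp global interface GigabitEthernet 0/0/1 ftp inside 192.168.1.21 ftp
nat server 2 protocol tcp global 202.101.12.1 www inside 192.168.1.80 www
policy interzone trust untrust inbound
 policy 1
  action permit
  policy service service-set telnet
  policy service service-set ftp
  policy service service-set http
  policy destination 192.168.1.23 0
  policy destination 192.168.1.21 0
  policy destination 192.168.1.80 0
  policy source 202.101.10.2 0
"""

IFACE_RE = re.compile(r"^(?:g|gi|gigabitethernet)(\d+/\d+/\d+)$", re.I)
# Assumed mapping from a nat server's inside port to the service-set name used in policy.
SERVICE_ALIAS = {"www": "http", "80": "http", "23": "telnet", "21": "ftp"}


def norm_iface(name):
    """Expand CLI shorthand such as g0/0/1 to GigabitEthernet0/0/1."""
    m = IFACE_RE.match(name)
    return "GigabitEthernet" + m.group(1) if m else name


def parse_config(text):
    """Collect zone membership, nat servers, interzone policies and default-permit settings."""
    cfg = {"zones": {}, "nat_servers": [], "policies": [], "default_permit": set()}
    zone = block = rule = None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] in ("qu", "quit"):
            continue
        if toks[:2] == ["firewall", "zone"]:
            zone, block, rule = toks[2], None, None
        elif toks[0] == "add" and zone:                      # add interface <name>
            cfg["zones"][norm_iface(toks[-1])] = zone
        elif toks[:2] == ["firewall", "packet-filter"] and "permit" in toks:
            i = toks.index("interzone")                      # interzone Z1 Z2 direction DIR
            cfg["default_permit"].add((toks[i + 1], toks[i + 2], toks[i + 4]))
        elif toks[:2] == ["nat", "server"]:
            i, k, iface = toks.index("global"), toks.index("inside"), None
            if toks[i + 1] == "interface":
                iface = toks[i + 2]
                if re.fullmatch(r"\d+/\d+/\d+", toks[i + 3]):  # "GigabitEthernet 0/0/0"
                    iface += toks[i + 3]
                iface = norm_iface(iface)
            cfg["nat_servers"].append({"id": toks[2], "iface": iface,
                                       "inside": toks[k + 1], "iport": toks[k + 2]})
        elif toks[:2] == ["policy", "interzone"]:
            block = {"zones": (toks[2], toks[3]), "dir": toks[4], "rules": []}
            cfg["policies"].append(block)
            zone = rule = None
        elif block and toks[0] == "policy" and len(toks) == 2 and toks[1].isdigit():
            rule = {"id": toks[1], "action": None, "services": set(), "dst": set()}
            block["rules"].append(rule)
        elif rule and toks[0] == "action":
            rule["action"] = toks[1]
        elif rule and toks[:3] == ["policy", "service", "service-set"]:
            rule["services"].add(toks[3])
        elif rule and toks[:2] == ["policy", "destination"]:
            rule["dst"].add(toks[2])
    return cfg


def audit(text):
    """Return human-readable findings; an empty list means the config is consistent."""
    cfg = parse_config(text)
    findings = []
    inbound = [r for p in cfg["policies"] for r in p["rules"]
               if p["zones"] == ("trust", "untrust") and p["dir"] == "inbound"]
    for ns in cfg["nat_servers"]:
        z = cfg["zones"].get(ns["iface"])
        if ns["iface"] and z != "untrust":
            findings.append(f"nat server {ns['id']}: global interface {ns['iface']} is in zone {z}, expected untrust")
        svc = SERVICE_ALIAS.get(ns["iport"].lower(), ns["iport"].lower())
        # The security policy is assumed to match the post-NAT (inside) address and service.
        if not any(r["action"] == "permit" and ns["inside"] in r["dst"] and svc in r["services"]
                   for r in inbound):
            findings.append(f"nat server {ns['id']}: no trust-untrust inbound permit for {svc} to {ns['inside']}")
    for z1, z2, d in sorted(cfg["default_permit"]):
        findings.append(f"default packet-filter permit {z1}-{z2} {d}: flows matching no policy are allowed")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to get two findings: the FTP mapping published on the trust-zone interface, and the default-permit setting that the firewall itself warns about. Fixing the interface and removing the default permit yields an empty list; deleting one policy destination line produces a "no inbound permit" finding for that host.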

    Too many stray thoughts inevitably make for a shallow foundation
  • Original post: https://www.cnblogs.com/starshine-zhp/p/12002858.html