拓扑图
配置代码
fw1(防火墙配置:)--------------------------
sys
int g0/0/1
ip address 10.0.0.2 24
int g0/0/2
ip address 192.168.100.254 24
int g0/0/3
ip add 200.0.10.1 24
quit
(将端口加入相应区域)
firewall zone trust
add interface g0/0/1
quit
firewall zone dmz
add interface GigabitEthernet 0/0/2
quit
firewall zone untrust
add interface GigabitEthernet 0/0/3
quit
(允许区域1到区域2的数据通过 display firewall packet-filter default all 可查看 )
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone untrust dmz direction inbound
ospf
area 0
network 192.168.100.0 0.0.0.255
network 10.0.0.0 0.0.0.255
quit
quit
rip
version 2
network 200.0.10.0
(将外网rip注入到ospf)
ospf
import-route rip
(nat配置)
nat address-group 1 200.0.10.10 200.0.10.20
nat-policy interzone trust untrust outbound
policy 1
Policy source any
action source-nat
Address-group 1
(服务器静态nat)
nat server global 200.0.10.100 inside 192.168.100.1
(禁止10网段访问外网)
policy interzone trust untrust outbound
policy 0
policy source 10.0.0.0 mask 24
action deny
AR1-------------------------------------------
sys
int g0/0/0
ip add 192.168.1.254 24
int g0/0/1
ip add 10.0.0.1 24
quit
ospf
area 0
network 192.168.1.0 0.0.0.255
network 10.0.0.0 0.0.0.255
quit
quit
AR2-----------------------------------------
sys
int g0/0/0
ip add 200.0.10.2 24
int g0/0/1
ip add 200.0.20.254 24
quit
rip
version 2
network 200.0.10.0
network 200.0.20.0
验证:c1访问dmz区域
c1访问外网主机:
外网访问dmz:(dmzip经nat转换为外网地址)
外网不能访问内网
禁止10网段访问外网
本文转自 fxl风 51CTO博客,原文链接:http://blog.51cto.com/fengxiaoli/1946927
