Single-arm (router-on-a-stick) firewall: NAT and pinging the Internet
Notes:
1. Give the firewall 1024M of memory and the switch 768M, to avoid problems caused by running out of memory
2. If things behave abnormally after configuration, power each device off and on again
Tests:
Ping from the PC
telnet to the internal SSH service
telnet to the switch on port 23
#### Related commands
# Switch
system-view
sysname SW
telnet server enable
line vty 0 4
authentication-mode scheme
user-role network-admin
quit
local-user admin
password simple gh2023meng
service-type telnet
authorization-attribute user-role network-admin
interface Vlan-interface 1
ip address 192.168.30.3 255.255.255.0
quit
ip route-static 0.0.0.0 0 192.168.30.1
save
# FW1 firewall
sysname FW1
telnet server enable
vlan 30
interface Vlan-interface30
ip address 192.168.30.1 255.255.255.0
nat hairpin enable
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 192.168.137.2 255.255.255.0
nat outbound counting
nat server protocol tcp global 192.168.137.2 10001 inside 192.168.30.3 23 rule ServerRule_1
nat server protocol tcp global 192.168.137.2 10002 inside 192.168.30.10 8000 rule ServerRule_2
nat server protocol tcp global 192.168.137.2 10003 inside 192.168.30.10 22 rule ServerRule_3
security-zone name Local
security-zone name Trust
import interface Vlan-interface30
import interface GigabitEthernet1/0/4 vlan 30
security-zone name Untrust
import interface GigabitEthernet1/0/3
ip route-static 0.0.0.0 0 192.168.137.1
security-policy ip
rule 1 name Untrust_Trust_1_IPv4
action pass
source-zone Untrust
destination-zone Trust
rule 2 name Untrust_Local_2_IPv4
action pass
source-zone Untrust
destination-zone Local
rule 3 name Local_Untrust_3_IPv4
action pass
source-zone Local
destination-zone Untrust
rule 4 name Trust_Untrust_4_IPv4
action pass
source-zone Trust
destination-zone Untrust
rule 5 name Trust_Local_5_IPv4
action pass
source-zone Trust
destination-zone Local
rule 6 name Local_Trust_6_IPv4
action pass
source-zone Local
destination-zone Trust
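Every rule in the policy above is `action pass` keyed on zones alone, so the firewall forwards anything in any direction, including Untrust to Trust. The following audit script is an added example, not part of the lab notes and not an H3C tool: it parses a Comware-style `security-policy ip` block and reports each pass rule that carries no address, service or application match. The restricting keywords it checks for and the extra rule 7 in the sample are assumptions constructed for the example.

```python
"""Flag permit-any rules in an H3C-style security-policy block (added example)."""
import re

# Constructed input: the first two rules copied from the lab config above,
# plus a hypothetical restricted rule 7 to show what a non-finding looks like.
POLICY = """\
security-policy ip
 rule 1 name Untrust_Trust_1_IPv4
  action pass
  source-zone Untrust
  destination-zone Trust
 rule 2 name Untrust_Local_2_IPv4
  action pass
  source-zone Untrust
  destination-zone Local
 rule 7 name Untrust_Trust_telnet_only
  action pass
  source-zone Untrust
  destination-zone Trust
  destination-ip-host 192.168.30.3
  service telnet
"""

# Line prefixes that narrow a rule beyond zones (assumed Comware keyword set).
RESTRICTING = ("source-ip", "destination-ip", "service", "application", "user")


def parse_rules(text):
    """Return [{'name', 'action', 'lines'}] for each 'rule N name X' in the block."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"rule \d+ name (\S+)", line)
        if m:
            current = {"name": m.group(1), "action": None, "lines": []}
            rules.append(current)
        elif current is not None and line:
            if line.startswith("action "):
                current["action"] = line.split()[1]
            current["lines"].append(line)
    return rules


def permit_all_rules(text):
    """Names of 'pass' rules whose only match conditions are zones."""
    findings = []
    for rule in parse_rules(text):
        if rule["action"] != "pass":
            continue
        if not any(l.startswith(RESTRICTING) for l in rule["lines"]):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for name in permit_all_rules(POLICY):
        print(f"permit-any rule: {name}")
```

Run against the full six-rule policy from the lab, every rule is reported; rule 7 shows the shape a scoped rule would take.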