USG6000配置

组网结构

TIM截图20181130171558.jpg

pc1 到 pc4 使用dhcp获取IP地址,pc5 地址为192.168.50.2

LSW1 开启dhcp ，并配置vlan 1 接口ip为192.169.10.2 ，连接FW1接口G1/0/1

LSW2 开启dhcp ，并配置vlan 1 接口ip为192.169.20.2 ，连接FW1接口G1/0/2

LSW3 开启dhcp ，并配置vlan 1 接口ip为192.169.30.2 ，连接FW1接口G1/0/3

LSW4 开启dhcp ，并配置vlan 1 接口ip为192.169.40.2 ，连接FW1接口G1/0/4

pc5 连接FW1接口G1/0/5

在防火墙上配置

将g1/0/1 到g1/0/4 加入到防火墙trust区域，g1/0/5加入到untrust区域

[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/2
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/3
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/4
[USG6000V1-zone-trust]qu
[USG6000V1]firewall zone untrust 
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/5

配置各个接口ip地址如下：

[USG6000V1]display ip interface  b
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
(E): E-Trunk down
The number of interface that is UP in Physical is 7
The number of interface that is DOWN in Physical is 3
The number of interface that is UP in Protocol is 7
The number of interface that is DOWN in Protocol is 3

Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.0.1/24       down       down      
GigabitEthernet1/0/0              unassigned           down       down      
GigabitEthernet1/0/1              192.168.10.1/24      up         up        
GigabitEthernet1/0/2              192.168.20.1/24      up         up        
GigabitEthernet1/0/3              192.168.30.1/24      up         up        
GigabitEthernet1/0/4              192.168.40.1/24      up         up        
GigabitEthernet1/0/5              192.168.50.1/24      up         up        
GigabitEthernet1/0/6              unassigned           down       down      
NULL0                             unassigned           up         up(s)     
Virtual-if0                       unassigned           up         up(s)     

开启各个端口的服务

[USG6000V1]interface GigabitEthernet 1/0/1
[USG6000V1-GigabitEthernet1/0/1]service-manage all permit

配置各个区域间的互通策略

[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name untrust_trust
[USG6000V1-policy-security-rule-untrust_trust]source-zone untrust 
[USG6000V1-policy-security-rule-untrust_trust]destination-zone trust 
[USG6000V1-policy-security-rule-untrust_trust]action permit 
[USG6000V1-policy-security-rule-untrust_trust]qu
[USG6000V1-policy-security]rule name trust_untrust
[USG6000V1-policy-security-rule-trust_untrust]source-zone trust 
[USG6000V1-policy-security-rule-trust_untrust]destination-zone untrust 
[USG6000V1-policy-security-rule-trust_untrust]action permit 

开启easy-ip

[USG6000V1]acl 3000
[USG6000V1-acl-adv-3000]rule 5 permit ip source 0.0.0.0 255.255.255.0
[USG6000V1-acl-adv-3000]qu
[USG6000V1]nat-policy 
[USG6000V1-policy-nat]rule name tointernet
[USG6000V1-policy-nat-rule-tointernet]source-zone trust 
[USG6000V1-policy-nat-rule-tointernet]egress-interface GigabitEthernet 1/0/5
[USG6000V1-policy-nat-rule-tointernet]action nat easy-ip