华为ENSP模拟器模拟防火墙的源NAT实验

eNSP

win7-64

SecureCRT

一、建立实验拓扑，准备好实验环境1、首先安装华为eNSP模拟器2、打开模拟器

二、配置模拟器1、打开模拟器添加两台电脑和一台防火墙2、配置防火墙的接口地址在这里我用的CRT连接模拟器的防火墙配置如下sys22:05:35  2017/02/02Enter system view, return user view with Ctrl+Z.[SRG]int g0/0/122:05:44  2017/02/02[SRG-GigabitEthernet0/0/1][SRG-GigabitEthernet0/0/1][SRG-GigabitEthernet0/0/1]ip add 192.168.1.1 255.255.255.022:06:09  2017/02/02[SRG-GigabitEthernet0/0/1]dis th22:06:12  2017/02/02#interface GigabitEthernet0/0/1 ip address 192.168.1.1 255.255.255.0 #return[SRG-GigabitEthernet0/0/1]quit22:06:28  2017/02/02[SRG]int g0/0/222:06:33  2017/02/02[SRG-GigabitEthernet0/0/2]ip add 2.2.2.1 255.255.255.022:06:47  2017/02/02[SRG-GigabitEthernet0/0/2]dis th22:06:50  2017/02/02#interface GigabitEthernet0/0/2 ip address 2.2.2.1 255.255.255.0 #return[SRG-GigabitEthernet0/0/2]quit22:06:54  2017/02/02[SRG]

三、配置防火墙的安全区域[USG]firewall zone trust [USG-zone-trust]add interface GigabitEthernet 1/0/0 [USG-zone-trust]quit[USG]firewall zone untrust   [USG-zone-untrust]add interface GigabitEthernet 1/0/1[USG-zone-untrust]quit

四、配置防火墙的域间包过滤[USG] security-policy[USG-policy-security] rule name source_nat[USG-policy-security-rule-source_nat] source-addresss 192.168.1.0 24[USG-policy-security-rule-source_nat] source-zone trust [USG-policy-security-rule-source_nat] destination-zone untrust[USG-policy-security-rule-source_nat] action permit

五、配置防火墙的NAT[USG] nat address-group 1[USG-nat-address-group-1] section 2.2.2.2 2.2.2.5[USG] nat-policy [USG-policy-nat] rule name source_nat[USG-policy-nat-rule-source_nat] destination-address 2.2.2.10 24[USG-policy-nat-rule-source_nat] source-address 192.168.1.0 24[USG-policy-nat-rule-source_nat] source-zone trust[USG-policy-nat-rule-source_nat] destination-zone untrust[USG-policy-nat-rule-source_nat] action nat address-group 1

六、检查结果ping两台电脑的地址是否能通信

防火墙的端口 默认是禁ping的， 进入端口 service-manage ping permit

注意命令大小写