How to Configure Policy-Based Routing on a Huawei Firewall (How to Configure a Firewall on a Huawei Router)
By configuring NAT and policy-based routing, campus network users can access the Internet through different paths.
Networking Requirements
A school's student users should access the Internet through the education network, while teacher users should access the Internet directly. The IP address allocated to the school by the education network is 10.1.1.1, and the IP address the school obtained from the ISP is 200.1.1.1.
Configuration Roadmap
1. Deploy the student and teacher users in the Trust zone, add the interface connecting to the education network to the Untrust zone, and add the interface connecting directly to the Internet to the Untrust1 zone.
2. To allow school users to access the Internet, configure NAT to translate the campus network's private IP addresses to public IP addresses. That is, configure NAT outbound in the Trust-Untrust interzone and in the Trust-Untrust1 interzone respectively, each using the IP address of its outbound interface as the address in its NAT address pool.
3. To allow different users to access the Internet through different interfaces, configure policy-based routing so that packets from student users (the 192.168.0.0/24 segment) are forwarded to the education network through interface E1 3/0/0, and packets from teacher users (the 192.168.1.0/24 segment) are forwarded directly to the Internet through interface GigabitEthernet 0/0/3.
Procedure
1. Configure the IP addresses of the USG interfaces, add the interfaces to the appropriate security zones, and configure the interzone packet filtering rule.
Configure the IP address of interface GigabitEthernet 0/0/1
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip address 192.168.0.1 24
[USG-GigabitEthernet0/0/1] quit
Configure the IP address of interface GigabitEthernet 0/0/2
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] ip address 192.168.1.1 24
[USG-GigabitEthernet0/0/2] quit
Configure the IP address of interface GigabitEthernet 0/0/3
[USG] interface GigabitEthernet 0/0/3
[USG-GigabitEthernet0/0/3] ip address 200.1.1.1 24
[USG-GigabitEthernet0/0/3] quit
Bundle the E1/CE1 interface E1 3/0/0 into the serial interface Serial 3/0/0:0 and configure the IP address of Serial 3/0/0:0
[USG] controller E1 3/0/0
[USG-E1 3/0/0] channel-set 0 timeslot-list 1-10
[USG-E1 3/0/0] quit
[USG] interface Serial 3/0/0:0
[USG-Serial3/0/0:0] ip address 10.1.1.1 24
[USG-Serial3/0/0:0] quit
Add the interfaces connecting to the internal network to the Trust security zone, the interface connecting to the education network to the Untrust security zone, and the interface connecting directly to the Internet to the Untrust1 security zone
[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet 0/0/1
[USG-zone-trust] add interface GigabitEthernet 0/0/2
[USG-zone-trust] quit
[USG] firewall zone untrust
[USG-zone-untrust] add interface Serial 3/0/0:0
[USG-zone-untrust] quit
[USG] firewall zone name untrust1
[USG-zone-untrust1] set priority 10
[USG-zone-untrust1] add interface GigabitEthernet 0/0/3
[USG-zone-untrust1] quit
Enable interzone packet filtering with a default permit action so that all services pass (this permits every interzone flow by default; a production deployment would narrow it with explicit interzone rules)
[USG] firewall packet-filter default permit all
2. Configure NAT to translate the campus network's private IP addresses to public IP addresses.
Create global NAT address pool 0
[USG] nat address-group 0 10.1.1.1 10.1.1.1
Configure NAT in the Trust-Untrust interzone to translate the private IP addresses of campus users to the public IP address 10.1.1.1 provided by the education network
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.0 0.0.255.255
[USG-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-1] address-group 0
[USG-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG-nat-policy-interzone-trust-untrust-outbound] quit
Create global NAT address pool 1
[USG] nat address-group 1 200.1.1.1 200.1.1.1
Configure NAT in the Trust-Untrust1 interzone to translate the private IP addresses of campus users to the public IP address 200.1.1.1 provided by the ISP
[USG] nat-policy interzone trust untrust1 outbound
[USG-nat-policy-interzone-trust-untrust1-outbound] policy 1
[USG-nat-policy-interzone-trust-untrust1-outbound-1] policy source 192.168.0.0 0.0.255.255
[USG-nat-policy-interzone-trust-untrust1-outbound-1] action source-nat
[USG-nat-policy-interzone-trust-untrust1-outbound-1] address-group 1
[USG-nat-policy-interzone-trust-untrust1-outbound-1] quit
[USG-nat-policy-interzone-trust-untrust1-outbound] quit
3. Configure policy-based routing so that packets from different users are forwarded through different interfaces.
Define ACL 2001 to match packets with source address 192.168.0.0/24 and ACL 2002 to match packets with source address 192.168.1.0/24
[USG] acl number 2001
[USG-acl-basic-2001] rule permit source 192.168.0.0 0.0.0.255
[USG-acl-basic-2001] quit
[USG] acl number 2002
[USG-acl-basic-2002] rule permit source 192.168.1.0 0.0.0.255
[USG-acl-basic-2002] quit
Define node 5 of policy-based route abc so that packets with source address 192.168.0.0/24 are forwarded out of interface Serial 3/0/0:0
[USG] policy-based-route abc permit node 5
[USG-policy-based-route-abc-5] if-match acl 2001
[USG-policy-based-route-abc-5] apply output-interface Serial 3/0/0:0
[USG-policy-based-route-abc-5] quit
Define node 10 of policy-based route abc so that packets with source address 192.168.1.0/24 are forwarded out of interface GigabitEthernet 0/0/3 (via next hop 200.1.1.2)
[USG] policy-based-route abc permit node 10
[USG-policy-based-route-abc-10] if-match acl 2002
[USG-policy-based-route-abc-10] apply ip-address next-hop 200.1.1.2
[USG-policy-based-route-abc-10] quit
Apply the defined policy abc on interface GigabitEthernet 0/0/1 to process packets received on this interface
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip policy-based-route abc
[USG-GigabitEthernet0/0/1] quit
Apply the defined policy abc on interface GigabitEthernet 0/0/2 to process packets received on this interface
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] ip policy-based-route abc
[USG-GigabitEthernet0/0/2] quit
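The following Python model, added here as an example and not part of the original configuration, replays the ACL, policy-based-route and NAT policy decisions from the steps above for a given source address, so you can check which egress interface and public address each user group ends up with before deploying; the dictionaries encoding the commands and the next-hop-to-interface mapping are assumptions of this model, not USG output.

```python
import ipaddress

# Constructed model of the page's configuration (example only, not USG code).
ACLS = {
    2001: ("192.168.0.0", "0.0.0.255"),  # acl 2001: student subnet
    2002: ("192.168.1.0", "0.0.0.255"),  # acl 2002: teacher subnet
}
# policy-based-route abc: nodes are evaluated in ascending order, first match wins
PBR_ABC = [
    (5, 2001, ("output-interface", "Serial 3/0/0:0")),
    (10, 2002, ("next-hop", "200.1.1.2")),
]
# egress interface -> security zone (from the firewall zone commands)
ZONE_OF = {"Serial 3/0/0:0": "untrust", "GigabitEthernet 0/0/3": "untrust1"}
# assumption: 200.1.1.2 is reached through GigabitEthernet 0/0/3 (200.1.1.1/24)
NEXT_HOP_IFACE = {"200.1.1.2": "GigabitEthernet 0/0/3"}
# nat-policy interzone trust <zone> outbound: (source, wildcard) -> pool address
NAT_POLICY = {
    "untrust": (("192.168.0.0", "0.0.255.255"), "10.1.1.1"),
    "untrust1": (("192.168.0.0", "0.0.255.255"), "200.1.1.1"),
}


def wildcard_match(ip, network, wildcard):
    """Huawei ACL wildcard semantics: bit 1 = don't care, bit 0 = must match."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


def select_egress(src_ip):
    """Return (node, interface) chosen by policy route abc, or (None, None)."""
    for node, acl, (kind, value) in PBR_ABC:
        net, wc = ACLS[acl]
        if wildcard_match(src_ip, net, wc):
            iface = value if kind == "output-interface" else NEXT_HOP_IFACE[value]
            return node, iface
    return None, None  # no node matched: packet follows the normal routing table


def forward(src_ip):
    """Egress interface, zone and translated source for a packet from src_ip."""
    node, iface = select_egress(src_ip)
    if iface is None:
        return {"pbr_node": None, "egress": None, "zone": None, "nat_ip": None}
    zone = ZONE_OF[iface]
    (net, wc), pool_ip = NAT_POLICY[zone]
    translated = pool_ip if wildcard_match(src_ip, net, wc) else src_ip
    return {"pbr_node": node, "egress": iface, "zone": zone, "nat_ip": translated}
```

Note that both NAT policies match 192.168.0.0 0.0.255.255, which is wider than either ACL, so it is the policy route's choice of egress zone alone that decides which public address a host is translated to.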