Accessing the Internet through DHCP
The device acts as a DHCP client: it requests an IPv4 address from the DHCP server (the carrier's equipment) over DHCP and uses that address to reach the Internet.
Networking requirements
As shown in Figure 1, the FW is the egress gateway through which PCs on the internal network reach the Internet. The network is planned as follows:
- The internal PCs sit on the 10.3.0.0/24 segment, and the administrator sets each PC's IPv4 address manually. For the DNS proxy configured below to be used, each PC must also be configured with the FW's inside address (10.3.0.1) as its default gateway and DNS server.
- The FW connects to the internal network with a static IPv4 address.
- The FW acts as a DHCP client: it obtains an IPv4 address and DNS server addresses from the DHCP server (the carrier's equipment) and then provides Internet access.
Procedure
- Configure the interface IP address and add the interfaces to security zones. The inside interface GigabitEthernet 1/0/3 gets the static address; the outside interface GigabitEthernet 1/0/1 gets no address yet, because it will obtain one via DHCP in a later step.

    <FW> system-view
    [FW] interface GigabitEthernet 1/0/3
    [FW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
    [FW-GigabitEthernet1/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 1/0/3
    [FW-zone-trust] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 1/0/1
    [FW-zone-untrust] quit
- Configure the DNS proxy. The PCs send their DNS queries to the FW, which resolves them on their behalf. `dns server unnumbered interface GigabitEthernet1/0/1` tells the resolver to use the DNS server addresses that the DHCP client on GigabitEthernet 1/0/1 receives from the carrier, so no DNS server address has to be hard-coded and the configuration keeps working when the carrier changes it.

    [FW] dns proxy enable
    [FW] dns resolve
    [FW] dns server unnumbered interface GigabitEthernet1/0/1
- Configure interface GigabitEthernet 1/0/1 as a DHCP client. The interface obtains its address, mask, default gateway and DNS server addresses from the carrier's DHCP server.

    [FW] interface GigabitEthernet 1/0/1
    [FW-GigabitEthernet1/0/1] ip address dhcp-alloc
    [FW-GigabitEthernet1/0/1] quit
- Configure security policies so that the internal PCs can access the Internet. Three rules are needed: policy_sec_1 (trust to untrust) carries the PCs' Internet traffic; policy_sec_2 (trust to local) lets the PCs reach the DNS proxy running on the FW itself; policy_sec_3 (local to untrust) permits traffic the FW originates, that is, the proxied DNS queries and the DHCP exchange on GigabitEthernet 1/0/1. The third rule must not be restricted to source address 10.3.0.0/24: packets the FW sends itself are sourced from the address obtained on GigabitEthernet 1/0/1, so such a restriction would never match and the proxy queries would be dropped. If the PCs need nothing from the FW but name resolution, policy_sec_2 can additionally be narrowed to the DNS service.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_1
    [FW-policy-security-rule-policy_sec_1] source-zone trust
    [FW-policy-security-rule-policy_sec_1] destination-zone untrust
    [FW-policy-security-rule-policy_sec_1] source-address 10.3.0.0 mask 255.255.255.0
    [FW-policy-security-rule-policy_sec_1] action permit
    [FW-policy-security-rule-policy_sec_1] quit
    [FW-policy-security] rule name policy_sec_2
    [FW-policy-security-rule-policy_sec_2] source-zone trust
    [FW-policy-security-rule-policy_sec_2] destination-zone local
    [FW-policy-security-rule-policy_sec_2] source-address 10.3.0.0 mask 255.255.255.0
    [FW-policy-security-rule-policy_sec_2] action permit
    [FW-policy-security-rule-policy_sec_2] quit
    [FW-policy-security] rule name policy_sec_3
    [FW-policy-security-rule-policy_sec_3] source-zone local
    [FW-policy-security-rule-policy_sec_3] destination-zone untrust
    [FW-policy-security-rule-policy_sec_3] action permit
    [FW-policy-security-rule-policy_sec_3] quit
    [FW-policy-security] quit
- Configure a NAT policy so that the private addresses of the internal PCs are translated when they access the Internet. Easy IP translates to whatever address the egress interface currently holds, which is what makes it the right choice here: the address on GigabitEthernet 1/0/1 is leased by DHCP and may change, so a fixed NAT address pool would go stale.

    [FW] nat-policy
    [FW-policy-nat] rule name policy_nat_1
    [FW-policy-nat-rule-policy_nat_1] source-zone trust
    [FW-policy-nat-rule-policy_nat_1] egress-interface GigabitEthernet 1/0/1
    [FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.0
    [FW-policy-nat-rule-policy_nat_1] action source-nat easy-ip
    [FW-policy-nat-rule-policy_nat_1] quit
    [FW-policy-nat] quit
Configuration script

    #
     dns resolve
     dns server unnumbered interface GigabitEthernet1/0/1
    #
     dns proxy enable
    #
    interface GigabitEthernet1/0/1
     undo shutdown
     ip address dhcp-alloc
    #
    interface GigabitEthernet1/0/3
     ip address 10.3.0.1 255.255.255.0
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet1/0/3
    #
    firewall zone untrust
     set priority 5
     add interface GigabitEthernet1/0/1
    #
    security-policy
     rule name policy_sec_1
      source-zone trust
      destination-zone untrust
      source-address 10.3.0.0 24
      action permit
     rule name policy_sec_2
      source-zone trust
      destination-zone local
      source-address 10.3.0.0 24
      action permit
     rule name policy_sec_3
      source-zone local
      destination-zone untrust
      action permit
    #
    nat-policy
     rule name policy_nat_1
      source-zone trust
      egress-interface GigabitEthernet1/0/1
      source-address 10.3.0.0 24
      action source-nat easy-ip
    #
    return
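The DHCP exchange that `ip address dhcp-alloc` performs on GigabitEthernet 1/0/1 is what feeds the rest of this configuration: the leased address is what Easy IP translates to, the router option becomes the default route, and the DNS server option is what `dns server unnumbered interface` hands to the DNS proxy. The following is an added example, not code from the original page or from the firewall vendor: it builds a DHCPDISCOVER the way a client would, constructs the DHCPOFFER a carrier server would answer with, and parses the offer, rejecting replies whose transaction ID does not match the outstanding request (the basic defence against stray or spoofed offers). The MAC address, transaction ID and all 203.0.113.0/24 addresses are constructed sample values; nothing is sent on the network.

```python
"""DHCPv4 DISCOVER/OFFER exchange, built and parsed offline (RFC 2131/2132 layout)."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options area
CLIENT_MAC = bytes.fromhex("001122334455")  # constructed sample client MAC
XID = 0x3903F326                            # constructed transaction id


def _bootp_header(op: int, xid: int, yiaddr: str, mac: bytes) -> bytes:
    """236-byte fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, 4 addrs, chaddr, sname, file."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # htype 1 = Ethernet, flags: broadcast
    hdr += bytes(4)                   # ciaddr: client has no address yet
    hdr += socket.inet_aton(yiaddr)   # yiaddr: address being offered (0.0.0.0 in a DISCOVER)
    hdr += bytes(8)                   # siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")     # chaddr, padded to 16 bytes
    hdr += bytes(64 + 128)            # sname, file (unused)
    return hdr


def build_discover(mac: bytes = CLIENT_MAC, xid: int = XID) -> bytes:
    """What the client (here the FW's GigabitEthernet1/0/1) broadcasts first."""
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 1])              # option 53: message type DHCPDISCOVER
    opts += bytes([55, 4, 1, 3, 6, 51])    # option 55: request mask, router, DNS, lease time
    opts += bytes([255])                   # end
    return _bootp_header(1, xid, "0.0.0.0", mac) + opts


def build_offer(xid, mac, yiaddr, mask, router, dns, server_id, lease) -> bytes:
    """A constructed DHCPOFFER as the carrier's server would send it back."""
    ip = socket.inet_aton
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 2])                              # DHCPOFFER
    opts += bytes([54, 4]) + ip(server_id)                 # option 54: server identifier
    opts += bytes([51, 4]) + struct.pack("!I", lease)      # option 51: lease time (seconds)
    opts += bytes([1, 4]) + ip(mask)                       # option 1: subnet mask
    opts += bytes([3, 4]) + ip(router)                     # option 3: default gateway
    opts += bytes([6, 4 * len(dns)]) + b"".join(ip(d) for d in dns)  # option 6: DNS servers
    opts += bytes([255])
    return _bootp_header(2, xid, yiaddr, mac) + opts


def parse_options(data: bytes) -> dict:
    """Walk the TLV option area; bounds-checked so a truncated packet raises instead of misreading."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns packet" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(pkt: bytes, expected_xid: int) -> dict:
    """Validate a reply against our outstanding request and pull out what the client will use."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    if op != 2:
        raise ValueError("not a BOOTREPLY")
    if xid != expected_xid:
        raise ValueError("xid mismatch: stray or spoofed reply")
    opts = parse_options(pkt[240:])
    if opts.get(53) != b"\x02":
        raise ValueError("not a DHCPOFFER")

    def ip_list(code):
        v = opts.get(code, b"")
        return [socket.inet_ntoa(v[k:k + 4]) for k in range(0, len(v) - len(v) % 4, 4)]

    return {
        "address": socket.inet_ntoa(pkt[16:20]),          # yiaddr: what Easy IP will translate to
        "netmask": ip_list(1)[0] if 1 in opts else None,
        "routers": ip_list(3),                            # becomes the default route
        "dns_servers": ip_list(6),                        # consumed by 'dns server unnumbered interface'
        "server_id": ip_list(54)[0] if 54 in opts else None,
        "lease_seconds": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


def offer_accepted(pkt: bytes, expected_xid: int) -> bool:
    """True if the reply passes validation, False if the client should ignore it."""
    try:
        parse_offer(pkt, expected_xid)
        return True
    except ValueError:
        return False


def example_exchange() -> dict:
    """Run the constructed DISCOVER/OFFER pair and return the parsed lease."""
    discover = build_discover()
    assert discover[236:240] == MAGIC_COOKIE and discover[0] == 1
    offer = build_offer(XID, CLIENT_MAC, "203.0.113.45", "255.255.255.0", "203.0.113.1",
                        ["203.0.113.53", "203.0.113.54"], "203.0.113.1", 86400)
    return parse_offer(offer, XID)


if __name__ == "__main__":
    print(example_exchange())
```

The parsed `dns_servers` list is the data the FW's resolver picks up from the interface, and `address` is the value the NAT rule's Easy IP action uses; when the lease is renewed with different values, both follow automatically, which is why neither is written into the configuration script above.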
Copyright notice:
Author: SE_YT
Link: https://www.cnesa.cn/2172.html
The article is copyright of the author; do not repost without permission.