1. Basic topology

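2. DHCP configuration
- Configure the IP address on the F1090 firewall interface as follows; the other interfaces are configured similarly and are omitted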
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 192.168.10.254 255.255.255.0
 dhcp server apply ip-pool dhcp
#
- Configure the DHCP service
- Enable the DHCP service
#
dhcp enable
#
- Configure the DHCP address pool
#
dhcp server ip-pool dhcp
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 address range 192.168.10.100 192.168.10.200
 dns-list 192.168.10.254
 forbidden-ip 192.168.10.1
#
- Apply the DHCP address pool on the interface
#
interface GigabitEthernet1/0/1
 port link-mode route
 combo enable copper
 ip address 192.168.10.254 255.255.255.0
 dhcp server apply ip-pool dhcp
#
3. Firewall security zone configuration
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/1
 import interface GigabitEthernet1/0/2
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/0
#
security-zone name Management
#
scheduler logfile size 16
#
4. Security policy configuration
#
security-policy ip
 rule 0 name L-T
  action pass
  source-zone local
  destination-zone trust
 rule 1 name T-L
  action pass
  source-zone trust
  destination-zone local
 rule 2 name T_to_Unt
  action pass
  source-zone trust
  destination-zone untrust
#
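The three rules above match on zones only, so each one passes any address and any service between its zone pair. The following is an added example, not part of the original page, that parses the policy text as shown and lists such rules; the keyword prefixes it treats as narrowing criteria are an assumption about Comware rule syntax.

```python
# Added example (not from the original page): flag zone-to-zone "pass"
# rules in the section 4 policy that carry no address or service match.
PAGE_POLICY = """\
security-policy ip
rule 0 name L-T
action pass
source-zone local
destination-zone trust
rule 1 name T-L
action pass
source-zone trust
destination-zone local
rule 2 name T_to_Unt
action pass
source-zone trust
destination-zone untrust
"""
# Assumption: lines starting with these keywords narrow what a rule matches.
NARROWING = ("source-ip", "destination-ip", "service")

def parse_rules(text):
    """Group the flattened policy lines into one dict per rule."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        parts = line.split()
        if not parts or line == "#":
            continue
        if parts[0] == "rule" and len(parts) > 1 and parts[1].isdigit():
            name = parts[3] if parts[2:3] == ["name"] and len(parts) > 3 else ""
            rules.append({"id": int(parts[1]), "name": name, "action": None,
                          "source-zone": [], "destination-zone": [], "filters": []})
        elif not rules:
            continue  # header line such as "security-policy ip"
        elif parts[0] == "action" and len(parts) > 1:
            rules[-1]["action"] = parts[1]
        elif parts[0] in ("source-zone", "destination-zone") and len(parts) > 1:
            rules[-1][parts[0]].append(parts[1].lower())
        elif line.startswith(NARROWING):
            rules[-1]["filters"].append(line)
    return rules

def unrestricted_pass_rules(rules):
    """Pass rules that match on zones alone: any address, any service."""
    return [r for r in rules if r["action"] == "pass" and not r["filters"]]

if __name__ == "__main__":
    for r in unrestricted_pass_rules(parse_rules(PAGE_POLICY)):
        print(r["id"], r["name"], r["source-zone"], "->", r["destination-zone"])
```

Run against the page's policy, all three rules are reported; a rule that also carries an address or service line would not be.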
5. NAT policy configuration
#
nat policy
 rule name Nat
#
nat global-policy
 rule name Nat
  source-zone trust
  destination-zone untrust
  source-ip subnet 192.168.10.0 24
  action snat easy-ip
#
6. Verification
- DHCP address assignment works normally; the DHCP exchange packets captured with Wireshark are as follows

- The client successfully obtained the DHCP address 192.168.10.100

- NAT verification test
- PC_2 pings 8.8.8.8 and communication is normal

- View the NAT mapping table as follows:
- display nat session brief
