[F]security-zone name trust 进入trust组
[F-security-zone-trust]import interface GigabitEthernet 1/0/1 将接口加入trust组
[F]security-zone name untrust
[F-security-zone-untrust]import interface GigabitEthernet 1/0/2
[F]acl advanced 3000 创建匹配组的ACL
[F-acl-ipv4-adv-3000]rule permit ip
[F]zone-pair security source trust destination untrust 源组trust 到目的组untrust
[F-zone-pair-security-Management-Local]packet-filter 3000 匹配ACL3000
[F]zone-pair security source untrust destination trust 源组untrust 到目的组trust
[F-zone-pair-security-Local-Management]packet-filter 3000 匹配ACL3000
NTP配置
[F]acl basic 2000
[F-acl-ipv4-basic-2000]rule 0 permit source 192.168.2.0 0.0.0.255 定义内网匹配段
[F-acl-ipv4-basic-2000]rule 0 permit source 192.168.3.0 0.0.0.255
[F]nat address-group 10 创建NAT组
[F-address-group-10]address 192.168.1.10 192.168.1.25 外网分配IP地址池源10到25
关联
[F]int g1/0/3 进入连接外部网络的接口
[F-GigabitEthernet1/0/3]nat outbound 2000 address-group 10 no-pat 抓取ACL2000内匹配的流量通过ANT,地址池为10
[F]ip route-table 192.168.2.0 255.255.255.0 192.168.1.1
[F]ip route-table 192.168.3.0 255.255.255.0 192.168.1.1
[M1]ip route-table 0.0.0.0 0.0.0.0 192.168.1.2
如果想要防火墙的接口能被ping通(连通就可以配置路由协议与其他设备互动了)
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/1
#
acl advanced 3000
rule 0 permit ip
#
zone-pair security source Local destination Trust
packet-filter 3000
zone-pair security source Trust destination Local
packet-filter 3000
#
