1. Lab topology
2. Configure IP addresses
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 13.0.0.3 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 100.1.1.254 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip add 110.1.1.254 24
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 210.1.1.254 24
[R3-GigabitEthernet0/0/1]int g0/0/2
[R3-GigabitEthernet0/0/2]ip add 200.1.1.254 24
[FW1]int g0/0/0
[FW1-GigabitEthernet0/0/0]service-manage all permit
[FW1-GigabitEthernet0/0/0]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 13.0.0.1 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 12.0.0.1 24
3. Assign security zones
4. Configure the real DNS servers
[FW1]slb enable
[FW1]slb
[FW1-slb]group 0 dns
[FW1-slb-group-0]metric roundrobin
[FW1-slb-group-0]rserver 0 rip 100.1.1.1 port 53
[FW1-slb-group-0]rserver 1 rip 200.1.1.1 port 53
5. Create the virtual DNS server
[FW1]slb
[FW1-slb]vserver 0 dns
[FW1-slb-vserver-0]vip 10.10.10.10
[FW1-slb-vserver-0]group dns
6. Enable the DNS transparent proxy function
[FW]dns-transparent-policy
[FW-policy-dns]dns transparent-proxy enable
7. Bind the DNS server to be proxied to the corresponding firewall interface
[FW]dns-transparent-policy
[FW-policy-dns]dns server bind interface GigabitEthernet 1/0/1 preferred 100.1.1.1
[FW-policy-dns]dns server bind interface GigabitEthernet 1/0/2 preferred 200.1.1.1
8. Transparent proxy policy
[FW]dns-transparent-policy
[FW-policy-dns]rule name dns_polic
[FW-policy-dns-rule-dns_polic]source-address 192.168.1.0 24
[FW-policy-dns-rule-dns_polic]enable
[FW-policy-dns-rule-dns_polic]action tpdns
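To show what sections 4 to 8 set up, here is a small Python model of the firewall's decision for a single DNS query from the intranet. It is an added example, not the page's or Huawei's code; the rule, the interface bindings and the SLB group are taken from the CLI above, while the egress interface is assumed to be already chosen by routing and is passed in.

```python
import ipaddress

# Constructed model of the DNS transparent-proxy decision, mirroring the CLI
# on this page. Added illustration only, not Huawei's implementation.
TP_RULE = {"name": "dns_polic",
           "source": ipaddress.ip_network("192.168.1.0/24"),
           "action": "tpdns"}

# dns server bind interface ... preferred ...
PREFERRED_BY_IFACE = {
    "GigabitEthernet1/0/1": "100.1.1.1",  # ISP link towards R2 (13.0.0.0/24)
    "GigabitEthernet1/0/2": "200.1.1.1",  # ISP link towards R3 (12.0.0.0/24)
}

# slb group 0 dns, metric roundrobin; vserver 0 dns, vip 10.10.10.10
SLB_VIP = "10.10.10.10"
SLB_RSERVERS = ["100.1.1.1", "200.1.1.1"]


def slb_pick(n):
    """Round-robin choice for the n-th query sent to the virtual DNS server."""
    return SLB_RSERVERS[n % len(SLB_RSERVERS)]


def proxy_dns_query(src_ip, dst_ip, egress_iface, query_no=0):
    """Return the real DNS server the query is forwarded to.

    src_ip/dst_ip: the client's UDP/53 query as seen by the firewall.
    egress_iface: the interface the session leaves on, as decided by routing
    (assumed input here; routing itself is not modelled).
    """
    # Queries aimed at the virtual server are balanced across the SLB group.
    if dst_ip == SLB_VIP:
        return slb_pick(query_no)
    # The transparent-proxy rule only matches the intranet segment.
    if (ipaddress.ip_address(src_ip) not in TP_RULE["source"]
            or TP_RULE["action"] != "tpdns"):
        return dst_ip
    # tpdns: redirect the query to the DNS server bound to the egress ISP link,
    # so the answer comes from that ISP. Interfaces with no binding pass through.
    return PREFERRED_BY_IFACE.get(egress_iface, dst_ip)
```

Whatever resolver the client configured (203.0.113.53 below is a constructed sample), a query leaving through g1/0/1 ends up at 100.1.1.1 and one leaving through g1/0/2 at 200.1.1.1, which is the behaviour the test step at the end of the lab should confirm.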
9. Security policy
10. NAT policy
Create the address pool
Configure the NAT policy
[FW]nat-policy
[FW-policy-nat]rule name polic1
[FW-policy-nat-rule-polic1]source-zone trust
[FW-policy-nat-rule-polic1]destination-zone untrust_1
[FW-policy-nat-rule-polic1]source-address 192.168.1.0 mask 255.255.255.0
[FW-policy-nat-rule-polic1]action source-nat address-group 1
Configure the security policy
Test