1.配置基本IP地址
2.untrust区域连通性配置
[AR1-GigabitEthernet0/0/0]ip add 20.1.1.2 24
[AR1-GigabitEthernet0/0/1]ip add 20.1.2.2 24
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 20.1.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 20.1.2.0 0.0.0.255
3.LSW2的配置
(1)配置下行连接PC的接口
[LSW2]vlan batch 10 20
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 10
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 20
[LSW2]int Vlanif 10
[LSW2-Vlanif10]ip add 10.1.1.1 24
[LSW2-Vlanif10]int Vlanif 20
turned into UP state.ip add 10.1.2.1 24
(2)配置上行连接FW1的接口
[LSW2]vlan batch 12
[LSW2-GigabitEthernet0/0/3]port link-type access
[LSW2-GigabitEthernet0/0/3]port default vlan 12
[LSW2]int Vlanif 12
[LSW2-Vlanif12]ip add 10.1.12.2 24
(3)配置缺省路由
[LSW2]ip route-static 0.0.0.0 0.0.0.0 10.1.12.1
(4)配置DHCP服务器
[LSW2]interface Vlanif 10
[LSW2-Vlanif10]dhcp select interface
[LSW2-Vlanif10]dhcp server dns-list 114.114.114.114 8.8.8.8
[LSW2]int Vlanif 20
[LSW2-Vlanif20]dhcp select interface
[LSW2-Vlanif20]dhcp server dns-list 114.114.114.114 8.8.8.8
4.配置FW1
(1)配置连接交换机的接口
[FW1-GigabitEthernet1/0/1]ip add 10.1.12.1 24
(2)配置上行接口的IP地址
[FW1-GigabitEthernet1/0/2]ip add 20.1.1.1 24
(3)配置缺省路由和回程路由
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
[FW1]ip route-static 10.1.0.0 255.255.0.0 10.1.12.2
(4)配置安全区域
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/1
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/2
(5)配置安全策略,允许域间互访
[FW1]security-policy
[FW1-policy-security]rule name policy1
[FW1-policy-security-rule-policy1]source-zone trust
[FW1-policy-security-rule-policy1]destination-zone untrust
[FW1-policy-security-rule-policy1]source-address 10.1.0.0 16
[FW1-policy-security-rule-policy1]action permit
(6)配置PAT地址池,开启允许端口地址转换
[FW1]nat address-group add_group1
[FW1-address-group-add_group1]mode pat
[FW1-address-group-add_group1]route enable
[FW1-address-group-add_group1]section 0 20.1.1.1 20.1.1.1
(7)配置源PAT策略,实现私网指定网段访问公网时自动进行源地址转换
[FW1]nat-policy
[FW1-policy-nat]rule name nat_policy1
[FW1-policy-nat-rule-nat_policy1]source-zone trust
[FW1-policy-nat-rule-nat_policy1]destination-zone untrust
[FW1-policy-nat-rule-nat_policy1]source-address 10.1.0.0 16
[FW1-policy-nat-rule-nat_policy1]action source-nat address-group add_group1
5.验证