如圖1所示，某企業(yè)在網(wǎng)絡(luò)邊界處部署了FW作為安全網(wǎng)關(guān)，并分別從運(yùn)營(yíng)商ISP1和ISP2處購買了寬帶上網(wǎng)服務(wù)，實(shí)現(xiàn)內(nèi)部網(wǎng)絡(luò)接入Internet的需求。

具體需求如下：

• 研發(fā)部門和市場(chǎng)部門中的PC可以通過運(yùn)營(yíng)商ISP1和ISP2訪問Internet，要求去往特定目的地址的流量必須經(jīng)由相應(yīng)的運(yùn)營(yíng)商來轉(zhuǎn)發(fā)。

• 當(dāng)一條鏈路出現(xiàn)故障時(shí)，流量可以被及時(shí)切換到另一條鏈路上，避免業(yè)務(wù)中斷。

本舉例中假設(shè)某企業(yè)從運(yùn)營(yíng)商ISP1和ISP2獲取了如下信息，這些信息僅供舉例使用，實(shí)際配置時(shí)請(qǐng)從當(dāng)?shù)剡\(yùn)營(yíng)商獲取。

操作步驟

1. 配置接口IP地址和安全區(qū)域，完成網(wǎng)絡(luò)基本參數(shù)配置。
   

   #?配置接口GigabitEthernet 0/0/1的IP地址。
<FW>?system-view
[FW]?interface?GigabitEthernet?0/0/1
[FW-GigabitEthernet?0/0/1]?ip?address?1.1.1.1?24
[FW-GigabitEthernet?0/0/1]?quit

#?配置接口GigabitEthernet 0/0/3的IP地址。
[FW]?interface?GigabitEthernet?0/0/3
[FW-GigabitEthernet?0/0/3]?ip?address?10.3.0.1?24
[FW-GigabitEthernet?0/0/3]?quit

#?配置接口GigabitEthernet 0/0/7的IP地址。
[FW]?interface?GigabitEthernet?0/0/7
[FW-GigabitEthernet?0/0/7]?ip?address?2.2.2.2?24
[FW-GigabitEthernet?0/0/7]?quit

#?將接口GigabitEthernet 0/0/3加入Trust區(qū)域。
[FW]?firewall?zone?trust
[FW-zone-trust]?add?interface?GigabitEthernet?0/0/3
[FW-zone-trust]?quit

#?將接口GigabitEthernet 0/0/1加入isp1區(qū)域。
[FW]?firewall?zone?name?isp1
[FW-zone-isp1]?set?priority?10
[FW-zone-isp1]?add?interface?GigabitEthernet?0/0/1
[FW-zone-isp1]?quit

#?將接口GigabitEthernet 0/0/7加入isp2區(qū)域。
[FW]?firewall?zone?name?isp2
[FW-zone-isp2]?set?priority?20
[FW-zone-isp2]?add?interface?GigabitEthernet?0/0/7
[FW-zone-isp2]?quit


2. 配置安全策略，允許私網(wǎng)指定網(wǎng)段與Internet進(jìn)行報(bào)文交互。
   

   [FW]?security-policy
[FW-policy-security]?rule?name?policy1
[FW-policy-security-rule-policy1]?source-zone?trust
[FW-policy-security-rule-policy1]?destination-zone?isp1
[FW-policy-security-rule-policy1]?source-address?10.3.0.0?24
[FW-policy-security-rule-policy1]?action?permit
[FW-policy-security-rule-policy1]?quit
[FW-policy-security]?rule?name?policy2
[FW-policy-security-rule-policy2]?source-zone?trust
[FW-policy-security-rule-policy2]?destination-zone?isp2
[FW-policy-security-rule-policy2]?source-address?10.3.0.0?24
[FW-policy-security-rule-policy2]?action?permit
[FW-policy-security-rule-policy2]?quit
[FW-policy-security]?quit


3. 配置NAT地址池。
   

   [FW]?nat?address-group?addressgroup1
[FW-address-group-addressgroup1]?mode?pat
[FW-address-group-addressgroup1]?section?0?1.1.1.10?1.1.1.12
[FW-address-group-addressgroup1]?route?enable
[FW-address-group-addressgroup1]?quit
[FW]?nat?address-group?addressgroup2
[FW-address-group-addressgroup2]?mode?pat
[FW-address-group-addressgroup2]?section?0?2.2.2.10?2.2.2.12
[FW-address-group-addressgroup2]?route?enable
[FW-address-group-addressgroup2]?quit


4. 配置源NAT策略，實(shí)現(xiàn)私網(wǎng)指定網(wǎng)段訪問Internet時(shí)自動(dòng)進(jìn)行源地址轉(zhuǎn)換。
   

   [FW]?nat-policy
[FW-policy-nat]?rule?name?policy_nat1
[FW-policy-nat-rule-policy_nat1]?source-zone?trust
[FW-policy-nat-rule-policy_nat1]?destination-zone?isp1
[FW-policy-nat-rule-policy_nat1]?source-address?10.3.0.0?24
[FW-policy-nat-rule-policy_nat1]?action?source-nat?address-group?addressgroup1
[FW-policy-nat-rule-policy_nat1]?quit
[FW-policy-nat]?rule?name?policy_nat2
[FW-policy-nat-rule-policy_nat2]?source-zone?trust
[FW-policy-nat-rule-policy_nat2]?destination-zone?isp2
[FW-policy-nat-rule-policy_nat2]?source-address?10.3.0.0?24
[FW-policy-nat-rule-policy_nat2]?action?source-nat?address-group?addressgroup2
[FW-policy-nat-rule-policy_nat2]?quit
[FW-policy-nat]?quit


5. 配置靜態(tài)路由。
   

   [FW]?ip?route-static?1.1.2.0?24?1.1.1.254
[FW]?ip?route-static?1.1.3.0?24?1.1.1.254
[FW]?ip?route-static?2.2.3.0?24?2.2.2.254
[FW]?ip?route-static?2.2.4.0?24?2.2.2.254