USG防火(huǒ)牆V3平台與V5平台配置命令比較

故障描述

　　無

故障分(fēn)析

　　無

處理(lǐ)過程

一(yī)、包過濾方面
1、允許192.168.0.2訪問(wèn)222.100.1.1。
V3平台配置命令，基于1條ACL規則：
[USG]acl 3001
[USG-acl-adv-3001]rule permit ip s₽π ₽ource 192.168.0.2 0 destination 222.©§✘¥100.1.1 0
[USG]firewall interzo₽£ne trust untrust
[USG-interzone-trust-untrus<♦§t]packet-filter 3001 λ∏outbound

V5平台配置命令，基于1條策略：
[USG]policy interzone trus‌↔t untrust outbound
[USG-policy-interzone←λ-trust-untrust-outbou™♣nd]policy 10
[USG-policy-interzone-trust-untrust- ©Ω‌outbound-10]policy source 1ε≤εΩ92.168.0.2 0
[USG-policy-interzone-trust-untrus↔÷φt-outbound-10]action permiλ☆t
[USG-policy-interzone-trust-untru♦εst-outbound-10]policy destination 22♣ ≠2.100.1.1 0
[USG-policy-interzone-trust-untru ★↕st-outbound-10]quit
[USG-policy-interzone-t→×rust-untrust-outbound]policy 10 ena♠¥∑ ble #可(kě)選，默認啓用(y‌παòng)

2、允許內(nèi)網訪問(wèn)互聯網的(de)www服務、ftp服務∑♥、udp 7000端口,其餘全部禁止。
V3平台配置命令，基于4條ACL規則：
[USG]acl 3002
[USG-acl-adv-3002]rule‍‌π< permit tcp source 192.168.δε0.0 0.0.0.255 destina©¶tion-port eq www
[USG-acl-adv-3002]rule permit tcp so ↓ ∏urce 192.168.0.0 0.0.0.255 d♠↔estination-port eq 21
[USG-acl-adv-3002]rule ♥¥αpermit udp source 192.168.0.0 0.0.0.2→≤↑≤55 destination-port eq 7000
[USG-acl-adv-3002]rule ® deny ip
[USG]firewall interzone trust untrust↕→
[USG-interzone-trust-untrus±πλt]packet-filter 3002 out♥↑bound

V5平台配置命令，基于服務集和(hé)2條策略：
[USG]ip service-set test1 type oφ★§bject #預定義的(de)服務中不(bù)包含U ±DP7000服務，在此創建一(yī)個(gè)服務。
[USG-object-service-set-test1]se‌§"€rvice protocol udp d©÷εestination-port 7000
[USG]policy interzone trust untrus"∞∞☆t outbound
[USG-policy-interzone-trust✘§•-untrust-outbound]policy 11
[USG-policy-interzone-trust-untru‍♣♣st-outbound-11]policy service servi§β∑ce-set http ftp test1
[USG-policy-interzone-trust-untru✔‍≈≥st-outbound-11]polic↑α&y source 192.168.0.0 0.0.0.255
[USG-policy-interzone-trust-untr§←"φust-outbound-11]policy destination ®¶£Ωany
[USG-policy-interzone-trust-un↕φtrust-outbound-11]action permit
[USG-policy-interzone-trust-unt≠₩rust-outbound-11]quit
[USG-policy-interzone-tr©™¥™ust-untrust-outbound]policy 12
[USG-policy-interzone-trust≠₽¥®-untrust-outbound]action deny

二、網絡地(dì)址轉換（NAT）方面
1、域間(jiān)NAT
要(yào)求對(duì)192.168.0.2不(Ω>≈£bù)做(zuò)NAT，對(duì)其♦₩€餘主機(jī)均做(zuò)NAT。
V3平台配置命令，基于2條ACL規則、地(dì)址組（接口）:
[USG]ACL 2020
[USG-acl-basic-2020]rule deny source 1 ♥♠92.168.0.2 0
[USG-acl-basic-2020]rule permit source ₽∏≠π192.168.0.0 0.0.0.255
[USG]nat address-group 10 2¶>22.100.1.2 222.100.1≥‌™.2
[USG]firewall interzone truφε∑st untrust
[USG-interzone-trust-untrust]nat outbo✘±✔∑und 2020 address-gro§βup 10
或
[USG-interzone-trust-untrust]na‍∞αt outbound 2020 interface GigabitEthern φ£et0/0/0

V5平台配置命令，基于2條策略：
[USG]nat address-group 10 2εγΩ∏22.100.1.2 222.100.1.₩∑2
[USG]nat-policy interzone trust unt£≤πrust outbound
[USG-nat-policy-inte$♣‍αrzone-trust-untrust-outbound]poπ↕Ωlicy 1
[USG-nat-policy-interzone-t∑≠rust-untrust-outbound-1]policy s>λource 192.168.0.2 0
[USG-nat-policy-interzone→≈Ω-trust-untrust-outbo≠♠und-1]action no-nat
[USG-nat-policy-interzone-tru♠π÷♥st-untrust-outbound]polic® y 3
[USG-nat-policy-inter ☆>zone-trust-untrust-outbound-3]policy s♣$ource 192.168.0.0 0.0.0.255
[USG-nat-policy-inteγ¥α÷rzone-trust-untrust-outbound≈✘Ω£-3]address-group 10

2、基于目的(de)NAT，僅對(duì)到(dà≈©≈o)100.0.0.0 /24的(de)情況做(zuò♠←☆ )地(dì)址轉換
[USG]ACL 3020
[USG-acl-basic-3020]rule permitδ•¶♦ ip source 192.168σ♣"™.0.0 0.0.0.255 destinatio↔±↕≈n 100.0.0.0 0.255.255.2σ↑→55
[USG]nat address-group 10 222.100.1.∏¥≥₽2 222.100.1.2
[USG]firewall interzone trust €✘→☆untrust
[USG-interzone-trust-untrust]nat o€±÷÷utbound 3020 address-group 1 ∑‌≈0
或[USG-interzone-trust-untrus§∞t]nat outbound 3020 interface GigabitE♦₹thernet0/0/0

V5平台配置命令，基于1條策略：
[USG]nat address-group 1 9.9.9.9 ₩☆∞9.9.9.9
[USG]nat-policy zone trust
[USG-nat-policy-zone-trust-1]policy so≤£urce 192.168.0.0 0.0.0.255
[USG-nat-policy-zone-trust₩¶-1]policy destination 1σ∏&00.0.0.0 0.255.255.25≤→5
[USG-nat-policy-zone-trust-1]a♣₽♠♠ddress-group 1
[USG-nat-policy-zone-trust-1]♦"≥✘action source-nat

3、域內(nèi)NAT
V3平台配置命令，基于含1條規則ACL、地(dì)址組:
[USG]nat address-group 1 ≥↓α♣9.9.9.9 9.9.9.9
[USG]ACL 2020
[USG-acl-basic-2020]∞δ₹rule permit source 192.168.0.0 0✘‌>.0.0.255
[USG]firewall zone trus→∏±₹t
[USG-zone-trust]nat 2020 addre®→×ss-group 1

V5平台配置命令，基于1條策略：
[USG]nat address-group 1 9."♥♣π9.9.9 9.9.9.9
[USG]nat-policy zone trust
[USG-nat-policy-zone-tr‍₩↑ust-1]policy source 1∏•92.168.0.0 0.0.0.255
[USG-nat-policy-zone-trust-1]address©α↑-group 1
[USG-nat-policy-zone-tΩ±rust-1]action source-nat

建議(yì)/總結

　　USG2000/5100系列V100R003為(wè ×i)V3平台。V100R005為(wèi¥★¥ )V5平台，USG5300 V100R002為(wèiλ ‌)V3平台，V100R003為(wèi)δ×π☆V5平台