Fault description
None
Fault analysis
None
Procedure
I. Packet filtering
1. Permit 192.168.0.2 to access 222.100.1.1.
V3 platform configuration, using one ACL rule:
[USG]acl 3001
[USG-acl-adv-3001]rule permit ip source 192.168.0.2 0 destination 222.100.1.1 0
[USG]firewall interzone trust untrust
[USG-interzone-trust-untrust]packet-filter 3001 outbound
V5 platform configuration, using one policy:
[USG]policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound]policy 10
[USG-policy-interzone-trust-untrust-outbound-10]policy source 192.168.0.2 0
[USG-policy-interzone-trust-untrust-outbound-10]action permit
[USG-policy-interzone-trust-untrust-outbound-10]policy destination 222.100.1.1 0
[USG-policy-interzone-trust-untrust-outbound-10]quit
[USG-policy-interzone-trust-untrust-outbound]policy 10 enable #optional; a policy is enabled by default
2. Permit intranet hosts (192.168.0.0/24) to access Internet www (TCP 80), ftp (TCP 21) and UDP port 7000 services; deny everything else.
V3 platform configuration, using four ACL rules (the explicit deny is entered last so that the three permits are matched first):
[USG]acl 3002
[USG-acl-adv-3002]rule permit tcp source 192.168.0.0 0.0.0.255 destination-port eq www
[USG-acl-adv-3002]rule permit tcp source 192.168.0.0 0.0.0.255 destination-port eq 21
[USG-acl-adv-3002]rule permit udp source 192.168.0.0 0.0.0.255 destination-port eq 7000
[USG-acl-adv-3002]rule deny ip
[USG]firewall interzone trust untrust
[USG-interzone-trust-untrust]packet-filter 3002 outbound
V5 platform configuration, using a service set and two policies:
[USG]ip service-set test1 type object #the predefined services do not include UDP 7000, so define it here
[USG-object-service-set-test1]service protocol udp destination-port 7000
[USG]policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound]policy 11
[USG-policy-interzone-trust-untrust-outbound-11]policy service service-set http ftp test1
[USG-policy-interzone-trust-untrust-outbound-11]policy source 192.168.0.0 0.0.0.255
[USG-policy-interzone-trust-untrust-outbound-11]policy destination any
[USG-policy-interzone-trust-untrust-outbound-11]action permit
[USG-policy-interzone-trust-untrust-outbound-11]quit
[USG-policy-interzone-trust-untrust-outbound]policy 12
[USG-policy-interzone-trust-untrust-outbound-12]action deny
Note: in both versions only the FTP control channel (TCP 21) is opened. FTP data connections use dynamically negotiated ports and are only admitted if ASPF is enabled for FTP (detect ftp in the trust-untrust interzone view); without it the login succeeds but directory listings and transfers fail.
II. Network Address Translation (NAT)
1. Interzone NAT
Requirement: do not NAT 192.168.0.2; NAT all other hosts in 192.168.0.0/24.
V3 platform configuration, using two ACL rules and an address group (or the address of the outbound interface):
[USG]acl 2020
[USG-acl-basic-2020]rule deny source 192.168.0.2 0
[USG-acl-basic-2020]rule permit source 192.168.0.0 0.0.0.255
[USG]nat address-group 10 222.100.1.2 222.100.1.2
[USG]firewall interzone trust untrust
[USG-interzone-trust-untrust]nat outbound 2020 address-group 10
or
[USG-interzone-trust-untrust]nat outbound 2020 interface GigabitEthernet0/0/0
V5 platform configuration, using two policies (the specific no-nat policy for 192.168.0.2 must precede the general source-nat policy, because the first matching policy wins):
[USG]nat address-group 10 222.100.1.2 222.100.1.2
[USG]nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound]policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.2 0
[USG-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[USG-nat-policy-interzone-trust-untrust-outbound]policy 3
[USG-nat-policy-interzone-trust-untrust-outbound-3]policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-3]address-group 10
[USG-nat-policy-interzone-trust-untrust-outbound-3]action source-nat
2. Source NAT conditioned on destination: translate only traffic destined to 100.0.0.0/24 (the wildcard for a /24 is 0.0.0.255; 0.255.255.255 would match the whole of 100.0.0.0/8)
V3 platform configuration, using one ACL rule and an address group:
[USG]acl 3020
[USG-acl-adv-3020]rule permit ip source 192.168.0.0 0.0.0.255 destination 100.0.0.0 0.0.0.255
[USG]nat address-group 10 222.100.1.2 222.100.1.2
[USG]firewall interzone trust untrust
[USG-interzone-trust-untrust]nat outbound 3020 address-group 10
or
[USG-interzone-trust-untrust]nat outbound 3020 interface GigabitEthernet0/0/0
V5 platform configuration, using one policy (interzone trust-untrust, matching the V3 configuration above):
[USG]nat address-group 10 222.100.1.2 222.100.1.2
[USG]nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound]policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-1]policy destination 100.0.0.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-1]address-group 10
[USG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
3. Intrazone NAT
V3 platform configuration, using a one-rule ACL and an address group (the examples in this document are independent of each other; the ACL 2020 here is not the one defined under II.1):
[USG]nat address-group 1 9.9.9.9 9.9.9.9
[USG]acl 2020
[USG-acl-basic-2020]rule permit source 192.168.0.0 0.0.0.255
[USG]firewall zone trust
[USG-zone-trust]nat 2020 address-group 1
V5平臺配置命令,基于1條策略:
[USG]nat address-group 1 9.9.9.9 9.9.9.9
[USG]nat-policy zone trust
[USG-nat-policy-zone-trust]policy 1
[USG-nat-policy-zone-trust-1]policy source 192.168.0.0 0.0.0.255
[USG-nat-policy-zone-trust-1]address-group 1
[USG-nat-policy-zone-trust-1]action source-nat
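The packet-filter and NAT examples above both depend on two things the command lines do not make visible: rules are matched top-down and the first hit decides, and a wildcard mask selects far more or far less than intended if a bit is wrong. The following Python model is an added example written for this page, not Huawei code and not part of the original article. It assumes ACL rules are evaluated in the order they are entered and that unmatched interzone traffic is denied; the Rule and Flow types and all sample flows are constructed for illustration. It replays ACL 3002 from section I.2 and compares the 0.0.0.255 and 0.255.255.255 wildcards on ACL 3020 from section II.2.

```python
"""Simplified model of VRP-style ACL matching: wildcard masks plus
first-match rule evaluation. Illustrative only; it does not model ASPF,
session state or zone defaults of a real USG."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard semantics: a 0 bit must match, a 1 bit is don't-care.
    Accepts the bare '0' shorthand the page uses for a single host."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def cidr_to_wildcard(prefix_len: int) -> str:
    """Prefix length -> wildcard mask as VRP ACLs expect it (/24 -> 0.0.0.255)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(IPv4Address((1 << (32 - prefix_len)) - 1))


@dataclass(frozen=True)
class Rule:                           # invented type for this example
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches any protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # any, unless narrowed
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # destination-port eq <n>; None = any


@dataclass(frozen=True)
class Flow:                           # invented type for this example
    proto: str
    src: str
    dst: str
    dport: int = 0


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return (wildcard_match(flow.src, rule.src, rule.src_wc)
            and wildcard_match(flow.dst, rule.dst, rule.dst_wc))


def first_match(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """Top-down evaluation; the first hit decides. `default` stands in for the
    interzone default action (assumed deny) when no rule matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default


# ACL 3002 (section I.2), rules in the order the page enters them.
ACL_3002 = [
    Rule("permit", "tcp", "192.168.0.0", "0.0.0.255", dport=80),
    Rule("permit", "tcp", "192.168.0.0", "0.0.0.255", dport=21),
    Rule("permit", "udp", "192.168.0.0", "0.0.0.255", dport=7000),
    Rule("deny"),
]
# ACL 3020 (section II.2) with the /24 wildcard the requirement asks for,
# and with the /8 wildcard, to show how far each one reaches. In a NAT ACL
# "permit" means "translate".
ACL_3020_SLASH24 = [Rule("permit", "ip", "192.168.0.0", "0.0.0.255", "100.0.0.0", "0.0.0.255")]
ACL_3020_SLASH8 = [Rule("permit", "ip", "192.168.0.0", "0.0.0.255", "100.0.0.0", "0.255.255.255")]


def packet_filter_results() -> Dict[str, str]:
    """Constructed sample flows (not captured traffic) against ACL 3002."""
    flows = {
        "web from intranet": Flow("tcp", "192.168.0.5", "222.100.1.1", 80),
        "https from intranet": Flow("tcp", "192.168.0.5", "222.100.1.1", 443),
        "ftp control": Flow("tcp", "192.168.0.5", "222.100.1.1", 21),
        "udp 7000": Flow("udp", "192.168.0.5", "222.100.1.1", 7000),
        "dns": Flow("udp", "192.168.0.5", "8.8.8.8", 53),
        "web from other subnet": Flow("tcp", "10.0.0.5", "222.100.1.1", 80),
    }
    return {name: first_match(ACL_3002, f) for name, f in flows.items()}


def nat_scope_results() -> Dict[str, Tuple[str, str]]:
    """(/24 wildcard result, /8 wildcard result) for three destinations."""
    hosts = {"in /24": "100.0.0.7", "in /8 only": "100.5.6.7", "outside": "101.0.0.7"}
    out = {}
    for name, dst in hosts.items():
        flow = Flow("tcp", "192.168.0.5", dst, 80)
        out[name] = (first_match(ACL_3020_SLASH24, flow, "no-nat"),
                     first_match(ACL_3020_SLASH8, flow, "no-nat"))
    return out


if __name__ == "__main__":
    for name, verdict in packet_filter_results().items():
        print(f"{name:24s} -> {verdict}")
    for name, (v24, v8) in nat_scope_results().items():
        print(f"dst {name:12s} /24 wildcard: {v24:6s} /8 wildcard: {v8}")
    print("wildcard for /24:", cidr_to_wildcard(24))
```

Moving `Rule("deny")` to the top of ACL_3002 makes every flow deny, which is exactly what happens on the firewall if the deny rule is entered before the permits; and the "in /8 only" row shows that 0.255.255.255 would translate traffic to 100.5.6.7 even though the requirement names only 100.0.0.0/24.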
Recommendations / Summary
On the USG2000/5100 series, V100R003 is the V3 platform and V100R005 is the V5 platform; on the USG5300, V100R002 is the V3 platform and V100R003 is the V5 platform. Check the running software version with display version before deciding which command set applies.