1 Configuration

2 Ordinary Layer 2 switch

enable
conf t 
no spanning-tree vlan 1 
int range e0/0 - 3
no shutdown
switchport mode access
switchport access vlan 1 

2.1 R3

enable
conf t 
int e0/1
ip address 111.14.46.65 255.255.255.0
no shutdown

2.2 usg1

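# Basic configuration
system-view
icmp ttl-exceeded send

# Virtual router (vsys) configuration
vsys enable
# create virtual system vsysa and assign its inside interface to it
vsys name vsysa
assign interface giga1/0/0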

## for public (root firewall)
### Interfaces
int g1/0/2
ip address 111.14.46.80 24
undo shutdown
service-manager all permit
int virtual-if 0
ip address 10.0.0.1 24

### Security zones
firewall zone untrust
add interface giga1/0/2
firewall zone dmz
add int virtual-if 0

### Routes; this is the key part
ip route-static 10.2.11.0 24 vpn-instance vsysa

## Security policy; for a simple test, permitting everything is fine
security-policy 
rule name anypermit
action permit


## for vsysa
# run the following inside vsysa (switch vsys vsysa from the user view, then system-view)
### Interfaces
interface giga1/0/0
ip address 10.2.11.254 24
interface virtual-if 1
ip address 10.0.0.2 24

### Security zones
firewall zone trust
add interface giga1/0/0
firewall zone dmz
add interface virtual-if 1

### Routes
ip route-static 0.0.0.0 0 public

### Security policy
security-policy 
rule name anypermit
action permit
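
A scoped variant of the two permit-all policies and the service-manager setting above, for use once the test passes. This is an added example, not part of the original post; the rule names trust_to_dmz and dmz_to_untrust are made up here, while the zones, interfaces and the 10.2.11.0/24 subnet are the ones configured above.

```text
# Added example. Rule names are hypothetical; zones and addresses come from the config above.

# In vsysa: takes the place of rule anypermit.
# Inside hosts enter on giga1/0/0 (trust) and leave through virtual-if 1 (dmz).
security-policy
 rule name trust_to_dmz
  source-zone trust
  destination-zone dmz
  source-address 10.2.11.0 24
  action permit

# In public (root firewall): takes the place of rule anypermit.
# The same flows arrive on virtual-if 0 (dmz) and leave through giga1/0/2 (untrust).
security-policy
 rule name dmz_to_untrust
  source-zone dmz
  destination-zone untrust
  source-address 10.2.11.0 24
  action permit

# In public, on the untrust-facing interface: takes the place of service-manager all permit.
# Only ping to the interface address is answered; management services stay closed.
int g1/0/2
 service-manager ping permit
```

Traffic that matches neither rule falls through to the default action, which is deny unless it was changed.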


Last modified: November 2, 2023