1. Experimental topology
2. Experimental steps
Step 1 Complete the configuration of the uplink and downlink service interfaces of USG6330-1. Configure the IP address of each interface and add it to the corresponding security zone.
<USG> system-view
[USG6000V1]sysname USG6330-1
[USG6330-1] interface GigabitEthernet 1/0/1
[USG6330-1-GigabitEthernet1/0/1] ip address 10.1.2.1 255.255.255.0
[USG6330-1-GigabitEthernet1/0/1] quit
[USG6330-1] interface GigabitEthernet 1/0/4
[USG6330-1-GigabitEthernet1/0/4] ip address 40.1.1.1 255.255.255.0
[USG6330-1-GigabitEthernet1/0/4] quit
[USG6330-1] firewall zone trust
[USG6330-1-zone-trust] add interface GigabitEthernet 1/0/1
[USG6330-1-zone-trust] quit
[USG6330-1] firewall zone untrust
[USG6330-1-zone-untrust] add interface GigabitEthernet 1/0/4
[USG6330-1-zone-untrust] quit
Step 2 Configure the interzone forwarding policy that permits traffic from the Trust zone to the Untrust zone.
[USG6330-1]security-policy
[USG6330-1-policy-security] rule name policy_sec
[USG6330-1-policy-security-rule-policy_sec] source-zone trust
[USG6330-1-policy-security-rule-policy_sec] destination-zone untrust
[USG6330-1-policy-security-rule-policy_sec] action permit
[USG6330-1-policy-security-rule-policy_sec] quit
[USG6330-1-policy-security] quit
Step 3 Configure the NAT address pool. The public network address range is 2.2.2.2-2.2.2.5.
[USG6330-1]nat address-group natpool
[USG6330-1-address-group-natpool]section 2.2.2.2 2.2.2.5
[USG6330-1-address-group-natpool]quit
Step 4 Configure the NAT policy.
[USG6330-1]nat-policy
[USG6330-1-policy-nat]rule name source_nat
[USG6330-1-policy-nat-rule-source_nat]destination-zone untrust
[USG6330-1-policy-nat-rule-source_nat]source-zone trust
[USG6330-1-policy-nat-rule-source_nat]action nat address-group natpool
Step 5 Configure the Switch.
Add the three interfaces of the two switches to the same VLAN. The default configuration already meets this requirement, so no change is needed.
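
The following Python model is an added illustration, not part of the original lab and not Huawei code. It shows what Steps 2 to 4 produce together: trust-to-untrust flows leave with a pool address, replies are translated back only when they match a session, and new inbound flows are dropped. Assumptions: port translation starting at port 2048, pool address chosen by source IP modulo pool size, the factory default deny for unmatched traffic, and constructed sample hosts 10.1.2.10, 40.1.1.2 and 40.1.1.9.

```python
import ipaddress

# Pool from Step 3: section 2.2.2.2 2.2.2.5
POOL = [str(ipaddress.ip_address("2.2.2.2") + i) for i in range(4)]


class SourceNatFirewall:
    """Toy model of policy_sec + source_nat; not Huawei code."""

    def __init__(self):
        self.next_port = 2048   # assumption: first translated source port
        self.sessions = {}      # (pub_ip, pub_port, peer_ip, peer_port) -> (priv_ip, priv_port)

    def outbound(self, src_zone, dst_zone, src_ip, src_port, dst_ip, dst_port):
        """Forward a new flow. Returns the translated (ip, port) or None if denied."""
        # Step 2: the only rule permits trust -> untrust; anything else hits
        # the default deny.
        if (src_zone, dst_zone) != ("trust", "untrust"):
            return None
        # Step 4: assumption - pool address picked by source IP modulo pool size;
        # the real device's selection is not modelled.
        pub_ip = POOL[int(ipaddress.ip_address(src_ip)) % len(POOL)]
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(pub_ip, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return pub_ip, pub_port

    def inbound_reply(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from untrust: translated back only if it matches a session."""
        return self.sessions.get((dst_ip, dst_port, src_ip, src_port))


if __name__ == "__main__":
    fw = SourceNatFirewall()
    # Constructed sample flow: 10.1.2.10 (trust) to 40.1.1.2 (untrust), TCP 80.
    print(fw.outbound("trust", "untrust", "10.1.2.10", 40000, "40.1.1.2", 80))
    print(fw.inbound_reply("40.1.1.2", 80, "2.2.2.4", 2048))   # matching reply
    print(fw.inbound_reply("40.1.1.9", 80, "2.2.2.4", 2048))   # different peer
    print(fw.outbound("untrust", "trust", "40.1.1.2", 1234, "10.1.2.10", 22))
```

The last two calls return None: a pool address is reachable from the Untrust zone only through a session that an inside host opened, because no untrust-to-trust rule exists in this configuration.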