Transparent DNS policy
Lab topology
Lab requirements:
1. On the enterprise egress firewall, set up a "virtual DNS server" and point the internal users' DNS setting at the address of this virtual DNS server
2. Internal users reach destinations through different resolved IP addresses, so that outbound traffic is shared across the two uplinks
3. trust to untrust is the internal-to-external direction
Note: the configuration below covers interfaces, security zones, security policy, source NAT and management login only; the dns-transparent-policy that actually provides the virtual DNS server is not included in this note.
Lab content:
Firewall:
interface GigabitEthernet 1/0/0
 ip address 192.168.1.254 24
interface GigabitEthernet 1/0/1
 ip address 13.0.0.1 24
interface GigabitEthernet 1/0/2
 ip address 12.0.0.1 24
Security zone assignment (one untrust zone per ISP uplink, so policy and NAT can be selected per egress):
firewall zone trust
 add interface GigabitEthernet 1/0/0
firewall zone untrust-1
 add interface GigabitEthernet 1/0/1
firewall zone untrust-2
 add interface GigabitEthernet 1/0/2
Security policy (the command names are hyphenated: security-policy, source-zone, destination-zone, source-address, destination-address; the extraction had split them). Both rules permit any service to any destination from 192.168.1.0/24, which is acceptable for this lab but should be narrowed in production:
security-policy
 rule name trust_to_untrust-1
  source-zone trust
  destination-zone untrust-1
  source-address 192.168.1.0 24
  destination-address any
  service any
  action permit
 rule name trust_to_untrust-2
  source-zone trust
  destination-zone untrust-2
  source-address 192.168.1.0 24
  destination-address any
  service any
  action permit
Source NAT (one address pool per uplink, drawn from that uplink's subnet and excluding the interface's own address). The original note gave both nat-policy rules the same name trust_to_untrust_nat, which would make the second block edit the first rule instead of creating a second one; the rules are renamed here so each egress zone has its own rule:
nat address-group 1 13.0.0.2 13.0.0.10
nat address-group 2 12.0.0.2 12.0.0.10
nat-policy
 rule name trust_to_untrust-1_nat
  source-zone trust
  destination-zone untrust-1
  source-address 192.168.1.0 24
  action source-nat address-group 1
 rule name trust_to_untrust-2_nat
  source-zone trust
  destination-zone untrust-2
  source-address 192.168.1.0 24
  action source-nat address-group 2
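The duplicate rule name above is easy to miss when a configuration is assembled from copied blocks, as is a NAT pool that overlaps the egress interface's own address or lies outside its subnet. The following linter is an added example written for this page, not part of the original note or of any vendor tool; it parses a constructed copy of the page's NAT fragment (as originally written, with the duplicated name) together with the two uplink interface addresses from the interface section, and reports both classes of mistake. The rule and group syntax it recognises is the hyphenated form shown on this page; the data it checks is embedded inline so it runs offline.

```python
"""Lint Huawei USG-style source NAT fragments: duplicate rule names and bad address pools."""
import ipaddress
import re
from collections import Counter

# Constructed copy of the page's NAT section (as originally written, both rules sharing a name).
NAT_CONFIG = """
nat address-group 1 13.0.0.2 13.0.0.10
nat-policy
 rule name trust_to_untrust_nat
  source-zone trust
  destination-zone untrust-1
  source-address 192.168.1.0 24
  action source-nat address-group 1
nat address-group 2 12.0.0.2 12.0.0.10
nat-policy
 rule name trust_to_untrust_nat
  source-zone trust
  destination-zone untrust-2
  source-address 192.168.1.0 24
  action source-nat address-group 2
"""

# Egress interfaces from the page's interface section (constructed from the same addresses).
INTERFACES = {
    "GigabitEthernet 1/0/1": ipaddress.ip_interface("13.0.0.1/24"),
    "GigabitEthernet 1/0/2": ipaddress.ip_interface("12.0.0.1/24"),
}


def parse_address_groups(text):
    """Map group id -> (first address, last address) for every 'nat address-group' line."""
    groups = {}
    for m in re.finditer(r"^nat address-group (\d+) (\S+) (\S+)$", text, re.M):
        gid, start, end = m.groups()
        groups[int(gid)] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
    return groups


def parse_nat_rules(text):
    """Collect each 'rule name' block with its destination zone and referenced address group."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("rule name "):
            current = {"name": line.split(" ", 2)[2]}
            rules.append(current)
        elif current is not None and line.startswith("destination-zone "):
            current["destination_zone"] = line.split(" ", 1)[1]
        elif current is not None and line.startswith("action source-nat address-group "):
            current["group"] = int(line.rsplit(" ", 1)[1])
    return rules


def duplicate_rule_names(rules):
    """Names used by more than one rule; the device would merge them into a single rule."""
    counts = Counter(r["name"] for r in rules)
    return sorted(name for name, n in counts.items() if n > 1)


def pool_problems(groups, interfaces):
    """Pools outside every egress subnet, or containing an egress interface's own address."""
    findings = []
    for gid, (start, end) in groups.items():
        homes = [n for n, itf in interfaces.items()
                 if start in itf.network and end in itf.network]
        if not homes:
            findings.append(f"group {gid}: {start}-{end} not inside any egress interface subnet")
            continue
        for name in homes:
            own = interfaces[name].ip
            if start <= own <= end:
                findings.append(f"group {gid}: pool contains {name} address {own}")
    return findings


def lint(text=NAT_CONFIG, interfaces=INTERFACES):
    """Run all checks and return the list of human-readable findings."""
    rules = parse_nat_rules(text)
    groups = parse_address_groups(text)
    findings = [f"duplicate nat-policy rule name: {n}" for n in duplicate_rule_names(rules)]
    findings += pool_problems(groups, interfaces)
    return findings


if __name__ == "__main__":
    for finding in lint() or ["no findings"]:
        print(finding)
```

Run against the page's original fragment it reports exactly one finding, the duplicated rule name; after renaming the second rule it reports nothing. Pools that include a gateway address (for example 12.0.0.1 in a pool on GigabitEthernet 1/0/2) or that sit in a subnet no uplink owns are flagged as separate findings.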
Management login (AAA). As written this enables Telnet with the password admin@123: Telnet carries credentials in cleartext and that password is trivially guessable, so outside the lab use SSH (stelnet) and a strong password or key-based login:
aaa
 local-user admin password cipher admin@123
 local-user admin service-type telnet
user-interface vty 0 4
 authentication-mode aaa