1. Configure the basic IP addresses and the zones on FW1
[PPPoE server-GigabitEthernet0/0/0]ip add 20.1.1.2 24
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/0]ip add 20.1.1.1 24
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/0

2. Configure the DHCP server
[FW1]dhcp enable
[FW1-GigabitEthernet1/0/1]dhcp select interface
[FW1-GigabitEthernet1/0/1]dhcp server ip-range 10.1.1.1 10.1.1.254
[FW1-GigabitEthernet1/0/1]dhcp server dns-list 9.9.9.9
[FW1-GigabitEthernet1/0/1]dhcp server gateway-list 10.1.1.1

3. Configure the external interface to obtain its IP address and DNS server address through PPPoE
[FW1]dialer-rule 1 ip permit
[FW1]interface Dialer 1
[FW1-Dialer1]link-protocol ppp
[FW1-Dialer1]dialer user ppp
[FW1-Dialer1]ip address ppp-negotiate
[FW1-Dialer1]ppp ipcp dns admit-any
[FW1-Dialer1]dialer-group 1
[FW1-Dialer1]dialer bundle 1
[FW1-Dialer1]ppp pap local-user abc password cipher ABCabc@123
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface Dialer 1
[FW1]interface g1/0/0
[FW1-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1 ipv4

4. Configure the security policy
[FW1]security-policy
[FW1-policy-security]rule name sec_policy1
[FW1-policy-security-rule-sec_policy1]source-zone trust
[FW1-policy-security-rule-sec_policy1]source-address 10.1.1.0 24
[FW1-policy-security-rule-sec_policy1]destination-zone untrust
[FW1-policy-security-rule-sec_policy1]action permit

5. Configure the NAT policy. The interface obtains its IP address by dialing, and the address may differ on each dial-up, so configure a NAT policy that uses Easy IP.
[FW1]nat-policy
[FW1-policy-nat]rule name nat_policy1
[FW1-policy-nat-rule-nat_policy1]source-zone trust
[FW1-policy-nat-rule-nat_policy1]source-address 10.1.1.0 24
[FW1-policy-nat-rule-nat_policy1]egress-interface Dialer 1
[FW1-policy-nat-rule-nat_policy1]action source-nat easy-ip

6. Configure the default route
[FW1] ip route-static 0.0.0.0 0.0.0.0 Dialer 1

7. Verify
(1) Check whether the Dialer 1 interface on FW1 has been assigned an IP address. If it has, the FW has successfully connected to the Internet.
[FW1]display ip interface brief
(2) On a PC in the internal network, run ipconfig /all to check that the network adapter has been correctly assigned a private address and a DNS address.
(3) Check whether a PC in the internal network can access the Internet by domain name. If it can, the configuration is successful.
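
An offline consistency check for the steps above, as an added example that is not part of the original page. It reads commands in the page's `[view]command` form and confirms that the values linking the steps agree: dialer-group and dialer-rule, dialer bundle and dial-bundle-number, the untrust zone member, NAT egress and default-route interface, and the source subnet. The helper names `parse`, `find` and `audit` are hypothetical.

```python
import ipaddress
import re

# Commands copied from the steps above; parse/find/audit are this example's own helpers.
PAGE_CONFIG = """\
[FW1-GigabitEthernet1/0/1]dhcp server gateway-list 10.1.1.1
[FW1]dialer-rule 1 ip permit
[FW1-Dialer1]dialer-group 1
[FW1-Dialer1]dialer bundle 1
[FW1-zone-untrust]add interface Dialer 1
[FW1-GigabitEthernet1/0/0]pppoe-client dial-bundle-number 1 ipv4
[FW1-policy-security-rule-sec_policy1]source-address 10.1.1.0 24
[FW1-policy-nat-rule-nat_policy1]source-address 10.1.1.0 24
[FW1-policy-nat-rule-nat_policy1]egress-interface Dialer 1
[FW1] ip route-static 0.0.0.0 0.0.0.0 Dialer 1
"""

def parse(text):
    """Split '[view]command' lines into (view, command) pairs."""
    return re.findall(r"^\[([^\]]+)\]\s*(.+?)\s*$", text, re.M)

def find(pairs, view_re, cmd_re):
    """First capture group of the first command matching both patterns, else None."""
    for view, cmd in pairs:
        m = re.search(cmd_re, cmd)
        if m and re.search(view_re, view):
            return m.group(1)

def audit(text):
    """Return cross-step inconsistencies; an empty list means the steps agree."""
    p = parse(text)
    egress = find(p, "policy-nat", r"^egress-interface (.+)")
    sec = find(p, "policy-security", r"^source-address (\S+ \d+)")
    checks = [
        ("dialer-group has no matching dialer-rule",
         find(p, "Dialer", r"^dialer-group (\d+)"), find(p, ".", r"^dialer-rule (\d+)")),
        ("pppoe-client bundle number differs from dialer bundle",
         find(p, "Dialer", r"^dialer bundle (\d+)"), find(p, ".", r"dial-bundle-number (\d+)")),
        ("NAT egress interface is not in the untrust zone",
         find(p, "zone-untrust", r"^add interface (Dialer ?\d+)"), egress),
        ("default route does not leave via the NAT egress interface",
         find(p, ".", r"^ip route-static 0\.0\.0\.0 0\.0\.0\.0 (.+)"), egress),
        ("security policy and NAT policy match different sources",
         sec, find(p, "policy-nat", r"^source-address (\S+ \d+)")),
    ]
    problems = [msg for msg, a, b in checks if a is None or a != b]
    gw = find(p, ".", r"^dhcp server gateway-list (\S+)")
    if sec and gw and ipaddress.ip_address(gw) not in ipaddress.ip_network(sec.replace(" ", "/")):
        problems.append("DHCP gateway is outside the permitted source subnet")
    return problems
```

Calling `audit()` on a saved copy of the commands you actually typed returns the list of mismatches, which is quicker to read than tracing a failed dial-up or a dropped session after the fact.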