防火墙拨号上网

命令行下配置拨号上网的例子如下：



一、进入系统视图
sys



二、配置拨号口1


interface Dialer1
nat outbound 3100
link-protocol ppp
ppp chap user XXX
ppp chap password simple XXX
ppp pap local-user XXX password simple XXX
ppp ipcp dns admit-any
ppp ipcp dns request
ip address ppp-negotiate
dialer user username
dialer-group 1
dialer bundle 1
dialer timer idle 0
ip user-based-sharing enable
quit




三、配置拨号口2 （如果是单线路拨号上网，那么请忽略此部分配置）
interface Dialer11
nat outbound
link-protocol ppp
ppp chap user XXX
ppp chap password XXX
ppp pap local-user XXX password XXX
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1492
ip address ppp-negotiate
tcp mss 1024
dialer user username
dialer-group 11
dialer bundle 11
ip user-based-sharing enable
quit




四、配置内网接口地址
int G0/3
ip address 192.168.1.1 255.255.255.0
tcp mss 1024
dhcp server apply ip-pool vlan1
quit




五、配置dhcp地址池：
dhcp server ip-pool vlan1
network ip range 192.168.1.2 192.168.1.254
network mask 255.255.255.0
expired day 1 hour 5
gateway-list 192.168.1.1
quit




五、绑定拨号口
interface GigabitEthernet0/1
nat outbound
pppoe-client dial-bundle-number 10
quit




interface GigabitEthernet0/2 （单线路拨号上网时忽略此处配置）
nat outbound
pppoe-client dial-bundle-number 11
quit




六、配置上网路由
ip route-static 0.0.0.0 0.0.0.0 Dialer11




七、开启dns代理，开启dhcp



dns proxy enable
dhcp enable



八、系统视图配置基于用户的负载分担 （单线路拨号上网时忽略此处配置）
ip user-based-sharing enable

dialer-rule 10 ip permit
dialer-rule 11 ip permit



九、接口加入到安全域里 （内网接口添加到trust区域，外网口添加到Untrust区域）

zone name Trust

import interface GigabitEthernet0/2

quit



zone name Untrust id 4

import interface GigabitEthernet0/1

quit



十、保存配置

save