Whether the USG2000 and USG5000 can restrict Internet access to only certain IP addresses on the intranet

On the web UI, choose Policy > Security Policy > Policy Matching Analysis to check the policy matching information.

Other related questions:
Configuring users so that they can access only the HQ intranet through a private line, but not the Internet, on the USG2000 and USG5000 series
Configure a security policy to permit access to the desired destination network segment and block all others.

Whether the interface address of the USG2000 can be set to a private IP address to access the Internet
Yes. Internet access is supported as long as the interface address is translated by NAT.

Allowing intranet users to access the Internet only with IP addresses obtained through DHCP on S series switches
On S series switches excluding the S1700, intranet users can be restricted to accessing the Internet only with IP addresses obtained through DHCP. The configuration procedure is as follows:
1. Configure a switch as the DHCP server. For details
2. Configure DHCP snooping. See the following DHCP snooping configuration.
[HUAWEI] dhcp snooping enable
[HUAWEI] interface GigabitEthernet2/0/0 //Enable the Layer 3 interface that is automatically assigned an IP address.
[HUAWEI-GigabitEthernet2/0/0] dhcp snooping trusted //Configure the interface as the trusted interface.
[HUAWEI-GigabitEthernet2/0/0] dhcp snooping enable //Enable DHCP snooping.
[HUAWEI-GigabitEthernet2/0/0] ip source check user-bind enable //To prevent IP packets of unauthorized users from entering the external network through the switch, you can enable the IP packet check function on an interface or in a VLAN. After the IP packet check function is enabled, only the IP packets matching entries in the binding table are forwarded. After DHCP snooping is enabled, a dynamic binding table is generated.
[HUAWEI-GigabitEthernet2/0/0] arp anti-attack check user-bind enable //After ARP packet check is enabled, the switch checks all the ARP packets passing through an interface or a VLAN against the binding table. Only the ARP packets matching the binding table are forwarded.
[HUAWEI-GigabitEthernet2/0/0] quit
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //If users want to configure static IP addresses for Internet access, a static binding table must be configured.
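
The following script is an added example, not Huawei's own tooling. It audits a saved switch configuration for interfaces that have DHCP snooping enabled but lack the IP or ARP binding-table checks described above, and lists the static bindings. The sample configuration is constructed, and the layout it assumes (interface commands indented, sections separated by `#`) is an assumption about how the configuration was exported.

```python
import re

# Constructed sample in the style of a saved configuration (not from a real device).
SAMPLE_CONFIG = """\
dhcp snooping enable
#
interface GigabitEthernet2/0/0
 dhcp snooping enable
 ip source check user-bind enable
 arp anti-attack check user-bind enable
#
interface GigabitEthernet2/0/1
 dhcp snooping enable
 ip source check user-bind enable
#
interface GigabitEthernet2/0/2
 description printer
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001
"""

REQUIRED = ("ip source check user-bind enable",
            "arp anti-attack check user-bind enable")
STATIC_RE = re.compile(r"user-bind static ip-address (\S+) mac-address (\S+)")

def audit(config):
    """Return (findings, static_bindings) for a configuration dump."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                    # '#' closes the current section
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], set())
        elif current is not None and raw[:1].isspace():
            current.add(line)                 # indented: interface-level command
        else:
            current = None
            global_cmds.add(line)             # system-view command
    findings = []
    if "dhcp snooping enable" not in global_cmds:
        findings.append(("global", "dhcp snooping enable"))
    for name, cmds in interfaces.items():
        if "dhcp snooping enable" in cmds:    # only ports that build bindings
            findings += [(name, c) for c in REQUIRED if c not in cmds]
    static = [m.groups() for m in map(STATIC_RE.fullmatch, global_cmds) if m]
    return findings, sorted(static)

if __name__ == "__main__":
    for where, missing in audit(SAMPLE_CONFIG)[0]:
        print(f"{where}: missing '{missing}'")
```

An interface reported here still learns DHCP bindings but forwards IP or ARP packets without checking them against the binding table, so a manually addressed host on that port is not blocked.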

Method used to check whether intranet servers can access the Internet on the USG6000 series
You can view session entries on the USG6000 series or perform ping tests to check whether intranet servers can access the Internet.
