Configuring users in a way that they can access only the HQ intranet through a private line but not the Internet on the USG2000 and USG5000 series

Configure a security policy to permit access to the desired destination network segment and block all others.

Other related questions:
Can the USG2000 and USG5000 restrict Internet access to only certain IP addresses on the intranet?
On the web UI, choose Policy > Security Policy > Policy Matching Analysis to check the policy matching information.

Intranet users can only obtain IP addresses through DHCP for Internet access on S series switches
Intranet users can only obtain IP addresses through DHCP for Internet access on S series switches excluding the S1700. The configuration procedure is as follows:

1. Configure a switch as the DHCP server. For details
2. Configure DHCP snooping. See the following DHCP snooping configuration.

[HUAWEI] dhcp snooping enable
[HUAWEI] interface GigabitEthernet2/0/0 //Enable the Layer 3 interface that is automatically assigned an IP address.
[HUAWEI-GigabitEthernet2/0/0] dhcp snooping trusted //Configure the interface as the trusted interface.
[HUAWEI-GigabitEthernet2/0/0] dhcp snooping enable //Enable DHCP snooping.
[HUAWEI-GigabitEthernet2/0/0] ip source check user-bind enable //To prevent IP packets of unauthorized users from entering the external network through the switch, you can enable the IP packet check function on an interface or in a VLAN. After the IP packet check function is enabled, only the IP packets matching entries in the binding table are forwarded. After DHCP snooping is enabled, a dynamic binding table is generated.
[HUAWEI-GigabitEthernet2/0/0] arp anti-attack check user-bind enable //After ARP packet check is enabled, the switch checks all the ARP packets passing through an interface or a VLAN against the binding table. Only the ARP packets matching the binding table are forwarded.
[HUAWEI-GigabitEthernet2/0/0] quit
[HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //If users want to configure static IP addresses for Internet access, a static binding table must be configured.
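
The binding-table behaviour described in the comments above, as an added Python model (not Huawei code and not part of the original page): a dynamic entry is learned only from a DHCPACK seen on a trusted interface, and the sender addresses of IP and ARP packets are then checked against the dynamic and static entries. Matching on IP and MAC only, lease-based ageing of dynamic entries, and every address other than the page's static 10.0.0.1 / 0001-0001-0001 binding are assumptions of the example.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def norm_mac(mac):  # '0001-0001-0001' or '00:01:00:01:00:01' -> '000100010001'
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def build_ack(ip, mac, lease):
    """Constructed DHCPACK payload, used only as sample input."""
    hdr = bytearray(236)
    hdr[0:3] = bytes([2, 1, 6])                 # op=BOOTREPLY, htype=Ethernet, hlen=6
    hdr[16:20] = socket.inet_aton(ip)           # yiaddr: address handed to the client
    hdr[28:34] = bytes.fromhex(norm_mac(mac))   # chaddr: client hardware address
    return bytes(hdr) + MAGIC + b"\x35\x01\x05\x33\x04" + struct.pack("!I", lease) + b"\xff"

def parse_ack(payload):
    """Return (ip, mac, lease_seconds) for a DHCPACK, otherwise None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # 0 = pad option, no length byte
            i += 1
            continue
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    if opts.get(53) != b"\x05" or len(opts.get(51, b"")) != 4:  # 53=type (5=ACK), 51=lease
        return None
    return socket.inet_ntoa(payload[16:20]), payload[28:34].hex(), struct.unpack("!I", opts[51])[0]

class BindingTable:
    def __init__(self):
        # ip -> (mac, expiry); expiry None = static. Assumption: IP+MAC match only.
        self.entries = {}

    def add_static(self, ip, mac):              # models "user-bind static"
        self.entries[ip] = (norm_mac(mac), None)

    def snoop(self, payload, trusted, now):
        """Learn a dynamic entry only from an ACK received on a trusted interface."""
        ack = parse_ack(payload) if trusted else None
        if ack:
            self.entries[ack[0]] = (ack[1], now + ack[2])
        return ack is not None

    def permits(self, src_ip, src_mac, now):
        """Check applied to the sender addresses of an IP or ARP packet."""
        mac, expiry = self.entries.get(src_ip, (None, None))
        return mac == norm_mac(src_mac) and (expiry is None or now < expiry)
```

With the static binding added and one ACK snooped for a DHCP client, `permits` returns True for those two hosts and False for a host using a hand-typed address with no binding, or for ARP that claims the client's IP from a different MAC.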

Can users make outgoing calls through private lines configured for the U1900 if these users are not configured with private lines?
No.

Configuring intranet users to access a public address on the USG2000/5000
To configure intranet users to access a public address on the USG2000/5000, search for "Example for Configuring Address Pool-based NAPT and NAT Server" in the USG2000/5000 Product Documentation.
