华为防火墙USG配置

合集下载
  1. 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
  2. 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
  3. 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。

内网:

配置GigabitEthernet 0/0/1加入Trust区域

[USG5300] firewall zone trust

[USG5300-zone-untrust] add interface GigabitEthernet 0/0/1

外网:

配置GigabitEthernet 0/0/2加入Untrust区域

[USG5300] firewall zone untrust

[USG5300-zone-untrust] add interface GigabitEthernet 0/0/2

DMZ:

[USG5300] firewall zone dmz

[USG5300-zone-untrust] add interface GigabitEthernet 0/0/3

[USG5300-zone-untrust] quit

1.4.1 Trust和Untrust域间:允许内网用户访问公网

policy 1:允许源地址为10.10.10.0/24的网段的报文通过

[USG5300] policy interzone trust untrust outbound

[USG5300-policy-interzone-trust-untrust-outbound] policy 1

[USG5300-policy-interzone-trust-untrust-outbound-1] policy source 10.10.10.0 0.0.0.255 [USG5300-policy-interzone-trust-untrust-outbound-1] action permit

[USG5300-policy-interzone-trust-untrust-outbound-1] quit

如果是允许所有的内网地址上公网可以用以下命令:

[USG2100]firewall packet-filter default permit interzone trust untrust direction outbound //必须

1.4.2 DMZ和Untrust域间:从公网访问内部服务器

policy 2:允许目的地址为10.10.11.2,目的端口为21的报文通过

policy 3:允许目的地址为10.10.11.3,目的端口为8080的报文通过

[USG5300] policy interzone untrust dmz inbound

[USG5300-policy-interzone-dmz-untrust-inbound] policy 2

[USG5300-policy-interzone-dmz-untrust-inbound-2] policy destination 10.10.11.3 0

[USG5300-policy-interzone-dmz-untrust-inbound-2] policy service service-set ftp

[USG5300-policy-interzone-dmz-untrust-inbound-2] action permit

[USG5300-policy-interzone-dmz-untrust-inbound-2] quit

[USG5300-policy-interzone-dmz-untrust-inbound] policy 3

[USG5300-policy-interzone-dmz-untrust-inbound-3] policy destination 10.10.11.2 0

[USG5300-policy-interzone-dmz-untrust-inbound-3] policy service service-set http

[USG5300-policy-interzone-dmz-untrust-inbound-3] action permit

[USG5300-policy-interzone-dmz-untrust-inbound-3] quit

[USG5300-policy-interzone-dmz-untrust-inbound] quit

配置内部服务器:

system-view

[USG5300] nat server protocol tcp global 220.10.10.16 8080 inside 10.10.11.2 www [USG5300] nat server protocol tcp global 220.10.10.17 ftp inside 10.10.11.3 ftp

NAT

2、通过公网接口的方式

创建Trust区域和Untrust区域之间的NAT策略,确定进行NAT转换的源地址范围192.168.1.0/24网段,并且将其与外网接口GigabitEthernet 0/0/4进行绑定。

[USG] nat-policy interzone trust untrust outbound

[USG-nat-policy-interzone-trust-untrust-outbound] policy 0

[USG-nat-policy-interzone-trust-untrust-outbound-0] policy source 192.168.1.0 0.0.0.255

[USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat

[USG-nat-policy-interzone-trust-untrust-outbound-0] easy-ip GigabitEthernet 0/0/4

[USG-nat-policy-interzone-trust-untrust-outbound-0] quit

3、直接在接口启用nat

如果是针对内网用户上公网做nat,需要在内网接口使用

[USG-GigabitEthernet0/0/0]nat enable

2.10 配置策略路由

配置要求:10.10.167.0走218.201.135.177,10.10.168.0走58.57.15.53。

1、创建acl

acl number 3000

rule 1 permit ip source 10.10.167.0 0.0.0.255

acl number 3001

rule 1 permit ip source 10.10.168.0 0.0.0.255

2、创建策略路由

policy-based-route internet permit node 0

相关文档
最新文档