华为防火墙USG配置
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
内网:
配置GigabitEthernet 0/0/1加入Trust区域
[USG5300] firewall zone trust
[USG5300-zone-untrust] add interface GigabitEthernet 0/0/1
外网:
配置GigabitEthernet 0/0/2加入Untrust区域
[USG5300] firewall zone untrust
[USG5300-zone-untrust] add interface GigabitEthernet 0/0/2
DMZ:
[USG5300] firewall zone dmz
[USG5300-zone-untrust] add interface GigabitEthernet 0/0/3
[USG5300-zone-untrust] quit
1.4.1 Trust和Untrust域间:允许内网用户访问公网
policy 1:允许源地址为10.10.10.0/24的网段的报文通过
[USG5300] policy interzone trust untrust outbound
[USG5300-policy-interzone-trust-untrust-outbound] policy 1
[USG5300-policy-interzone-trust-untrust-outbound-1] policy source 10.10.10.0 0.0.0.255 [USG5300-policy-interzone-trust-untrust-outbound-1] action permit
[USG5300-policy-interzone-trust-untrust-outbound-1] quit
如果是允许所有的内网地址上公网可以用以下命令:
[USG2100]firewall packet-filter default permit interzone trust untrust direction outbound //必须
1.4.2 DMZ和Untrust域间:从公网访问内部服务器
policy 2:允许目的地址为10.10.11.2,目的端口为21的报文通过
policy 3:允许目的地址为10.10.11.3,目的端口为8080的报文通过
[USG5300] policy interzone untrust dmz inbound
[USG5300-policy-interzone-dmz-untrust-inbound] policy 2
[USG5300-policy-interzone-dmz-untrust-inbound-2] policy destination 10.10.11.3 0
[USG5300-policy-interzone-dmz-untrust-inbound-2] policy service service-set ftp
[USG5300-policy-interzone-dmz-untrust-inbound-2] action permit
[USG5300-policy-interzone-dmz-untrust-inbound-2] quit
[USG5300-policy-interzone-dmz-untrust-inbound] policy 3
[USG5300-policy-interzone-dmz-untrust-inbound-3] policy destination 10.10.11.2 0
[USG5300-policy-interzone-dmz-untrust-inbound-3] policy service service-set http
[USG5300-policy-interzone-dmz-untrust-inbound-3] action permit
[USG5300-policy-interzone-dmz-untrust-inbound-3] quit
[USG5300-policy-interzone-dmz-untrust-inbound] quit
配置内部服务器:
[USG5300] nat server protocol tcp global 220.10.10.16 8080 inside 10.10.11.2 www [USG5300] nat server protocol tcp global 220.10.10.17 ftp inside 10.10.11.3 ftp
NAT
2、通过公网接口的方式
创建Trust区域和Untrust区域之间的NAT策略,确定进行NAT转换的源地址范围192.168.1.0/24网段,并且将其与外网接口GigabitEthernet 0/0/4进行绑定。
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 0
[USG-nat-policy-interzone-trust-untrust-outbound-0] policy source 192.168.1.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-0] easy-ip GigabitEthernet 0/0/4
[USG-nat-policy-interzone-trust-untrust-outbound-0] quit
3、直接在接口启用nat
如果是针对内网用户上公网做nat,需要在内网接口使用
[USG-GigabitEthernet0/0/0]nat enable
2.10 配置策略路由
配置要求:10.10.167.0走218.201.135.177,10.10.168.0走58.57.15.53。
1、创建acl
acl number 3000
rule 1 permit ip source 10.10.167.0 0.0.0.255
acl number 3001
rule 1 permit ip source 10.10.168.0 0.0.0.255
2、创建策略路由
policy-based-route internet permit node 0