華為H3C防火墻配置手冊

1、要求:通過配置華為防火墻實現(xiàn)本地 telnet 服務(wù)器能夠通過 NAT 上網(wǎng).并且,訪問電信網(wǎng)絡(luò) 鏈路時走電信,訪問網(wǎng)通鏈路時走網(wǎng)通.具體配置如下:華為 USG 2000Username:adminPassword:Admin123S G2205BSR>syste m -view USG2 2 05BSR s y s n a m e h u awei hu a w ei i nt e r f ace G i gab i tEthernet 0 / 0/0 批注 canhong1: 默認用戶名和密碼批注 canhong2: 進入配置 模式批注 canhong3: 命名批注 canhong4

2、: 進入接口huawei-GigabitEthernet0/0/0description #conn to dianxin link# huawei-GigabitEthernet0/0/0ip address 202.100.1.1 255.255.255.0 huawei-GigabitEthernet0/0/0undo shutdownhuawei-GigabitEthernet0/0/0quit批注 canhong5: 對接口描 述批注 canhong6: 配置 IP批注 canhong7: 啟用接口 批注 canhong8: 退出接口模式huaweiinterface Gigabit

3、Ethernet 0/0/1huawei-GigabitEthernet0/0/1description #conn to yidong link# huawei-GigabitEthernet0/0/1ip address 202.200.1.1 255.255.255.0 huawei-GigabitEthernet0/0/1undo shutdownhuawei-GigabitEthernet0/0/1quithuaweiinterface Vlanif 1huawei-Vlanif1description #conn to local# huawei-Vlanif1ip address

4、 192.168.1.1 255.255.255.0 huawei-Vlanif1undo shutdownhuawei-Vlanif1quithuaweifirewall zone trusthuawei-zone-trustundo add interface GigabitEthernet 0/0/0批注 canhong9: 進入信認區(qū)域,信認區(qū)域默認安全等級 為 85huawei-zone-trustundo add interface GigabitEthernet 0/0/1huawei-zone-trustadd interface Vlanif 1 huaweifirewall

5、 zone name Dianxin huawei-zone-dianxinset priority 4huawei-zone-dianxinadd interface GigabitEthernet 0/0/0huawei-zone-dianxinquit批注 canhong10: 默認G0/0/0 和 G0/0/1 屬于信認區(qū) 域,由于本實驗,這兩個接口連 接外網(wǎng),應(yīng)把這兩個接口從信 認區(qū)域移出,加入到非信認區(qū) 域中.批注 canhong11: 把VLANIF 1 加入信認區(qū)域批注 canhong12: 重新建個 新的區(qū)域,命名為 dianxin,設(shè) 置安全等級為 4,并把 G0/0/0

6、加入該區(qū)域huaweifirewall zone name Yidonghuawei-zone-yidongset priority 3huawei-zone-yidongadd interface GigabitEthernet 0/0/1 huawei-zone-yidongquithuaweiacl number 2000huawei-acl-basic-2000rule 10 permit source .1.0 0.0.0.255批注 canhong13: 重新建個新的區(qū)域,命名為 yidong,設(shè)置 安全等級為 3,并把 G0/0/1 加 入該區(qū)域批注 canhong14: 配置一

7、個 ACL 2000, 設(shè)置規(guī)則允許內(nèi) 網(wǎng) 192.168.1.0 的網(wǎng)段huawei-acl-basic-2000quithuaweifirewall interzone trust dianxinhuawei-interzone-trust-dianxinpacket-filter 2000 outboundhuawei-interzone-trust-dianxinnat outbound 2000 interface GigabitEthernet 0/0/0 huawei-interzone-trust-dianxinquit批注 canhong15: 進入信認區(qū)域和 dianxin

8、批注 canhong16: 包過濾的 出口方向應(yīng)用 ACL 2000批注 canhong17: ACL 2000與接口 G0/0/0 做 PAThuaweifirewall interzone trust yidonghuawei-interzone-trust-yidongnat outbound 2000 interface GigabitEthernet 0/0/1 huawei-interzone-trust-yidongquithuaweiuser-interface vty 0 4批注 canhong18: 同上批注 canhong19: 進入接口 VTY, 啟用驗證模式為密碼 模

9、式huawei-ui-vty0-4authentication-mode passwordhuawei-ui-vty0-4quithuaweiip route-static 0.0.0.0 0.0.0.0 202.1批注 canhong20: 配置默認路由到達電信.huaweiip route-static 27.8.0.0 2548.0.0 202.200.1.2huaweiip route-static 0.1.2huaweiip route-static 222.160.0.0 255.252.0.0 20批注 canhong21: 配置明細路由到網(wǎng)通的路由，約有 683條明細路由.hu

10、awei firewall packet-filter default permit interzone local dianxin direction inboundhuawei firewall packet-filter default permit interzone local dianxin direction outboundhuawei firewall packet-filter default permit interzone trust dianxin direction inboundhuawei firewall packet-filter default permi

11、t interzone trust dianxin direction outboundhuawei firewall packet-filter default permit interzone local yidong direction inboundhuawei firewall packet-filter default permit interzone local yidong direction outboundhuawei firewall packet-filter default permit interzone trust yidong direction inbound

12、huawei firewall packet-filter default permit interzone trust yidong direction outbound如圖：電信網(wǎng)絡(luò)、網(wǎng)通網(wǎng)絡(luò)和 telnet 服務(wù)器配置 略！驗證：內(nèi)網(wǎng) 192.168.1.2 分別 PING 電信與網(wǎng)通. inside#ping 202.10.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:!Success rate is 100 percent (5/5,

13、 round-trip min/avg/max = 4/4/4 ms inside#ping 202.20.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 202.200.1.2, timeout is 2 seconds:!批注 canhong22: 配置包過濾,允許 dianxin 、yidong 與 local 、trust 之間的入方向和 出方向。沒有允許的話，則外 網(wǎng)無法 PING 通防火墻的出接 口。a w e i > d i splay fi r e w a ll session t a b

14、l e 11:38:23 2010/11/06Current total sessions: 3icmp VPN: public -> public192.168.1.2:320.1.1:23088->202.100.1.2:3tcp VPN: public -> public 192.168.:1024->192.168.1.2:23 icmp VPN: public -> public192.168.1.2:420.1.1:43288->202.200.1.2:4驗證成功！huaweidisplay current-configuration11:54:

15、30 2010/11/06#acl number 2000rule 10 permit source 192.168.1.0 0.0.0.255批注 canhong23: 查看 NAT轉(zhuǎn)換列表批注 canhong24: 查看當(dāng)前 配置#sysname huawei#super password level 3 cipher S*H+DFHFSQ=QMAF4<1!#web-manager enable#info-center timestamp debugging date#firewall packet-filter default permit interzone local trus

16、t direction inbound firewall packet-filter default permit interzone local trust direction outbound firewall packet-filter default permit interzone local untrust direction inboundfirewall packet-filter default permit interzone local dmz direction inbound firewall packet-filter default permit interzon

17、e local dmz direction outbound firewall packet-filter default permit interzone local vzone direction inbound firewall packet-filter default permit interzone local vzone direction outbound firewall packet-filter default permit interzone local dianxin direction inbound firewall packet-filter default p

18、ermit interzone local dianxin direction outbound firewall packet-filter default permit interzone local yidong direction inbound firewall packet-filter default permit interzone local yidong direction outbound firewall packet-filter default permit interzone trust untrust direction inbound firewall pac

19、ket-filter default permit interzone trust untrust direction outbound firewall packet-filter default permit interzone trust dmz direction inbound firewall packet-filter default permit interzone trust dmz direction outbound firewall packet-filter default permit interzone trust vzone direction inbound

20、firewall packet-filter default permit interzone trust vzone direction outbound firewall packet-filter default permit interzone trust dianxin direction inbound firewall packet-filter default permit interzone trust dianxin direction outbound firewall packet-filter default permit interzone trust yidong

21、 direction inbound firewall packet-filter default permit interzone trust yidong direction outbound firewall packet-filter default permit interzone dmz untrust direction inbound firewall packet-filter default permit interzone dmz untrust direction outbound firewall packet-filter default permit interz

22、one untrust vzone direction inbound firewall packet-filter default permit interzone untrust vzone direction outbound firewall packet-filter default permit interzone dmz vzone direction inbound firewall packet-filter default permit interzone dmz vzone direction outbound#dhcp enable#firewall statistic

23、 system enable#vlan 1#interface Cellular0/1/0 link-protocol ppp#interface Vlanif1description #conn to local#ip address 192.168.1.1 #interface Ethernet1/0/0 port link-type access#interface Ethernet1/0/1 port link-type access#interface Ethernet1/0/2 port link-type access#interface Ethernet1/0/3 port l

24、ink-type access#interface Ethernet1/0/4 port link-type access#interface GigabitEthernet0/0/0 description #conn to dianxin link# ip address 202.100.1.1 #interface GigabitEthernet0/0/1 description #conn to yidong link# ip address 202.200.1.1 #interface NULL0#firewall zone local set priority 100#firewall zone trust set priority 85add interface Vlanif1#firewall zone untrust set priority 5#firewall zone dmz set priority 50#firewall zone vzone set priority 0#firewall zone name dianxin set priority 4add interface GigabitEthernet0/0/0#firewall zone name yidong s