Requirement: configure a Huawei firewall so that the local telnet server can reach the Internet through NAT, with traffic for China Telecom (dianxin) destinations leaving over the Telecom link and traffic for China Netcom (wangtong) destinations leaving over the Netcom link. (Throughout the configuration the second link is named "yidong", i.e. China Mobile, while the original prose calls it the Netcom link; the names are kept as configured.) The device is a Huawei USG 2000 series firewall (USG2205BSR). The full configuration follows.

Log in with the default username and password, enter system view and name the device:

    Username: admin
    Password: Admin123
    <USG2205BSR> system-view
    [USG2205BSR] sysname huawei

Configure the two uplink interfaces (description, IP address, enable) and the VLAN interface facing the LAN:

    [huawei] interface GigabitEthernet 0/0/0
    [huawei-GigabitEthernet0/0/0] description #conn to dianxin link#
    [huawei-GigabitEthernet0/0/0] ip address 202.100.1.1 255.255.255.0
    [huawei-GigabitEthernet0/0/0] undo shutdown
    [huawei-GigabitEthernet0/0/0] quit
    [huawei] interface GigabitEthernet 0/0/1
    [huawei-GigabitEthernet0/0/1] description #conn to yidong link#
    [huawei-GigabitEthernet0/0/1] ip address 202.200.1.1 255.255.255.0
    [huawei-GigabitEthernet0/0/1] undo shutdown
    [huawei-GigabitEthernet0/0/1] quit
    [huawei] interface Vlanif 1
    [huawei-Vlanif1] description #conn to local#
    [huawei-Vlanif1] ip address 192.168.1.1 255.255.255.0
    [huawei-Vlanif1] undo shutdown
    [huawei-Vlanif1] quit

Security zones. The trust zone has a default priority of 85. By default G0/0/0 and G0/0/1 belong to the trust zone; in this setup both connect to the outside, so they are removed from trust and Vlanif 1 is added instead. Two new zones are then created: dianxin (priority 4, holding G0/0/0) and yidong (priority 3, holding G0/0/1):

    [huawei] firewall zone trust
    [huawei-zone-trust] undo add interface GigabitEthernet 0/0/0
    [huawei-zone-trust] undo add interface GigabitEthernet 0/0/1
    [huawei-zone-trust] add interface Vlanif 1
    [huawei-zone-trust] quit
    [huawei] firewall zone name Dianxin
    [huawei-zone-dianxin] set priority 4
    [huawei-zone-dianxin] add interface GigabitEthernet 0/0/0
    [huawei-zone-dianxin] quit
    [huawei] firewall zone name Yidong
    [huawei-zone-yidong] set priority 3
    [huawei-zone-yidong] add interface GigabitEthernet 0/0/1
    [huawei-zone-yidong] quit

ACL 2000 permits the internal network 192.168.1.0/24. It is applied as the outbound packet filter between trust and dianxin and, on both interzones, as the NAT outbound rule that translates matching sources to the address of the egress interface (PAT on the interface address, Huawei's "Easy IP"). Note that the trust-yidong interzone gets only the NAT rule; no packet-filter 2000 outbound is applied there, unlike trust-dianxin:

    [huawei] acl number 2000
    [huawei-acl-basic-2000] rule 10 permit source 192.168.1.0 0.0.0.255
    [huawei-acl-basic-2000] quit
    [huawei] firewall interzone trust dianxin
    [huawei-interzone-trust-dianxin] packet-filter 2000 outbound
    [huawei-interzone-trust-dianxin] nat outbound 2000 interface GigabitEthernet 0/0/0
    [huawei-interzone-trust-dianxin] quit
    [huawei] firewall interzone trust yidong
    [huawei-interzone-trust-yidong] nat outbound 2000 interface GigabitEthernet 0/0/1
    [huawei-interzone-trust-yidong] quit

The VTY lines 0 to 4 use password authentication mode. Keep in mind what this means on a device that still has its factory admin credentials: management is cleartext telnet with one shared password and no per-user accounts.

    [huawei] user-interface vty 0 4
    [huawei-ui-vty0-4] authentication-mode password
    [huawei-ui-vty0-4] quit

Routing. The default route points at the Telecom link; specific routes for the Netcom address blocks point at the Netcom next hop 202.200.1.2. The real deployment carried about 683 such specific routes; only a few appear in the source, and their text is damaged, so they are shown as they survive:

    [huawei] ip route-static 0.0.0.0 0.0.0.0 202.1...            (next hop truncated in the source)
    [huawei] ip route-static 27.8.0.0 2548.0.0 202.200.1.2        (mask garbled in the source)
    [huawei] ip route-static ...                                   (entry garbled beyond recovery in the source)
    [huawei] ip route-static 222.160.0.0 255.252.0.0 20...        (next hop truncated in the source)
Default packet-filter actions. Permit both directions between the dianxin and yidong zones on one side and the local and trust zones on the other. Without these, the outside cannot ping the firewall's egress interfaces:

    [huawei] firewall packet-filter default permit interzone local dianxin direction inbound
    [huawei] firewall packet-filter default permit interzone local dianxin direction outbound
    [huawei] firewall packet-filter default permit interzone trust dianxin direction inbound
    [huawei] firewall packet-filter default permit interzone trust dianxin direction outbound
    [huawei] firewall packet-filter default permit interzone local yidong direction inbound
    [huawei] firewall packet-filter default permit interzone local yidong direction outbound
    [huawei] firewall packet-filter default permit interzone trust yidong direction inbound
    [huawei] firewall packet-filter default permit interzone trust yidong direction outbound

Caveat: the inbound default permits on trust-dianxin and trust-yidong go well beyond the stated goal. Making the egress interfaces answer pings only needs the local-zone pairs, and return packets of sessions started from the LAN are matched by the firewall's session table rather than by an inbound rule. With default permit inbound on the trust interzones, the policy no longer blocks connections initiated from either ISP link toward the trust zone, which defeats the point of putting the uplinks in lower-priority zones.

The topology diagram referenced at this point is not reproduced in this copy; the configuration of the Telecom network, the Netcom network and the telnet server is omitted.

Verification: from the internal host 192.168.1.2, ping the Telecom and Netcom peers (the "inside" prompt is the LAN host):

    inside#ping 202.100.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
    inside#ping 202.200.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 202.200.1.2, timeout is 2 seconds:
    !                                      (rest of the output lost in the source)

The NAT translations are visible in the session table. The two ICMP sessions show the LAN source 192.168.1.2 translated to 202.100.1.1 for the Telecom destination and to 202.200.1.1 for the Netcom destination, i.e. each flow was translated to the address of the link it actually left on. ICMP identifiers and one source address are truncated in the source:

    <huawei> display firewall session table
     11:38:23 2010/11/06
     Current total sessions: 3
     icmp VPN: public -> public 192.168.1.2:3...[202.100.1.1:23088] -> 202.100.1.2:3...
     tcp  VPN: public -> public 192.168....:1024 -> 192.168.1.2:23
     icmp VPN: public -> public 192.168.1.2:4...[202.200.1.1:43288] -> 202.200.1.2:4...

Verification succeeded.
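The route selection and the session-table check above can be exercised offline. The following Python script is an added example, not part of the original walkthrough or of Huawei's software. It models the firewall's route table (the two connected /24s, the default route toward the Telecom link and the per-prefix routes toward the second link), picks the egress link for a destination by longest-prefix match, emits the corresponding VRP ip route-static lines, and flags session records whose translated source address belongs to the wrong link. It assumes the default route's next hop is 202.100.1.2 (truncated on the page), a /13 mask for 27.8.0.0 (garbled on the page) and a two-entry stand-in for the roughly 683-entry Netcom prefix list; the session records are constructed, with one deliberately wrong.

```python
"""Dual-ISP egress check modelled on the USG configuration above.

Added example, not code from the original page. Assumptions: default next hop
202.100.1.2 (truncated on the page), /13 mask for 27.8.0.0 (garbled on the
page), two constructed prefixes standing in for the ~683 real Netcom routes.
"""
import ipaddress

# Per-link facts taken from the interface and zone configuration on the page.
LINKS = {
    "GigabitEthernet0/0/0": {"zone": "dianxin", "address": "202.100.1.1",
                             "connected": "202.100.1.0/24", "next_hop": "202.100.1.2"},
    "GigabitEthernet0/0/1": {"zone": "yidong", "address": "202.200.1.1",
                             "connected": "202.200.1.0/24", "next_hop": "202.200.1.2"},
}
DEFAULT_LINK = "GigabitEthernet0/0/0"     # default route leaves via the Telecom link
SECOND_ISP_LINK = "GigabitEthernet0/0/1"  # specific prefixes leave via the second link

# Constructed stand-in for the ~683-entry prefix list of the second ISP.
SECOND_ISP_PREFIXES = ["222.160.0.0/14",  # visible on the page
                       "27.8.0.0/13"]     # mask assumed; the page's line is garbled


def build_route_table(prefixes=SECOND_ISP_PREFIXES):
    """Return [(network, egress_interface, next_hop_or_None)], longest prefix first."""
    routes = []
    for iface, link in LINKS.items():          # connected routes, no next hop
        routes.append((ipaddress.ip_network(link["connected"]), iface, None))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), DEFAULT_LINK,
                   LINKS[DEFAULT_LINK]["next_hop"]))
    for p in prefixes:
        routes.append((ipaddress.ip_network(p, strict=True), SECOND_ISP_LINK,
                       LINKS[SECOND_ISP_LINK]["next_hop"]))
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


def vrp_static_routes(routes):
    """VRP `ip route-static <net> <mask> <next-hop>` lines for the static entries."""
    return [f"ip route-static {net.network_address} {net.netmask} {nh}"
            for net, _iface, nh in routes if nh is not None]


def egress_for(destination, routes):
    """Longest-prefix match; routes must be sorted longest prefix first."""
    addr = ipaddress.ip_address(destination)
    for net, iface, _nh in routes:
        if addr in net:
            return iface
    raise LookupError(f"no route for {destination}")


def check_sessions(sessions, routes):
    """Return (dst, translated_src, expected_src) for every session whose NAT
    source address is not the address of the link the route table selects."""
    bad = []
    for dst, translated_src in sessions:
        expected = LINKS[egress_for(dst, routes)]["address"]
        if translated_src != expected:
            bad.append((dst, translated_src, expected))
    return bad


# Constructed (destination, translated source) pairs modelled on the
# `display firewall session table` output; the last one is deliberately wrong.
SAMPLE_SESSIONS = [
    ("202.100.1.2", "202.100.1.1"),
    ("202.200.1.2", "202.200.1.1"),
    ("222.161.5.9", "202.200.1.1"),
    ("27.9.0.1", "202.100.1.1"),  # second-ISP destination that leaked via Telecom
]

if __name__ == "__main__":
    table = build_route_table()
    print("\n".join(vrp_static_routes(table)))
    for dst, got, expected in check_sessions(SAMPLE_SESSIONS, table):
        print(f"mismatch: dst {dst} translated to {got}, expected {expected}")
```

Run it as a script to print the generated route lines and the one mismatch. Connected routes are included on purpose: 202.200.1.2 is the directly attached Netcom peer, so it reaches the second link through the connected /24 even though no static route covers it, which is exactly why the ping test above works without a specific route for the peer address.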
View the current configuration. The dump below is cut off in the source inside the yidong zone definition; the Vlanif1 mask is restored from the interface configuration above:

    <huawei> display current-configuration
     11:54:30 2010/11/06
    #
     acl number 2000
      rule 10 permit source 192.168.1.0 0.0.0.255
    #
     sysname huawei
    #
     super password level 3 cipher S*H+DFHFSQ=QMAF4<1!
    #
     web-manager enable
    #
     info-center timestamp debugging date
    #
     firewall packet-filter default permit interzone local trust direction inbound
     firewall packet-filter default permit interzone local trust direction outbound
     firewall packet-filter default permit interzone local untrust direction inbound
     firewall packet-filter default permit interzone local dmz direction inbound
     firewall packet-filter default permit interzone local dmz direction outbound
     firewall packet-filter default permit interzone local vzone direction inbound
     firewall packet-filter default permit interzone local vzone direction outbound
     firewall packet-filter default permit interzone local dianxin direction inbound
     firewall packet-filter default permit interzone local dianxin direction outbound
     firewall packet-filter default permit interzone local yidong direction inbound
     firewall packet-filter default permit interzone local yidong direction outbound
     firewall packet-filter default permit interzone trust untrust direction inbound
     firewall packet-filter default permit interzone trust untrust direction outbound
     firewall packet-filter default permit interzone trust dmz direction inbound
     firewall packet-filter default permit interzone trust dmz direction outbound
     firewall packet-filter default permit interzone trust vzone direction inbound
     firewall packet-filter default permit interzone trust vzone direction outbound
     firewall packet-filter default permit interzone trust dianxin direction inbound
     firewall packet-filter default permit interzone trust dianxin direction outbound
     firewall packet-filter default permit interzone trust yidong direction inbound
     firewall packet-filter default permit interzone trust yidong direction outbound
     firewall packet-filter default permit interzone dmz untrust direction inbound
     firewall packet-filter default permit interzone dmz untrust direction outbound
     firewall packet-filter default permit interzone untrust vzone direction inbound
     firewall packet-filter default permit interzone untrust vzone direction outbound
     firewall packet-filter default permit interzone dmz vzone direction inbound
     firewall packet-filter default permit interzone dmz vzone direction outbound
    #
     dhcp enable
    #
     firewall statistic system enable
    #
    vlan 1
    #
    interface Cellular0/1/0
     link-protocol ppp
    #
    interface Vlanif1
     description #conn to local#
     ip address 192.168.1.1 255.255.255.0
    #
    interface Ethernet1/0/0
     port link-type access
    #
    interface Ethernet1/0/1
     port link-type access
    #
    interface Ethernet1/0/2
     port link-type access
    #
    interface Ethernet1/0/3
     port link-type access
    #
    interface Ethernet1/0/4
     port link-type access
    #
    interface GigabitEthernet0/0/0
     description #conn to dianxin link#
     ip address 202.100.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     description #conn to yidong link#
     ip address 202.200.1.1 255.255.255.0
    #
    interface NULL0
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     set priority 85
     add interface Vlanif1
    #
    firewall zone untrust
     set priority 5
    #
    firewall zone dmz
     set priority 50
    #
    firewall zone vzone
     set priority 0
    #
    firewall zone name dianxin
     set priority 4
     add interface GigabitEthernet0/0/0
    #
    firewall zone name yidong
     s...                                  (dump cut off here in the source)

Two things in the dump are worth a second look beyond the exercise itself: every interzone pair on the box, not just the two ISP zones, runs with packet-filter default permit in both directions (only local-untrust inbound appears in this copy), and web-manager enable leaves the web management interface switched on alongside telnet.