【网工】华为配置专题进阶篇④

目录

■防火墙配置

▲实验

---

---

■防火墙配置

▲实验

配置要求

①防火墙接口的IP地址如拓扑所示，将接口划入相应的安全区域。

②内网主机PC1可以主动访问Internet，但Internet无法主动访问PC1。

③出口防火墙进行NAT，NAT公网地址池100.1.1.10-100.1.1.20。

④Internet可以通过公网地址100.1.1.100/24访问目的地址为192.168.2.100/24 的内部Web服务。

• Internet

<Huawei>system-view

[Huawei]sysname Internet

[Internet]interface GigabitEthernet 0/0/0

[Internet-GigabitEthernet0/0/0]ip add 100.1.1.2 24

[Internet-GigabitEthernet0/0/0]quit

[Internet]

• Firewall

<USG6000V1>system-view

[USG6000V1]]sysname Firewall

[Firewall]

[Firewall]interface GigabitEthernet 1/0/1

[Firewall-GigabitEthernet1/0/1]ip address 192.168.1.254 24

[Firewall-GigabitEthernet1/0/1]quit

[Firewall] linterface GigabitEthernet 1/0/2

[Firewall-GigabitEthernet1/0/2]ip address 192.168.2.254 24

[Firewall-GigabitEthernet1/0/2]quit

[Firewall] interface GigabitEthernet 1/0/3

[Firewall-GigabitEthernet1/0/3]ip address 100.1.1.1 24

[Firewall-GigabitEthernet1/0/3]quit

[Firewall]

[Firewall]firewall zone untrust 

[Firewall-zone-untrust]add interface GigabitEthernet 1/0/3

[Firewall-zone-untrust]quit

[Firewall]

[Firewall]firewall zone trust

[Firewall-zone-trust]add interface GigabitEthernet 1/0/1

[Firewall-zone-trust]quit

[Firewall]firewall zone dmz

[Firewall-zone-dmz] add interface GigabitEthernet 1/0/2

[Firewall-zone-dmz]quit

[Firewall]

[Firewall]security-policy

[Firewall-policy-security]rule name trust_to_untrust

[Firewall-policy-security-rule-trust_to_untrust]source-zone trust

[Firewall-policy-security-rule-trust_to_untrust]destination-zone untrust

[Firewall-policy-security-rule-trust_to_untrust]source-address 192.168.1.0 24

[Firewall-policy-security-rule-trust_to_untrust]destination-address any

[Firewall-policy-security-rule-trust_to_untrust]action permit

[Firewall-policy-security-rule-trust_to_untrust]quit

[Firewall]

# 配置NAT地址池，开启端口转换。

[Firewall] nat address-group addressgroupl

[Firewall-address-qroup-addressgroup1]mode pat

[Firewall-address-group-addressgroupl]section 0 100.1.1.10 100.1.1.20 

[Firewall-address-group-addresagroupl]quit

[Firewall]

# 配置源NAT策略1，实现私网指定网段访问Internet时自动进行源地址转换。[Firewall] nat-policy

[Firewall-policy-nat] rule name policy_natl

[Firewall-policy-nat-rule-policy natl] source-zone trust

[Firewall-policy-nat-rule-policy natl] destination-zone untrust

[Firewall-policy-nat-rule-policy natl] source-address 192.168.1.0 24

[Firewall-policy-nat-rule-policy natl] destination-address any

[Firewall-policy-nat-rule-policy natl] action source-nat address-group addressgroup1

[Firewall]security-policy

[Firewall-policy-security]rule name trust_to_dmz

[Firewall-policy-security-rule-trust_to_dmz]source-zone trust

[Firewall-policy-security-rule-trust_to_dmz]destination-zone dmz

[Firewall-policy-security-rule-trust_to_dmz]action permit

[Firewall-policy-security-rule-trust_to_dmz]quit

# 配置NAT Server功能，把内网Web服务映射到公网地址。

[Firewall] nat server policy_web protocol tcp global 100.1.1.100 80 inside 192.168.2.100 80

[Firewall] display firewall session table

[Firewall]security-policy

[Firewall-policy-security]rule name untrust_to_dmz

[Firewall-policy-security-rule-untrust_to_dmz]source-zone untrust

[Firewall-policy-security-rule-untrust_to_dmz]destination-zone dmz

[Firewall-policy-security-rule-untrust_to_dmz]destination-address 192.168.2.100 32

[Firewall-policy-security-rule-untrust_to_dmz]action permit

至此，本文的内容就结束了。