《华为防火墙usg配置》由会员分享,可在线阅读,更多相关《华为防火墙usg配置(3页珍藏版)》请在金锄头文库上搜索。
1、内网:内网:配置 GigabitEthernet 0/0/1 加入 Trust 区域USG5300 firewallfirewall zonezone trusttrust USG5300-zone-untrust addadd interfaceinterface GigabitEthernetGigabitEthernet 0/0/10/0/1外网:外网:配置 GigabitEthernet 0/0/2 加入 Untrust 区域USG5300 firewallfirewall zonezone untrustuntrust USG5300-zone-untrust addadd inte
2、rfaceinterface GigabitEthernetGigabitEthernet 0/0/20/0/2DMZ:USG5300 firewallfirewall zonezone dmz USG5300-zone-untrust addadd interfaceinterface GigabitEthernetGigabitEthernet 0/0/30/0/3 USG5300-zone-untrust quitquit1.4.11.4.1 TrustTrust 和和 UntrustUntrust 域间域间:允许内网用户访问公网允许内网用户访问公网policy 1:允许源地址为 10.
3、10.10.0/24 的网段的报文通过USG5300 policypolicy interzoneinterzone trusttrust untrustuntrust outboundoutbound USG5300-policy-interzone-trust-untrust-outbound policypolicy 1 1 USG5300-policy-interzone-trust-untrust-outbound-1 policypolicy sourcesource 10.10.10.010.10.10.0 0.0.0.2550.0.0.255 USG5300-policy-in
4、terzone-trust-untrust-outbound-1 actionaction permitpermit USG5300-policy-interzone-trust-untrust-outbound-1 quitquit 如果是允许所有的内网地址上公网可以用以下命令:如果是允许所有的内网地址上公网可以用以下命令: USG2100firewall packet-filter default permit interzone trust untrust direction outbound /必 须1.4.2 DMZ 和和 Untrust 域间:从公网访问内部服务器域间:从公网访问内
5、部服务器policy 2:允许目的地址为 10.10.11.2,目的端口为 21 的报文通过 policy 3:允许目的地址为 10.10.11.3,目的端口为 8080 的报文通过 USG5300 policy interzone untrust dmz inbound USG5300-policy-interzone-dmz-untrust-inbound policy 2 USG5300-policy-interzone-dmz-untrust-inbound-2 policy destination 10.10.11.3 0 USG5300-policy-interzone-dmz-u
6、ntrust-inbound-2 policy service service-set ftp USG5300-policy-interzone-dmz-untrust-inbound-2 action permit USG5300-policy-interzone-dmz-untrust-inbound-2 quit USG5300-policy-interzone-dmz-untrust-inbound policy 3 USG5300-policy-interzone-dmz-untrust-inbound-3 policy destination 10.10.11.2 0 USG530
7、0-policy-interzone-dmz-untrust-inbound-3 policy service service-set httpUSG5300-policy-interzone-dmz-untrust-inbound-3 action permit USG5300-policy-interzone-dmz-untrust-inbound-3 quit USG5300-policy-interzone-dmz-untrust-inbound quit配置内部服务器:配置内部服务器:system-viewsystem-viewUSG5300 natnat serverserver
8、protocolprotocol tcptcp globalglobal 220.10.10.16220.10.10.16 80808080 insideinside 10.10.11.210.10.11.2 wwwwww USG5300 natnat serverserver protocolprotocol tcptcp globalglobal 220.10.10.17220.10.10.17 ftpftp insideinside 10.10.11.310.10.11.3 ftpftpNATNAT2、通过公网接口的方式、通过公网接口的方式 创建 Trust 区域和 Untrust 区域
9、之间的 NAT 策略,确定进行 NAT 转换的源地址范围 192.168.1.0/24 网段,并且将其与外网接口 GigabitEthernet 0/0/4 进行绑定。USG nat-policynat-policy interzoneinterzone trusttrust untrustuntrust outboundoutbound USG-nat-policy-interzone-trust-untrust-outbound policypolicy 0 0 USG-nat-policy-interzone-trust-untrust-outbound-0 policypolicy s
10、ourcesource 192.168.1.0192.168.1.0 0.0.0.2550.0.0.255 USG-nat-policy-interzone-trust-untrust-outbound-0 actionaction source-natsource-nat USG-nat-policy-interzone-trust-untrust-outbound-0 easy-ipeasy-ip GigabitEthernetGigabitEthernet 0/0/40/0/4 USG-nat-policy-interzone-trust-untrust-outbound-0 quitq
11、uit 3、直接在接口启用、直接在接口启用 nat 如果是针对内网用户上公网做 nat,需要在内网接口使用USG-GigabitEthernet0/0/0natnat enableenable2.102.10 配置策略路由配置策略路由配置要求:10.10.167.0 走 218.201.135.177,10.10.168.0 走 58.57.15.53。 1、创建 aclacl number 3000rule 1 permit ip source 10.10.167.0 0.0.0.255 acl number 3001rule 1 permit ip source 10.10.168.0 0
12、.0.0.2552、创建策略路由 policy-based-route internet permit node 0if-match acl 3000apply ip-address next-hop 218.201.135.177 policy-based-route internet permit node 1if-match acl 3001apply ip-address next-hop 58.57.15.533、将策略路由引用到入接口(内网口)ip policy-based-route internet4、配置默认路由,配置策略路由的时候不需要配置明细路由。ip route-static 0.0.0.0 0.0.0.0 218.201.135.177ip route-static 0.0.0.0 0.0.0.0 58.57.15.53检查配置:dis policy-based-route
