Huawei USG Firewall Configuration
(The source copy of this note lost its IP address and mask operands; those positions are left blank in the commands below.)

1. Security zones

Internal network: add GigabitEthernet0/0/1 to the Trust zone
    [USG5300] firewall zone trust
    [USG5300-zone-trust] add interface GigabitEthernet0/0/1

External network: add GigabitEthernet0/0/2 to the Untrust zone
    [USG5300] firewall zone untrust
    [USG5300-zone-untrust] add interface GigabitEthernet0/0/2

DMZ: add GigabitEthernet0/0/3 to the DMZ zone
    [USG5300] firewall zone dmz
    [USG5300-zone-dmz] add interface GigabitEthernet0/0/3
    [USG5300-zone-dmz] quit

Trust-Untrust interzone: allow internal users to reach the Internet
policy 1: permit packets whose source address is in the given internal network segment
    [USG5300] policy interzone trust untrust outbound
    [USG5300-policy-interzone-trust-untrust-outbound] policy 1
    [USG5300-policy-interzone-trust-untrust-outbound-1] policy source
    [USG5300-policy-interzone-trust-untrust-outbound-1] action permit
    [USG5300-policy-interzone-trust-untrust-outbound-1] quit

To let every internal address reach the Internet instead, use the following command (required in that case):
    [USG2100] firewall packet-filter default permit interzone trust untrust direction outbound

DMZ-Untrust interzone: reach internal servers from the Internet
policy 2: permit packets to the given destination address with destination port 21
policy 3: permit packets to the given destination address with destination port 8080
    [USG5300] policy interzone untrust dmz inbound
    [USG5300-policy-interzone-dmz-untrust-inbound] policy 2
    [USG5300-policy-interzone-dmz-untrust-inbound-2] policy destination
    [USG5300-policy-interzone-dmz-untrust-inbound-2] policy service service-set ftp
    [USG5300-policy-interzone-dmz-untrust-inbound-2] action permit
    [USG5300-policy-interzone-dmz-untrust-inbound-2] quit
    [USG5300-policy-interzone-dmz-untrust-inbound] policy 3
    [USG5300-policy-interzone-dmz-untrust-inbound-3] policy destination
    [USG5300-policy-interzone-dmz-untrust-inbound-3] policy service service-set http
    [USG5300-policy-interzone-dmz-untrust-inbound-3] action permit
    [USG5300-policy-interzone-dmz-untrust-inbound-3] quit
    [USG5300-policy-interzone-dmz-untrust-inbound] quit

Note that the predefined service-set http matches TCP port 80; for a server listening on port 8080 a custom service-set for that port is needed, otherwise policy 3 will not match the traffic described.

Configure the internal servers (NAT server):
    system-view
    [USG5300] nat server protocol tcp global  inside  www
    [USG5300] nat server protocol tcp global  ftp inside  ftp

2. NAT policy via the public-network interface (Easy IP): create a NAT policy between the Trust and Untrust zones, define the source address range to be translated, and bind it to the external interface GigabitEthernet0/0/4.
    [USG] nat-policy interzone trust untrust outbound
    [USG-nat-policy-interzone-trust-untrust-outbound] policy 0
    [USG-nat-policy-interzone-trust-untrust-outbound-0] policy source
    [USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
    [USG-nat-policy-interzone-trust-untrust-outbound-0] easy-ip GigabitEthernet 0/0/4
    [USG-nat-policy-interzone-trust-untrust-outbound-0] quit

3. Enable NAT directly on an interface. When the NAT is for internal users reaching the Internet, it must be enabled on the internal interface:
    [USG-GigabitEthernet0/0/0] nat enable

2.10 Configure policy-based routing

Requirement: traffic from one internal segment leaves through one next hop and traffic from the other segment through the other next hop.

1. Create the ACLs
    acl number 3000
    rule 1 permit ip source
    acl number 3001
    rule 1 permit ip source

2. Create the policy-based route
    policy-based-route internet permit node 0
    if-match acl 3000
    apply ip-address next-hop
    policy-based-route internet permit node 1
    if-match acl 3001
    apply ip-address next-hop

3. Apply the policy-based route to the inbound (internal) interface
    ip policy-based-route internet

4. Configure the default routes. When policy-based routing is configured, detailed routes are not needed.
    ip route-static
    ip route-static

Check the configuration:
    display policy-based-route
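As an added example that is not part of the original note, the following Python script audits a configuration written in the form of the interzone policy and NAT server commands above. It parses wildcard-addressed policy source/destination lines, flags a default-permit packet filter and any inbound permit that lacks a destination or service restriction, and checks that every nat server mapping is covered by an untrust-to-dmz permit policy (a mapping with no matching policy is unreachable, and a permit without a service-set exposes every port on the host). The sample configuration, its addresses (RFC 5737 and RFC 1918 ranges) and the extra 8080 mapping are constructed; the parser handles only the command forms that appear in this note.

```python
"""Audit a Huawei USG-style interzone policy / nat server configuration.

Constructed example, not code from the original note. The parser covers
only the command forms shown in the note; all addresses are made up.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in display-current-configuration style (no prompts).
SAMPLE_CONFIG = """\
firewall zone trust
 add interface GigabitEthernet0/0/1
firewall zone untrust
 add interface GigabitEthernet0/0/2
firewall zone dmz
 add interface GigabitEthernet0/0/3
nat server protocol tcp global 203.0.113.10 www inside 192.168.10.5 www
nat server protocol tcp global 203.0.113.10 ftp inside 192.168.10.6 ftp
nat server protocol tcp global 203.0.113.10 8080 inside 192.168.10.7 8080
policy interzone trust untrust outbound
 policy 1
  policy source 192.168.1.0 0.0.0.255
  action permit
policy interzone untrust dmz inbound
 policy 2
  policy destination 192.168.10.6 0
  policy service service-set ftp
  action permit
 policy 3
  policy destination 192.168.10.5 0
  action permit
firewall packet-filter default permit interzone trust untrust direction outbound
"""


@dataclass
class Rule:
    interzone: str                      # e.g. "untrust dmz inbound"
    number: int
    sources: list = field(default_factory=list)
    destinations: list = field(default_factory=list)
    services: list = field(default_factory=list)
    action: str = ""


def wildcard_to_network(addr, wildcard):
    """Huawei wildcard: 0 bits must match; "0" alone means a single host."""
    wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:          # only contiguous low bits are accepted here
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def parse(config):
    """Return (policy rules, nat server mappings, default-permit lines)."""
    rules, nat_servers, defaults = [], [], []
    current, interzone = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("policy interzone "):
            interzone, current = line[len("policy interzone "):], None
        elif re.fullmatch(r"policy \d+", line):
            current = Rule(interzone, int(line.split()[1]))
            rules.append(current)
        elif line.startswith("policy source ") and current:
            _, _, addr, wc = line.split()
            current.sources.append(wildcard_to_network(addr, wc))
        elif line.startswith("policy destination ") and current:
            _, _, addr, wc = line.split()
            current.destinations.append(wildcard_to_network(addr, wc))
        elif line.startswith("policy service service-set ") and current:
            current.services.append(line.split()[-1])
        elif line.startswith("action ") and current:
            current.action = line.split()[1]
        elif line.startswith("nat server "):
            m = re.search(r"global (\S+) (\S+) inside (\S+) (\S+)", line)
            nat_servers.append((m.group(1), m.group(2),
                                ipaddress.ip_address(m.group(3)), m.group(4)))
        elif line.startswith("firewall packet-filter default permit"):
            defaults.append(line)
    return rules, nat_servers, defaults


def audit(config):
    """Return a list of human-readable findings for the configuration."""
    rules, nat_servers, defaults = parse(config)
    findings = []
    for d in defaults:
        findings.append(f"default-permit: '{d}' passes every flow no policy matches")
    for r in rules:
        if r.interzone.endswith("inbound") and r.action == "permit":
            if not r.destinations:
                findings.append(f"policy {r.number} ({r.interzone}): inbound permit with no destination restriction")
            if not r.services:
                findings.append(f"policy {r.number} ({r.interzone}): inbound permit with no service restriction (every port on the host)")
    inbound = [r for r in rules if r.interzone.startswith("untrust dmz") and r.action == "permit"]
    for gaddr, gport, inside, iport in nat_servers:
        covered = any(inside in net for r in inbound for net in r.destinations)
        if not covered:
            findings.append(f"nat server {gaddr}:{gport} -> {inside}:{iport} has no untrust->dmz permit policy; mapping is unreachable")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the default-permit filter, policy 3 as a permit without a service-set, and the 8080 mapping as unreachable; the two mappings that have a matching host policy produce no finding.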
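The policy-based routing steps above leave the matching semantics implicit. The following Python simulation is an added example, not from the original note; it models ACL wildcard matching and first-match node selection with constructed source segments and next hops. It shows that a source matched by no node falls through to ordinary routing (the default route from step 4), and that an over-broad wildcard on node 0 captures the second segment too, so node 1 is never selected.

```python
"""Simulate Huawei-style policy-based routing: ACL wildcard matching and
first-match node selection. Constructed example, not from the original note;
the segments, ACL contents and next hops below are made up."""
import ipaddress


def ip_int(s):
    return int(ipaddress.IPv4Address(s))


def acl_rule_matches(rule, src):
    """rule = (action, address, wildcard). Wildcard 1-bits are 'don't care'."""
    action, addr, wildcard = rule
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(src) & care) == (ip_int(addr) & care)


def acl_decision(acl, src):
    """Return 'permit', 'deny', or None when no rule matches (ACL does not match)."""
    for rule in acl:
        if acl_rule_matches(rule, src):
            return rule[0]
    return None


def select_next_hop(pbr_nodes, acls, src, default_next_hop):
    """Walk PBR nodes in node-number order; the first node whose if-match ACL
    permits the source applies its next hop. No match falls through to the
    ordinary routing table, represented here by the default route's next hop."""
    for node_number, node_action, acl_number, next_hop in sorted(pbr_nodes):
        if acl_decision(acls[acl_number], src) == "permit":
            if node_action == "permit":
                return next_hop
            return default_next_hop        # a 'deny' node exits PBR: normal routing
    return default_next_hop


# Constructed configuration mirroring the note's structure:
# acl 3000 / 3001 select the two internal segments; node 0 / node 1 set next hops.
ACLS = {
    3000: [("permit", "192.168.1.0", "0.0.0.255")],
    3001: [("permit", "192.168.2.0", "0.0.0.255")],
}
PBR_NODES = [
    # (node number, node action, if-match acl, apply ip-address next-hop)
    (0, "permit", 3000, "203.0.113.1"),
    (1, "permit", 3001, "198.51.100.1"),
]
DEFAULT_NEXT_HOP = "203.0.113.1"           # ip route-static default route


def route(src):
    """Next hop chosen for a packet from src under the constructed config."""
    return select_next_hop(PBR_NODES, ACLS, src, DEFAULT_NEXT_HOP)


if __name__ == "__main__":
    for src in ("192.168.1.20", "192.168.2.20", "192.168.3.20"):
        print(src, "->", route(src))
```

Swapping ACL 3000 for `permit ip source 192.168.0.0 0.0.255.255` makes node 0 match both segments, which is the kind of wildcard mistake `display policy-based-route` will not reveal but the simulation does.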