华为防火墙USG配置.docx

《华为防火墙USG配置.docx》由会员分享，可在线阅读，更多相关《华为防火墙USG配置.docx（4页珍藏版）》请在得力文库 - 分享文档赚钱的网站上搜索。

1、精选优质文档-倾情为你奉上内网：配置GigabitEthernet 0/0/1加入Trust区域USG5300 firewall zone trustUSG5300-zone-untrust add interface GigabitEthernet 0/0/1外网：配置GigabitEthernet 0/0/2加入Untrust区域USG5300 firewall zone untrustUSG5300-zone-untrust add interface GigabitEthernet 0/0/2DMZ：USG5300 firewall zone dmzUSG5300-zone-untru

2、st add interface GigabitEthernet 0/0/3USG5300-zone-untrust quit1.4.1 Trust和Untrust域间：允许内网用户访问公网policy 1：允许源地址为10.10.10.0/24的网段的报文通过USG5300 policy interzone trust untrust outboundUSG5300-policy-interzone-trust-untrust-outbound policy 1USG5300-policy-interzone-trust-untrust-outbound-1 policy source 10

3、.10.10.0 0.0.0.255 USG5300-policy-interzone-trust-untrust-outbound-1 action permitUSG5300-policy-interzone-trust-untrust-outbound-1 quit如果是允许所有的内网地址上公网可以用以下命令：USG2100firewall packet-filter default permit interzone trust untrust direction outbound /必须1.4.2 DMZ和Untrust域间：从公网访问内部服务器policy 2：允许目的地址为10.1

4、0.11.2，目的端口为21的报文通过policy 3：允许目的地址为10.10.11.3，目的端口为8080的报文通过USG5300 policy interzone untrust dmz inboundUSG5300-policy-interzone-dmz-untrust-inbound policy 2USG5300-policy-interzone-dmz-untrust-inbound-2 policy destination 10.10.11.3 0USG5300-policy-interzone-dmz-untrust-inbound-2 policy service ser

5、vice-set ftpUSG5300-policy-interzone-dmz-untrust-inbound-2 action permitUSG5300-policy-interzone-dmz-untrust-inbound-2 quitUSG5300-policy-interzone-dmz-untrust-inbound policy 3USG5300-policy-interzone-dmz-untrust-inbound-3 policy destination 10.10.11.2 0USG5300-policy-interzone-dmz-untrust-inbound-3

6、 policy service service-set httpUSG5300-policy-interzone-dmz-untrust-inbound-3 action permitUSG5300-policy-interzone-dmz-untrust-inbound-3 quitUSG5300-policy-interzone-dmz-untrust-inbound quit配置内部服务器： system-viewUSG5300 nat server protocol tcp global 220.10.10.16 8080 inside 10.10.11.2 wwwUSG5300 na

7、t server protocol tcp global 220.10.10.17 ftp inside 10.10.11.3 ftpNAT2、通过公网接口的方式创建Trust区域和Untrust区域之间的NAT策略，确定进行NAT转换的源地址范围192.168.1.0/24网段，并且将其与外网接口GigabitEthernet 0/0/4进行绑定。USG nat-policy interzone trust untrust outboundUSG-nat-policy-interzone-trust-untrust-outbound policy 0USG-nat-policy-interz

8、one-trust-untrust-outbound-0 policy source 192.168.1.0 0.0.0.255USG-nat-policy-interzone-trust-untrust-outbound-0 action source-natUSG-nat-policy-interzone-trust-untrust-outbound-0 easy-ip GigabitEthernet 0/0/4 USG-nat-policy-interzone-trust-untrust-outbound-0 quit3、直接在接口启用nat如果是针对内网用户上公网做nat，需要在内网接

9、口使用USG-GigabitEthernet0/0/0nat enable2.10 配置策略路由配置要求：10.10.167.0走218.201.135.177，10.10.168.0走58.57.15.53。1、创建aclacl number 3000 rule 1 permit ip source 10.10.167.0 0.0.0.255acl number 3001 rule 1 permit ip source 10.10.168.0 0.0.0.2552、创建策略路由 policy-based-route internet permit node 0 if-match acl 30

10、00 apply ip-address next-hop 218.201.135.177policy-based-route internet permit node 1 if-match acl 3001 apply ip-address next-hop 58.57.15.533、将策略路由引用到入接口（内网口） ip policy-based-route internet4、配置默认路由，配置策略路由的时候不需要配置明细路由。 ip route-static 0.0.0.0 0.0.0.0 218.201.135.177 ip route-static 0.0.0.0 0.0.0.0 58.57.15.53检查配置：dis policy-based-route专心-专注-专业