Internal network: add GigabitEthernet 0/0/1 to the Trust zone
[USG5300] firewall zone trust
[USG5300-zone-trust] add interface GigabitEthernet 0/0/1

External network: add GigabitEthernet 0/0/2 to the Untrust zone
[USG5300] firewall zone untrust
[USG5300-zone-untrust] add interface GigabitEthernet 0/0/2

DMZ: add GigabitEthernet 0/0/3 to the DMZ zone
[USG5300] firewall zone dmz
[USG5300-zone-dmz] add interface GigabitEthernet 0/0/3
[USG5300-zone-dmz] quit

1.4.1 Between the Trust and Untrust zones: allow internal users to access the public network
policy 1: permit packets whose source address is in the 10.10.10.0/24 segment
[USG5300] policy interzone trust untrust outbound
[USG5300-policy-interzone-trust-untrust-outbound] policy 1
[USG5300-policy-interzone-trust-untrust-outbound-1] policy source 10.10.10.0 0.0.0.255
[USG5300-policy-interzone-trust-untrust-outbound-1] action permit
[USG5300-policy-interzone-trust-untrust-outbound-1] quit

If all internal addresses are to be allowed to reach the public network, the following command can be used instead; it is marked as required in that case:
[USG2100] firewall packet-filter default permit interzone trust untrust direction outbound

1.4.2 Between the DMZ and Untrust zones: access internal servers from the public network
policy 2: permit packets whose destination address is 10.10.11.2 and destination port is 21
policy 3: permit packets whose destination address is 10.10.11.3 and destination port is 8080
Note that the commands below assign the two hosts the other way round from these descriptions: like the nat server entries that follow, they put FTP on 10.10.11.3 and HTTP on 10.10.11.2.
[USG5300] policy interzone untrust dmz inbound
[USG5300-policy-interzone-dmz-untrust-inbound] policy 2
[USG5300-policy-interzone-dmz-untrust-inbound-2] policy destination 10.10.11.3 0
[USG5300-policy-interzone-dmz-untrust-inbound-2] policy service service-set ftp
[USG5300-policy-interzone-dmz-untrust-inbound-2] action permit
[USG5300-policy-interzone-dmz-untrust-inbound-2] quit
[USG5300-policy-interzone-dmz-untrust-inbound] policy 3
[USG5300-policy-interzone-dmz-untrust-inbound-3] policy destination 10.10.11.2 0
[USG5300-policy-interzone-dmz-untrust-inbound-3] policy service service-set http
[USG5300-policy-interzone-dmz-untrust-inbound-3] action permit
[USG5300-policy-interzone-dmz-untrust-inbound-3] quit
[USG5300-policy-interzone-dmz-untrust-inbound] quit

Configure the internal servers (from system-view):
system-view
[USG5300] nat server protocol tcp global 220.10.10.16 8080 inside 10.10.11.2 www
[USG5300] nat server protocol tcp global 220.10.10.17 ftp inside 10.10.11.3 ftp

NAT
2. Create a NAT policy between the Trust and Untrust zones using the public-network interface (easy-ip) method: the source address range to be translated is the 192.168.1.0/24 segment, and it is bound to the external interface GigabitEthernet 0/0/4.
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 0
[USG-nat-policy-interzone-trust-untrust-outbound-0] policy source 192.168.1.0 0.0.0.255
[USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-0] easy-ip GigabitEthernet 0/0/4
[USG-nat-policy-interzone-trust-untrust-outbound-0] quit

3. Enable NAT directly on the interface. When NAT is for internal users accessing the public network, it is applied on the internal interface:
[USG-GigabitEthernet0/0/0] nat enable

2.10 Configure policy-based routing
Requirement: traffic from 10.10.167.0 goes via 218.201.135.177, traffic from 10.10.168.0 goes via 58.57.15.53.

1. Create the ACLs
acl number 3000
 rule 1 permit ip source 10.10.167.0 0.0.0.255
acl number 3001
 rule 1 permit ip source 10.10.168.0 0.0.0.255

2. Create the policy-based route
policy-based-route internet permit node 0
 if-match acl 3000
 apply ip-address next-hop 218.201.135.177
policy-based-route internet permit node 1
 if-match acl 3001
 apply ip-address next-hop 58.57.15.53

3. Apply the policy route to the inbound (internal) interface
 ip policy-based-route internet

4. Configure the default routes; when policy routing is configured, detailed routes are not needed.
 ip route-static 0.0.0.0 0.0.0.0 218.201.135.177
 ip route-static 0.0.0.0 0.0.0.0 58.57.15.53

Check the configuration:
dis policy-based-route
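The zone, interzone-policy and nat server commands in sections 1.4.1 and 1.4.2 can be checked against a small model of the decision they produce. The following Python is an added example, not part of the original document or of Huawei's software: it encodes the page's zone membership, policies and nat server entries as data and evaluates a few constructed sample flows. It assumes the USG order of operations in which the nat server translation is applied before the inbound interzone policy is matched (which is why the page's inbound policies name the inside addresses 10.10.11.x rather than 220.10.10.x), that the service sets ftp and http mean tcp/21 and tcp/80, and that unmatched interzone traffic is denied unless a "firewall packet-filter default permit" is configured for that direction.

```python
# Added example (not from the original document): a model of how the USG
# zones, interzone policies and nat server mappings configured on the page
# decide a packet's fate. Sample flows at the bottom are constructed.
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Huawei-style address match: wildcard bits set to 1 are 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (n & ~w)


# service-set name -> (protocol, destination port); assumed meaning of the
# predefined sets the page's policies reference
SERVICE_SETS = {"ftp": ("tcp", 21), "http": ("tcp", 80)}

# interface -> zone, from "firewall zone ..." / "add interface ..."
ZONE_OF_INTERFACE = {
    "GigabitEthernet 0/0/1": "trust",
    "GigabitEthernet 0/0/2": "untrust",
    "GigabitEthernet 0/0/3": "dmz",
}

# nat server: (global ip, global port) -> (inside ip, inside port)
NAT_SERVER = {
    ("220.10.10.16", 8080): ("10.10.11.2", 80),  # ... 8080 inside 10.10.11.2 www
    ("220.10.10.17", 21): ("10.10.11.3", 21),    # ... ftp inside 10.10.11.3 ftp
}

# interzone policies keyed by (source zone, destination zone); each rule is
# (src net, src wildcard, dst net, dst wildcard, service-set or None, action)
POLICIES = {
    ("trust", "untrust"): [  # policy interzone trust untrust outbound
        ("10.10.10.0", "0.0.0.255", None, None, None, "permit"),  # policy 1
    ],
    ("untrust", "dmz"): [  # policy interzone untrust dmz inbound
        (None, None, "10.10.11.3", "0.0.0.0", "ftp", "permit"),   # policy 2
        (None, None, "10.10.11.2", "0.0.0.0", "http", "permit"),  # policy 3
    ],
}


def evaluate(src_ip, dst_ip, proto, dport, in_if, out_if, default="deny"):
    """Return the action applied to one packet crossing from in_if to out_if.

    Destination NAT (nat server) is applied first, so the inbound policy is
    matched against the inside address. `default` models the
    "firewall packet-filter default ..." setting for this zone pair.
    """
    dst_ip, dport = NAT_SERVER.get((dst_ip, dport), (dst_ip, dport))
    key = (ZONE_OF_INTERFACE[in_if], ZONE_OF_INTERFACE[out_if])
    for s_net, s_wc, d_net, d_wc, svc, action in POLICIES.get(key, []):
        if s_net and not wildcard_match(src_ip, s_net, s_wc):
            continue
        if d_net and not wildcard_match(dst_ip, d_net, d_wc):
            continue
        if svc and (proto, dport) != SERVICE_SETS[svc]:
            continue
        return action  # first matching policy wins
    return default  # nothing matched: the default packet filter decides


if __name__ == "__main__":
    trust, untrust, dmz = ("GigabitEthernet 0/0/1",
                           "GigabitEthernet 0/0/2",
                           "GigabitEthernet 0/0/3")
    # constructed sample flows
    print(evaluate("10.10.10.5", "8.8.8.8", "tcp", 443, trust, untrust))   # permit
    print(evaluate("10.10.20.5", "8.8.8.8", "tcp", 443, trust, untrust))   # deny
    print(evaluate("1.2.3.4", "220.10.10.17", "tcp", 21, untrust, dmz))    # permit
    print(evaluate("1.2.3.4", "220.10.10.16", "tcp", 8080, untrust, dmz))  # permit
    print(evaluate("1.2.3.4", "10.10.11.3", "tcp", 80, untrust, dmz))      # deny
```

The model makes two of the page's design points visible: the DMZ policies expose exactly one service per host (an HTTP request to the FTP host is dropped even though the host is reachable), and the "packet-filter default permit" shortcut for trust to untrust removes the source-address restriction of policy 1 entirely, so a host outside 10.10.10.0/24 that is wired into GigabitEthernet 0/0/1 would also be allowed out.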
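For section 2.10, the following Python is an added example, not part of the original document or of Huawei's software: it models how the policy-based route "internet" on the page picks a next hop for a packet arriving on the internal interface, trying nodes in ascending order and checking the referenced ACL, and how traffic that matches no node falls through to the two static default routes. ACL numbers, source segments and next hops are the page's; the sample source addresses are constructed, and the assumption that equal-cost default routes are both candidates for unmatched traffic is labelled in the code.

```python
# Added example (not from the original document): next-hop selection for the
# page's policy-based route "internet" and its default-route fallback.
import ipaddress


def acl_permits(acl_rules, src_ip):
    """Evaluate 'rule N permit ip source NET WILDCARD' entries in order."""
    a = int(ipaddress.ip_address(src_ip))
    for net, wildcard in acl_rules:
        n = int(ipaddress.ip_address(net))
        w = int(ipaddress.ip_address(wildcard))
        if (a & ~w) == (n & ~w):  # wildcard bit 1 = don't care
            return True
    return False


# acl number 3000 / 3001 from the page
ACLS = {
    3000: [("10.10.167.0", "0.0.0.255")],
    3001: [("10.10.168.0", "0.0.0.255")],
}

# policy-based-route internet: (node, acl, next hop); nodes tried ascending
PBR_INTERNET = [
    (0, 3000, "218.201.135.177"),  # node 0: if-match acl 3000
    (1, 3001, "58.57.15.53"),      # node 1: if-match acl 3001
]

# ip route-static 0.0.0.0 0.0.0.0 <next hop>, two entries of equal preference
DEFAULT_NEXT_HOPS = ["218.201.135.177", "58.57.15.53"]


def select_next_hop(src_ip):
    """Return (reason, candidate next hops) for a packet entering the internal interface."""
    for node, acl, next_hop in sorted(PBR_INTERNET):
        if acl_permits(ACLS[acl], src_ip):
            return f"pbr node {node}", [next_hop]
    # No node matched, so the packet takes the ordinary destination-based
    # lookup. Assumption: with two default routes of equal preference both
    # next hops are candidates; which one a given flow gets is up to the device.
    return "routing table", list(DEFAULT_NEXT_HOPS)


if __name__ == "__main__":
    for src in ("10.10.167.25", "10.10.168.9", "10.10.169.1"):  # constructed
        print(src, select_next_hop(src))
```

The fallback branch is the reason step 4 of the page keeps the default routes even though the policy route already names both gateways: any source outside the two ACLs, and any packet that enters on an interface without "ip policy-based-route internet", is forwarded by the routing table alone.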