【网工】华为配置专题进阶篇④

目录

■防火墙配置

▲实验



■防火墙配置

▲实验

配置要求

①防火墙接口的IP地址如拓扑所示,将接口划入相应的安全区域

②内网主机PC1可以主动访问Internet,但Internet无法主动访问PC1。

③出口防火墙进行NAT,NAT公网地址池100.1.1.10 - 100.1.1.20

④Internet可以通过公网地址100.1.1.100/24访问目的地址为192.168.2.100/24 的内部Web服务。

  • Internet

<Huawei>system-view

Huaweisysname Internet

Internetinterface GigabitEthernet 0/0/0

Internet-GigabitEthernet0/0/0ip add 100.1.1.2 24

Internet-GigabitEthernet0/0/0quit

Internet

  • Firewall

<USG6000V1>system-view

USG6000V1]sysname Firewall

Firewall

Firewallinterface GigabitEthernet 1/0/1

Firewall-GigabitEthernet1/0/1ip address 192.168.1.254 24

Firewall-GigabitEthernet1/0/1quit

Firewall linterface GigabitEthernet 1/0/2

Firewall-GigabitEthernet1/0/2ip address 192.168.2.254 24

Firewall-GigabitEthernet1/0/2quit

Firewall interface GigabitEthernet 1/0/3

Firewall-GigabitEthernet1/0/3ip address 100.1.1.1 24

Firewall-GigabitEthernet1/0/3quit

Firewall

Firewallfirewall zone untrust

Firewall-zone-untrustadd interface GigabitEthernet 1/0/3

Firewall-zone-untrustquit

Firewall

Firewallfirewall zone trust

Firewall-zone-trustadd interface GigabitEthernet 1/0/1

Firewall-zone-trustquit

Firewallfirewall zone dmz

Firewall-zone-dmz add interface GigabitEthernet 1/0/2

Firewall-zone-dmzquit

Firewall

Firewallsecurity-policy

Firewall-policy-securityrule name trust_to_untrust

Firewall-policy-security-rule-trust_to_untrustsource-zone trust

Firewall-policy-security-rule-trust_to_untrustdestination-zone untrust

Firewall-policy-security-rule-trust_to_untrustsource-address 192.168.1.0 24

Firewall-policy-security-rule-trust_to_untrustdestination-address any

Firewall-policy-security-rule-trust_to_untrustaction permit

Firewall-policy-security-rule-trust_to_untrustquit

Firewall

配置NAT地址池,开启端口转换。

Firewallnat addr e ss- g roup addressgroupl

Firewall-address-qroup-addressgroup1mode pat

Firewall-address-group-addressgrouplsection 0 100.1.1.10 100.1.1.20

Firewall-address-group-addresagrouplquit

Firewall

配置源NAT策略1,实现私网指定网段访问Internet时自动进行源地址转换。

Firewall nat-policy

Firewall-policy-nat rule name policy_natl

Firewall-policy-nat-rule-policy natlsource-zone trust

Firewall-policy-nat-rule-policy natl destination-zone untrust

Firewall-policy-nat-rule-policy natl source-address192.168.1.0 24

Firewall-policy-nat-rule-policy natl destination-address any

Firewall-policy-nat-rule-policy natl action source-nat address-group addressgroup1

Firewallsecurity-policy

Firewall-policy-securityrule name trust_to_dmz

Firewall-policy-security-rule-trust_to_dmzsource-zone trust

Firewall-policy-security-rule-trust_to_dmzdestination-zone dmz

Firewall-policy-security-rule-trust_to_dmzaction permit

Firewall-policy-security-rule-trust_to_dmzquit

配置NAT Server功能,把内网Web服务映射到公网地址。

Firewall nat server policy_web protocol tcp globa l 100.1.1.100 80 inside 192.168.2.100 80

Firewalldisplay firewall session table

Firewallsecurity-policy

Firewall-policy-securityrule name untrust_to_dmz

Firewall-policy-security-rule-untrust_to_dmzsource-zone untrust

Firewall-policy-security-rule-untrust_to_dmzdestination-zone dmz

Firewall-policy-security-rule-untrust_to_dmzdestination-address 192.168.2.100 32

Firewall-policy-security-rule-untrust_to_dmzaction permit

至此,本文的内容就结束了。

相关推荐
●VON6 小时前
HarmonyKit | 时间戳转换:自动识别秒/毫秒与双向转换器实现
华为·harmonyos·鸿蒙
国服第二切图仔7 小时前
HarmonyOS APP《画伴梦工厂》开发第44篇-页面路由注册与动态加载——main_pages配置
深度学习·华为·harmonyos
我是小a9 小时前
「财务管家」智能记账应用:HarmonyOS NEXT 页面布局设计与实现详解
华为·harmonyos·鸿蒙·鸿蒙系统
心中有国也有家12 小时前
使用 DevEco Studio 配置 Flutter 鸿蒙签名
学习·flutter·华为·harmonyos
爱吃大芒果12 小时前
鸿蒙 ArkTS 网络工程进阶:@ohos.net.http 模块下的长连接、超时与防内存泄漏实战
华为·harmonyos
FrameNotWork13 小时前
HarmonyOS 6.0 沉浸式状态栏与安全区域适配实战
华为·harmonyos
绝世番茄13 小时前
鸿蒙原生ArkTS布局方式之Stack+Opacity叠加淡入淡出深度解析
华为·harmonyos·鸿蒙
心中有国也有家13 小时前
鸿蒙Flutter开发环境从零搭建教程(Windows/macOS双平台·避坑版)
学习·flutter·华为·harmonyos
国服第二切图仔13 小时前
HarmonyOS APP《画伴梦工厂》开发第43篇-多模块架构设计——模块拆分与依赖管理
华为·harmonyos
fei_sun15 小时前
开放最短路径优先OSPF----基于链路状态
网络