【网工】华为配置专题进阶篇④

■防火墙配置

▲实验

配置要求

①防火墙接口的IP地址如拓扑所示，将接口划入相应的安全区域。

②内网主机PC1可以主动访问Internet，但Internet无法主动访问PC1。

③出口防火墙进行NAT，NAT公网地址池100.1.1.10 - 100.1.1.20。

④Internet可以通过公网地址100.1.1.100/24访问目的地址为192.168.2.100/24 的内部Web服务。

Internet

<Huawei>system-view

$Huawei$ sysname Internet

$Internet$ interface GigabitEthernet 0/0/0

$Internet-GigabitEthernet0/0/0$ ip add 100.1.1.2 24

$Internet-GigabitEthernet0/0/0$ quit
$Internet$

Firewall

<USG6000V1>system-view

$USG6000V1$ ]sysname Firewall
$Firewall$
$Firewall$ interface GigabitEthernet 1/0/1

$Firewall-GigabitEthernet1/0/1$ ip address 192.168.1.254 24

$Firewall-GigabitEthernet1/0/1$ quit

$Firewall$ linterface GigabitEthernet 1/0/2

$Firewall-GigabitEthernet1/0/2$ ip address 192.168.2.254 24

$Firewall-GigabitEthernet1/0/2$ quit

$Firewall$ interface GigabitEthernet 1/0/3

$Firewall-GigabitEthernet1/0/3$ ip address 100.1.1.1 24

$Firewall-GigabitEthernet1/0/3$ quit
$Firewall$
$Firewall$ firewall zone untrust

$Firewall-zone-untrust$ add interface GigabitEthernet 1/0/3

$Firewall-zone-untrust$ quit
$Firewall$
$Firewall$ firewall zone trust

$Firewall-zone-trust$ add interface GigabitEthernet 1/0/1

$Firewall-zone-trust$ quit

$Firewall$ firewall zone dmz

$Firewall-zone-dmz$ add interface GigabitEthernet 1/0/2

$Firewall-zone-dmz$ quit
$Firewall$
$Firewall$ security-policy

$Firewall-policy-security$ rule name trust_to_untrust

$Firewall-policy-security-rule-trust_to_untrust$ source-zone trust

$Firewall-policy-security-rule-trust_to_untrust$ destination-zone untrust

$Firewall-policy-security-rule-trust_to_untrust$ source-address 192.168.1.0 24

$Firewall-policy-security-rule-trust_to_untrust$ destination-address any

$Firewall-policy-security-rule-trust_to_untrust$ action permit

$Firewall-policy-security-rule-trust_to_untrust$ quit
$Firewall$
配置NAT地址池，开启端口转换。

$Firewall$ nat addr e ss- g roup addressgroupl

$Firewall-address-qroup-addressgroup1$ mode pat

$Firewall-address-group-addressgroupl$ section 0 100.1.1.10 100.1.1.20

$Firewall-address-group-addresagroupl$ quit
$Firewall$
配置源NAT策略1，实现私网指定网段访问Internet时自动进行源地址转换。

$Firewall$ nat-policy

$Firewall-policy-nat$ rule name policy_natl

$Firewall-policy-nat-rule-policy natl$ source-zone trust

$Firewall-policy-nat-rule-policy natl$ destination-zone untrust

$Firewall-policy-nat-rule-policy natl$ source-address192.168.1.0 24

$Firewall-policy-nat-rule-policy natl$ destination-address any

$Firewall-policy-nat-rule-policy natl$ action source-nat address-group addressgroup1

$Firewall$ security-policy

$Firewall-policy-security$ rule name trust_to_dmz

$Firewall-policy-security-rule-trust_to_dmz$ source-zone trust

$Firewall-policy-security-rule-trust_to_dmz$ destination-zone dmz

$Firewall-policy-security-rule-trust_to_dmz$ action permit

$Firewall-policy-security-rule-trust_to_dmz$ quit

配置NAT Server功能，把内网Web服务映射到公网地址。

$Firewall$ nat server policy_web protocol tcp globa l 100.1.1.100 80 inside 192.168.2.100 80

$Firewall$ display firewall session table

$Firewall$ security-policy

$Firewall-policy-security$ rule name untrust_to_dmz

$Firewall-policy-security-rule-untrust_to_dmz$ source-zone untrust

$Firewall-policy-security-rule-untrust_to_dmz$ destination-zone dmz

$Firewall-policy-security-rule-untrust_to_dmz$ destination-address 192.168.2.100 32

$Firewall-policy-security-rule-untrust_to_dmz$ action permit

至此，本文的内容就结束了。