Contents
■ Firewall configuration
▲ Lab

Configuration requirements
① Firewall interface IP addresses are as shown in the topology; assign each interface to the appropriate security zone.
② The internal host PC1 can initiate connections to the Internet, but the Internet cannot initiate connections to PC1.
③ The egress firewall performs NAT, using the public NAT address pool 100.1.1.10 - 100.1.1.20.
④ The Internet can reach the internal Web service at 192.168.2.100/24 through the public address 100.1.1.100/24.
- Internet

```
<Huawei> system-view
[Huawei] sysname Internet
[Internet] interface GigabitEthernet 0/0/0
[Internet-GigabitEthernet0/0/0] ip address 100.1.1.2 24
[Internet-GigabitEthernet0/0/0] quit
```
- Firewall

Configure the interface addresses:

```
<USG6000V1> system-view
[USG6000V1] sysname Firewall
[Firewall] interface GigabitEthernet 1/0/1
[Firewall-GigabitEthernet1/0/1] ip address 192.168.1.254 24
[Firewall-GigabitEthernet1/0/1] quit
[Firewall] interface GigabitEthernet 1/0/2
[Firewall-GigabitEthernet1/0/2] ip address 192.168.2.254 24
[Firewall-GigabitEthernet1/0/2] quit
[Firewall] interface GigabitEthernet 1/0/3
[Firewall-GigabitEthernet1/0/3] ip address 100.1.1.1 24
[Firewall-GigabitEthernet1/0/3] quit
```

Assign the interfaces to security zones (GE1/0/3 faces the Internet, GE1/0/1 the internal LAN, GE1/0/2 the DMZ):

```
[Firewall] firewall zone untrust
[Firewall-zone-untrust] add interface GigabitEthernet 1/0/3
[Firewall-zone-untrust] quit
[Firewall] firewall zone trust
[Firewall-zone-trust] add interface GigabitEthernet 1/0/1
[Firewall-zone-trust] quit
[Firewall] firewall zone dmz
[Firewall-zone-dmz] add interface GigabitEthernet 1/0/2
[Firewall-zone-dmz] quit
```
Configure a security policy permitting hosts in 192.168.1.0/24 (trust) to reach the untrust zone. No untrust-to-trust rule is created, so inter-zone traffic initiated from the Internet toward PC1 falls through to the default deny; return traffic for sessions PC1 opened is allowed by the session table, which satisfies requirement ②:

```
[Firewall] security-policy
[Firewall-policy-security] rule name trust_to_untrust
[Firewall-policy-security-rule-trust_to_untrust] source-zone trust
[Firewall-policy-security-rule-trust_to_untrust] destination-zone untrust
[Firewall-policy-security-rule-trust_to_untrust] source-address 192.168.1.0 24
[Firewall-policy-security-rule-trust_to_untrust] destination-address any
[Firewall-policy-security-rule-trust_to_untrust] action permit
[Firewall-policy-security-rule-trust_to_untrust] quit
[Firewall-policy-security] quit
```
Configure the NAT address pool and enable port translation (PAT), so that many internal hosts can share the eleven pool addresses:

```
[Firewall] nat address-group addressgroup1
[Firewall-address-group-addressgroup1] mode pat
[Firewall-address-group-addressgroup1] section 0 100.1.1.10 100.1.1.20
[Firewall-address-group-addressgroup1] quit
```
Configure source NAT policy 1, so that the specified private subnet is automatically source-translated when it accesses the Internet:

```
[Firewall] nat-policy
[Firewall-policy-nat] rule name policy_nat1
[Firewall-policy-nat-rule-policy_nat1] source-zone trust
[Firewall-policy-nat-rule-policy_nat1] destination-zone untrust
[Firewall-policy-nat-rule-policy_nat1] source-address 192.168.1.0 24
[Firewall-policy-nat-rule-policy_nat1] destination-address any
[Firewall-policy-nat-rule-policy_nat1] action source-nat address-group addressgroup1
[Firewall-policy-nat-rule-policy_nat1] quit
[Firewall-policy-nat] quit
```

Permit the internal LAN to reach the DMZ:

```
[Firewall] security-policy
[Firewall-policy-security] rule name trust_to_dmz
[Firewall-policy-security-rule-trust_to_dmz] source-zone trust
[Firewall-policy-security-rule-trust_to_dmz] destination-zone dmz
[Firewall-policy-security-rule-trust_to_dmz] action permit
[Firewall-policy-security-rule-trust_to_dmz] quit
[Firewall-policy-security] quit
```

Configure NAT Server to map the internal Web service to the public address:

```
[Firewall] nat server policy_web protocol tcp global 100.1.1.100 80 inside 192.168.2.100 80
```

Permit the Internet to reach the published Web server. On the USG the NAT Server translation is applied before the security-policy lookup, so the destination address in this rule must be the private address 192.168.2.100, not the public 100.1.1.100. As written the rule permits every protocol and port to that host; since only TCP/80 is published, it can be tightened further with `service http` inside the rule:

```
[Firewall] security-policy
[Firewall-policy-security] rule name untrust_to_dmz
[Firewall-policy-security-rule-untrust_to_dmz] source-zone untrust
[Firewall-policy-security-rule-untrust_to_dmz] destination-zone dmz
[Firewall-policy-security-rule-untrust_to_dmz] destination-address 192.168.2.100 32
[Firewall-policy-security-rule-untrust_to_dmz] action permit
[Firewall-policy-security-rule-untrust_to_dmz] quit
[Firewall-policy-security] quit
```

After generating traffic from PC1 to the Internet and from the Internet to 100.1.1.100, check the session table; the PC1 sessions should show a source address from the 100.1.1.10 - 100.1.1.20 pool, and the inbound Web sessions should show 100.1.1.100 translated to 192.168.2.100:

```
[Firewall] display firewall session table
```
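To make the interaction between zones, NAT Server, nat-policy and security-policy concrete, the following is an added Python model of how the firewall above evaluates the first packet of a new session. It is not part of the original lab and does not come from Huawei: the zone membership, rule order and NAT mappings are copied from the configuration, while the packet model, the deterministic pool-address selection, the sample flows (PC1 = 192.168.1.1, the Internet router = 100.1.1.2) and the helper names are assumptions of this example.

```python
"""Added example: a model of the lab's USG6000V zone/NAT/policy evaluation.

Zone membership, rule order and NAT mappings are copied from the lab
configuration; the packet model, sample flows and helper names are assumptions
of this example, not Huawei code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone of each directly connected subnet (interface -> zone as configured).
ZONE_OF_SUBNET = {
    ip_network("192.168.1.0/24"): "trust",    # GE1/0/1
    ip_network("192.168.2.0/24"): "dmz",      # GE1/0/2
    ip_network("100.1.1.0/24"): "untrust",    # GE1/0/3
}

# nat server policy_web protocol tcp global 100.1.1.100 80 inside 192.168.2.100 80
NAT_SERVER = {("tcp", "100.1.1.100", 80): ("192.168.2.100", 80)}

# nat address-group addressgroup1, mode pat, section 0 100.1.1.10 100.1.1.20
NAT_POOL = [f"100.1.1.{host}" for host in range(10, 21)]


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str = "0.0.0.0/0"   # "any"
    dst: str = "0.0.0.0/0"   # "any"
    action: str = "permit"


# security-policy rules in configured order; first match wins, default deny.
SECURITY_POLICY = [
    Rule("trust_to_untrust", "trust", "untrust", src="192.168.1.0/24"),
    Rule("trust_to_dmz", "trust", "dmz"),
    Rule("untrust_to_dmz", "untrust", "dmz", dst="192.168.2.100/32"),
]


def zone_of(addr: str) -> str:
    """Map an address to its security zone via the connected subnet."""
    ip = ip_address(addr)
    for net, zone in ZONE_OF_SUBNET.items():
        if ip in net:
            return zone
    raise ValueError(f"{addr} is not on a firewall-connected subnet")


def evaluate(proto: str, src: str, dst: str, dport: int) -> dict:
    """Verdict for the first packet of a new session.

    Order mirrors the USG forwarding flow: NAT Server (destination translation)
    runs before the security-policy lookup, so the policy is matched against
    the inside address 192.168.2.100, not the public 100.1.1.100. Source NAT
    from the nat-policy is applied only after the policy permits the session.
    Return traffic needs no rule of its own: the session table allows it.
    """
    dst, dport = NAT_SERVER.get((proto, dst, dport), (dst, dport))
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    rule = next(
        (r for r in SECURITY_POLICY
         if (r.src_zone, r.dst_zone) == (src_zone, dst_zone)
         and ip_address(src) in ip_network(r.src)
         and ip_address(dst) in ip_network(r.dst)),
        None,
    )
    if rule is None or rule.action != "permit":
        return {"action": "deny", "rule": rule.name if rule else "default",
                "src": src, "dst": dst, "dport": dport}
    # policy_nat1: trust -> untrust from 192.168.1.0/24 gets a pool address.
    # Pool member selection is simplified to a deterministic pick (assumption);
    # the real device also rewrites the source port (mode pat).
    if (src_zone, dst_zone) == ("trust", "untrust") and \
            ip_address(src) in ip_network("192.168.1.0/24"):
        src = NAT_POOL[int(ip_address(src)) % len(NAT_POOL)]
    return {"action": "permit", "rule": rule.name,
            "src": src, "dst": dst, "dport": dport}


def check_requirements() -> dict:
    """Constructed flows, one per lab requirement."""
    pc1_out = evaluate("tcp", "192.168.1.1", "100.1.1.2", 80)
    inet_to_pc1 = evaluate("tcp", "100.1.1.2", "192.168.1.1", 80)
    inet_to_web = evaluate("tcp", "100.1.1.2", "100.1.1.100", 80)
    inet_to_other_dmz = evaluate("tcp", "100.1.1.2", "192.168.2.200", 80)
    return {
        "pc1_can_reach_internet": pc1_out["action"] == "permit",
        "pc1_source_is_translated": pc1_out["src"] in NAT_POOL,
        "internet_cannot_reach_pc1": inet_to_pc1["action"] == "deny",
        "web_reachable_via_public_ip": inet_to_web["action"] == "permit"
                                       and inet_to_web["dst"] == "192.168.2.100",
        "other_dmz_hosts_hidden": inet_to_other_dmz["action"] == "deny",
    }


if __name__ == "__main__":
    for name, ok in check_requirements().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The fourth constructed flow (to a DMZ host other than 192.168.2.100) is the reason the `untrust_to_dmz` rule carries a /32 destination instead of `any`: with `any`, every DMZ host the Internet could route to would be exposed, not just the published server.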
That concludes this article.