华为防火墙配置指南

华为防火墙配置指南，有情趣的小伙伴可以学习一下！

方法/步骤

步骤一.基本配置与IP编址首先给三个路由器配置地址信息。[Huawei]sysname R1[R1]interface g0/0/1[R1-GigabitEthernet0/0/1]ip add 10.0.10.124[R1-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/1[R1-GigabitEthernet0/0/1]interfaceloopback0[R1-LoopBack0]ip add 10.0.1.1 24[R1-LoopBack0]q [Huawei]sysname R2[R2]interface g0/0/1[R2-GigabitEthernet0/0/1]ip add 10.0.20.224[R2-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/2[R2-GigabitEthernet0/0/1]interfaceloopback0[R2-LoopBack0]ip add 10.0.2.2 24[R2-LoopBack0]q [Huawei]sysname R3[R3]interface g0/0/1[R3-GigabitEthernet0/0/1]ip add 10.0.30.324[R3-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/3[R3-GigabitEthernet0/0/1]interfaceloopback0[R3-LoopBack0]ip add 10.0.3.3 24[R3-LoopBack0]q 给防火墙配置地址时，G0/0/1配置10.0.20.254/24.[SRG]sysname FW13:06:03 2014/07/08[FW]interface g0/0/113:06:30 2014/07/08[FW-GigabitEthernet0/0/1]ip add 10.0.20.2542413:07:01 2014/07/08[FW-GigabitEthernet0/0/1]desc this portconnect to S1-G0/0/2213:07:52 2014/07/08[FW-GigabitEthernet0/0/1]interface g0/0/013:08:23 2014/07/08[FW-GigabitEthernet0/0/0]dis this13:08:31 2014/07/08#interface GigabitEthernet0/0/0 alias GE0/MGMT ipaddress 192.168.0.1 255.255.255.0 dhcpselect interface dhcpserver gateway-list 192.168.0.1#return[FW-GigabitEthernet0/0/0]undo ip add13:08:42 2014/07/08Info: The DHCP server configuration on thisinterface will be deleted. [FW-GigabitEthernet0/0/0]display this13:08:46 2014/07/08#interface GigabitEthernet0/0/0 alias GE0/MGMT#return[FW-GigabitEthernet0/0/0]ip add 10.0.10.2542413:09:29 2014/07/08[FW-GigabitEthernet0/0/0]desc this portconnect to S1-G0/0/2113:10:05 2014/07/08[FW-GigabitEthernet0/0/0]interface G0/0/213:10:15 2014/07/08[FW-GigabitEthernet0/0/2]ip add 10.0.30.2542413:10:28 2014/07/08[FW-GigabitEthernet0/0/2]desc this portconnect to S1-G0/0/2313:10:53 2014/07/08[FW-GigabitEthernet0/0/2]q

交换机上需要按照需求定义vlan[Huawei]sysname S1[S1]vlan batch 11 to 13Info: This operation may take a fewseconds. Please wait for a moment...done.[S1]interface g0/0/1[S1-GigabitEthernet0/0/1]port link-typeaccess[S1-GigabitEthernet0/0/1]port default vlan11[S1]interface g0/0/2[S1-GigabitEthernet0/0/2]port link-typeaccess[S1-GigabitEthernet0/0/2]port default vlan12[S1-GigabitEthernet0/0/2]interface g0/0/3[S1-GigabitEthernet0/0/3]port link-typeaccess[S1-GigabitEthernet0/0/3]port default vlan13[S1-GigabitEthernet0/0/3]interface g0/0/21[S1-GigabitEthernet0/0/21]port link-typeaccess[S1-GigabitEthernet0/0/21]port default vlan11[S1-GigabitEthernet0/0/21]interface g0/0/22[S1-GigabitEthernet0/0/22]port link-typeaccess[S1-GigabitEthernet0/0/22]port default vlan12[S1-GigabitEthernet0/0/22]interface g0/0/23[S1-GigabitEthernet0/0/23]port link-typeaccess[S1-GigabitEthernet0/0/23]port default vlan13

步骤二.将接口配置到安全区域防火墙默认有四个区域，分别是“local”、“trust"、“untrust”、“dmz”。实验中我们用到“trust”、'untrust"、“dmz”三个区域。将G0/0/0加入untrust区域、g/0/0/2加入dmz和g/0/0/1加入trust。[FW]firewall zone trust13:45:31 2014/07/08[FW-zone-trust]dis this13:45:35 2014/07/08#firewall zone trust setpriority 85 addinterface GigabitEthernet0/0/0#return[FW-zone-trust]undo add inter [FW-zone-trust]undo add interface g0/0/013:46:01 2014/07/08[FW-zone-trust]add interface g0/0/113:46:22 2014/07/08[FW-zone-trust]firewall zone untrust[FW-zone-untrust]add interface g0/0/013:47:24 2014/07/08[[FW-zone-untrust]firewall zone dmz13:48:06 2014/07/08[FW-zone-dmz]add interface g0/0/213:48:13 2014/07/08[FW-zone-dmz]q

步骤三.配置静态路由，实现网络的连通性在R2和R3上配置缺省路由，在FW上配置明确的静态路由，实现三个loopback0接口之间的通信。R1无需定义缺省路由，原因是其作为internet设备，他不需要知道内部和DMZ区域的私有网络信息。 [R2]ip route-static 0.0.0.0 0 10.0.20.254 [R3]ip route-static 0.0.0.0 0 10.0.30.254 [FW]ip route-static 10.0.1.0 24 10.0.10.113:58:26 2014/07/08[FW]ip route-static 10.0.2.0 24 10.0.20.213:58:40 2014/07/08[FW]ip route-static 10.0.3.0 24 10.0.30.313:58:52 2014/07/08 在防火墙上测试与10.0.1.0、10.0.2.0、10.0.3.0之间的连通性。 [FW]ping -c 1 10.0.1.114:00:18 2014/07/08 PING 10.0.1.1: 56 data bytes,press CTRL_C to break Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms ---10.0.1.1 ping statistics --- 1packet(s) transmitted 1packet(s) received 0.00% packet loss round-trip min/avg/max = 80/80/80 ms [FW]ping -c 1 10.0.2.214:00:25 2014/07/08 PING 10.0.2.2: 56 data bytes,press CTRL_C to break Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms ---10.0.2.2 ping statistics --- 1packet(s) transmitted 1packet(s) received 0.00% packet loss round-trip min/avg/max = 170/170/170 ms [FW]ping -c 1 10.0.3.314:00:29 2014/07/08 PING 10.0.3.3: 56 data bytes,press CTRL_C to break Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms ---10.0.3.3 ping statistics --- 1packet(s) transmitted 1packet(s) received 0.00% packet loss round-trip min/avg/max = 110/110/110 ms 目前配置下，所有区域之间可以通讯，不被检查。但是由于当前尚未定义NAT，外部区域不能与内部和DMZ区域相互访问。

步骤四.配置区域间的安全过滤配置从Trust区域的部分网段10.0.2.3发往Untrust区域的数据包被放行。从Untrust区域发往DMZ目标服务器10.0.3.3的telnet请求被放行。 [FW]firewall session link-state check[FW]policy interzone trust untrust outbound[FW-policy-interzone-trust-untrust-outbound]policy014:06:57 2014/07/08[FW-policy-interzone-trust-untrust-outbound-0]policysource 10.0.2.0 0.0.0.25514:07:18 2014/07/08[FW-policy-interzone-trust-untrust-outbound-0]actionpermit14:07:31 2014/07/08[FW-policy-interzone-trust-untrust-outbound-0]q14:07:40 2014/07/08[FW-policy-interzone-trust-untrust-outbound]q14:07:40 2014/07/08]policy interzone dmz untrust inbound14:09:01 2014/07/08[FW-policy-interzone-dmz-untrust-inbound]policy014:09:08 2014/07/08[FW-policy-interzone-dmz-untrust-inbound-0]policydestination 10.0.3.3 014:09:37 2014/07/08[FW-policy-interzone-dmz-untrust-inbound-0]policyservice service-set telnet[FW-policy-interzone-dmz-untrust-inbound-0]actionpermit14:09:55 2014/07/08[FW-policy-interzone-dmz-untrust-inbound-0]q14:09:55 2014/07/08

步骤五.配置Easy-Ip，实现Trust区域到Untrust区域的访问。配置使用Easy-IP，进行NAT源地址转换。并且将NAT与接口进行绑定。 [FW-nat-policy-interzone-trust-untrust-outbound]policy014:14:00 2014/07/08[FW-nat-policy-interzone-trust-untrust-outbound-0]policysource 10.0.2.0 0.0.0.25514:14:26 2014/07/08[FW-nat-policy-interzone-trust-untrust-outbound-0]actionsource-nat14:14:37 2014/07/08[FW-nat-policy-interzone-trust-untrust-outbound-0]easy-ipg0/0/014:14:51 2014/07/08[FW-nat-policy-interzone-trust-untrust-outbound-0]q 配置完成后，验证Trust区域与Untrust区域之间的访问是否正常。ping 10.0.1.1 PING 10.0.1.1: 56 data bytes,press CTRL_C to break Request time out Request time out Request time out Request time out Request time out ---10.0.1.1 ping statistics --- 5packet(s) transmitted 0packet(s) received 100.00% packet loss ping -a 10.0.2.2 10.0.1.1 PING 10.0.1.1: 56 data bytes,press CTRL_C to break Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=254 time=220 ms Reply from 10.0.1.1: bytes=56 Sequence=2 ttl=254 time=100 ms Reply from 10.0.1.1: bytes=56 Sequence=3 ttl=254 time=100 ms Reply from 10.0.1.1: bytes=56 Sequence=4 ttl=254 time=120 ms Reply from 10.0.1.1: bytes=56 Sequence=5 ttl=254 time=440 ms ---10.0.1.1 ping statistics --- 5packet(s) transmitted 5packet(s) received 0.00% packet loss round-trip min/avg/max = 100/196/440 ms 注意，这里直接测试与10.0.1.1之间的连通性，显示不通。使用扩展ping，指定了发送数据包的源地址是10.0.2.2后，实现了连通性。原因是，直接发送数据包到10.0.1.1时，数据包的源地址到10.0.1.1时，数据包的源地址为10.0.20.2，该地址不属于NAT转换的客户端地址范围。步骤六.将内网服务器10.0.3.3发布出去配置内网服务器10.0.3.3的telnet服务，映射到地址10.0.10.20[FW]nat server protocol tcp global10.0.10.20 telnet inside 10.0.3.3 telnet 在R3上开启Telnet功能，并在R1上测试，测试时需要注意，对外发布的地址为10.0.10.20，所以R1对10.0.3.3访问时，访问的目标地址为10.0.10.20。[R3]user-interface vty 0 4[R3-ui-vty0-4]authentication-mode passwordPlease configure the login password(maximum length 16):16[R3-ui-vty0-4]set authentication password ? cipher Set the password withcipher text[R3-ui-vty0-4]set authentication passwordcip [R3-ui-vty0-4]set authentication passwordcipher Huawei[R3-ui-vty0-4]user privilege level 3[R3-ui-vty0-4]q telnet 10.0.10.20 Press CTRL_] to quit telnet mode Trying 10.0.10.20 ... Connected to 10.0.10.20 ...

上一篇：儿童房风格设计大全

下一篇：条码打印软件如何生成各种流水条码

欧尼酱

华为防火墙配置指南

华为eNSP配置RIP实验

华为eNSP配置防火墙的安全域和安全策略

华为eNSP配置OSPF单区域的实验与区域认证

华为eNSP配置应用ACL控制企业数据访问

华为防火墙配置指南

八个集体拍照的超酷POSE---碉堡了

请用首先灬接着灬然后灬等表示顺序的词_语来介绍一下县花开放的过程

玫瑰花的简单画法

WPS表格如何制作拼音田字格？

哈利波特魔法觉醒罗恩韦斯莱曾经拼图位置攻略

桂林山水教学设计

哈利波特拼图寻宝岂有此理为什么我不能使用在哪

拍婚纱照的姿势大全

成语里的加减乘除

哈利波特魔法觉醒拼图寻宝食物位居位置攻略

六种pose拍出最美婚纱照

哈利波特魔法觉醒拼图寻宝924位置