华为H3C防火墙配置手册.docx

《华为H3C防火墙配置手册.docx》由会员分享，可在线阅读，更多相关《华为H3C防火墙配置手册.docx（18页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、华为H3C防火墙配置手册 - 1 - 要求:通过配置华为防火墙实现本地 telnet 服务器能够通过 NAT 上网.并且,访问电信网络 链路时走电信,访问网通链路时走网通. 具体配置如下: 华为 US G 2000 Username:admin Password:Admin123 system-view USG2205BSRsysname huawei huaweiinterface GigabitEthernet 0/0/0 T - 2 - huawei-GigabitEthernet0/0/0ip address 202.100.1.1 255.255.255.0 huawei-Gigab

2、itEthernet0/0/0undo shutdown huawei-Gigab itEthernet0/0/0quit huaweiinterface GigabitEthernet 0/0/1 huawei-GigabitEthernet0/0/1description #conn to yidong link# huawei-GigabitEthernet0/0/1ip address 202.200.1.1 255.255.255.0 huawei-GigabitEthernet0/0/1undo shutdown huawei-Gigab itEthernet0/0/1quit h

3、uaweiinterface Vlanif 1 huawei-Vlanif1description #conn to local# huawei-Vlanif1ip address 192.168.1.1 255.255.255.0 huawei-Vlanif1undo shutdown huawei-Vlanif1quit 专注高端，技术为王 TEL:0592-* - 3 - huawei-zone-trustundo add interface GigabitEthernet 0/0/1 huawei-zone-trustadd interface Vlanif 1 huaweifirew

4、all zone name Dianxin huawei-zone-dianxinset priority 4 huawei-zone-dianxinadd interface GigabitEthernet 0/0/0 huawei-zone-dianxinquit huawei-zone-yidongset priority 3 huawei-zone-yidongadd interface GigabitEthernet 0/0/1 huawei-zone-yidongquit huaweiacl number 2000 huawei-acl-basic-2000rule 10 perm

5、it source 192.168.1.0 0.0.0.255 专注高端，技术为王 TEL:0592-* - 4 - huawei-acl-basic-2000quit huaweifirewall interzone trust dianxin huawei-interzone-trust-dianxinpacket-filter 2000 outbound huawei-interzone-trust-dianxinnat outbound 2000 interface GigabitEthernet 0/0/0 huawei-interzone-trust-dianxinquit hua

6、wei-interzone-trust-yidongnat outbound 2000 interface GigabitEthernet 0/0/1 huawei-interzone-trust-yidongquit huaweiuser-interface vty 0 4 huawei-ui-vty0-4authentication-mode password huawei-ui-vty0-4quit huaweiip route-static 0.0.0.0 0.0.0.0 202.100.1.2 huaweiip route-static 202.200.1.2 huaweiip ro

7、ute-static 222.160.0.0 255.252.0.0 202.200.1.2 专注高端，技术为王 TEL:0592-* - 5 - huawei firewall packet-filter default permit interzone local dianxin direction outbound huawei firewall packet-filter default permit interzone trust dianxin direction inbound huawei firewall packet-filter default permit interz

8、one trust dianxin direction outbound huawei firewall packet-filter default permit interzone local yidong direction inbound huawei firewall packet-filter default permit interzone local yidong direction outbound huawei firewall packet-filter default permit interzone trust yidong direction inbound huaw

9、ei firewall packet-filter default permit interzone trust yidong direction outbound 如图：电信网络、网通网络和 telnet 服务器配置 略！ 验证： 内网 192.168.1.2 分别 PING 电信与网通. inside#ping 202.100.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds: ! Success rate is 100 percent

10、 (5/5), round-trip min/avg/max = 4/4/4 ms inside#ping 202.200.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 202.200.1.2, timeout is 2 seconds: ! TEL:0592-* - 6 - 专注高端，技术为王 Current total sessions: 3 icmp VPN: public - public 192.168.1.2:3202.100.1.1:23088-202.100.1.2:3 tcp VPN:

11、 public - public 192.168.1.1:1024-192.168.1.2:23 icmp VPN: public - public 192.168.1.2:4202.200.1.1:43288-202.200.1.2:4 验证成功！ huaweidisplay current-configuration 11:54:30 2022/11/06 # acl number 2000 rule 10 permit source 192.168.1.0 0.0.0.255 # sysname huawei # super password level 3 cipher S*H+DFH

12、FSQ=QMAF41! # web-manager enable # info-center timestamp debugging date # firewall packet-filter defau lt permit interzone local trust direction inbound firewall packet-filter defau lt permit interzone local trust direction outbound firewall packet-filter defau lt permit interzone local untrust dire

13、ction inbound 专注高端，技术为王firewall packet-filter defau lt permit interzone local untrust direction outbound firewall packet-filter defau lt permit interzone local dmz direction inbound firewall packet-filter defau lt permit interzone local dmz direction outbound firewall packet-filter defau lt permit i

14、nterzone local vzone direction inbound firewall packet-filter defau lt permit interzone local vzone direction outbound firewall packet-filter defau lt permit interzone local dianxin direction inbound firewall packet-filter defau lt permit interzone local dianxin direction outbound firewall packet-fi

15、lter defau lt permit interzone local yidong direction inbound firewall packet-filter defau lt permit interzone local yidong direction outbound firewall packet-filter defau lt permit interzone trust untrust direction inbound firewall packet-filter defau lt permit interzone trust untrust direction out

16、bound firewall packet-filter defau lt permit interzone trust dmz direction inbound firewall packet-filter defau lt permit interzone trust dmz direction outbound firewall packet-filter defau lt permit interzone trust vzone direction inbound firewall packet-filter defau lt permit interzone trust vzone

17、 direction outbound firewall packet-filter defau lt permit interzone trust dianxin direction inbound firewall packet-filter defau lt permit interzone trust dianxin direction outbound firewall packet-filter defau lt permit interzone trust yidong direction inbound firewall packet-filter defau lt permi

18、t interzone trust yidong direction outbound firewall packet-filter defau lt permit interzone dmz untrust direction inbound firewall packet-filter defau lt permit interzone dmz untrust direction outbound firewall packet-filter defau lt permit interzone untrust vzone direction inbound firewall packet-

19、filter defau lt permit interzone untrust vzone direction outbound firewall packet-filter defau lt permit interzone dmz vzone direction inbound firewall packet-filter defau lt permit interzone dmz vzone direction outbound # dhcp enable # firewall statistic system enable # vlan 1 TEL:0592-* - 7 - 专注高端

20、，技术为王# interface Cellular0/1/0 link-protocol ppp # interface Vlanif1 description #conn to local# ip address 192.168.1.1 255.255.255.0 # interface Ethernet1/0/0 port link-type access # interface Ethernet1/0/1 port link-type access # interface Ethernet1/0/2 port link-type access # interface Ethernet1/

21、0/3 port link-type access # interface Ethernet1/0/4 port link-type access # interface GigabitEthernet0/0/0 description #conn to dianxin link# ip address 202.100.1.1 255.255.255.0 # interface GigabitEthernet0/0/1 description #conn to yidong link# ip address 202.200.1.1 255.255.255.0 # TEL:0592-* - 8

22、- 专注高端，技术为王interface NULL0 # firewall zone local set priority 100 # firewall zone trust set priority 85 add interface Vlanif1 # firewall zone untrust set priority 5 # firewall zone dmz set priority 50 # firewall zone vzone set priority 0 # firewall zone name dianxin set priority 4 add interface Giga

23、bitEthernet0/0/0 # firewall zone name yidong set priority 3 add interface GigabitEthernet0/0/1 # firewall interzone trust dianxin packet-filter 2000 outbound nat outbound 2000 interface GigabitEthernet0/0/0 # firewall interzone trust yidong TEL:0592-* - 9 - 专注高端，技术为王 N packet-filter 2000 outbound na

24、t outbound 2000 interface GigabitEthernet0/0/1 # aaa local-user admin password cipher MQ;4B+4Z,YWX*NZ55OA! local-user admin service-type web telnet local-user admin level 3 authentication-scheme default # authorization-scheme default # accounting-scheme default # domain default # # right-manager ser

25、ver-group # slb # ip route-static 0.0.0.0 0.0.0.0 202.100.1.2 ip route-static 27.8.0.0 255.248.0.0 202.200.1.2 ip route-static 202.200.1.2 ip route-static 222.160.0.0 255.252.0.0 202.200.1.2 # user-interface con 0 user-interface tty 9 authentication-mode none modem both user-interface vty 0 4 user privilege level 3 TEL:0592-* - 10 - HTTP:/WWW.XMWS.C 专注高端，技术为王 TEL:0592-* - 11 - HTTP:/WWW.XMWS.C N # return huawei