Huawei Firewall Configuration Manual: NAT Configuration on a Huawei USG Firewall

[FW]firewall packet-filter default permit all
13:51:19 2014/07/08
Warning: Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Are
you sure you want to continue?[Y/N]y
[FW]ping -c 1 10.0.10.1
13:51:56 2014/07/08
PING 10.0.10.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=90 ms
--- 10.0.10.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 90/90/90 ms
[FW]ping -c 1 10.0.20.2
13:52:08 2014/07/08
PING 10.0.20.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=400 ms
--- 10.0.20.2 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 400/400/400 ms
[FW]ping -c 1 10.0.30.3
13:52:18 2014/07/08
PING 10.0.30.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=410 ms
--- 10.0.30.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 410/410/410 ms
Step 3. Configure static routes to provide network connectivity
Configure default routes on R2 and R3 and explicit static routes on the FW so that the three loopback0 interfaces can reach each other. R1 needs no default route: it plays the role of the Internet device, so it should not know the private network information of the internal and DMZ zones.
[R2]ip route-static 0.0.0.0 0 10.0.20.254
[R3]ip route-static 0.0.0.0 0 10.0.30.254
[FW]ip route-static 10.0.1.0 24 10.0.10.1
13:58:26 2014/07/08
[FW]ip route-static 10.0.2.0 24 10.0.20.2
13:58:40 2014/07/08
[FW]ip route-static 10.0.3.0 24 10.0.30.3
13:58:52 2014/07/08
Test connectivity from the firewall to 10.0.1.0, 10.0.2.0 and 10.0.3.0.
[FW]ping -c 1 10.0.1.1
14:00:18 2014/07/08
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms
--- 10.0.1.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/80/80 ms
[FW]ping -c 1 10.0.2.2
14:00:25 2014/07/08
PING 10.0.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms
--- 10.0.2.2 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 170/170/170 ms
[FW]ping -c 1 10.0.3.3
14:00:29 2014/07/08
PING 10.0.3.3: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms
--- 10.0.3.3 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 110/110/110 ms
With the current configuration, all zones can communicate with each other and nothing is inspected. However, because no NAT has been defined yet, the external (Untrust) zone and the internal and DMZ zones cannot reach each other.
Step 4. Configure security filtering between zones
Permit packets sent from a subset of the Trust zone, the segment containing 10.0.2.3, to the Untrust zone. Permit telnet requests sent from the Untrust zone to the DMZ target server 10.0.3.3.
[FW]firewall session link-state check
[FW]policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound]policy 0
14:06:57 2014/07/08
[FW-policy-interzone-trust-untrust-outbound-0]policy source 10.0.2.0 0.0.0.255
14:07:18 2014/07/08
[FW-policy-interzone-trust-untrust-outbound-0]action permit
14:07:31 2014/07/08
[FW-policy-interzone-trust-untrust-outbound-0]q
14:07:40 2014/07/08
[FW-policy-interzone-trust-untrust-outbound]q
14:07:40 2014/07/08
[FW]policy interzone dmz untrust inbound
14:09:01 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound]policy 0
14:09:08 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound-0]policy destination 10.0.3.3 0
14:09:37 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound-0]policy service service-set telnet
[FW-policy-interzone-dmz-untrust-inbound-0]action permit
14:09:55 2014/07/08
[FW-policy-interzone-dmz-untrust-inbound-0]q
14:09:55 2014/07/08
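The two interzone policies above only say what is explicitly permitted; anything they do not match falls through to the packet-filter default, which step 1 set to "permit all" despite the device's warning. The following evaluator is an added example (not part of this tutorial and not Huawei code) that models that first-match-then-default behaviour for a few constructed flows and compares a default-permit with a default-deny firewall; zone names, rule order and the simplified service matching are assumptions, and NAT and session state are ignored.

```python
"""Interzone policy evaluator modelled on the step 4 policies (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src_zone: str                   # zone the flow originates in
    dst_zone: str                   # zone the flow is destined to
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source network, CIDR (any by default)
    dst: str = "0.0.0.0/0"          # destination network, CIDR (any by default)
    service: Optional[str] = None   # None matches any service

# The two policies from step 4, wildcard masks rewritten as CIDR prefixes.
# "policy interzone dmz untrust inbound" matches traffic entering dmz from untrust.
RULES: List[Rule] = [
    Rule("trust", "untrust", "permit", src="10.0.2.0/24"),
    Rule("untrust", "dmz", "permit", dst="10.0.3.3/32", service="telnet"),
]

def evaluate(rules, default_action, src_zone, dst_zone, src_ip, dst_ip, service):
    """First matching interzone rule wins; otherwise the packet-filter default applies."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.src):
            continue
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(r.dst):
            continue
        if r.service is not None and r.service != service:
            continue
        return r.action
    return default_action

# Constructed sample flows: (src_zone, dst_zone, src_ip, dst_ip, service).
FLOWS: List[Tuple[str, str, str, str, str]] = [
    ("trust", "untrust", "10.0.2.2", "10.0.1.1", "http"),    # matched by trust->untrust policy 0
    ("trust", "untrust", "10.0.20.2", "10.0.1.1", "http"),   # source outside 10.0.2.0/24
    ("untrust", "dmz", "10.0.1.1", "10.0.3.3", "telnet"),    # matched by dmz<-untrust policy 0
    ("untrust", "dmz", "10.0.1.1", "10.0.3.3", "ssh"),       # service not covered by any policy
]

def compare_defaults(flows=FLOWS, rules=RULES):
    """Return [(flow, action under 'permit all', action under a deny default)]."""
    return [(f, evaluate(rules, "permit", *f), evaluate(rules, "deny", *f)) for f in flows]

if __name__ == "__main__":
    for flow, permit_all, deny_default in compare_defaults():
        print(f"{flow}: default permit -> {permit_all}, default deny -> {deny_default}")
```

The second and fourth flows show the risk the device warns about: with the default left at permit, traffic that no policy was written for is still passed, so the explicit policies only add coverage once the default is changed to deny.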
Step 5. Configure Easy-IP to enable access from the Trust zone to the Untrust zone.
Configure NAT source address translation using Easy-IP, and bind the NAT policy to the interface.
[FW-nat-policy-interzone-trust-untrust-outbound]policy 0