华为边界防火墙的基本配置
华为边界防火墙的基本配置这是一个部署在企业网边界的防火墙,先定义三个安全区域:1、内网(trust zone)2、服务器(DMZ zone)3、运营商(untrust zone)防火墙建议配置步骤:1、配置防火墙接口地址并且将接口划入相关的安全区域2、配置路由3、配置NAT策略(防火墙与路路由器的配置方式会有所不同)4、配置安全策略基本要求trust可以ping通外网,可以ping通服务器,防火墙dmz及trust接口允许ping通。配置方法:第一部分-配置接口及把接口划入相关安全域配置接口地址<USG6000V2>system-viewsysname fwip address 202.200.100.2 29quitip address 172.16.1.1 24service-manage ping permitquitinterface GigabitEthernet 1/0/2ip address 192.168.1.1 24service-manage ping permitquit配置给trust区域的DHCP服务dhcp enableip pool trustnetwork 192.168.1.0 mask 24gateway-list 192.168.1.1 excluded-ip-address 192.168.1.200 192.168.1.254lease day 2dns-list 114.114.114.114 8.8.8.8quitinterface GigabitEthernet 1/0/2dhcp select global quit把接口划入相关的安全域firewall zone untrustadd interface GigabitEthernet 1/0/0quitfirewall zone dmzadd interface Gigabitethernet 1/0/2quitfirewall zone trustadd interface Gigabitethernet 1/0/2quit第二部分-配置路由配置路由(防火墙内线全部是直连,仅需要对出口配置默认路由)ip route-static 0.0.0.0 0.0.0.0 202.200.100.1第三部分-配置NAT策略nat-policyrule name trust-untrustsource-zone trustdestination-zone untrustsource-address 192.168.1.0 24service icmp http ftp sshaction source-nat easy-ipquitquit第四部分-配置security安全策略security-policy rule name trust-untrustsource-zone trustdestination-zone untrustsource-address 192.168.1.0 24service icmp http ftp sshaction permitquitquitsecurity-policy rule name trust-dmzsource-zone trustdestination-zone dmzsource-address 192.168.1.0 24service icmp action permitquitquit配置ISP设备(路由器)<Huawei>system-viewinterface gigabitethernet 0/0/0ip address 202.200.100.1 29quitinterface loopback 0ip address 100.100.100.100 32quit检测通信
页:
[1]
