Basic configuration of a Huawei border firewall

This is a firewall deployed at the edge of an enterprise network. Three security zones are defined first:
1. Internal network (trust zone)
2. Servers (DMZ zone)
3. ISP (untrust zone)

Recommended order of configuration:
1. Configure the interface addresses and add each interface to its security zone
2. Configure routing
3. Configure the NAT policy (a firewall is configured differently from a router here)
4. Configure the security policy

Basic requirements: hosts in trust can ping the internet and can ping the servers, and the firewall's dmz and trust interfaces must answer ping.

Configuration

Part 1 - Configure the interfaces and add them to their security zones

Configure the interface addresses. GE1/0/0 faces the ISP, GE1/0/1 faces the servers and GE1/0/2 faces the internal network. service-manage ping permit controls whether the firewall's own interface address answers ping; it is enabled only on the dmz and trust interfaces, so the untrust interface does not answer ping from the ISP side.

<USG6000V2>system-view
[USG6000V2]sysname fw
[fw]interface GigabitEthernet 1/0/0
[fw-GigabitEthernet1/0/0]ip address 202.200.100.2 29
[fw-GigabitEthernet1/0/0]quit
[fw]interface GigabitEthernet 1/0/1
[fw-GigabitEthernet1/0/1]ip address 172.16.1.1 24
[fw-GigabitEthernet1/0/1]service-manage ping permit
[fw-GigabitEthernet1/0/1]quit
[fw]interface GigabitEthernet 1/0/2
[fw-GigabitEthernet1/0/2]ip address 192.168.1.1 24
[fw-GigabitEthernet1/0/2]service-manage ping permit
[fw-GigabitEthernet1/0/2]quit

Configure the DHCP service for the trust zone. The pool covers 192.168.1.0/24 with the firewall's trust interface as gateway; 192.168.1.200 to 192.168.1.254 are excluded from the pool, and the trust interface is set to hand out addresses from the global pool.

[fw]dhcp enable
[fw]ip pool trust
[fw-ip-pool-trust]network 192.168.1.0 mask 24
[fw-ip-pool-trust]gateway-list 192.168.1.1
[fw…]excluded-ip-address 192.168.1.200 192.168.1.254
[fw-ip-pool-trust]lease day 2
[fw-ip-pool-trust]dns-list 114.114.114.114 8.8.8.8
[fw-ip-pool-trust]quit
[fw]interface GigabitEthernet 1/0/2
[fw-GigabitEthernet1/0/2]dhcp select global
[fw-GigabitEthernet1/0/2]quit

Add the interfaces to their security zones. An interface belongs to exactly one zone: GE1/0/1 (172.16.1.0/24, the server segment) goes into dmz and GE1/0/2 (192.168.1.0/24, the internal segment served by DHCP) goes into trust.

[fw]firewall zone untrust
[fw-zone-untrust]add interface GigabitEthernet 1/0/0
[fw-zone-untrust]quit
[fw]firewall zone dmz
[fw-zone-dmz]add interface GigabitEthernet 1/0/1
[fw-zone-dmz]quit
[fw]firewall zone trust
[fw-zone-trust]add interface GigabitEthernet 1/0/2
[fw-zone-trust]quit

Part 2 - Configure routing

All networks behind the firewall are directly connected, so only a default route towards the ISP is needed:

[fw]ip route-static 0.0.0.0 0.0.0.0 202.200.100.1

Part 3 - Configure the NAT policy

Traffic from 192.168.1.0/24 in trust towards untrust is source-translated with easy-ip, which uses the address of the outbound interface (202.200.100.2). This is also why the ISP router needs no route back to 192.168.1.0/24: return traffic is addressed to 202.200.100.2, which is directly connected from the ISP side.

[fw]nat-policy
[fw-policy-nat]rule name trust-untrust
[fw-policy-nat-rule-trust-untrust]source-zone trust
[fw-policy-nat…]destination-zone untrust
[fw-policy-nat…]source-address 192.168.1.0 24
[fw-policy-nat…]service icmp http ftp ssh
[fw-policy-nat…]action source-nat easy-ip
[fw-policy-nat-rule-trust-untrust]quit
[fw-policy-nat]quit

Part 4 - Configure the security policy

The security policy is matched independently of the NAT policy, so trust-to-untrust traffic must be permitted here and also match the NAT rule; both rules list the same services. The default action of the security policy is deny, so anything not listed below, including any traffic initiated from dmz or untrust, is dropped. The trust-dmz rule permits only ICMP, which is all the requirements ask for.

[fw]security-policy
[fw-policy-security]rule name trust-untrust
[fw-policy-security-rule…]source-zone trust
[fw-policy-security-rule…]destination-zone untrust
[fw-policy-security-rule…]source-address 192.168.1.0 24
[fw-policy-security-rule…]service icmp http ftp ssh
[fw-policy-security-rule-trust-untrust]action permit
[fw-policy-security-rule-trust-untrust]quit
[fw-policy-security]quit
[fw]security-policy
[fw-policy-security]rule name trust-dmz
[fw-policy-security-rule…]source-zone trust
[fw-policy-security-rule…]destination-zone dmz
[fw-policy-security-rule…]source-address 192.168.1.0 24
[fw-policy-security-rule…]service icmp
[fw-policy-security-rule-trust-dmz]action permit
[fw-policy-security-rule-trust-dmz]quit
[fw-policy-security]quit

Configure the ISP device (router)

The ISP router only needs the address on the shared /29 and a loopback that stands in for an internet host to ping.

<Huawei>system-view
[Huawei]sysname isp
[isp]interface gigabitethernet 0/0/0
[isp-GigabitEthernet0/0/0]ip address 202.200.100.1 29
[isp-GigabitEthernet0/0/0]quit
[isp]interface loopback 0
[isp-LoopBack0]ip address 100.100.100.100 32
[isp-LoopBack0]quit

Verify connectivity
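The original article stops at the verification heading. The following is an added verification sequence for the configuration above, not part of the original article. It uses the standard VRP display and ping commands on the firewall and assumes a trust host that obtained 192.168.1.100 from the DHCP pool (a constructed example address); the expected outcomes follow from the zone assignments, the two security policy rules and the easy-ip NAT rule.

```text
# On the firewall: every interface should appear in exactly one zone
[fw]display zone
# The default route towards 202.200.100.1 must be in the routing table
[fw]display ip routing-table
# The DHCP pool should show leases on 192.168.1.0/24
[fw]display ip pool name trust
# Both policy rule sets should be present and enabled
[fw]display nat-policy rule all
[fw]display security-policy rule all

# Link test towards the ISP: next hop of the default route must answer
[fw]ping 202.200.100.1

# From a trust host (constructed example address 192.168.1.100):
#   ping 192.168.1.1        firewall trust interface, answered because of service-manage ping permit
#   ping 172.16.1.1         firewall dmz interface, needs the trust-dmz rule plus service-manage ping permit
#   ping 100.100.100.100    ISP loopback, needs the trust-untrust rule and the easy-ip NAT rule
#   ping 202.200.100.2      firewall untrust interface, expected to fail: no service-manage ping permit on GE1/0/0

# While the ping to 100.100.100.100 runs, the session table shows the translated source:
# the original 192.168.1.100 source with 202.200.100.2 in square brackets as the post-NAT address
[fw]display firewall session table verbose
```

If the ping to 100.100.100.100 fails while the session table shows no entry, the traffic is being dropped by the security policy (check that the host's address is inside 192.168.1.0/24 and that GE1/0/2 is in trust); if a session exists but shows no translated address in brackets, the NAT rule did not match, and the source-address, zones and service list of the nat-policy rule should be compared against the security-policy rule.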