华为USG6000V防火墙简单配置案例
如图,PC1是企业内网用户,要通过防火墙NAT方式( 1.1.1.105-1.1.1.106 )访问Internet,Server是企业的FTP服务器,通过静态NAT方式供外网用户访问,对外的地址是1.1.1.100。FW1是企业边界防火墙,充当路由和保护企业安全的责任。AR1、AR2是外网路由器。
PC1是Trust区域、Server是DMZ区域,AR1、AR2是Untrust区域。
现在通过配置防火墙,使企业内网用户能通过PAT(端口多路复用)方式上网。
首先,防火墙上新建一个Nat Pool,供内网用户以NAT方式访问外网
然后在配置Nat策略
然后再防火墙上配置一个策略,使得trust区域可以访问untrust区域
配置默认路由,指向AR1
最后再设置到达Nat Pool的静态路由,指向一个空接口,防止路由黑洞
现在通过配置防火墙,使得外网用户能访问企业DMZ区域的FTP服务器(双向nat)
先配置服务器对外静态映射
在防火墙上配置一个策略,使得untrust区域能访问DMZ区域
接着在配置一个nat pool地址池,目的是作为外网用户访问内网服务器后nat的内网地址
在配置一个nat策略。注意,这个nat策略和内网nat外网有所不同!!!
最后再配置一个到达服务器对外地址的静态路由,防止路由黑洞
至此,配置完成!!
以下是配置
PC1
PC>ipconfig IPv4 address......................: 10.1.1.1 Subnet mask.......................: 255.255.255.0 Gateway...........................: 10.1.1.254 Physical address..................: 54-89-98-6C-7F-9E
FTP-Server
PC>ipconfig IPv4 address......................: 10.1.2.1 Subnet mask.......................: 255.255.255.0 Gateway...........................: 10.1.2.254 Physical address..................: 54-89-98-30-75-F0
FW1
[FW1]display current-configuration # ip address-set FTP_Server type object address 0 10.1.2.0 mask 24 # interface GigabitEthernet1/0/0 undo shutdown ip address 10.1.2.254 255.255.255.0 # interface GigabitEthernet1/0/1 undo shutdown ip address 10.1.1.254 255.255.255.0 # interface GigabitEthernet1/0/2 undo shutdown ip address 1.1.1.1 255.255.255.0 service-manage ping permit # firewall zone trust set priority 85 add interface GigabitEthernet0/0/0 add interface GigabitEthernet1/0/1 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/2 # firewall zone dmz set priority 50 add interface GigabitEthernet1/0/0 # ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 1.1.1.2 ip route-static 1.1.1.100 255.255.255.255 NULL0 ip route-static 1.1.1.105 255.255.255.255 NULL0 ip route-static 1.1.1.106 255.255.255.255 NULL0 # nat server FTP 0 zone untrust protocol tcp global 1.1.1.100 ftp inside 10.1.2.1 //静态映射 ftp no-reverse # nat address-group "nat pool" 0 //内网nat地址池 mode pat section 0 1.1.1.105 1.1.1.106 # nat address-group "dmz pool" 1 //外网访问ftp服务器的内网地址池 mode pat section 0 10.1.2.100 10.1.2.100 # security-policy //安全策略 rule name Internet source-zone trust destination-zone untrust action permit rule name Ftp source-zone untrust destination-zone dmz service ftp action permit #
AR1
[AR1]display current-configuration # interface GigabitEthernet0/0/0 ip address 1.1.1.2 255.255.255.0 # interface GigabitEthernet0/0/1 ip address 12.1.1.1 255.255.255.0 # ospf 100 router-id 11.1.1.1 import-route direct area 0.0.0.0 network 12.1.1.1 0.0.0.0 #
AR2
[AR2]display current-configuration # interface GigabitEthernet0/0/1 ip address 12.1.1.2 255.255.255.0 # interface GigabitEthernet0/0/2 # ospf 100 router-id 22.2.2.2 area 0.0.0.0 network 12.1.1.2 0.0.0.0 #
