Basic configuration of an H3C F1050 firewall from factory defaults to internet access
Entirely in command-line mode
The default account and password for both console and web access are admin
Basic cabling: console cable from the console port to the PC's COM port
Network cable from the PC's NIC to the g1/0/0 port (factory default IP: 192.168.0.1/24)
Full console configuration process
(1) Restore factory defaults
<H3C>reset saved-configuration
The saved configuration file will be erased. Are you sure? [Y/N]:y
Configuration file in flash: is being cleared.
Please wait ...
MainBoard:
Configuration file is cleared.
(2) Reboot without saving
<H3C>reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
Current configuration may be lost after the reboot, save current configuration? [Y/N]:n
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait...
(3) Name the firewall
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname H3C_F1050
(4) Add ports to zones: the Trust zone contains the internal interfaces
[H3C_F1050]security-zone name Trust
[H3C_F1050-security-zone-Trust]import interface g1/0/0---the port that has an IP by factory default; connect the PC to this port for web, telnet or similar configuration
[H3C_F1050-security-zone-Trust]import interface g1/0/2---internal interface connecting the PC used to test internet access
[H3C_F1050-security-zone-Trust]
(5) Add ports to the Untrust zone (all outbound interfaces go into the Untrust zone)
[H3C_F1050]security-zone name Untrust
[H3C_F1050-security-zone-Untrust]import interface g1/0/14---outbound interface connecting to the ISP
[H3C_F1050-security-zone-Untrust]
(6) Local<-->Trust inter-zone policy (a bidirectional permit policy between Local and Trust; once it is configured, the default G1/0/0 interface can be reached by web and telnet), so from this point on you can either continue with CLI configuration or use the web UI, which is more convenient
[H3C_F1050]object-policy ip Trust-Local
[H3C_F1050-object-policy-ip-Trust-Local]rule pass
[H3C_F1050-object-policy-ip-Trust-Local]quit
[H3C_F1050]object-policy ip Local-Trust
[H3C_F1050-object-policy-ip-Local-Trust]rule pass
[H3C_F1050-object-policy-ip-Local-Trust]quit
At this point you can continue with CLI configuration, or log in to the F1050 via the web UI for quick configuration
(A) Rough web-configuration path: work item by item through the left-hand navigation, roughly:
interface configuration, IP configuration, address pool, static route (gateway), dynamic NAT, firewall zone ports, zone policies, and so on; that is all that is needed
Note: when accessing the default management port g1/0/0 (IP 192.168.0.1) via the web, start the URL with http://***, because https is not enabled by default
(B) Continuing with CLI configuration:
(7) Trust<--->Untrust inter-zone policy; configuring only the one-way Trust->Untrust policy is enough for the internal network to reach the internet via dynamic NAT
[H3C_F1050]object-policy ip Trust-Untrust
[H3C_F1050-object-policy-ip-Trust-Untrust]rule pass
[H3C_F1050-object-policy-ip-Trust-Untrust]quit
If all you need is internet access, the following Untrust->Trust inter-zone policy can be omitted
[H3C_F1050]object-policy ip Untrust-Trust
[H3C_F1050-object-policy-ip-Untrust-Trust]rule pass
[H3C_F1050-object-policy-ip-Untrust-Trust]quit
[H3C_F1050]
(8) Applying (activating) the inter-zone policies
[H3C_F1050]zone-pair security source Local destination Trust
[H3C_F1050-zone-pair-security-Local-Trust]object-policy apply ip Local-Trust
[H3C_F1050-zone-pair-security-Local-Trust]quit
[H3C_F1050]
[H3C_F1050]zone-pair security source Trust destination Local
[H3C_F1050-zone-pair-security-Trust-Local]object-policy apply ip Trust-Local
[H3C_F1050-zone-pair-security-Trust-Local]quit
[H3C_F1050]
[H3C_F1050]zone-pair security source Trust destination Untrust
[H3C_F1050-zone-pair-security-Trust-Untrust]object-policy apply ip Trust-Untrust
[H3C_F1050-zone-pair-security-Trust-Untrust]quit
[H3C_F1050]zone-pair security source Untrust destination Trust
[H3C_F1050-zone-pair-security-Untrust-Trust]object-policy apply ip Untrust-Trust
[H3C_F1050-zone-pair-security-Untrust-Trust]quit
[H3C_F1050]
(9) Internal interface for testing internet access (inside port)
[H3C_F1050]interface g1/0/2
[H3C_F1050-GigabitEthernet1/0/2]ip address 192.168.2.254 24
[H3C_F1050-GigabitEthernet1/0/2]quit
[H3C_F1050]
(10) Outbound interface (connects to the ISP; the parameters, including the gateway, are provided by the ISP)
[H3C_F1050]interface g1/0/14
[H3C_F1050-GigabitEthernet1/0/14]ip address 172.16.11.11 24
[H3C_F1050-GigabitEthernet1/0/14]quit
[H3C_F1050]
(11) Default route, pointing to the gateway provided by the ISP (supplied together with the IP)
[H3C_F1050]ip route-static 0.0.0.0 0 172.16.11.254 description ***
(12) Define basic ACL 2000 permitting the whole internal network to go online via NAT
[H3C_F1050]acl number 2000
[H3C_F1050-acl-basic-2000]rule permit
[H3C_F1050-acl-basic-2000]dis this
#
acl number 2000
rule 0 permit
#
return
[H3C_F1050-acl-basic-2000]quit
[H3C_F1050]
(13) Configure dynamic NAT (source address translation)
[H3C_F1050]interface g1/0/14
[H3C_F1050-GigabitEthernet1/0/14]nat outbound 2000
[H3C_F1050-GigabitEthernet1/0/14]quit
[H3C_F1050]
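The steps above leave two deliberately broad settings in place: the Untrust->Trust policy with an unconditional rule pass (which the page itself says can be omitted when the box is only used for internet access), and ACL 2000 with a bare rule permit feeding nat outbound. The following script is an added example, not part of the original post and not an H3C tool; it parses a small constructed config in the style of display current-configuration, resolves zone-pair to policy to rules, and flags those two patterns plus any addressed interface that was never imported into a zone. The hardened variant drops the Untrust->Trust zone pair, as the page suggests, and restricts ACL 2000 with a source keyword; the ACL syntax is an assumption about Comware and is not shown on this page.

```python
"""Audit the subset of Comware config used in the F1050 walkthrough above.

Added example (not H3C code). Understands security-zone imports, object-policy
rules, zone-pair applications, interface IP / nat outbound, and ACL rules.
"""
from collections import defaultdict

# Constructed sample mirroring the page's commands; not captured from a device.
SAMPLE_CONFIG = """\
sysname H3C_F1050
security-zone name Trust
 import interface GigabitEthernet1/0/0
 import interface GigabitEthernet1/0/2
security-zone name Untrust
 import interface GigabitEthernet1/0/14
object-policy ip Trust-Local
 rule 0 pass
object-policy ip Local-Trust
 rule 0 pass
object-policy ip Trust-Untrust
 rule 0 pass
object-policy ip Untrust-Trust
 rule 0 pass
zone-pair security source Local destination Trust
 object-policy apply ip Local-Trust
zone-pair security source Trust destination Local
 object-policy apply ip Trust-Local
zone-pair security source Trust destination Untrust
 object-policy apply ip Trust-Untrust
zone-pair security source Untrust destination Trust
 object-policy apply ip Untrust-Trust
interface GigabitEthernet1/0/2
 ip address 192.168.2.254 255.255.255.0
interface GigabitEthernet1/0/14
 ip address 172.16.11.11 255.255.255.0
 nat outbound 2000
acl number 2000
 rule 0 permit
"""

# Hardened variant: no Untrust->Trust pair (as the page suggests) and the NAT
# ACL limited to the inside subnet. The "source <net> <wildcard>" form is an
# assumption about Comware basic-ACL syntax, not something shown on the page.
SAMPLE_HARDENED = SAMPLE_CONFIG.replace(
    "zone-pair security source Untrust destination Trust\n"
    " object-policy apply ip Untrust-Trust\n", ""
).replace(
    " rule 0 permit\n", " rule 0 permit source 192.168.2.0 0.0.0.255\n"
)


def parse_config(text):
    """Parse top-level context lines (column 0) and their one-space-indented children."""
    cfg = {
        "zones": defaultdict(set),        # zone name -> set of interfaces
        "policies": defaultdict(list),    # object-policy name -> rule bodies
        "zone_pairs": {},                 # (src, dst) -> applied policy name
        "interfaces": defaultdict(dict),  # interface -> {"ip": ..., "nat_acl": ...}
        "acls": defaultdict(list),        # ACL number -> rule bodies
    }
    ctx = None  # (kind, key) of the block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line in ("#", "return"):
            continue
        words = line.split()
        if not raw.startswith(" "):  # a new context line
            if words[0] == "security-zone":
                ctx = ("zone", words[2]); cfg["zones"][words[2]]  # create even if empty
            elif words[0] == "object-policy":
                ctx = ("policy", words[2]); cfg["policies"][words[2]]
            elif words[0] == "zone-pair":  # zone-pair security source X destination Y
                ctx = ("pair", (words[3], words[5]))
            elif words[0] == "interface":
                ctx = ("iface", words[1]); cfg["interfaces"][words[1]]
            elif words[0] == "acl":  # "acl number 2000" or "acl basic 2000"
                ctx = ("acl", words[-1]); cfg["acls"][words[-1]]
            else:
                ctx = None
            continue
        if ctx is None:
            continue
        kind, key = ctx
        if kind == "zone" and words[:2] == ["import", "interface"]:
            cfg["zones"][key].add(words[2])
        elif kind in ("policy", "acl") and words[0] == "rule":
            body = words[2:] if words[1].isdigit() else words[1:]  # drop rule id
            cfg["policies" if kind == "policy" else "acls"][key].append(" ".join(body))
        elif kind == "pair" and words[:3] == ["object-policy", "apply", "ip"]:
            cfg["zone_pairs"][key] = words[3]
        elif kind == "iface" and words[:2] == ["ip", "address"]:
            cfg["interfaces"][key]["ip"] = words[2]
        elif kind == "iface" and words[:2] == ["nat", "outbound"]:
            cfg["interfaces"][key]["nat_acl"] = words[2]
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    zoned = set().union(*cfg["zones"].values())
    for (src, dst), policy in cfg["zone_pairs"].items():
        rules = cfg["policies"].get(policy)
        if rules is None:
            findings.append(f"zone-pair {src}->{dst} applies undefined policy {policy}")
        elif src == "Untrust" and "pass" in rules:  # bare "pass" = match anything
            findings.append(f"zone-pair {src}->{dst}: policy {policy} passes all traffic from {src}")
    for name, props in cfg["interfaces"].items():
        if "ip" in props and name not in zoned:
            findings.append(f"{name} has IP {props['ip']} but is in no security zone")
        acl = props.get("nat_acl")
        if acl is not None and "permit" in cfg["acls"].get(acl, []):
            findings.append(f"{name}: nat outbound {acl} matches any source (rule permit without source)")
    return findings


if __name__ == "__main__":
    for label, text in (("as on the page", SAMPLE_CONFIG), ("hardened", SAMPLE_HARDENED)):
        print(f"[{label}]")
        for finding in audit(parse_config(text)) or ["no findings"]:
            print("  -", finding)
```

Run it as-is to see the two findings for the page's configuration and none for the hardened one; to audit a real box, paste the output of display current-configuration into SAMPLE_CONFIG. The check is intentionally narrow: it only recognises a rule body that is exactly pass or permit as "match anything", so any qualifier (source-ip, service, source) is treated as a restriction, which is the conservative direction for a first review.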
(14) Save the configuration
[H3C_F1050]save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait...
Saved the current configuration to mainboard device successfully.
[H3C_F1050]
(15) Configure the DHCP service and an address pool for G1/0/2, so that PCs connected to G1/0/2 obtain an internet-capable IP automatically
[H3C_F1050]dhcp enable
[H3C_F1050]dhcp server ip-pool BaseInterface2
[H3C_F1050-dhcp-pool-BaseInterface2]network 192.168.2.0 24
[H3C_F1050-dhcp-pool-BaseInterface2]gateway 192.168.2.254
[H3C_F1050-dhcp-pool-BaseInterface2]dns-list 202.99.166.4 222.222.222.222
[H3C_F1050-dhcp-pool-BaseInterface2]
For the DHCP pool, you can use forbidden under the pool to exclude individual IPs from allocation,
or use dhcp server forbidden in system view to exclude a range of IPs from allocation