华为防火墙小型企业边界网关配置实例
组网及规划:
华为USG6000作为边界网关实现企业内部网络出口,防火墙实现内部网络NAT功能实现访问Internet功能
实现公司财务部门访问内网服务器。
办公网络不能访问内网服务器,
办公室及财务部均可以访问外网。
外部网络可以通过NatServer实现外部网络通过8080端口访问内网服务器80端口。
网络规划:办公网地址段:192.168.10.0/24 VLAN:10
财务地址段:192.168.20.0/24 VLAN:20
服务器地址段:192.168.200.0/24
运营商固定IP地址:202.1.1.1/24
网络组网见下图:
sysname BanGong
#
vlan batch 10
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
财务接入交换机配置:
sysname CaiWu
#
vlan batch 20
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
#
核心交换机配置:
sysname SW
#
undo info-center enable
#
vlan batch 10 20 100
#
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/21
eth-trunk 2
#
interface GigabitEthernet0/0/22
eth-trunk 2
#
interface GigabitEthernet0/0/23
eth-trunk 1
#
interface GigabitEthernet0/0/24
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.2
#
防火墙配置:
acl number 2000
rule 5 permit source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 202.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.100.2 255.255.255.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.200.254 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 202.1.1.2
ip route-static 192.168.10.0 255.255.255.0 192.168.100.1
ip route-static 192.168.20.0 255.255.255.0 192.168.100.1
#
nat server 0 protocol tcp global 202.1.1.1 8080 inside 192.168.200.1 www
#
security-policy
rule name policy_ses_1
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action permit
rule name policy_ses_2
source-zone trust
destination-zone dmz
source-address 192.168.20.0 mask 255.255.255.0
action permit
rule name policy_ses_3
source-zone trust
destination-zone untrust
source-address 192.168.20.0 mask 255.255.255.0
action permit
rule name Untrust_DMA
source-zone untrust
destination-zone dmz
destination-address 192.168.200.1 mask 255.255.255.255
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet0/0/0
source-address 192.168.10.0 mask 255.255.255.0
action source-nat easy-ip
rule name policy_nat_2
source-zone trust
egress-interface GigabitEthernet0/0/0
source-address 192.168.20.0 mask 255.255.255.0
action source-nat easy-ip
验证配置:办公PC可以访问Internet,不能访内网问服务器。