Huawei Firewall 1
Lab topology:
Lab steps:
1. Configure basic IP information on the terminals
2. Configure the firewall:
2.1 Configure IP addresses
sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo in e
Info: Saving log files…
Info: Information center is disabled.
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip add 172.16.1.254 24
[USG6000V1-GigabitEthernet1/0/2]int g1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip add 64.1.1.1 24
[USG6000V1-GigabitEthernet1/0/3]q
2.2 Configure security zones
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add int g1/0/1
[USG6000V1-zone-trust]q
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add int g1/0/3
[USG6000V1-zone-untrust]q
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add int g1/0/2
[USG6000V1-zone-dmz]
2.3 Configure security policy
2.3.1 My internal host must be able to reach the firewall itself
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name neiwang-to-fhq
[USG6000V1-policy-security-rule-neiwang-to-fhq]source-zone trust
[USG6000V1-policy-security-rule-neiwang-to-fhq]destination-zone untrust
[USG6000V1-policy-security-rule-neiwang-to-fhq]action permit
After this configuration, testing showed that PC1 (192.168.1.10) still could not ping the firewall's g1/0/1 interface, 192.168.1.254.
The interface's service management must be enabled to permit the ping action:
[USG6000V1-GigabitEthernet1/0/1]service-manage ping permit
Testing communication between PC1 and the firewall again, the ping now succeeds.
Summary: for the firewall to be pingable once its IP addresses are configured, three things are needed: 1. the security zones are configured; 2. the security policy is configured; 3. ping is permitted on the interface (service-manage).
2.3.2 My internal host must be able to access the Internet (external network)
Configure a security policy that permits packets from the internal trust zone to the external untrust zone.
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name nei-wai    (rule: internal network to external network)
[USG6000V1-policy-security-rule-nei-wai]source-zone trust
[USG6000V1-policy-security-rule-nei-wai]destination-zone untrust
[USG6000V1-policy-security-rule-nei-wai]action permit
[USG6000V1-policy-security-rule-nei-wai]
NAT: translate private source addresses to the public address as traffic goes out.
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name dianxin    (rule: typical broadband uplink)
[USG6000V1-policy-nat-rule-dianxin]source-zone trust
[USG6000V1-policy-nat-rule-dianxin]destination-zone untrust
[USG6000V1-policy-nat-rule-dianxin]action source-nat easy-ip
[USG6000V1-policy-nat-rule-dianxin]
Test: ping an external address from the internal network.
The screenshot above shows that the internal network can now reach the external network, and the firewall's public-facing exit can be pinged.
*** If the ping fails, one more firewall policy rule is needed (a NAT rule for the local zone), as follows:
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name local-to-waiwang
[USG6000V1-policy-nat-rule-local-to-waiwang]source-zone local
[USG6000V1-policy-nat-rule-local-to-waiwang]destination-zone untrust
[USG6000V1-policy-nat-rule-local-to-waiwang]action source-nat easy-ip
[USG6000V1-policy-nat-rule-local-to-waiwang]
Configure routing: give the firewall a route to 6.6.6.6.
[USG6000V1]ip route-static 0.0.0.0 0.0.0.0 64.1.1.2
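Added example, not part of the original lab notes and not Huawei code: a small Python model of how the pieces configured above decide what happens to a ping from a host. It copies the lab's interface-to-zone mapping, security policy rules, the dianxin easy-ip NAT rule, the default route and the service-manage setting on g1/0/1, and then walks a packet through the same checks the summary in 2.3.1 lists (zone membership, policy with implicit deny, service-manage for traffic to the firewall's own address), plus route lookup and source NAT for traffic to the Internet. Traffic originated by the firewall itself (local zone) is not modelled. The host 6.6.6.6, the DMZ host 172.16.1.10 and the assumption that service-manage is evaluated on the inbound interface are constructed for this example.

```python
"""Model of the lab's USG6000V1 forwarding decisions (added example, not vendor code)."""
import ipaddress

# 2.1 / 2.2: interface -> (address, security zone), copied from the lab
INTERFACES = {
    "GigabitEthernet1/0/1": ("192.168.1.254/24", "trust"),
    "GigabitEthernet1/0/2": ("172.16.1.254/24", "dmz"),
    "GigabitEthernet1/0/3": ("64.1.1.1/24", "untrust"),
}

# 2.3: security policy rules in configured order; first match wins, default deny
SECURITY_POLICY = [
    {"name": "neiwang-to-fhq", "src": "trust", "dst": "untrust", "action": "permit"},
    {"name": "nei-wai", "src": "trust", "dst": "untrust", "action": "permit"},
]

# 2.3.2: NAT policy; easy-ip translates the source to the egress interface address
NAT_POLICY = [
    {"name": "dianxin", "src": "trust", "dst": "untrust", "action": "easy-ip"},
]

# Static routes as (destination prefix, next hop); the default route from the lab
STATIC_ROUTES = [("0.0.0.0/0", "64.1.1.2")]

# Interfaces with "service-manage ping permit" (only g1/0/1 in the lab)
SERVICE_MANAGE_PING = {"GigabitEthernet1/0/1"}


def connected_routes():
    """Every configured interface contributes a connected route for its subnet."""
    return [(ipaddress.ip_network(addr, strict=False), name)
            for name, (addr, _zone) in INTERFACES.items()]


def egress_interface(dst_ip):
    """Longest-prefix match over connected and static routes.
    A static next hop is resolved through a connected route; returns None if unroutable."""
    dst = ipaddress.ip_address(dst_ip)
    best = None  # (prefix length, interface)
    for net, iface in connected_routes():
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    for prefix, nexthop in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            for cnet, ciface in connected_routes():
                if ipaddress.ip_address(nexthop) in cnet:
                    best = (net.prefixlen, ciface)
    return best[1] if best else None


def owns_address(ip):
    """True if ip is one of the firewall's own interface addresses."""
    target = ipaddress.ip_address(ip)
    return any(ipaddress.ip_interface(addr).ip == target for addr, _zone in INTERFACES.values())


def first_match(rules, src_zone, dst_zone):
    """Return the first rule whose zone pair matches, or None (implicit deny)."""
    for rule in rules:
        if rule["src"] == src_zone and rule["dst"] == dst_zone:
            return rule
    return None


def forward(in_iface, src_ip, dst_ip):
    """Decide the fate of one ping arriving on in_iface from src_ip to dst_ip.
    Returns the action, the reason, and the source address seen at the far end."""
    src_zone = INTERFACES[in_iface][1]
    if owns_address(dst_ip):
        # Packet addressed to the firewall itself: the inbound interface's
        # service-manage setting decides (assumption: evaluated on inbound interface).
        permitted = in_iface in SERVICE_MANAGE_PING
        return {"action": "permit" if permitted else "deny",
                "reason": "service-manage ping " + ("permit" if permitted else "not enabled"),
                "src_seen": src_ip}
    out_iface = egress_interface(dst_ip)
    if out_iface is None:
        return {"action": "deny", "reason": "no route", "src_seen": src_ip}
    dst_zone = INTERFACES[out_iface][1]
    rule = first_match(SECURITY_POLICY, src_zone, dst_zone)
    if rule is None or rule["action"] != "permit":
        return {"action": "deny", "reason": f"no permit rule {src_zone}->{dst_zone} (default deny)",
                "src_seen": src_ip}
    nat = first_match(NAT_POLICY, src_zone, dst_zone)
    src_seen = src_ip
    if nat is not None and nat["action"] == "easy-ip":
        src_seen = str(ipaddress.ip_interface(INTERFACES[out_iface][0]).ip)
    return {"action": "permit", "reason": f"rule {rule['name']}" + (f", nat {nat['name']}" if nat else ""),
            "src_seen": src_seen, "out_iface": out_iface}


if __name__ == "__main__":
    cases = [("GigabitEthernet1/0/1", "192.168.1.10", "192.168.1.254"),  # PC1 -> firewall
             ("GigabitEthernet1/0/1", "192.168.1.10", "6.6.6.6"),        # PC1 -> Internet
             ("GigabitEthernet1/0/2", "172.16.1.10", "6.6.6.6"),         # DMZ -> Internet
             ("GigabitEthernet1/0/1", "192.168.1.10", "172.16.1.10")]    # PC1 -> DMZ
    for iface, s, d in cases:
        print(s, "->", d, forward(iface, s, d))
```

Running the block shows the three cases the lab exercises (PC1 to the interface succeeds only because of service-manage, PC1 to the Internet is permitted and leaves as 64.1.1.1) and two it does not: without a dmz->untrust or trust->dmz rule those flows hit the implicit deny, which is the behaviour to expect when a new zone is added without a matching policy.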