华为防火墙配置手册 华为USG防火墙NAT配置

[FW]firewall packet-filter default permitall

13:51:19 2014/07/08

Warning:Setting the default packetfiltering to permit poses security risks. You

are advised to configure the securitypolicy based on the actual data flows. Are

you sure you want to continue?[Y/N]y

[FW]ping -c 1 10.0.10.1

13:51:56 2014/07/08

 PING 10.0.10.1: 56  data bytes,press CTRL_C to break

   Reply from 10.0.10.1: bytes=56 Sequence=1 ttl=255 time=90 ms

  ---10.0.10.1 ping statistics ---

    1packet(s) transmitted

    1packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 90/90/90 ms

[FW]ping -c 1 10.0.20.2

13:52:08 2014/07/08

 PING 10.0.20.2: 56  data bytes,press CTRL_C to break

   Reply from 10.0.20.2: bytes=56 Sequence=1 ttl=255 time=400 ms

  ---10.0.20.2 ping statistics ---

    1packet(s) transmitted

    1packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 400/400/400 ms

[FW]ping -c 1 10.0.30.3

13:52:18 2014/07/08

 PING 10.0.30.3: 56  data bytes,press CTRL_C to break

   Reply from 10.0.30.3: bytes=56 Sequence=1 ttl=255 time=410 ms

  ---10.0.30.3 ping statistics ---

    1packet(s) transmitted

    1packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 410/410/410 ms

步骤三.配置静态路由，实现网络的连通性 

        在R2和R3上配置缺省路由，在FW上配置明确的静态路由，实现三个loopback0接口之间的通信。R1无需定义缺省路由，原因是其作为internet设备，他不需要知道内部和DMZ区域的私有网络信息。

[R2]ip route-static 0.0.0.0 0 10.0.20.254

[R3]ip route-static 0.0.0.0 0 10.0.30.254

[FW]ip route-static 10.0.1.0 24 10.0.10.1

13:58:26 2014/07/08

[FW]ip route-static 10.0.2.0 24 10.0.20.2

13:58:40 2014/07/08

[FW]ip route-static 10.0.3.0 24 10.0.30.3

13:58:52 2014/07/08

        在防火墙上测试与10.0.1.0、10.0.2.0、10.0.3.0之间的连通性。

[FW]ping -c 1 10.0.1.1

14:00:18 2014/07/08

 PING 10.0.1.1: 56  data bytes,press CTRL_C to break

   Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=80 ms

  ---10.0.1.1 ping statistics ---

    1packet(s) transmitted

    1packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 80/80/80 ms

[FW]ping -c 1 10.0.2.2

14:00:25 2014/07/08

 PING 10.0.2.2: 56  data bytes,press CTRL_C to break

   Reply from 10.0.2.2: bytes=56 Sequence=1 ttl=255 time=170 ms

  ---10.0.2.2 ping statistics ---

    1packet(s) transmitted

    1packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 170/170/170 ms

[FW]ping -c 1 10.0.3.3

14:00:29 2014/07/08

 PING 10.0.3.3: 56  data bytes,press CTRL_C to break

   Reply from 10.0.3.3: bytes=56 Sequence=1 ttl=255 time=110 ms

  ---10.0.3.3 ping statistics ---

    1packet(s) transmitted

    1packet(s) received

   0.00% packet loss

   round-trip min/avg/max = 110/110/110 ms

        目前配置下，所有区域之间可以通讯，不被检查。但是由于当前尚未定义NAT，外部区域不能与内部和DMZ区域相互访问。 

步骤四.配置区域间的安全过滤 

         配置从Trust区域的部分网段10.0.2.3发往Untrust区域的数据包被放行。从Untrust区域发往DMZ目标服务器10.0.3.3的telnet请求被放行。

[FW]firewall session link-state check

[FW]policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound]policy0

14:06:57 2014/07/08

[FW-policy-interzone-trust-untrust-outbound-0]policysource 10.0.2.0 0.0.0.255

14:07:18 2014/07/08

[FW-policy-interzone-trust-untrust-outbound-0]actionpermit

14:07:31 2014/07/08

[FW-policy-interzone-trust-untrust-outbound-0]q

14:07:40 2014/07/08

[FW-policy-interzone-trust-untrust-outbound]q

14:07:40 2014/07/08

]policy interzone dmz untrust inbound

14:09:01 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound]policy0

14:09:08 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound-0]policydestination 10.0.3.3 0

14:09:37 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound-0]policyservice service-set telnet

[FW-policy-interzone-dmz-untrust-inbound-0]actionpermit

14:09:55 2014/07/08

[FW-policy-interzone-dmz-untrust-inbound-0]q

14:09:55 2014/07/08

步骤五.配置Easy-Ip，实现Trust区域到Untrust区域的访问。 

       配置使用Easy-IP，进行NAT源地址转换。并且将NAT与接口进行绑定。

[FW-nat-policy-interzone-trust-untrust-outbound]policy0

最新评论