Huawei Firewall Routing-Mode Configuration (3)
Lab background:
The company is expanding within its campus and wants to share the existing network with a second office area while adding a Huawei firewall. To change the existing network as little as possible, the FW is not deployed at the Internet exit but between the exit router and the Layer 3 switches.
Lab objective:
Learn the basic procedure for configuring a firewall in routing mode. Deployment: router -> firewall -> two Layer 3 switches, with full network connectivity.
Network addresses and topology:
Configuration requirements:
Full network reachability.
Configuration steps:
L2-SW-1 configuration
L2-SW-2, L2-SW-3 and L2-SW-4 are configured the same way and are omitted.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname L2-SW-1
[L2-SW-1]vlan batch 1081 1082
Info: This operation may take a few seconds. Please wait for a moment...done.
[L2-SW-1]int gi 0/0/2
[L2-SW-1-GigabitEthernet0/0/2]port link-type access
[L2-SW-1-GigabitEthernet0/0/2]port default vlan 1081
[L2-SW-1-GigabitEthernet0/0/2]q
[L2-SW-1]int gi 0/0/3
[L2-SW-1-GigabitEthernet0/0/3]port link-type access
[L2-SW-1-GigabitEthernet0/0/3]port default vlan 1082
[L2-SW-1-GigabitEthernet0/0/3]q
[L2-SW-1]int gi 0/0/1
[L2-SW-1-GigabitEthernet0/0/1]port link-type trunk
[L2-SW-1-GigabitEthernet0/0/1]port trunk allow-pass vlan 1081 1082
[L2-SW-1-GigabitEthernet0/0/1]
L3-SW-2 configuration:
L3-SW-1 is configured the same way and is omitted.
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname L3-SW-2
[L3-SW-2]vlan batch 1091 1092 1093 1094 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[L3-SW-2]int gi 0/0/2
[L3-SW-2-GigabitEthernet0/0/2]port link-type trunk
[L3-SW-2-GigabitEthernet0/0/2]port trunk allow-pass vlan 1091 1092 300
[L3-SW-2-GigabitEthernet0/0/2]q
[L3-SW-2]int gi 0/0/3
[L3-SW-2-GigabitEthernet0/0/3]port link-type trunk
[L3-SW-2-GigabitEthernet0/0/3]port trunk allow-pass vlan 1093 1094 300
[L3-SW-2-GigabitEthernet0/0/3]q
[L3-SW-2]int gi 0/0/1
[L3-SW-2-GigabitEthernet0/0/1]port link-type access
[L3-SW-2-GigabitEthernet0/0/1]q
[L3-SW-2]int vlanif 300
[L3-SW-2-Vlanif300]ip addr 192.168.202.1 30
[L3-SW-2-Vlanif300]q
[L3-SW-2]int gi 0/0/1
[L3-SW-2-GigabitEthernet0/0/1]port default vlan 300
[L3-SW-2-GigabitEthernet0/0/1]q
[L3-SW-2]ip route-static 0.0.0.0 0.0.0.0 192.168.202.2
[L3-SW-2]int vlanif 1091 // gateway for the VLAN 1091 subnet
[L3-SW-2-Vlanif1091]ip addr 10.180.109.1 26
[L3-SW-2-Vlanif1091]q
[L3-SW-2]int vlanif 1092 // gateway for the VLAN 1092 subnet
[L3-SW-2-Vlanif1092]ip addr 10.180.109.65 26
[L3-SW-2-Vlanif1092]q
[L3-SW-2]int vlanif 1093 // gateway for the VLAN 1093 subnet
[L3-SW-2-Vlanif1093]ip addr 10.180.109.129 26
[L3-SW-2-Vlanif1093]q
[L3-SW-2]int vlanif 1094 // gateway for the VLAN 1094 subnet
[L3-SW-2-Vlanif1094]ip addr 10.180.109.193 26
[L3-SW-2-Vlanif1094]q
[L3-SW-2]
AR router configuration:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]sysname AR
[AR]int gi 0/0/0
[AR-GigabitEthernet0/0/0]
<AR>sys
Enter system view, return user view with Ctrl+Z.
[AR]int gi 0/0/0
[AR-GigabitEthernet0/0/0]ip addr 192.168.200.1 29
[AR-GigabitEthernet0/0/0]q
[AR]ip route-static 0.0.0.0 0.0.0.0 192.168.200.2
[AR]q
FW firewall configuration:
The device is running!
Login authentication
Username:admin
Password:
The password needs to be changed. Change now? [Y/N]: y
Please enter old password:
Please enter new password:
Please confirm new password:
Info: Your password has been changed. Save the change to survive a reboot.
*************************************************************************
* Copyright (C) 2014-2018 Huawei Technologies Co., Ltd. *
* All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
*************************************************************************
<USG6000V1>
<USG6000V1>
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]un in en
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]sysname FW
[FW]int gi 0/0/0
[FW-GigabitEthernet0/0/0]dis th
2020-08-25 10:04:02.320
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default // default configuration, must be removed
 ip address 192.168.0.1 255.255.255.0 // default configuration, must be removed
 alias GE0/METH // default configuration, must be removed
#
return
[FW-GigabitEthernet0/0/0]undo ip binding vpn-instance default
Info: All IPv4 related configurations on this interface are removed!
Info: All IPv6 related configurations on this interface are removed!
[FW-GigabitEthernet0/0/0]dis th
2020-08-25 10:04:34.050
#
interface GigabitEthernet0/0/0
 undo shutdown
 alias GE0/METH
#
return
[FW-GigabitEthernet0/0/0]int gi 1/0/0 // compare with gi1/0/0: gi0/0/0 must be brought to the same state
[FW-GigabitEthernet1/0/0]dis th
2020-08-25 10:04:42.410
#
interface GigabitEthernet1/0/0
 undo shutdown
#
return
[FW-GigabitEthernet1/0/0]int gi 0/0/0
[FW-GigabitEthernet0/0/0]dis th
2020-08-25 10:04:54.340
#
interface GigabitEthernet0/0/0
 undo shutdown
 alias GE0/METH
#
return
[FW-GigabitEthernet0/0/0]undo alias
[FW-GigabitEthernet0/0/0]dis th
2020-08-25 10:05:11.510
#
interface GigabitEthernet0/0/0
 undo shutdown
#
return
[FW]int gi 0/0/0 // configure the port connected to the AR
[FW-GigabitEthernet0/0/0]ip addr 192.168.200.2 29
[FW-GigabitEthernet0/0/0]service-manage ping permit
[FW-GigabitEthernet0/0/0]q
[FW]int gi 1/0/0 // configure the port connected to L3 switch 1
[FW-GigabitEthernet1/0/0]ip addr 192.168.201.2 30
[FW-GigabitEthernet1/0/0]service-manage ping permit
[FW-GigabitEthernet1/0/0]q
[FW]int gi 1/0/1 // configure the port connected to L3 switch 2
[FW-GigabitEthernet1/0/1]ip addr 192.168.202.2 30
[FW-GigabitEthernet1/0/1]service-manage ping permit
[FW-GigabitEthernet1/0/1]q
[FW]firewall zone trust // enter the trust zone configuration
[FW-zone-trust]add int gi1/0/0
[FW-zone-trust]add int gi1/0/1
[FW-zone-trust]q
[FW]firewall zone untrust // enter the untrust zone configuration
[FW-zone-untrust]add int gi 0/0/0
Error: The interface has been added to trust security zone.
[FW-zone-untrust]q
[FW]firewall zone trust
[FW-zone-trust]dis th
2020-08-25 10:30:58.820
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
return
[FW-zone-trust]undo add interface GigabitEthernet0/0/0
[FW-zone-trust]
[FW-zone-trust]q
[FW]firewall zone untrust
[FW-zone-untrust]add int gi 0/0/0
[FW-zone-untrust]q
[FW]security-policy // enter the security policy configuration
[FW-policy-security]rule name trust_untrust // create the rule for trust-to-untrust traffic
[FW-policy-security-rule-trust_untrust]source-zone trust // source zone of the rule is trust
[FW-policy-security-rule-trust_untrust]destination-zone untrust // destination zone of the rule is untrust
[FW-policy-security-rule-trust_untrust]action permit // set the rule action to permit
[FW-policy-security-rule-trust_untrust]q
[FW-policy-security]rule name untrust_trust // create the rule for untrust-to-trust traffic
[FW-policy-security-rule-untrust_trust]source-zone untrust // source zone of the rule is untrust
[FW-policy-security-rule-untrust_trust]des
[FW-policy-security-rule-untrust_trust]destination-zone trust // destination zone of the rule is trust
[FW-policy-security-rule-untrust_trust]action permit
[FW-policy-security-rule-untrust_trust]q
[FW-policy-security]q
[FW]ip route-static 192.168.200.0 29 192.168.200.1 // static route to the AR
[FW]ip route-static 192.168.201.0 30 192.168.201.1 // static route to L3 switch 1; this entry is wrong and must be deleted
[FW]ip route-static 192.168.202.0 30 192.168.202.1 // static route to L3 switch 2; this entry is wrong and must be deleted
[FW]ip route-static 10.180.109.0 24 192.168.202.1 // static route to the 10.180.109.0/24 subnet
[FW]ip route-static 10.180.108.0 24 192.168.201.1 // static route to the 10.180.108.0/24 subnet
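The two things that go wrong in the FW section above, the rejected "add int gi 0/0/0" while the interface still belongs to zone trust and the static routes that point at the FW's own connected subnets, are both easy to catch before typing anything on the device. The following script is an added example and is not code from the original post or from Huawei: it models the FW's interfaces, zone membership and static routes exactly as the page configures them (addresses taken from the page; class and function names are this example's own, not CLI commands), replays the zone sequence including the failed add and its undo/re-add fix, and lists every static route whose destination is already directly connected. It goes slightly beyond the page in that it also reports the 192.168.200.0/29 route towards the AR, which is connected through gi0/0/0 in the same way as the two routes the author marks as wrong.

```python
"""Added example, not code from the original post: an offline checker for the
FW's zone membership and static routes as configured on the page."""
import ipaddress

# Constructed from the page: FW interface addresses (prefix length as typed).
INTERFACES = {
    "GigabitEthernet0/0/0": "192.168.200.2/29",   # link to the AR
    "GigabitEthernet1/0/0": "192.168.201.2/30",   # link to L3 switch 1
    "GigabitEthernet1/0/1": "192.168.202.2/30",   # link to L3 switch 2
}

# Constructed from the page: the 'ip route-static <dest> <len> <next-hop>' entries.
STATIC_ROUTES = [
    ("192.168.200.0/29", "192.168.200.1"),
    ("192.168.201.0/30", "192.168.201.1"),
    ("192.168.202.0/30", "192.168.202.1"),
    ("10.180.109.0/24", "192.168.202.1"),
    ("10.180.108.0/24", "192.168.201.1"),
]


class ZoneError(Exception):
    """Raised where the device prints 'Error: The interface has been added to ... security zone.'"""


def add_interface_to_zone(zones, zone, ifname):
    """Add an interface to a zone; refuse if it already belongs to a different zone."""
    for other, members in zones.items():
        if other != zone and ifname in members:
            raise ZoneError(f"The interface has been added to {other} security zone.")
    zones.setdefault(zone, [])
    if ifname not in zones[zone]:
        zones[zone].append(ifname)


def remove_interface_from_zone(zones, zone, ifname):
    """The 'undo add interface' step."""
    zones[zone].remove(ifname)


def zone_of(zones, ifname):
    """Return the single zone an interface belongs to, or None if it is in zero or several."""
    owners = [z for z, members in zones.items() if ifname in members]
    return owners[0] if len(owners) == 1 else None


def replay_zone_configuration():
    """Replay the page's zone commands, including the rejected add and its fix."""
    # gi0/0/0 starts out in trust, as the page's 'dis th' of zone trust shows.
    zones = {"trust": ["GigabitEthernet0/0/0"], "untrust": []}
    add_interface_to_zone(zones, "trust", "GigabitEthernet1/0/0")
    add_interface_to_zone(zones, "trust", "GigabitEthernet1/0/1")
    try:
        add_interface_to_zone(zones, "untrust", "GigabitEthernet0/0/0")
        rejected = False
    except ZoneError:
        rejected = True   # same outcome as the first attempt on the page
    remove_interface_from_zone(zones, "trust", "GigabitEthernet0/0/0")
    add_interface_to_zone(zones, "untrust", "GigabitEthernet0/0/0")
    return rejected, zones


def connected_networks(interfaces):
    """Subnets the FW reaches directly through its own interface addresses."""
    return {ipaddress.ip_interface(a).network for a in interfaces.values()}


def redundant_static_routes(interfaces, routes):
    """Static routes whose destination is already a directly connected subnet."""
    connected = connected_networks(interfaces)
    return [(d, nh) for d, nh in routes if ipaddress.ip_network(d) in connected]


def unreachable_next_hops(interfaces, routes):
    """Static routes whose next hop lies in none of the connected subnets."""
    connected = connected_networks(interfaces)
    return [(d, nh) for d, nh in routes
            if not any(ipaddress.ip_address(nh) in n for n in connected)]


if __name__ == "__main__":
    rejected, zones = replay_zone_configuration()
    print("first 'add int gi 0/0/0' to untrust rejected:", rejected)
    for name in INTERFACES:
        print(f"  {name}: zone {zone_of(zones, name)}")
    for route in redundant_static_routes(INTERFACES, STATIC_ROUTES):
        print("redundant static route (destination is directly connected):", route)
    print("next hops outside connected subnets:",
          unreachable_next_hops(INTERFACES, STATIC_ROUTES))
```

Running it prints the rejected first add, the final zone of each interface (gi0/0/0 in untrust, the two gi1/0/x ports in trust), the three static routes whose destinations are connected subnets, and an empty list for next hops, since every next hop on the page sits inside one of the FW's own subnets. Only the two 10.180.x.0/24 routes actually add forwarding information; the connected ones are served by the direct routes the interface addresses already create.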