本文為大家介紹一個H3C防火牆的配置例項,配置內容包括:配置介面IP地址、配置區域、配置NAT地址轉換、配置訪問策略等,組網拓撲及需求如下。
1、網路拓撲圖
2、配置要求
1)防火牆的E0/2介面為TRUST區域,ip地址是:192.168.254.1/29;
2)防火牆的E1/2介面為UNTRUST區域,ip地址是:202.111.0.1/27;
3)內網伺服器對網路做一對一的地址對映,192.168.254.2、192.168.254.3分別對映為202.111.0.2、202.111.0.3;
4)內網伺服器訪問網路不做限制,網路訪問內網只放通公網地址211.101.5.49訪問192.168.254.2的1433埠和192.168.254.3的80埠。
3、防火牆的配置指令碼如下
<H3CF100A>dis cur
#
sysname H3CF100A
super password level 3 cipher 6aQ>Q57-$.I)0;4:\(I41!!!
firewall packet-filter enable
firewall packet-filter default permit
insulate
nat static inside ip 192.168.254.2 global ip 202.111.0.2
nat static inside ip 192.168.254.3 global ip 202.111.0.3
firewall statistic system enable
radius scheme system
server-type extended
domain system
local-user net1980
password cipher ######
service-type telnet
level 2
aspf-policy 1
detect h323
detect sqlnet
detect rtsp
detect http
detect smtp
detect ftp
detect tcp
detect udp
object address 192.168.254.2/32 192.168.254.2 255.255.255.255
object address 192.168.254.3/32 192.168.254.3 255.255.255.255
acl number 3001
description out-inside
rule 1 permit tcp source 211.101.5.49 0 destination 192.168.254.2 0 destination-port eq 1433
rule 2 permit tcp source 211.101.5.49 0 destination 192.168.254.3 0 destination-port eq www
rule 1000 deny ip
acl number 3002
description inside-to-outside
rule 1 permit ip source 192.168.254.2 0
rule 2 permit ip source 192.168.254.3 0
interface Aux0
async mode flow
interface Ethernet0/0
shutdown
interface Ethernet0/1
interface Ethernet0/2
speed 100
duplex full
description to server
ip address 192.168.254.1 255.255.255.248
firewall packet-filter 3002 inbound
firewall aspf 1 outbound
interface Ethernet0/3
interface Ethernet1/0
interface Ethernet1/1
interface Ethernet1/2
description to internet
ip address 202.111.0.1 255.255.255.224
firewall packet-filter 3001 inbound
nat outbound static
interface NULL0
firewall zone local
set priority 100
firewall zone trust
add interface Ethernet0/2
set priority 85
firewall zone untrust
add interface Ethernet1/2
set priority 5
firewall zone DMZ
add interface Ethernet0/3
set priority 50
firewall interzone local trust
firewall interzone local untrust
firewall interzone local DMZ
firewall interzone trust untrust
firewall interzone trust DMZ
firewall interzone DMZ untrust
ip route-static 0.0.0.0 0.0.0.0 202.111.0.30 preference 60
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
return
本文為大家介紹一個H3C防火牆的配置例項,配置內容包括:配置介面IP地址、配置區域、配置NAT地址轉換、配置訪問策略等,組網拓撲及需求如下。
1、網路拓撲圖
2、配置要求
1)防火牆的E0/2介面為TRUST區域,ip地址是:192.168.254.1/29;
2)防火牆的E1/2介面為UNTRUST區域,ip地址是:202.111.0.1/27;
3)內網伺服器對網路做一對一的地址對映,192.168.254.2、192.168.254.3分別對映為202.111.0.2、202.111.0.3;
4)內網伺服器訪問網路不做限制,網路訪問內網只放通公網地址211.101.5.49訪問192.168.254.2的1433埠和192.168.254.3的80埠。
3、防火牆的配置指令碼如下
<H3CF100A>dis cur
#
sysname H3CF100A
#
super password level 3 cipher 6aQ>Q57-$.I)0;4:\(I41!!!
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
nat static inside ip 192.168.254.2 global ip 202.111.0.2
nat static inside ip 192.168.254.3 global ip 202.111.0.3
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user net1980
password cipher ######
service-type telnet
level 2
#
aspf-policy 1
detect h323
detect sqlnet
detect rtsp
detect http
detect smtp
detect ftp
detect tcp
detect udp
#
object address 192.168.254.2/32 192.168.254.2 255.255.255.255
object address 192.168.254.3/32 192.168.254.3 255.255.255.255
#
acl number 3001
description out-inside
rule 1 permit tcp source 211.101.5.49 0 destination 192.168.254.2 0 destination-port eq 1433
rule 2 permit tcp source 211.101.5.49 0 destination 192.168.254.3 0 destination-port eq www
rule 1000 deny ip
acl number 3002
description inside-to-outside
rule 1 permit ip source 192.168.254.2 0
rule 2 permit ip source 192.168.254.3 0
rule 1000 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
shutdown
#
interface Ethernet0/1
shutdown
#
interface Ethernet0/2
speed 100
duplex full
description to server
ip address 192.168.254.1 255.255.255.248
firewall packet-filter 3002 inbound
firewall aspf 1 outbound
#
interface Ethernet0/3
shutdown
#
interface Ethernet1/0
shutdown
#
interface Ethernet1/1
shutdown
#
interface Ethernet1/2
speed 100
duplex full
description to internet
ip address 202.111.0.1 255.255.255.224
firewall packet-filter 3001 inbound
firewall aspf 1 outbound
nat outbound static
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/2
set priority 85
#
firewall zone untrust
add interface Ethernet1/2
set priority 5
#
firewall zone DMZ
add interface Ethernet0/3
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 202.111.0.30 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return