Huawei firewall as egress gateway

Configuration requirements:

1) PC1 and PC2 can ping the server 172.16.1.100 (web server) in the dmz zone
2) PC1 and PC2 can ping 202.16.3.1; Easy-IP NAT must be used
3) Host 202.16.2.1 uses HTTP to reach the dmz server through the address 202.16.1.50 that is published into the untrust zone


Content:

1. Master basic interface configuration

2. Master static routing configuration

3. Master firewall security-policy configuration

The topology diagram is as follows:

Each device is configured as follows:

Switch configuration:

SW1 configuration:
sy // system-view
sys SW1 // sysname SW1
v b 10 20 // vlan batch: create VLANs 10 and 20
int e0/0/1
po link-type ac // port link-type access
po de v 10 // port default vlan 10: put the port into VLAN 10
int e0/0/2
po link-type ac
po de v 20
int g0/0/1
po link-type tr // port link-type trunk (uplink carrying several VLANs)
po tr allow-pass v al // port trunk allow-pass vlan all: permit all VLANs
int g0/0/2
po link-type tr
po tr allow-pass v al
stp instance 0 root primary // make this switch the STP root bridge

SW2 configuration:
sy
sys SW2
v b 10 30 40 // create VLANs 10, 30 and 40
dhcp en // dhcp enable: turn on the DHCP function
int v 10 // interface vlanif 10
ip add 192.168.10.254 24 // VLANIF 10 address (user gateway)
dhcp sel int // dhcp select interface: allocate addresses from this interface's subnet
int v 30
ip add 192.168.30.1 24 // link address between SW2 and SW3
int v 40
ip add 192.168.40.1 24 // link address toward R1
int g0/0/1
po link-type tr
po tr allow-pass v al
int g0/0/2
po link-type ac
po de v 40
int eth-trunk 1 // create the link-aggregation interface
po link-type tr
po tr allow-pass v al
trunkport GigabitEthernet 0/0/3 to 0/0/4 // add ports 3 and 4 to the Eth-Trunk
ip route-static 0.0.0.0 0 192.168.40.2 // default route via R1
ip route-static 0.0.0.0 0 192.168.30.2 preference 70 // backup default route via SW3 (static routes default to preference 60, so this one is used only when the primary disappears)

SW3 configuration:
sy
sys SW3
v b 20 30 50 // create VLANs 20, 30 and 50
dhcp en // enable the DHCP function
int v 20
ip add 192.168.20.254 24 // VLANIF 20 address (user gateway)
dhcp sel int // DHCP allocates from this interface's subnet
int v 30
ip add 192.168.30.2 24 // link address between SW3 and SW2
int v 50
ip add 192.168.50.1 24 // link address toward R1
int g0/0/1
po link-type tr
po tr allow-pass v al
int g0/0/2
po link-type ac
po de v 50
int eth-trunk 1 // create the link-aggregation interface
po link-type tr // the Eth-Trunk works in trunk mode
po tr allow-pass v al // permit all VLANs
trunkport GigabitEthernet 0/0/3 to 0/0/4 // add ports 3 and 4 to the Eth-Trunk
ip route-static 0.0.0.0 0 192.168.50.2 // default route to R1
ip route-static 0.0.0.0 0 192.168.30.1 preference 70 // backup default route to SW2
Router configuration:

Internal router R1 configuration:
sy
sys R1
int g0/0/1
ip add 192.168.40.2 24 // interface address (link to SW2)
int g0/0/2
ip add 192.168.50.2 24 // interface address (link to SW3)
int g0/0/0
ip add 192.168.100.1 24 // interface address (link to FW1)
ip route-static 0.0.0.0 0.0.0.0 192.168.100.2 // default route to FW1
ip route-static 192.168.10.0 255.255.255.0 192.168.40.1 // return route to the VLAN 10 users via SW2
ip route-static 192.168.10.0 255.255.255.0 192.168.50.1 preference 70 // backup return route via SW3
ip route-static 192.168.20.0 255.255.255.0 192.168.50.1 // return route to the VLAN 20 users via SW3
ip route-static 192.168.20.0 255.255.255.0 192.168.40.1 preference 70 // backup return route via SW2
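The "preference 70" routes above only matter once the primary next hop is gone. The following Python model is an added illustration, not part of the original post and not VRP code: it builds R1's static routes from the lines above, assumes the usual VRP default static preference of 60, and selects a next hop by longest prefix first and lowest preference second, ignoring any route whose next hop sits behind an interface marked down.

```python
from ipaddress import ip_address, ip_network

# R1's static routes from the post: (prefix, next hop, preference).
# Huawei static routes default to preference 60 (assumption stated in the lead-in),
# so the preference-70 entries are floating backups.
R1_STATIC = [
    ("0.0.0.0/0", "192.168.100.2", 60),
    ("192.168.10.0/24", "192.168.40.1", 60),
    ("192.168.10.0/24", "192.168.50.1", 70),
    ("192.168.20.0/24", "192.168.50.1", 60),
    ("192.168.20.0/24", "192.168.40.1", 70),
]

# Connected networks per R1 interface, from the interface addresses above.
# A static route is only usable while the interface owning its next hop is up.
R1_CONNECTED = {
    "g0/0/1": "192.168.40.0/24",
    "g0/0/2": "192.168.50.0/24",
    "g0/0/0": "192.168.100.0/24",
}


def owning_iface(next_hop: str):
    """Return the interface whose connected subnet contains next_hop, or None."""
    for iface, net in R1_CONNECTED.items():
        if ip_address(next_hop) in ip_network(net):
            return iface
    return None


def select_next_hop(dst: str, down_ifaces=frozenset()):
    """Pick (next_hop, egress_iface) for dst, or None if nothing is usable.

    Longest prefix wins; among equal prefixes the lowest preference wins.
    Routes whose next hop is behind a down interface are dropped first, which
    is exactly what lets the preference-70 routes take over on a link failure.
    """
    addr = ip_address(dst)
    candidates = []
    for prefix, nh, pref in R1_STATIC:
        net = ip_network(prefix)
        iface = owning_iface(nh)
        if addr in net and iface is not None and iface not in down_ifaces:
            # Sort key: longer prefix first (negated), then lower preference.
            candidates.append((-net.prefixlen, pref, nh, iface))
    if not candidates:
        return None
    _, _, nh, iface = min(candidates)
    return nh, iface


if __name__ == "__main__":
    for down in (set(), {"g0/0/1"}, {"g0/0/1", "g0/0/2"}):
        print(f"down={sorted(down) or 'none'}: 192.168.10.5 ->",
              select_next_hop("192.168.10.5", down))
```

The last scenario in the demo is the one worth noticing: with both user-facing links down, traffic for 192.168.10.0/24 no longer hits a more specific route and falls through to the default route toward the firewall, so a double failure changes where the traffic goes rather than simply dropping it.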

External router R2 configuration:
sy
sys R2
int g0/0/0
ip add 202.16.1.2 24 // interface address (link to FW1)
int g0/0/1
ip add 202.16.2.254 24 // interface address (client-side subnet)
int g0/0/2
ip add 202.16.3.254 24 // interface address (server-side subnet)

Egress firewall configuration:

FW1 configuration:
sy
sys FW1
int g1/0/0
ip add 192.168.100.2 24 // interface address (link to internal router R1)
int g1/0/2
ip add 172.16.1.254 24 // interface address (link to the WWW server)
int g1/0/1
ip add 202.16.1.1 24 // interface address (link to external router R2)
firewall zone trust // trusted security zone
add int g1/0/0 // bind the interface to the zone

fir zone dmz // intermediate security zone
add int g1/0/2 // bind the interface to the zone

fir zone untrust // external security zone
add int g1/0/1 // bind the interface to the zone

security-policy // security policy
rule name trust_dmz // rule name
source-zone trust // source zone
destination-zone dmz // destination zone
action permit // permit the traffic

rule name trust_untrust
source-zone trust
destination-zone untrust
action permit

rule name untrust_dmz // rule name
source-zone untrust // source zone (external)
destination-zone dmz // destination zone (intermediate)
source-address 202.16.2.1 mask 255.255.255.255 // only this source address is permitted
destination-address 172.16.1.100 mask 255.255.255.255 // destination address (the server's real address, as seen after NAT server translation)
action permit // permit the traffic

nat-policy // NAT policy
rule name nat_tr_un // rule name
source-zone trust // source zone
destination-zone untrust // destination zone
action source-nat easy-ip // Easy-IP: translate to the egress interface address

nat server huawei protocol icmp global 202.16.1.50 inside 172.16.1.100 // publish the server to the outside for ICMP
nat server 1 protocol tcp global 202.16.1.50 inside 172.16.1.100 // publish the server to the outside for TCP

ip route-s 0.0.0.0 0 202.16.1.2 // default route via R2
ip route-static 192.168.10.0 255.255.255.0 192.168.100.1 // return route to VLAN 10 users
ip route-static 192.168.20.0 255.255.255.0 192.168.100.1 // return route to VLAN 20 users

PC and server configuration:


Verification against the configuration requirements:

1. PC1 and PC2 can ping the dmz server 172.16.1.100:

2. PC1 and PC2 can ping 202.16.3.1 using Easy-IP NAT:

As the capture above shows, when PC1 and PC2 ping the external server, both reach it only after their source address has been translated to the firewall's egress interface address.

3. Host 202.16.2.1 uses HTTP to reach the dmz server through the address 202.16.1.50 published into the untrust zone:

As the figure above shows, the external client reaches the internal dmz server through 202.16.1.50 and can also ping it, but the external server (202.16.3.1) cannot reach it, because the untrust-to-dmz security policy matches on source and destination address and permits only the client address 202.16.2.1. Any other external host is therefore denied.
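To make the behaviour in points 2 and 3 concrete, here is an added Python model of how FW1 handles the first packet of a flow; it is written for this page and is neither the original post's content nor Huawei code. It assumes the documented USG order in simplified form: nat server destination translation first, then a route lookup on the translated address to find the destination zone, then the security policy evaluated against the post-NAT destination, then Easy-IP source translation on the way out. Zone bindings, addresses, rules and routes are taken from the FW1 stanzas above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface-to-zone bindings and interface addresses from the FW1 stanzas.
ZONE_OF_IFACE = {"g1/0/0": "trust", "g1/0/2": "dmz", "g1/0/1": "untrust"}
IFACE_ADDR = {"g1/0/0": "192.168.100.2", "g1/0/2": "172.16.1.254", "g1/0/1": "202.16.1.1"}

# FW1 routing table: connected networks plus the static routes in the post.
ROUTES = [(ip_network(n), i) for n, i in [
    ("192.168.100.0/24", "g1/0/0"), ("172.16.1.0/24", "g1/0/2"), ("202.16.1.0/24", "g1/0/1"),
    ("192.168.10.0/24", "g1/0/0"), ("192.168.20.0/24", "g1/0/0"), ("0.0.0.0/0", "g1/0/1"),
]]

# "nat server" entries: (protocol, global address) -> inside address.
NAT_SERVER = {("icmp", "202.16.1.50"): "172.16.1.100",
              ("tcp", "202.16.1.50"): "172.16.1.100"}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str
    src_addr: Optional[str] = None   # host address, or None for "any"
    dst_addr: Optional[str] = None


SECURITY_POLICY = [
    Rule("trust_dmz", "trust", "dmz", "permit"),
    Rule("trust_untrust", "trust", "untrust", "permit"),
    Rule("untrust_dmz", "untrust", "dmz", "permit",
         src_addr="202.16.2.1", dst_addr="172.16.1.100"),
]

# nat-policy: Easy-IP source NAT for trust -> untrust.
NAT_POLICY = [("trust", "untrust", "easy-ip")]


def egress_iface(dst: str) -> str:
    """Longest-prefix match over ROUTES; the default route guarantees a hit."""
    addr = ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def process(src: str, dst: str, proto: str, in_iface: str) -> dict:
    """Return how FW1 would treat a new flow (simplified USG order, see lead-in)."""
    real_dst = NAT_SERVER.get((proto, dst), dst)      # 1. destination NAT (nat server)
    out_iface = egress_iface(real_dst)                 # 2. route lookup on the real address
    src_zone, dst_zone = ZONE_OF_IFACE[in_iface], ZONE_OF_IFACE[out_iface]

    matched = None                                     # 3. security policy, first match wins
    for rule in SECURITY_POLICY:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if rule.src_addr and rule.src_addr != src:
            continue
        if rule.dst_addr and rule.dst_addr != real_dst:
            continue
        matched = rule
        break
    if matched is None or matched.action != "permit":  # default action is deny
        return {"action": "deny", "rule": matched.name if matched else "default",
                "src": src, "dst": real_dst}

    new_src = src                                      # 4. Easy-IP source NAT on egress
    for sz, dz, kind in NAT_POLICY:
        if sz == src_zone and dz == dst_zone and kind == "easy-ip":
            new_src = IFACE_ADDR[out_iface]
    return {"action": "permit", "rule": matched.name,
            "src": new_src, "dst": real_dst, "egress": out_iface}


if __name__ == "__main__":
    # Constructed sample flows matching the verification steps in the post.
    print("PC1 -> DMZ web server:", process("192.168.10.1", "172.16.1.100", "icmp", "g1/0/0"))
    print("PC1 -> external server:", process("192.168.10.1", "202.16.3.1", "icmp", "g1/0/0"))
    print("external client -> published server:", process("202.16.2.1", "202.16.1.50", "tcp", "g1/0/1"))
    print("external server -> published server:", process("202.16.3.1", "202.16.1.50", "icmp", "g1/0/1"))
```

The model also explains a detail in the rule untrust_dmz: its destination-address is 172.16.1.100, the server's inside address, not the published 202.16.1.50, because by the time the security policy runs the destination has already been translated. A rule written against 202.16.1.50 would never match.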

The configuration is complete, thank you all!



Origin blog.csdn.net/m0_63775189/article/details/125884715