Table of contents
1. Configure the firewall graphical interface
Add network segment network card
Find the default IP address of firewall 0/0/0 port
Change the address so that it is on the same network segment as the loopback adapter
Permit the management services (service-manage), including HTTPS
Enter the access address of the graphical interface
Log in with the username and password you just set
Click on the network to enter the interface
Configuration of server2 in R1
Test --- ping 100.1.1.1 firewall
Configure the gateway of PC1 on LSW1
Interface aggregation configuration
Configure interface aggregation on LSW2
Create a Layer 3 port on the DMZ on the firewall
4. Inter-regional communication
5. Configure the interface pair
6. Firewall security policy configuration (trust-to-untrust)
Configure the source address
Configure return packet routing on AR1
LSW1 configures return packet routing
7. Firewall security policy configuration (trust-to-DMZ)
Create a security policy (trust-to-dmz)
8. Firewall security policy configuration (untrust-to-DMZ)
Create Security Policy (untrust-to-dmz)
firewall security policy
Experimental diagram
1. Configure the firewall graphical interface
Add the UDP port first
Add network segment network card
Notice:
The network card for this segment is on the Windows host, so Windows can reach the firewall through that network card.
Configure the port mapping: tick the bidirectional channel option and click Add.
Notice:
Normally a newly purchased firewall already has a management port with its own IP address. On Huawei equipment only the firewall's GigabitEthernet0/0/0 port is a trusted port by default, and its IP address is 192.168.0.1.
Start firewall FW1
After successful startup, you will be prompted to enter Username and Password
The Huawei default username and password are:
Username:admin
Password:Admin@123
After a successful login you are prompted to change the password:
The password needs to be changed. Change now? [Y/N]: y
Please enter old password:
Please enter new password:
Please confirm new password:
Info: Your password has been changed. Save the change to survive a reboot.
*************************************************************************
* Copyright (C) 2014-2018 Huawei Technologies Co., Ltd.                 *
* All rights reserved.                                                  *
* Without the owner's prior written consent,                            *
* no decompiling or reverse-engineering shall be allowed.               *
*************************************************************************
<USG6000V1>
Mar 17 2023 08:22:41 USG6000V1 SNMPADAPT/4/UPDATE_SUCCESS:OID 1.3.6.1.4.1.2011.6.122.76.2.1 Succeed in updating database. (Module="LOCATION-SDB", Pre-UpdateVersion="0", UpdateVersion="2018061815")
<USG6000V1>
Find the default IP address of firewall 0/0/0 port
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]int g 0/0/0
[USG6000V1-GigabitEthernet0/0/0]display this
2023-03-17 08:25:48.180
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default ---- VPN setting: this port is isolated into its own instance
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
return
[USG6000V1-GigabitEthernet0/0/0]
Change the address so that it is on the same network segment as the loopback adapter
[USG6000V1-GigabitEthernet0/0/0]ip address 192.168.160.1 24
[USG6000V1-GigabitEthernet0/0/0]
Mar 17 2023 08:45:36 USG6000V1 %%01FRAG/4/FRAG_PKT_EXCEED_THRESHOLD(l)[13]:The total number of cached packet fragments on SPU 11 CPU 0 is 64, exceeding threshold value 64.
Permit the management services (service-manage), including HTTPS
[USG6000V1-GigabitEthernet0/0/0]service-manage all permit
test
Enter the access address of the graphical interface
Log in with the username and password you just set
2. Configure the untrust zone
Click on the network to enter the interface
Configure GE1/0/0 interface
Notice:
If you fill in the gateway field, a default route is generated automatically. Usually you leave it blank and configure the default route yourself.
R1 configuration
<Huawei>sys
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname ISP
[ISP]int g 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 100.1.1.2 24
Mar 17 2023 18:04:30-08:00 ISP %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[ISP-GigabitEthernet0/0/0]q
[ISP]int g 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 200.1.1.1 24
Mar 17 2023 18:04:56-08:00 ISP %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface GigabitEthernet0/0/1 has entered the UP state.
[ISP-GigabitEthernet0/0/1]
Configuration of server2 in R1
Enable the HTTP service
Test --- ping 100.1.1.1 firewall
[ISP]ping 100.1.1.1
PING 100.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 100.1.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[ISP]
The ping fails.
Reason: by default the firewall interface does not permit the service (ping has not been permitted on it).
How to fix and test:
Configure GE0/0/1 port
[ISP]ping 100.1.1.1
PING 100.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.1: bytes=56 Sequence=1 ttl=255 time=20 ms
Reply from 100.1.1.1: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 100.1.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 100.1.1.1: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 100.1.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 100.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/12/20 ms
Configure the default route
Create new
2. Configure the trust area
Configure GE1/0/1 interface
LSW1 configuration
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname LSW1
[LSW1]
Mar 17 2023 18:23:07-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 4, the change loop count is 0, and the maximum number of records is 4095.
[LSW1]vlan 2
[LSW1-vlan2]
Mar 17 2023 18:24:47-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 5, the change loop count is 0, and the maximum number of records is 4095.
[LSW1-vlan2]q
[LSW1]int g 0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
Mar 17 2023 18:25:47-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 6, the change loop count is 0, and the maximum number of records is 4095.
[LSW1-GigabitEthernet0/0/1]port default vlan 2
[LSW1-GigabitEthernet0/0/1]
Mar 17 2023 18:40:31-08:00 LSW1 %%01IFNET/4/IF_STATE(l)[2]:Interface Vlanif1 has turned into DOWN state.
Mar 17 2023 18:40:31-08:00 LSW1 %%01IFNET/4/IF_STATE(l)[3]:Interface Vlanif2 has turned into UP state.
Mar 17 2023 18:40:31-08:00 LSW1 %%01IFNET/4/LINK_STATE(l)[4]:The line protocol IP on the interface Vlanif2 has entered the UP state.
[LSW1-GigabitEthernet0/0/1]q
[LSW1]int Vlanif 2
[LSW1-Vlanif2]ip address 10.1.255.1 24
[LSW1-Vlanif2]q
Mar 17 2023 18:26:57-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 7, the change loop count is 0, and the maximum number of records is 4095.
Configure the gateway of PC1 on LSW1
[LSW1]vlan 3
[LSW1-vlan3]q
Mar 17 2023 18:27:57-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 8, the change loop count is 0, and the maximum number of records is 4095.
[LSW1]int Vlanif 3
[LSW1-Vlanif3]ip address 10.1.3.1 24
[LSW1-Vlanif3]q
Mar 17 2023 18:28:17-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 9, the change loop count is 0, and the maximum number of records is 4095.
[LSW1]int g 0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
Mar 17 2023 18:28:47-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 10, the change loop count is 0, and the maximum number of records is 4095.
[LSW1-GigabitEthernet0/0/2]port default vlan 3
[LSW1-GigabitEthernet0/0/2]
Mar 17 2023 18:28:54-08:00 LSW1 %%01IFNET/4/IF_STATE(l)[0]:Interface Vlanif3 has turned into UP state.
Mar 17 2023 18:28:54-08:00 LSW1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface Vlanif3 has entered the UP state.
Mar 17 2023 18:28:57-08:00 LSW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 11, the change loop count is 0, and the maximum number of records is 4095.
[LSW1-GigabitEthernet0/0/2]
PC1 configuration
test
Enable ping on the firewall interface
[LSW1]ping 10.1.255.2
PING 10.1.255.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.255.2: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 10.1.255.2: bytes=56 Sequence=2 ttl=255 time=40 ms
Reply from 10.1.255.2: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.1.255.2: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.1.255.2: bytes=56 Sequence=5 ttl=255 time=40 ms
--- 10.1.255.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/46/50 ms
[LSW1]
Configure the return route
test
3. Configure the DMZ area
Configure GE1/0/2 interface
Notice:
GE1/0/3 interface configuration is the same as GE1/0/2
Interface aggregation configuration
Notice:
Generally, select Access when the port carries one VLAN, and Trunk when it carries two.
Configure interface aggregation on LSW2
[DMZ]int Eth-Trunk 1
[DMZ-Eth-Trunk1]trunkport g 0/0/1
[DMZ-Eth-Trunk1]trunkport g 0/0/2
[DMZ-Eth-Trunk1]port link-type trunk
[DMZ-Eth-Trunk1]port trunk allow-pass vlan 10 to 11
[DMZ-Eth-Trunk1]vlan 10
[DMZ-vlan10]vlan 11
[DMZ-vlan11]q
[DMZ]int g 0/0/4
[DMZ-GigabitEthernet0/0/4]port link-type access
[DMZ-GigabitEthernet0/0/4]port default vlan 10
[DMZ-GigabitEthernet0/0/4]int g 0/0/3
[DMZ-GigabitEthernet0/0/3]port link-type access
[DMZ-GigabitEthernet0/0/3]port default vlan 11
[DMZ-GigabitEthernet0/0/3]
Create a Layer 3 port on the DMZ on the firewall
test
4. Inter-regional communication
Configure Routing Policy
5. Configure the interface pair
Configure GE1/0/4 port
Notice:
GE1/0/5 port is the same as GE1/0/4 port
Create the interface pair
6. Firewall security policy configuration (trust-to-untrust)
Create a new security policy
Configure the source address
Configure return packet routing on AR1
[ISP]ip route-static 0.0.0.0 0 100.1.1.1
LSW1 configures return packet routing
[LSW1]ip route-static 0.0.0.0 0 10.1.255.2
test
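To make the two decisions this lab keeps running into explicit (management access to a firewall interface is decided by service-manage, while traffic crossing zones is decided by the ordered security policies and otherwise hits the implicit default deny), here is an added Python model of the lab topology; it is not part of the original lab or the Huawei product. The DMZ subnets 10.1.10.0/24 and 10.1.11.0/24, the server address 10.1.10.5 and the exact untrust-to-DMZ rule are assumptions, since the page shows them only in screenshots.

```python
import ipaddress

# Constructed model of the lab topology (added example, not the lab's own configuration).
# Zone membership by subnet; the DMZ subnets for VLAN 10 and VLAN 11 are assumed.
ZONES = {
    "trust": ["10.1.255.0/24", "10.1.3.0/24"],
    "untrust": ["100.1.1.0/24", "200.1.1.0/24"],
    "dmz": ["10.1.10.0/24", "10.1.11.0/24"],
}

# Management services permitted per firewall interface address (service-manage).
# GE0/0/0 has "service-manage all permit"; the other interfaces start with nothing permitted,
# which is why the ISP router's first ping to 100.1.1.1 in the lab got no reply.
SERVICE_MANAGE = {"192.168.160.1": {"all"}, "100.1.1.1": set(), "10.1.255.2": set()}

# Inter-zone security policies in evaluation order:
# (name, source zone, destination zone, destination networks or None = any, service or None = any).
# All rules permit; anything unmatched falls to the firewall's implicit default deny.
POLICIES = [
    ("trust-to-untrust", "trust", "untrust", None, None),
    ("trust-to-dmz", "trust", "dmz", None, None),
    ("untrust-to-dmz", "untrust", "dmz", ["10.1.10.0/24"], "http"),  # assumed: HTTP to the VLAN 10 server only
]


def zone_of(ip):
    """Map an address to its security zone, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return zone
    return None


def evaluate(src_ip, dst_ip, service, service_manage=SERVICE_MANAGE):
    """Return (matched rule, action) for the first packet of a flow."""
    # Traffic addressed to a firewall interface is governed by service-manage, not by zone policy.
    if dst_ip in service_manage:
        allowed = service_manage[dst_ip]
        return ("service-manage", "permit" if "all" in allowed or service in allowed else "deny")
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for name, s_zone, d_zone, d_nets, svc in POLICIES:  # first match wins
        if (s_zone, d_zone) != (src_zone, dst_zone):
            continue
        if d_nets and not any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(n) for n in d_nets):
            continue
        if svc and svc != service:
            continue
        return (name, "permit")
    return ("default", "deny")
```

Passing a modified service_manage table (for example 100.1.1.1 with {"ping"}) reproduces the "enable ping on the interface" step that makes the ISP router's ping succeed.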
7. Firewall security policy configuration (trust-to-DMZ)
Define address groups