
Huawei Firewall Virtualization configuration

2025-03-13 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The root firewall configuration is as follows:

system-view
 sysname root-firewall                                   # firewall name
 vlan batch 41 71 73 100 to 1000 2000 3001 to 3100       # create the VLANs
 interface eth-trunk 0                                   # create aggregation group 0 (used by HRP)
  trunkport GigabitEthernet1/0/0                         # add an aggregation group member
  trunkport GigabitEthernet1/0/1                         # add an aggregation group member
  ip address 1.1.1.1 255.255.255.0                       # address of the aggregation group
  quit                                                   # leave the aggregation group view
 interface eth-trunk 1                                   # create aggregation group 1 (egress link aggregation)
  portswitch                                             # switch the group to layer-2 mode
  trunkport 10GE1/0/8                                    # add an aggregation group member
  trunkport 10GE1/0/9                                    # add an aggregation group member
  port link-type trunk                                   # port type trunk
  undo port trunk allow-pass vlan 1                      # do not carry VLAN 1
  port trunk allow-pass vlan 41 71 73 100 to 1000 3000 to 3100   # VLANs carried on the trunk: 41, 71, 73, 100 to 1000, 3000 to 3100
  alias eth-trunk1                                       # alias of the aggregation group: eth-trunk1
  quit

Add the aggregation groups to different zones:

 firewall zone dmz
  add interface Eth-Trunk0                               # the HRP aggregation group joins the DMZ zone
 firewall zone trust
  add interface Eth-Trunk1                               # the egress link aggregation joins the Trust zone
  add interface Virtual-if0

Note: it is recommended that Eth-Trunk1 and the Virtual-if interface belong to different zones, because a Huawei firewall only has inter-zone policies: by default, traffic within the same zone is allowed to pass, and a security policy that filters on source and destination address only applies between zones.

 vsys enable                                             # enable the virtual system function
 resource-class R1                                       # configure resource class R1
  resource-item-limit session reserved-number 10000 maximum 50000
  resource-item-limit policy reserved-number 300
  resource-item-limit user reserved-number 300
  resource-item-limit user-group reserved-number 10
  resource-item-limit bandwidth-ingress maximum 100000
  quit
 vsys name vsysA                                         # create virtual sub-wall A
  quit
 vsys name vsysB                                         # create virtual sub-wall B
  quit                                                   # back to system view

Create virtual subinterfaces for the external links and for the services:

 interface Eth-Trunk1.109                                # create the China Telecom (DianXin) subinterface
  description link-to-gateway-DianXin                    # interface description
  ip address 123.126.109.166 255.255.255.128             # public address of the interface
  arp-proxy enable                                       # enable proxy ARP
  vlan-type dot1q 109                                    # this subinterface carries VLAN 109
  alias Eth-Trunk1.109                                   # alias Eth-Trunk1.109
  service-manage ping permit                             # allow ping to the interface
 interface Eth-Trunk1.73                                 # create the leased-line (ZhuanXian) subinterface
  description link-to-gateway-ZhuanXian                  # interface description
  ip address 172.16.1.1 255.255.255.0                    # address of the interface
  vlan-type dot1q 73                                     # this subinterface carries VLAN 73
  alias Eth-Trunk1.73                                    # alias Eth-Trunk1.73
  service-manage ping permit                             # allow ping to the interface
 interface Eth-Trunk1.128                                # create the service subinterface for tenant 1
  description link-to-ZhuHu1                             # interface description
  ip address 192.168.1.254 255.255.255.0                 # gateway address of the 192.168.1.0/24 service segment
  vlan-type dot1q 128                                    # this subinterface carries VLAN 128
  alias Eth-Trunk1.128                                   # alias Eth-Trunk1.128
  service-manage ping permit                             # allow ping to the interface
 interface Eth-Trunk1.129                                # create the service subinterface for tenant 2
  description link-to-ZhuHu2                             # interface description
  ip address 192.168.2.254 255.255.255.0                 # gateway address of the 192.168.2.0/24 service segment
  vlan-type dot1q 129                                    # this subinterface carries VLAN 129
  alias Eth-Trunk1.129                                   # alias Eth-Trunk1.129
  service-manage ping permit                             # allow ping to the interface

Add the virtual subinterfaces to different zones:

 firewall zone trust
  add interface Eth-Trunk1.73                            # add the leased-line subinterface
  add interface Virtual-if0                              # virtual root interface used to communicate with the virtual walls
 firewall zone name DianXin                              # create the DianXin zone
  set priority 4
  add interface Eth-Trunk1.109                           # add the China Telecom subinterface
 security-policy                                         # security policy
  default action permit                                  # default action permit: inter-zone traffic that matches no rule is allowed

 ip route-static 0.0.0.0 0.0.0.0 123.126.109.129                        # default route to the China Telecom gateway
 ip route-static 123.126.109.182 255.255.255.255 vpn-instance vsysA     # return traffic for the Internet-access address of vsysA is sent into vsysA
 ip route-static 123.126.109.164 255.255.255.255 vpn-instance vsysB     # public address delegated to sub-wall B
 ip route-static 192.168.1.0 255.255.255.0 vpn-instance vsysA           # 192.168.1.0/24 is handed down to sub-wall A
 ip route-static 192.168.2.0 255.255.255.0 vpn-instance vsysB           # 192.168.2.0/24 is handed down to sub-wall B
 ip route-static 172.21.125.0 255.255.255.0 172.20.1.1 description Management

The virtual firewall A configuration is as follows:

 vsys name vsysA                                         # enter the view of virtual sub-wall A (in the root system)
  assign interface Eth-Trunk1.128                        # assign the virtual subinterface (service gateway)
  assign interface GigabitEthernet1/0/3                  # assign a physical interface
  assign resource-class R1                               # assign resource class R1
  assign global-ip 172.16.1.2 172.16.1.2 exclusive                   # assign global address 172.16.1.2 for exclusive use
  assign global-ip 123.126.109.182 123.126.109.182 exclusive         # assign global address 123.126.109.182 for exclusive use
  quit
 switch vsys vsysA                                       # switch into virtual sub-wall A
 system-view
  firewall zone untrust
   add interface Virtual-if1                             # add the virtual interface (the Virtual-if number is assigned automatically from the IDs in use on the system)
  firewall zone trust
   add interface Eth-Trunk1.128
  aaa                                                    # create an administrator for the virtual system
   manager-user admin@@vsysA
    password                                             # entered interactively at the Enter Password / Confirm Password prompts
    service-type web telnet ssh                          # telnet is cleartext; ssh and web are the safer management channels
    level 15
  ip route-static 0.0.0.0 0.0.0.0 public                 # Internet-bound traffic of vsysA is sent to the root (public) system
  security-policy                                        # security policy
   default action permit                                 # allow everything
  nat address-group Zhuanxian                            # NAT address group for the leased line
   mode pat
   section 0 172.16.1.2 172.16.1.2                       # the address group is 172.16.1.2
  nat address-group DianXin                              # NAT address group for China Telecom
   mode pat
   section 0 123.126.109.182 123.126.109.182
  nat-policy                                             # NAT policy
   rule name no-nat                                      # rule no-nat: traffic to the leased line and to tenant 2 is not translated
    source-zone trust                                    # source zone trust
    destination-zone untrust                             # destination zone untrust
    source-address 192.168.1.0 mask 255.255.255.0        # source segment 192.168.1.0/24
    destination-address 172.16.1.0 mask 255.255.255.0    # destination segment 172.16.1.0/24
    destination-address 192.168.2.0 mask 255.255.255.0   # destination segment 192.168.2.0/24
    action no-nat                                        # do not translate
   rule name DianXin                                     # rule DianXin: Internet access is translated to the China Telecom address
    source-zone trust                                    # source zone trust
    destination-zone untrust                             # destination zone untrust
    source-address 192.168.1.0 mask 255.255.255.0        # source segment 192.168.1.0/24
    action nat address-group DianXin

Configure the server port mapping:

  nat server 1 protocol tcp global 123.126.109.182 3389 inside 192.168.1.1 3389   # map TCP port 3389 of internal host 192.168.1.1 to port 3389 of public address 123.126.109.182 (RDP is reachable from the Internet and the permit-all policy above does not restrict it)

The virtual firewall B configuration is as follows:

 vsys name vsysB                                         # enter the view of virtual sub-wall B (in the root system)
  assign interface Eth-Trunk1.129                        # assign the virtual subinterface (service gateway)
  assign resource-class R1                               # assign resource class R1
  assign global-ip 172.16.1.3 172.16.1.3 exclusive                   # assign global address 172.16.1.3 for exclusive use
  assign global-ip 123.126.109.164 123.126.109.164 exclusive         # assign global address 123.126.109.164 for exclusive use
  quit
 switch vsys vsysB                                       # switch into virtual sub-wall B
 system-view
  firewall zone untrust
   add interface Virtual-if2
  firewall zone trust
   add interface Eth-Trunk1.129
  ip route-static 0.0.0.0 0.0.0.0 public                 # default route handed to the root (public) system
  security-policy
   default action permit                                 # allow everything
  nat address-group Zhuanxian                            # NAT address group for the leased line
   mode pat
   section 0 172.16.1.3 172.16.1.3                       # the address group is 172.16.1.3, the global address assigned to vsysB
  nat address-group DianXin                              # NAT address group for China Telecom
   mode pat
   section 0 123.126.109.164 123.126.109.164
  nat-policy                                             # enter the NAT policy view (applied as an inter-zone policy)
   rule name no-nat                                      # rule no-nat: traffic to the leased line and to tenant 1 is not translated
    source-zone trust                                    # source zone trust
    destination-zone untrust                             # destination zone untrust
    source-address 192.168.2.0 mask 255.255.255.0        # source segment 192.168.2.0/24
    destination-address 172.16.1.0 mask 255.255.255.0    # destination segment 172.16.1.0/24
    destination-address 192.168.1.0 mask 255.255.255.0   # destination segment 192.168.1.0/24
    action no-nat                                        # do not translate
   rule name DianXin                                     # rule DianXin: Internet access is translated to the China Telecom address
    source-zone trust                                    # source zone trust
    destination-zone untrust                             # destination zone untrust
    source-address 192.168.2.0 mask 255.255.255.0        # source segment 192.168.2.0/24
    action nat address-group DianXin

Configure the server port mapping:

  nat server 1 protocol tcp global 123.126.109.164 3389 inside 192.168.1.1 3389   # map TCP port 3389 of internal host 192.168.1.1 to port 3389 of public address 123.126.109.164 (note: 192.168.1.1 lies in the 192.168.1.0/24 segment routed to vsysA, not in vsysB's 192.168.2.0/24)
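A consistency check for this kind of vsys configuration, added here as an example and not part of the original article or of any Huawei tool: it parses a constructed Huawei-style snippet line by line and flags a dot1q tag that does not match its subinterface number, and a vsys NAT address that lies outside the ranges that vsys received with assign global-ip (both are slips of the kind found in the config above). The line-based parsing is an approximation of the CLI and the sample is constructed.

```python
import ipaddress

# Constructed sample in Huawei USG CLI style (not the article's config). It reproduces
# two slips: Eth-Trunk1.129 tagged dot1q 12, and vsysB using 172.16.1.2 in a NAT pool.
SAMPLE_CONFIG = """
interface Eth-Trunk1.128
 vlan-type dot1q 128
interface Eth-Trunk1.129
 vlan-type dot1q 12
vsys name vsysA
 assign global-ip 123.126.109.182 123.126.109.182 exclusive
vsys name vsysB
 assign global-ip 172.16.1.3 172.16.1.3 exclusive
 assign global-ip 123.126.109.164 123.126.109.164 exclusive
switch vsys vsysA
 nat server 1 protocol tcp global 123.126.109.182 3389 inside 192.168.1.1 3389
switch vsys vsysB
 section 0 172.16.1.2 172.16.1.2
 nat server 1 protocol tcp global 123.126.109.164 3389 inside 192.168.2.1 3389
"""

def lint_vsys_config(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    assigned = {}        # vsys name -> [(first, last)] integer address ranges
    vsys = None          # set by 'vsys name X' (root view) or 'switch vsys X'
    subif = None         # most recent 'interface Eth-TrunkN.M' seen
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2:
            continue     # single-word lines (quit, nat-policy, ...) carry no data
        cmd = tokens[0].lower()
        if cmd == "interface" and "." in tokens[1]:
            subif = tokens[1]
        elif cmd == "vlan-type" and subif:
            expected = subif.rsplit(".", 1)[1]
            if tokens[2] != expected:
                findings.append(f"{subif}: dot1q tag {tokens[2]} != subinterface number {expected}")
        elif (cmd, tokens[1]) in (("vsys", "name"), ("switch", "vsys")):
            vsys = tokens[2]
            assigned.setdefault(vsys, [])
        elif cmd == "assign" and tokens[1] == "global-ip":
            lo, hi = (int(ipaddress.ip_address(t)) for t in tokens[2:4])
            assigned.setdefault(vsys, []).append((lo, hi))
        elif cmd == "section" or (cmd == "nat" and tokens[1] == "server"):
            # 'section <id> <start> <end>' of a NAT pool, or 'nat server ... global <ip> ...'
            ips = set(tokens[2:4]) if cmd == "section" else {tokens[tokens.index("global") + 1]}
            for ip in sorted(ips):
                n = int(ipaddress.ip_address(ip))
                if not any(lo <= n <= hi for lo, hi in assigned.get(vsys, [])):
                    findings.append(f"{vsys}: NAT address {ip} not in assigned global-ip ranges")
    return findings
```

Running lint_vsys_config(SAMPLE_CONFIG) reports the mismatched tag on Eth-Trunk1.129 and the unassigned 172.16.1.2 in vsysB; the same check applied to a real export catches pools that would never receive return traffic from the root wall.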
