2022-10-08
Huawei Firewall USG6000V Configuration Lab (Huawei USG6000 Firewall)
```
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding ***-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage permit //whether management access is allowed
 service-manage ping permit //whether PING is allowed
```
2. Firewall FW1 interface configuration

```
#
interface Vlanif1
 ip address 192.168.11.254 255.255.255.0
 service-manage ping permit
#
interface Vlanif3
 ip address 192.168.3.254 255.255.255.0
 service-manage ping permit
#
interface Vlanif4
 ip address 192.168.4.254 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding ***-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage permit
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
 alias trust_内网
 service-manage ping permit
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 202.1.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 172.16.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/3
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 3 to 4
#
interface GigabitEthernet1/0/4
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 3 to 4
#
```
3. Security zone configuration

```
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/0
 add interface Vlanif1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
firewall zone name vlan3zone id 4
 set priority 3
 add interface Vlanif3
#
firewall zone name vlan4zone id 5
 set priority 4
 add interface Vlanif4
#
firewall zone name portszone id 6
 set priority 8
 add interface GigabitEthernet1/0/3
 add interface GigabitEthernet1/0/4
#
```
4. Security policy configuration

```
#
security-policy
 rule name local_any
  source-zone local
  action permit
 rule name lan_wan
  source-zone trust
  source-zone vlan3zone
  destination-zone untrust
  action permit
 rule name trust_dmz
  source-zone trust
  destination-zone dmz
  action permit
 rule name untrust_dmz
  source-zone untrust
  destination-zone dmz
  destination-address 172.16.1.2 32
  service permit
 rule name trust_vlan4zone
  source-zone trust
  source-zone vlan4zone
  destination-zone trust
  destination-zone vlan4zone
  action permit
 rule name any_managevlan1
  destination-zone trust
  destination-address 192.168.11.0 24
  action permit
#
```
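An added example, not part of the original post: a small Python audit of the section 4 security-policy block that flags rules leaving a zone condition unset or carrying no action line. The embedded `POLICY` text is an excerpt of that section, and the function names `parse_rules` and `audit` are this example's own.

```python
# Added example (not from the original page): audit a security-policy block
# for rules with an unset zone condition or no action line.
POLICY = """\
security-policy
 rule name lan_wan
  source-zone trust
  source-zone vlan3zone
  destination-zone untrust
  action permit
 rule name untrust_dmz
  source-zone untrust
  destination-zone dmz
  destination-address 172.16.1.2 32
  service permit
 rule name any_managevlan1
  destination-zone trust
  destination-address 192.168.11.0 24
  action permit
"""  # excerpt of the page's section 4 configuration, one command per line

def parse_rules(text):
    """Return {rule name: {keyword: [arguments]}} for each rule in the block."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "security-policy"):
            continue
        if line.startswith("rule name "):
            current = rules.setdefault(line[len("rule name "):], {})
        elif current is not None:
            keyword, _, args = line.partition(" ")
            current.setdefault(keyword, []).append(args)
    return rules

def audit(rules):
    """Return {rule name: [findings]}; rules with no finding are omitted."""
    findings = {}
    for name, conds in rules.items():
        issues = [f"no {k} set, so the rule matches any zone on that side"
                  for k in ("source-zone", "destination-zone") if k not in conds]
        if "action" not in conds:
            issues.append("no action line")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(parse_rules(POLICY)).items():
        print(f"{name}: {'; '.join(issues)}")
```

On this excerpt the audit reports `untrust_dmz` (no action line) and `any_managevlan1` (no source zone, so traffic from every zone toward 192.168.11.0/24 in the trust zone is permitted).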
5. NAT configuration

```
#
nat-policy
 rule name lan_to_isp
  source-zone trust
  source-zone vlan3zone
  egress-interface GigabitEthernet1/0/1
  source-address 192.168.1.0 24
  source-address 192.168.3.0 24
  action nat easy-ip
#
#
nat server mywebserver 0 protocol tcp global 202.1.1.1 inside 172.16.1.2 no-reverse
#
```