Huawei USG2000 Firewall Lab Document
Requirement: configure the Huawei firewall so that the local telnet server can reach the Internet through NAT, and so that traffic to the China Telecom network leaves over the Telecom link while traffic to the China Netcom network leaves over the Netcom link.
The configuration is as follows:
Huawei USG 2000
Username:admin
[USG2205BSR]sysname huawei
[huawei]interface GigabitEthernet 0/0/0
[huawei-GigabitEthernet0/0/0]ip address 202.100.1.1
[huawei-GigabitEthernet0/0/0]undo shutdown
[huawei-GigabitEthernet0/0/0]quit
[huawei]interface GigabitEthernet 0/0/1
[huawei-GigabitEthernet0/0/1]description ###conn to yidong link###
[huawei-GigabitEthernet0/0/1]ip address 202.200.1.1 255.255.255.0
[huawei-GigabitEthernet0/0/1]undo shutdown
[huawei-GigabitEthernet0/0/1]quit
[huawei]interface Vlanif 1
[huawei-Vlanif1]description ###conn to local###
[huawei-Vlanif1]ip address 192.168.1.1 255.255.255.0
[huawei-Vlanif1]undo shutdown
[huawei-Vlanif1]quit
[huawei]firewall zone trust
[huawei-zone-trust]undo add interface GigabitEthernet 0/0/1
[huawei-zone-trust]add interface Vlanif 1
[huawei-zone-trust]quit
[huawei]firewall zone name dianxin
[huawei-zone-dianxin]set priority 4
[huawei-zone-dianxin]add interface GigabitEthernet 0/0/0
[huawei-zone-dianxin]quit
[huawei]firewall zone name yidong
[huawei-zone-yidong]set priority 3
[huawei-zone-yidong]add interface GigabitEthernet 0/0/1
[huawei-zone-yidong]quit
[huawei]acl number 2000
[huawei-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255
[huawei-acl-basic-2000]quit
[huawei]firewall interzone trust dianxin
[huawei-interzone-trust-dianxin]packet-filter 2000 outbound
[huawei-interzone-trust-dianxin]nat outbound 2000 interface GigabitEthernet 0/0/0
[huawei-interzone-trust-dianxin]quit
[huawei]firewall interzone trust yidong
[huawei-interzone-trust-yidong]nat outbound 2000 interface GigabitEthernet 0/0/1
[huawei-interzone-trust-yidong]quit
[huawei]user-interface vty 0 4
[huawei-ui-vty0-4]authentication-mode password
[huawei-ui-vty0-4]quit
[huawei]ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
[huawei]ip route-static …… …… 202.200.1.2
[huawei]ip route-static 222.160.0.0 255.252.0.0 202.200.1.2
[huawei]firewall packet-filter default permit interzone local dianxin direction outbound
[huawei]firewall packet-filter default permit interzone trust dianxin direction inbound
[huawei]firewall packet-filter default permit interzone trust dianxin direction outbound
[huawei]firewall packet-filter default permit interzone local yidong direction inbound
[huawei]firewall packet-filter default permit interzone local yidong direction outbound
[huawei]firewall packet-filter default permit interzone trust yidong direction inbound
Topology: the configuration of the China Telecom network, the China Netcom network and the telnet server is omitted.
Verification:
From the internal host 192.168.1.2, ping the Telecom and Netcom gateways.
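The forwarding decision the configuration above produces can be checked offline before touching the firewall: the longest-prefix match between the default route and the 222.160.0.0/14 static route picks the egress interface, and ACL 2000 decides whether `nat outbound` applies. This is an added Python model built from the page's own addresses, zones and ACL, not Huawei code; the function names are hypothetical.

```python
import ipaddress

# Constructed from this page's config: egress interface -> (security zone, NAT
# source address), the routing table (connected /24s plus the two static routes)
# and basic ACL 2000. Function names are hypothetical helpers, not USG commands.
EGRESS = {
    "GigabitEthernet0/0/0": ("dianxin", "202.100.1.1"),
    "GigabitEthernet0/0/1": ("yidong", "202.200.1.1"),
}
ROUTES = {
    "202.100.1.0/24": "GigabitEthernet0/0/0",   # connected
    "202.200.1.0/24": "GigabitEthernet0/0/1",   # connected
    "0.0.0.0/0": "GigabitEthernet0/0/0",        # ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
    "222.160.0.0/14": "GigabitEthernet0/0/1",   # 255.252.0.0 is a /14, next hop 202.200.1.2
}
ACL_2000 = [("permit", "192.168.1.0", "0.0.0.255")]   # rule 10


def acl_match(acl, src):
    """Huawei basic ACL semantics: wildcard bits set to 1 are 'don't care',
    the first matching rule wins, and an unmatched packet is denied."""
    s = int(ipaddress.IPv4Address(src))
    for action, base, wildcard in acl:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if (s & care) == (int(ipaddress.IPv4Address(base)) & care):
            return action == "permit"
    return False


def lookup_route(dst):
    """Longest-prefix match: the /14 for 222.160.0.0 beats the default route."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress(src, dst):
    """Return (interface, zone, NAT source) for a trust-zone packet, or None
    when ACL 2000 does not permit the source (no nat outbound applies)."""
    if not acl_match(ACL_2000, src):
        return None
    iface = lookup_route(dst)
    zone, nat_ip = EGRESS[iface]
    return iface, zone, nat_ip
```

Because the same ACL 2000 is bound to both `nat outbound` rules, a source outside 192.168.1.0/24 is translated on neither link, which is what the None result shows.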
inside#ping 202.100.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
inside#ping 202.200.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.200.1.2, timeout is 2 seconds: