The firewall overview series has another update! This post gives a brief introduction to the Huawei USG6000 firewall.
Tips
Type '?' for command hints, Tab to complete a command, and quit or Ctrl+Z to go back to the previous level.
Enter the configuration view (the equivalent of configure mode)
system-view
hostname
sysname USG6000V2
Commit the configuration: this saves the current configuration to the system's storage path
save all
Get the running configuration
display current-configuration all
interface
display interface
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.1.60 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
Logging
display logbuffer
address (group)
display ip address-set all
ip address-set hello type object
address 0 11.10.1.0 mask 25
ip address-set ttttt type group
description asdasd
address range 10.10.12.2 10.10.12.10
address address-set addr
address address-set kkk
address address-set uuu
address range 10.10.123.2 10.10.123.10
service (group)
display ip service-set all
ip service-set fdf type object
description tgasfasd
service protocol tcp source-port 0 to 2 destination-port 0 to 65
service protocol udp source-port 0 to 655 destination-port 0 to 65535
service protocol tcp source-port 0 to 76 destination-port 88 to 999
service protocol tcp source-port 666 destination-port 777 to 4564
service protocol icmp icmp-type 8 9
service protocol 111
service protocol icmp icmp-type host-unreachable
ip service-set zxvasfasfsafa type group
description asdasdsd
service service-set ad
service service-set ah
service service-set bgp
service service-set discard-tcp
zone
display zone
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
firewall zone name aaa
set priority 20
application
display application user-defined
sa
user-defined-application name UD_3333
description ada
data-model browser-based
label Productivity-LossEvasiveTunnelingSupports-VideoSocial-ApplicationsNetwork-StorageDatabase
rule name zxc
protocol tcp
ip-address 2.2.2.2
port 3333
signature context packet direction both plain-string vva field General-Payload
rule name aaz
port 6600
signature context packet direction request regular-expression "aaa?" field General-Payload
rule name azxc
ip-address 2.2.2.2
port 55
port 66
port 44
undo signature
policy
display security-policy all
security-policy
rule name dfsd
description fdsdfd
source-zone trust
source-zone local
destination-zone aaa
destination-zone untrust
source-address address-set addr
source-address address-set asdf
destination-address address-set addr
destination-address address-set fangcong
service ad
service ah
application app HTML2JPG_Enterprise_Version
application category Business_Systems sub-category Auth_Service
application app-group dvsd
time-range time1
profile av zxcss
profile ips web_server
action permit
policy logging
session logging
session aging-time 324
long-link enable
long-link aging-time 3243
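As an added example that is not part of the original post, here is a small Python audit of the flat configuration text used in the interface and security-policy sections above. It parses `interface` and `rule name` blocks and flags management protocols that run in cleartext being permitted via `service-manage`, permit rules with `service Any`, and permit rules without `policy logging`; the sample configuration is constructed for the example, and the check list is our own choice, not a device feature.

```python
import re
# Constructed sample in the page's flat CLI style, not a real device dump.
SAMPLE = """\
interface GigabitEthernet0/0/0
 service-manage https permit
 service-manage telnet permit
security-policy
 rule name untrust_2_dmz_c0dbd
  destination-zone dmz
  service Any
  action permit
 rule name dfsd
  service TCP_241
  action permit
  policy logging
"""
CLEARTEXT_MGMT = {"http", "telnet"}   # management services carried in cleartext
SECTION_HEADERS = ("security-policy", "nat-policy")

def parse_blocks(text):
    """Group lines into (header, attributes); indentation is ignored (flat page style)."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("interface ", "rule name ")):
            cur = (line, [])
            blocks.append(cur)
        elif line in SECTION_HEADERS:
            cur = None                      # a new section closes any open block
        elif line and cur is not None:
            cur[1].append(line)
    return blocks

def audit(text):
    """Findings: cleartext management, permit + 'service Any', permit without log."""
    findings = []
    for header, attrs in parse_blocks(text):
        if header.startswith("interface "):
            for a in attrs:
                m = re.fullmatch(r"service-manage (\S+) permit", a)
                if m and m.group(1) in CLEARTEXT_MGMT:
                    findings.append(f"{header}: {m.group(1)} permitted (cleartext)")
        elif "action permit" in attrs:
            name = header.split()[-1]
            if "service Any" in attrs:
                findings.append(f"rule {name}: permit with service Any")
            if "policy logging" not in attrs:
                findings.append(f"rule {name}: permit without policy logging")
    return findings
```

Running `audit` over the output of `display current-configuration` (after stripping the surrounding output) gives the same findings for a real device.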
timeRange
display time-range all
time-range abc
period-range 01:30:00 to 23:00:00 Wed Tue Mon
absolute-range 00:00:00 2019/10/9 to 00:00:00 2019/10/10
absolute-range 00:00:00 2019/10/15 to 00:00:00 2019/10/24
Huawei USG: Configuring NAT
Static NAT (one-to-one)
Use static NAT for destination address translation
Device: Cisco ASA 192.168.1.204
Interface:
Device: Huawei USG 192.168.1.205
Interface:
Topology:
The Huawei firewall acts as the NAT firewall
Commands:
security-policy
rule name untrust_2_dmz_c0dbd
description create by NAP 97e5819c-2c2c-435b-9e29-5e40d8715f9a
source-zone untrust
destination-zone dmz
source-address address-set WS_172.16.205.1_32
destination-address address-set ws_10.1.206.1
service Any
action permit
nat server untrust_2_dmz_b9fe1 global 12.1.214.33 inside 10.1.206.1
Set up the route on the Cisco device:
Ping 12.1.214.33 from the Cisco device
Translation result
Source NAT
A source NAT policy lets internal hosts with private addresses access the Internet: the system translates the source IP of packets from internal hosts from the private address to a public address. When configuring it, the pre-translation source address should be a private address or address group (multiple can be selected); the post-translation source address can be a NAT address pool or the public IP address of the packet's outbound interface.
nat-policy
[USG6000V2-policy-nat] rule name snat1
[USG6000V2-policy-nat-rule-snat1] description test
[USG6000V2-policy-nat-rule-snat1] destination-zone untrust
[USG6000V2-policy-nat-rule-snat1] source-zone trust
[USG6000V2-policy-nat-rule-snat1] source-address address-set WS_192.168.1.11_32
[USG6000V2-policy-nat-rule-snat1] destination-address address-set WS_2.3.1.120_32
[USG6000V2-policy-nat-rule-snat1] service TCP_241
[USG6000V2-policy-nat-rule-snat1] action nat address-group test2 // test2 is the address in the address pool
[USG6000V2-policy-nat-rule-snat1]
Destination NAT
Map port 443 of the public IP 12.1.214.33 to port 999 of the private IP 10.1.206.1
nat server untrust_2_dmz_b9fe1 protocol tcp global 12.1.214.33 443 inside 10.1.206.1 9999
So we configure DNAT by means of nat server