拓扑图

配置过程

PC分配IP

PC1：192.168.1.1/24

PC2：192.168.1.2/24

PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe87:1e5f
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.1.1
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.254
Physical address..................: 54-89-98-87-1E-5F
DNS server........................:

PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe69:79e9
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.1.2
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.254
Physical address..................: 54-89-98-69-79-E9
DNS server........................:

防火墙分配IP

防火墙需要登陆，默认账号：admin，密码：Admin@123

g1/0/2:192.168.1.254/24，允许ping

g1/0/0:192.168.2.254/24

g1/0/1:100.1.1.1/24

Username:admin
Password:
The password needs to be changed. Change now? [Y/N]: y
Please enter old password: 
Please enter new password: 
Please confirm new password: 

 Info: Your password has been changed. Save the change to survive a reboot. 
*************************************************************************
*         Copyright (C) 2014-2018 Huawei Technologies Co., Ltd.         *
*                           All rights reserved.                        *
*               Without the owner's prior written consent,              *
*        no decompiling or reverse-engineering shall be allowed.        *
*************************************************************************


<USG6000V1>
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info-center enable
Info: Saving log files...
Info: Information center is disabled.
[USG6000V1]interface gigabitether 1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip address 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/2]service-manage ping permit
[USG6000V1-GigabitEthernet1/0/2]quit
[USG6000V1]interface gigabitether 1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip address 192.168.2.254 24
[USG6000V1-GigabitEthernet1/0/0]quit
[USG6000V1]interface gigabitether 1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip address 100.1.1.1 24
[USG6000V1-GigabitEthernet1/0/1]quit
[USG6000V1]

服务器配置IP

ip：192.168.2.100

网关：192.168.2.254

Internet分配IP

g0/0/0:100.1.1.2 /24

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]interface gigabitether 0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 100.1.1.2 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]sysname internet
[internet]

防火墙安全域划分

把相应的接口划入相应的区域

trust：g1/0/2

untrust:g1/0/1

dmz:g1/0/0

[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface gigabitether 1/0/2
[USG6000V1-zone-trust]quit
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface gigabitether 1/0/1
[USG6000V1-zone-untrust]quit
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface gigabitether 1/0/0
[USG6000V1-zone-dmz]quit
[USG6000V1]

创建安全策略

安全策略名：trust_to_untrust

源区域：trust

目的区域：untrust

源地址（可设可不设）1.0网段：192.168.1.0 24

目的地址（可设可不设）所有：any

动作：允许

[USG6000V1]security-policy
[USG6000V1-policy-security]rule name trust_to_untrust
[USG6000V1-policy-security-rule-trust_to_untrust]source-zone trust
[USG6000V1-policy-security-rule-trust_to_untrust]destination-zone untrust
[USG6000V1-policy-security-rule-trust_to_untrust]source-address 192.168.1.0 24
[USG6000V1-policy-security-rule-trust_to_untrust]destination-address any
[USG6000V1-policy-security-rule-trust_to_untrust]action permit
[USG6000V1-policy-security-rule-trust_to_untrust]quit
[USG6000V1-policy-security]quit
[USG6000V1]

配置NAT

策略建好了但是访问不到互联网，没有做nat

地址池名称：addressgroup1

模式：pat

公网地址：100.1.1.10-100.1.1.20

[USG6000V1]nat address-group addressgroup1
[USG6000V1-address-group-addressgroup1]mode pat
[USG6000V1-address-group-addressgroup1]section 0 100.1.1.10 100.1.1.20
[USG6000V1-address-group-addressgroup1]quit
[USG6000V1]

NAT策略

策略名称：nat1

源区域：trust

目的区域：untrust

源地址：192.168.1.0 /24

目的地址：any

动作：基于源地址nat，使用addressgroup1地址池

[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name nat1
[USG6000V1-policy-nat-rule-nat1]source-zone trust
[USG6000V1-policy-nat-rule-nat1]destination-zone untrust
[USG6000V1-policy-nat-rule-nat1]source-address 192.168.1.0 24
[USG6000V1-policy-nat-rule-nat1]destination-address any
[USG6000V1-policy-nat-rule-nat1]action source-nat address-group addressgroup1
[USG6000V1-policy-nat-rule-nat1]quit
[USG6000V1-policy-nat]quit
[USG6000V1]

这时候用PC去ping互联网，已经通了

PC>ping 100.1.1.2

Ping 100.1.1.2: 32 data bytes, Press Ctrl_C to break
From 100.1.1.2: bytes=32 seq=1 ttl=254 time=47 ms
From 100.1.1.2: bytes=32 seq=2 ttl=254 time=47 ms
From 100.1.1.2: bytes=32 seq=3 ttl=254 time=31 ms
From 100.1.1.2: bytes=32 seq=4 ttl=254 time=47 ms
From 100.1.1.2: bytes=32 seq=5 ttl=254 time=47 ms

--- 100.1.1.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/43/47 ms

PC>

可以查看一下session表，ping停止后过段时间会消失，先ping一下再查看session表

[USG6000V1]display firewall session table
2023-10-06 02:35:27.900 
 Current Total Sessions : 5
 icmp  VPN: public --> public  192.168.1.1:20082[100.1.1.20:2066] --> 100.1.1.2:
2048
 icmp  VPN: public --> public  192.168.1.1:20338[100.1.1.20:2067] --> 100.1.1.2:
2048
 icmp  VPN: public --> public  192.168.1.1:19570[100.1.1.20:2064] --> 100.1.1.2:
2048
 icmp  VPN: public --> public  192.168.1.1:19314[100.1.1.20:2063] --> 100.1.1.2:
2048
 icmp  VPN: public --> public  192.168.1.1:19826[100.1.1.20:2065] --> 100.1.1.2:
2048
[USG6000V1]

到这里拓扑图里面的4点要求都已经实现

访问服务器配置

拓扑图里面还有个dmz区域没做任何配置，此时内部PC是访问不了服务器的

实现PC访问服务器，和trust访问untrust一样，放行trust到dmz区域的流量即可，配置如下

安全策略

创建个trust到dmz的策略

[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name trust_to_dmz
[USG6000V1-policy-security-rule-trust_to_dmz]source-zone trust
[USG6000V1-policy-security-rule-trust_to_dmz]destination-zone dmz
[USG6000V1-policy-security-rule-trust_to_dmz]action permit
[USG6000V1-policy-security-rule-trust_to_dmz]quit
[USG6000V1-policy-security]quit
[USG6000V1]

这个时候去ping 服务器可以通了

PC>ping 192.168.2.100

Ping 192.168.2.100: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.2.100: bytes=32 seq=2 ttl=254 time=31 ms
From 192.168.2.100: bytes=32 seq=3 ttl=254 time=47 ms
From 192.168.2.100: bytes=32 seq=4 ttl=254 time=15 ms
From 192.168.2.100: bytes=32 seq=5 ttl=254 time=31 ms

--- 192.168.2.100 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/31/47 ms

PC>

NAT Server配置

再来实现一下nat server 端口映射，把内网web服务器映射到公网地址，允许公网访问服务器

nat server 映射，www换成80 也是一样的

[USG6000V1]nat server protocol tcp global 100.1.1.100 80 inside 192.168.2.100 www

映射后公网还是访问不了服务器，没有放行untrust到dmz的流量，所以再建条安全策略

[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name untrust_to_dmz
[USG6000V1-policy-security-rule-untrust_to_dmz]source-zone untrust
[USG6000V1-policy-security-rule-untrust_to_dmz]destination-zone dmz
[USG6000V1-policy-security-rule-untrust_to_dmz]action permit
[USG6000V1-policy-security-rule-untrust_to_dmz]quit
[USG6000V1-policy-security]quit
[USG6000V1]

放行后去Internet上使用Telnet模拟访问服务器

<Huawei>telnet 100.1.1.100 80
  Press CTRL_] to quit telnet mode
  Trying 100.1.1.100 ...
  Connected to 100.1.1.100 ...

通过服务器的日志信息可以看到访问成功了

也可以到防火墙上查看session表，可以看到公网地址100.1.1.2访问服务器映射的公网地址100.1.1.100，实际内网地址192.168.2.100的80端口

[USG6000V1]display firewall session table
2023-10-06 02:59:04.750 
 Current Total Sessions : 1
 http  VPN: public --> public  100.1.1.2:49852 --> 100.1.1.100:80[192.168.2.100:
80]
[USG6000V1]

目录CONTENT

防火墙配置实验

拓扑图