Steps for configuring a Huawei firewall from the CLI
1. Huawei firewall CLI basics
The Huawei firewall operating system divides the command-line interface into several command views. Every command in the system is registered under one (or more) command views, and a command can only be executed from the view it is registered in.
Command views:
User view <USG>
System view [USG]
Interface view [USG-Ethernet0/0/1]
Protocol view [USG-rip]
Type a command followed by a space and "?". If that position expects a keyword, all keywords valid there are listed with a brief description.
<USG 5000> display ?
Type a command followed by a space and "?". If that position expects a parameter, the description of that parameter is listed.
[USG 5000] interface ethernet ?
<3-3> Slot number
Type a string immediately followed by "?" to list all commands that begin with that string.
<USG 5000> d?
debugging delete dir display
2. Task 1: CLI configuration steps
1. Configure an IP address on each interface and add the interfaces to their security zones.
<USG> system-view
[USG] hostname FW
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet1/0/3] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit
2. Configure the FW as a DHCP server.
Enable DHCP.
[FW] dhcp enable
Create an interface address pool and set the gateway address and DNS server address handed out to the internal PCs.
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] dhcp select interface
[FW-GigabitEthernet1/0/3] dhcp server ip-range 10.3.0.1 10.3.0.254
[FW-GigabitEthernet1/0/3] dhcp server dns-list 1.2.2.2
[FW-GigabitEthernet1/0/3] dhcp server gateway-list 10.3.0.1
[FW-GigabitEthernet1/0/3] quit
3. Configure a security policy that allows the PCs on the internal network to access the Internet.
[FW] security-policy
[FW-security-policy] rule name policy_sec_1
[FW-security-policy-policy_sec_1] source-address 10.3.0.0 mask 255.255.255.0
[FW-security-policy-policy_sec_1] source-zone trust
[FW-security-policy-policy_sec_1] destination-zone untrust
[FW-security-policy-policy_sec_1] action permit
[FW-security-policy-policy_sec_1] quit
[FW-security-policy] quit
4. Configure a NAT policy so that addresses are translated when PCs on the internal network access the Internet.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] egress-interface GigabitEthernet 1/0/1
[FW-policy-nat-rule-policy_nat_1] action source-nat easy-ip
[FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit
5. Configure a destination NAT policy so that connections from the Internet to 1.1.1.2 on TCP port 2121 are translated to port 21 on the internal FTP server 10.3.0.30.
[FW] nat-policy
[FW-policy-nat] rule name policy_ftp1
[FW-policy-nat-rule-policy_ftp1] source-zone untrust
[FW-policy-nat-rule-policy_ftp1] destination-address 1.1.1.2 32
[FW-policy-nat-rule-policy_ftp1] service protocol tcp destination-port 2121
[FW-policy-nat-rule-policy_ftp1] action destination-nat static port-to-port 10.3.0.30 21
[FW-policy-nat-rule-policy_ftp1] quit
[FW-policy-nat] quit
6. Configure a default route with next hop 1.1.1.254.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
How to view the complete configuration script
[FW] display current-configuration
#
dhcp enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
dhcp select interface
dhcp server ip-range 10.3.0.1 10.3.0.254
dhcp server gateway-list 10.3.0.1
dhcp server dns-list 9.9.9.9
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action source-nat easy-ip
#
nat-policy
rule name policy_ftp1
source-zone untrust
destination-address 1.1.1.2 32
action destination-nat static port-to-port 10.3.0.30 21
#
return
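The configuration script above is where the result of steps 1 to 6 should be verified, and it is easier to check mechanically than by eye. The following Python script is an added example and is not part of this page or of Huawei's tooling: it parses the running-configuration text (a constructed sample copied from the output above and trimmed to the relevant sections) into interfaces, zones, security-policy rules and NAT rules, then checks that every addressed interface belongs to a zone and that every NAT rule has a security-policy rule permitting the same inter-zone flow. The destination-NAT check assumes that the security policy is matched against the post-NAT (private) address; with that assumption, on the configuration shown it reports that policy_ftp1 maps traffic to 10.3.0.30 in zone trust while no security-policy rule permits untrust -> trust traffic to that host. All function and variable names are my own.

```python
import ipaddress

# Constructed sample: this page's `display current-configuration` output, trimmed to what the checks read.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  egress-interface GigabitEthernet1/0/1
  source-address 10.3.0.0 24
  action source-nat easy-ip
 rule name policy_ftp1
  source-zone untrust
  destination-address 1.1.1.2 32
  action destination-nat static port-to-port 10.3.0.30 21
#
"""

def parse_config(text):
    # Split VRP running-config text into interfaces (name -> ip/prefix), zones and policy rules.
    cfg = {"interfaces": {}, "zones": {}, "security": [], "nat": []}
    block = rule = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("#", "return"):        # "#" closes a section in VRP output
            block = rule = None
        elif tok[0] == "interface":
            block, rule = ("interface", tok[1]), None
        elif tok[:2] == ["firewall", "zone"]:
            block, rule = ("zone", tok[2]), None
        elif tok[0] in ("security-policy", "nat-policy"):
            block, rule = (tok[0].split("-")[0], None), None   # key "security" or "nat"
        elif block is None:
            continue
        elif block[0] == "interface" and tok[:2] == ["ip", "address"]:
            cfg["interfaces"][block[1]] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif block[0] == "zone" and tok[:2] == ["add", "interface"]:
            cfg["zones"].setdefault(block[1], set()).add(tok[2])
        elif block[0] in cfg and tok[:2] == ["rule", "name"]:
            rule = {"name": tok[2]}
            cfg[block[0]].append(rule)
        elif rule is not None and tok[0] in ("source-address", "destination-address"):
            rule[tok[0]] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)  # "24" or dotted mask
        elif rule is not None:
            rule[tok[0]] = tok[1:] if tok[0] == "action" else " ".join(tok[1:])
    return cfg

def zone_of_interface(cfg, name):
    return next((z for z, members in cfg["zones"].items() if name in members), None)

def zone_of_address(cfg, addr):
    # Zone of the interface whose connected subnet contains addr (None if addr is not local).
    name = next((n for n, ip in cfg["interfaces"].items() if addr in ip.network), None)
    return zone_of_interface(cfg, name)

def permitted(cfg, src_zone, dst_zone, dst_addr=None):
    # True if a security-policy rule permits src_zone -> dst_zone (to dst_addr, if given).
    return any(
        (r.get("source-zone"), r.get("destination-zone"), r.get("action")) == (src_zone, dst_zone, ["permit"])
        and (r.get("destination-address") is None or (dst_addr is not None and dst_addr in r["destination-address"]))
        for r in cfg["security"])

def audit(cfg):
    # Returns a list of findings; an empty list means every check passed.
    findings = [f"{n} has an IP address but is in no security zone"
                for n in cfg["interfaces"] if zone_of_interface(cfg, n) is None]
    for r in cfg["nat"]:
        kind, src, dst_addr, dst_zone = r.get("action", [""])[0], r.get("source-zone"), None, None
        if kind == "destination-nat":
            # Assumption: the security policy is matched against the post-NAT (private) address.
            dst_addr = ipaddress.ip_address(next(t for t in r["action"] if t.count(".") == 3))
            dst_zone = zone_of_address(cfg, dst_addr)
        elif kind == "source-nat":
            dst_zone = zone_of_interface(cfg, r.get("egress-interface", ""))
        if kind in ("source-nat", "destination-nat") and not permitted(cfg, src, dst_zone, dst_addr):
            findings.append(f"NAT rule {r['name']} ({kind}): no security-policy rule permits "
                            f"{src} -> {dst_zone}" + (f" to {dst_addr}" if dst_addr else ""))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE_CONFIG)) or ["no findings"]))
```

Running the script on the sample prints the single policy_ftp1 finding; feeding it the output of `display current-configuration` from a real device works the same way, since the parser keys on the section headers and ignores indentation. Adding an untrust -> trust security-policy rule whose destination address is 10.3.0.30 makes the finding disappear.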