Configuring a Huawei Firewall from the CLI: Step by Step


1. Huawei firewall CLI basics

The Huawei firewall system divides the command-line interface into a number of command views. Every command in the system is registered under one (or several) command views, and a command can only be executed from the view it belongs to.

Command view categories:

User view <USG>

System view [USG]

Interface view [USG-Ethernet0/0/1]

Protocol view [USG-rip]

Type a command followed by a space and "?": if that position takes a keyword, all keywords are listed, each with a brief description.

<USG 5000> display ?

Type a command followed by a space and "?": if that position takes a parameter, the relevant parameter descriptions are listed.

[USG 5000] interface ethernet ?

<3-3>  Slot number

Type a character string immediately followed by "?": all commands beginning with that string are listed.

<USG 5000> d?

debugging   delete   dir   display

2. Task 1: CLI operation steps

1. Configure an IP address on each interface and add the interfaces to their security zones.
<USG>system-view

[USG]hostname FW
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet1/0/3] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/1
[FW-zone-untrust] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] quit

2. Configure the FW as a DHCP server.

Enable DHCP.

[FW] dhcp enable

Create an interface address pool and configure the gateway address and DNS server address for the internal PCs.

[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] dhcp select interface
[FW-GigabitEthernet1/0/3] dhcp server ip-range 10.3.0.1 10.3.0.254
[FW-GigabitEthernet1/0/3] dhcp server dns-list 1.2.2.2
[FW-GigabitEthernet1/0/3] dhcp server gateway-list 10.3.0.1
[FW-GigabitEthernet1/0/3] quit

3. Configure a security policy that allows PCs on the internal network to access the Internet.
[FW] security-policy
[FW-security-policy] rule name policy_sec_1
[FW-security-policy-sec_policy_1] source-address 10.3.0.0 mask 255.255.255.0
[FW-security-policy-sec_policy_1] source-zone trust
[FW-security-policy-sec_policy_1] destination-zone untrust
[FW-security-policy-sec_policy_1] action permit
[FW-security-policy-sec_policy_1] quit
[FW-security-policy] quit

4. Configure a NAT policy so that addresses are translated when internal PCs access the Internet.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] egress-interface GigabitEthernet 1/0/1
[FW-policy-nat-rule-policy_nat_1] action source-nat easy-ip
[FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit

5. Configure a NAT policy so that addresses are translated when internal PCs access the Internet.
[FW] nat-policy
[FW-policy-nat] rule name policy_ftp1
[FW-policy-nat-rule-policy_ftp1] source-zone trust
[FW-policy-nat-rule-policy_ftp1] destination-address 1.1.1.2 32
[FW-policy-nat-rule-policy_ftp1] service protocol tcp destination-port 2121
[FW-policy-nat-rule-policy_ftp1] action destination-nat static port-to-port 10.3.0.30 21
[FW-policy-nat-rule-policy_ftp1] quit
[FW-policy-nat] quit

6. Configure a default route with the next-hop address 1.1.1.254.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

How to view the complete configuration script

[FW] display current-configuration
#
dhcp enable
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
dhcp select interface
dhcp server ip-range 10.3.0.1 10.3.0.254
dhcp server gateway-list 10.3.0.1
dhcp server dns-list 9.9.9.9
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action source-nat easy-ip
#
nat-policy
rule name policy_ftp1
source-zone untrust
destination-address 1.1.1.2 32
action destination-nat static port-to-port 10.3.0.30 21
#
return
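One thing worth checking in a dump like the one above is that every destination-NAT mapping (here 1.1.1.2:2121 to the FTP server 10.3.0.30:21) is paired with a security-policy rule that permits traffic from the rule's source zone to the translated server; without it the firewall's default interzone deny drops the translated packets. The following audit script is an added example, not part of the original post or Huawei's tooling: it parses the security-policy and nat-policy blocks in Huawei's indented dump form (the sample is constructed from the output above) and reports any destination-NAT rule whose server has no matching permit rule.

```python
import ipaddress

# Constructed sample: the security-policy and FTP nat-policy blocks from the
# display current-configuration output above, in Huawei's indented dump form.
SAMPLE_CONFIG = """\
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
#
nat-policy
 rule name policy_ftp1
  source-zone untrust
  destination-address 1.1.1.2 32
  action destination-nat static port-to-port 10.3.0.30 21
"""

def parse_rules(config, section):
    """Map rule name -> list of its commands, for every block opening with `section`."""
    rules, current = {}, None
    for block in config.split("\n#\n"):
        lines = [l.strip() for l in block.strip().splitlines()]
        if lines and lines[0] == section:
            for line in lines[1:]:
                if line.startswith("rule name "):
                    current = line.split(None, 2)[2]
                    rules[current] = []
                elif current is not None:
                    rules[current].append(line)
    return rules

def to_network(line):  # "x-address 10.3.0.0 24" or "x-address 10.3.0.0 mask 255.255.255.0"
    tokens = line.split()
    return ipaddress.ip_network(f"{tokens[1]}/{tokens[-1]}", strict=False)

def audit(config):
    """Name each destination-NAT rule whose server has no permit rule from the same zone."""
    sec, findings = parse_rules(config, "security-policy"), []
    for name, lines in parse_rules(config, "nat-policy").items():
        dnat = [l for l in lines if l.startswith("action destination-nat")]
        if not dnat:
            continue  # source-NAT rules are covered by the outbound permit rule
        zone = next(l.split()[1] for l in lines if l.startswith("source-zone"))
        server = ipaddress.ip_address(dnat[0].split()[-2])  # "... port-to-port 10.3.0.30 21"
        reachable = any("action permit" in r and f"source-zone {zone}" in r and any(
            l.startswith("destination-address") and server in to_network(l) for l in r) for r in sec.values())
        if not reachable:
            findings.append(f"{name}: destination-NAT to {server} from zone {zone} has no permit rule")
    return findings
```

Run against the sample, `audit(SAMPLE_CONFIG)` flags `policy_ftp1`, because the only permit rule in the dump is the outbound trust-to-untrust one; appending a permit rule from untrust whose destination-address covers 10.3.0.30 clears the finding.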
