Lab environment: EVE-NG emulator with the Huawei HUSG0000V image imported
Reference documentation:
https://support.huawei.com/enterprise/zh/doc/EDOC1000118079?section=j005
https://support.huawei.com/enterprise/zh/doc/EDOC1000118079?section=j009
Requirement: the firewall connects to the Internet through a static IPv4 address
IP address: 10.189.189.234/24
Default gateway: 10.189.189.1
DNS server address: 218.30.19.40
PCs on the internal network use the private subnet 10.3.0.0/24 to communicate with each other; the FW assigns private addresses, the DNS server address and other network parameters to the PCs
PCs on the internal network can access the Internet
Procedure
0. Basic setup
<USG6000V2>undo terminal monitor  # disable display of debugging, log and alarm messages on the terminal
<USG6000V2>system
[USG6000V2]display interface brief
[USG6000V2]sysname FW  # rename the device to FW
1. Configure IP addresses on the interfaces and add them to the corresponding security zones
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 10.189.189.234 255.255.255.0  # external (Internet-facing) interface
[FW-GigabitEthernet1/0/0]quit
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]ip address 10.3.0.1 255.255.255.0  # internal (LAN) interface
[FW-GigabitEthernet1/0/1]quit
[FW]firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/0
[FW-zone-untrust]quit
[FW]firewall zone trust
[FW-zone-trust]add interface GigabitEthernet 1/0/1
[FW-zone-trust]quit
2. Configure the FW as a DHCP server
[FW]dhcp enable  # enable DHCP
# create an interface address pool and configure the gateway and DNS server addresses for the internal PCs
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]dhcp select interface
[FW-GigabitEthernet1/0/1]dhcp server ip-range 10.3.0.1 10.3.0.254
[FW-GigabitEthernet1/0/1]dhcp server dns-list 218.30.19.40
[FW-GigabitEthernet1/0/1]dhcp server gateway-list 10.3.0.1
[FW-GigabitEthernet1/0/1]quit
3. Configure a security policy allowing PCs on the internal network to access the Internet
[FW]security-policy
[FW-policy-security]rule name policy_sec_1
[FW-policy-security-rule-policy_sec_1]source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-security-rule-policy_sec_1]source-zone trust
[FW-policy-security-rule-policy_sec_1]destination-zone untrust
[FW-policy-security-rule-policy_sec_1]action permit
[FW-policy-security-rule-policy_sec_1]quit
[FW-policy-security]quit
4. Configure a NAT policy so that source addresses are translated when internal PCs access the Internet
[FW]nat-policy
[FW-policy-nat]rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1]source-address 10.3.0.0 mask 255.255.255.0
[FW-policy-nat-rule-policy_nat_1]source-zone trust
[FW-policy-nat-rule-policy_nat_1]egress-interface GigabitEthernet 1/0/0
[FW-policy-nat-rule-policy_nat_1]action source-nat easy-ip
[FW-policy-nat-rule-policy_nat_1]quit
[FW-policy-nat]quit
5. Configure a default route with next hop 10.189.189.1
[FW]ip route-static 0.0.0.0 0.0.0.0 10.189.189.1
6. Enable web UI and SSH access (management services are permitted on the external interface GigabitEthernet 1/0/0)
[FW]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]display this
[FW-GigabitEthernet1/0/0]undo shutdown
Info: Interface GigabitEthernet1/0/0 is not shutdown.
[FW-GigabitEthernet1/0/0]service-manage enable
[FW-GigabitEthernet1/0/0]service-manage all permit
[FW-GigabitEthernet1/0/0]return
<FW>display ip interface brief
<FW>save
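An added check, not part of this lab or the Huawei documentation, that a practitioner would run against the saved configuration after step 6: it parses the interface, zone and static-route statements and flags two things the steps above leave to the reader, namely service-manage permits on an interface that sits in the untrust zone, and a default route whose next hop is not on a directly connected subnet. The embedded configuration text is constructed from the commands above in the indented layout of a configuration dump; that layout, the function names and the findings wording are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample (hypothetical, not captured from the device): the commands from the steps
# above laid out as a configuration dump would show them, indented under their context.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/0
 ip address 10.189.189.234 255.255.255.0
 service-manage all permit
interface GigabitEthernet1/0/1
 ip address 10.3.0.1 255.255.255.0
firewall zone untrust
 add interface GigabitEthernet1/0/0
ip route-static 0.0.0.0 0.0.0.0 10.189.189.1
"""

def parse_config(text):
    # Collect per-interface address and permitted management services, zone membership, static routes.
    interfaces, zones, routes, ctx = {}, {}, [], None
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line opens a new context
            ctx = None
            if line.startswith("interface "):  # "GigabitEthernet 1/0/0" and "GigabitEthernet1/0/0" both work
                ctx = ("if", "".join(line.split()[1:]))
                interfaces[ctx[1]] = {"mgmt": []}
            elif line.startswith("firewall zone "):
                ctx = ("zone", line.split()[2])
                zones.setdefault(ctx[1], [])
            elif line.startswith("ip route-static "):
                routes.append(tuple(line.split()[2:5]))  # (destination, mask, next hop)
        elif ctx and ctx[0] == "if":
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                interfaces[ctx[1]].update(ip=m.group(1), mask=m.group(2))
            elif m := re.match(r"service-manage (\S+) permit$", line):
                interfaces[ctx[1]]["mgmt"].append(m.group(1))
        elif ctx and ctx[0] == "zone" and line.startswith("add interface "):
            zones[ctx[1]].append("".join(line.split()[2:]))
    return interfaces, zones, routes

def audit(text):
    # Findings: management permitted on an untrust interface; default route with an off-link next hop.
    interfaces, zones, routes = parse_config(text)
    findings = []
    for iface in zones.get("untrust", []):
        for svc in interfaces.get(iface, {}).get("mgmt", []):
            findings.append(f"{iface}: service-manage '{svc}' permitted on an untrust interface")
    connected = [ipaddress.ip_network(f"{i['ip']}/{i['mask']}", strict=False)
                 for i in interfaces.values() if "ip" in i]
    for dst, mask, nh in routes:
        if dst == mask == "0.0.0.0" and not any(ipaddress.ip_address(nh) in n for n in connected):
            findings.append(f"default route next hop {nh} is not on any directly connected subnet")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the service-manage permit on GigabitEthernet1/0/0 and nothing about the route, since 10.189.189.1 lies in the external interface's subnet.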
Result verification
1. View the details of interface GigabitEthernet 1/0/0 and check that its public address is configured correctly and that both the physical status and the IPv4 status are Up
[FW]display interface GigabitEthernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Internet Address is 10.189.189.234/24
2. On a PC in the internal network, run ipconfig /all to check that the network adapter has been assigned a private address and the DNS address
3. Check whether PCs on the internal network can reach the Internet by domain name; if they can, the configuration is successful.
https://10.189.189.234:8443/
Default credentials: admin/Admin@123
The password must be changed after logging in successfully
At this point, the Huawei HUSG0000V firewall configuration is complete.