WISDOMNET (微思网络): focused on the high end, technology is king

Huawei Firewall USG2000 Lab Document

Topology (figure): the China Telecom network (Cisco 2600, E0/0 202.100.1.2, S0/0 201.100.1.2) connects to USG2000 G0/0/0 (202.100.1.1); the China Netcom network (Cisco 2600, E0/0 202.200.1.2, S0/0 201.100.1.3) connects to USG2000 G0/0/1 (202.200.1.1); the local telnet server (Cisco 2600, E0/0 192.168.1.2) connects to USG2000 E0/0/0 (Vlanif 1, 192.168.1.1).

Requirement: configure the Huawei firewall so that the local telnet server can reach the Internet through NAT, and so that traffic to the China Telecom network leaves over the Telecom link while traffic to the China Netcom network leaves over the Netcom link.

The detailed configuration is as follows:

Huawei USG 2000

Username: admin
Password: Admin@123
  Note: default username and password.
system-view
  Note: enter system (configuration) view.
[USG2205BSR] sysname huawei
  Note: set the host name.
[huawei] interface GigabitEthernet 0/0/0
  Note: enter the interface view.

TEL:0592-2236681 HTTP://WWW.XMWS.CN
[huawei-GigabitEthernet0/0/0] description ###conn to dianxin link###
  Note: describe the interface.
[huawei-GigabitEthernet0/0/0] ip address 202.100.1.1 255.255.255.0
  Note: configure the IP address.
[huawei-GigabitEthernet0/0/0] undo shutdown
  Note: enable the interface.
[huawei-GigabitEthernet0/0/0] quit
  Note: exit the interface view.
[huawei] interface GigabitEthernet 0/0/1
[huawei-GigabitEthernet0/0/1] description ###conn to yidong link###
[huawei-GigabitEthernet0/0/1] ip address 202.200.1.1 255.255.255.0
[huawei-GigabitEthernet0/0/1] undo shutdown
[huawei-GigabitEthernet0/0/1] quit
[huawei] interface Vlanif 1
[huawei-Vlanif1] description ###conn to local###
[huawei-Vlanif1] ip address 192.168.1.1 255.255.255.0
[huawei-Vlanif1] undo shutdown
[huawei-Vlanif1] quit
[huawei] firewall zone trust
  Note: enter the trust zone; the trust zone has a default security priority of 85.
[huawei-zone-trust] undo add interface GigabitEthernet 0/0/0
[huawei-zone-trust] undo add interface GigabitEthernet 0/0/1
  Note: by default G0/0/0 and G0/0/1 belong to the trust zone. In this lab both interfaces connect to outside networks, so they must be removed from the trust zone and added to untrusted zones.
[huawei-zone-trust] add interface Vlanif 1
  Note: add Vlanif 1 to the trust zone.
[huawei] firewall zone name Dianxin
  Note: create a new zone named dianxin, set its security priority to 4, and add G0/0/0 to it.
[huawei-zone-dianxin] set priority 4
[huawei-zone-dianxin] add interface GigabitEthernet 0/0/0
[huawei-zone-dianxin] quit
[huawei] firewall zone name Yidong
[huawei-zone-yidong] set priority 3
[huawei-zone-yidong] add interface GigabitEthernet 0/0/1
[huawei-zone-yidong] quit
  Note: create a new zone named yidong, set its security priority to 3, and add G0/0/1 to it.
[huawei] acl number 2000
  Note: configure ACL 2000 with a rule that permits the internal 192.168.1.0 network.
[huawei-acl-basic-2000] rule 10 permit source 192.168.1.0 0.0.0.255
[huawei-acl-basic-2000] quit
[huawei] firewall interzone trust dianxin
  Note: enter the interzone between trust and dianxin.
[huawei-interzone-trust-dianxin] packet-filter 2000 outbound
  Note: apply ACL 2000 to packet filtering in the outbound direction.
[huawei-interzone-trust-dianxin] nat outbound 2000 interface GigabitEthernet 0/0/0
  Note: PAT the traffic matched by ACL 2000 onto the address of interface G0/0/0.
[huawei-interzone-trust-dianxin] quit
[huawei] firewall interzone trust yidong
[huawei-interzone-trust-yidong] nat outbound 2000 interface GigabitEthernet 0/0/1
  Note: same as above.
[huawei-interzone-trust-yidong] quit
[huawei] user-interface vty 0 4
  Note: enter the VTY user interface and set the authentication mode to password.
[huawei-ui-vty0-4] authentication-mode password
[huawei-ui-vty0-4] quit
[huawei] ip route-static 0.0.0.0 0.0.0.0 202.100.1.2
  Note: configure the default route towards China Telecom.
[huawei] ip route-static 27.8.0.0 255.248.0.0 202.200.1.2
[huawei] ip route-static ...... ...... 202.200.1.2
[huawei] ip route-static 222.160.0.0 255.252.0.0 202.200.1.2
  Note: configure the specific routes towards China Netcom; there are about 683 specific routes.
[huawei] firewall packet-filter default permit interzone local dianxin direction inbound
[huawei] firewall packet-filter default permit interzone local dianxin direction outbound
[huawei] firewall packet-filter default permit interzone trust dianxin direction inbound
[huawei] firewall packet-filter default permit interzone trust dianxin direction outbound
[huawei] firewall packet-filter default permit interzone local yidong direction inbound
[huawei] firewall packet-filter default permit interzone local yidong direction outbound
[huawei] firewall packet-filter default permit interzone trust yidong direction inbound
[huawei] firewall packet-filter default permit interzone trust yidong direction outbound
  Note: set the default packet filter to permit both the inbound and outbound directions between dianxin/yidong and local/trust. Without these permits, the outside networks cannot ping the firewall's egress interfaces.

As shown in the figure, the configuration of the China Telecom network, the China Netcom network and the telnet server is omitted.

Verification: from the inside host 192.168.1.2, ping China Telecom and China Netcom respectively.

inside#ping 202.100.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.100.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
inside#ping 202.200.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.200.1.2, timeout is 2 seconds:
!!!!!
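To see how the pieces of this configuration interact on a single packet, the following Python model (an added example, not part of the lab document or any Huawei code) applies the lab's ACL 2000 wildcard match, a longest-prefix lookup over an excerpt of the static routes plus the two connected interface subnets, and the per-zone NAT egress address to constructed source/destination pairs. The route excerpt, the "direct" marker for connected routes, and the filter-then-NAT ordering are assumptions for the model.

```python
import ipaddress

# Constructed from the lab: ACL 2000 uses a Huawei wildcard mask (a 0 bit must match).
ACL_2000 = [("permit", "192.168.1.0", "0.0.0.255")]

# Constructed route table excerpt: (destination, mask, next hop, egress zone).
# "direct" marks the two connected interface subnets; the real lab adds ~683 Netcom
# prefixes behind 202.200.1.2, of which only the two printed on the page appear here.
ROUTES = [
    ("202.100.1.0", "255.255.255.0", "direct", "dianxin"),
    ("202.200.1.0", "255.255.255.0", "direct", "yidong"),
    ("0.0.0.0", "0.0.0.0", "202.100.1.2", "dianxin"),
    ("27.8.0.0", "255.248.0.0", "202.200.1.2", "yidong"),
    ("222.160.0.0", "255.252.0.0", "202.200.1.2", "yidong"),
]

# nat outbound ... interface: the translated source is the egress interface address.
EGRESS_ADDR = {"dianxin": "202.100.1.1", "yidong": "202.200.1.1"}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def acl_action(acl, src):
    """Action of the first rule whose wildcard covers src; no match means deny."""
    for action, base, wildcard in acl:
        care = ~_ip(wildcard) & 0xFFFFFFFF  # bits the rule cares about
        if (_ip(src) & care) == (_ip(base) & care):
            return action
    return "deny"


def lookup_route(routes, dst):
    """Longest-prefix match: a specific Netcom prefix beats the Telecom default."""
    best = None
    for dest, mask, nexthop, zone in routes:
        m = _ip(mask)
        if (_ip(dst) & m) == (_ip(dest) & m) and (best is None or m > best[0]):
            best = (m, nexthop, zone)
    return best


def forward(src, dst):
    """Model a trust -> outside packet: (egress zone, next hop, NATed source) or None if dropped."""
    if acl_action(ACL_2000, src) != "permit":
        return None  # fails packet-filter 2000 outbound, so it is never NATed
    route = lookup_route(ROUTES, dst)
    if route is None:
        return None
    _, nexthop, zone = route
    return zone, nexthop, EGRESS_ADDR[zone]
```

The two verification pings from the page resolve to the connected routes, while a destination inside 27.8.0.0/13 takes the yidong link and any unlisted destination falls back to the Telecom default route.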