

    華為防火墻USG6000通過WEB圖形界面配置案例

    分類:網絡產品知識 4356 0

    華為防火墻USG6000:NAT和NAT Server配置案例

    網絡拓撲圖

    在這里插入圖片描述

    通過WEB方式登錄到防火墻

    通過Web方式登錄USG6000V:教程
    在這里插入圖片描述

    登錄成功

    在這里插入圖片描述

    配置防火墻使內網用戶通過PAT方式上網

    防火墻上新建一個Nat Pool,供內網用戶以NAT方式訪問外網
    在這里插入圖片描述
    配置Nat策略
    在這里插入圖片描述
    配置策略,使得trust區域可以訪問untrust區域
    在這里插入圖片描述
    配置默認路由,指向R1
    在這里插入圖片描述
    設置到達Nat Pool的靜態路由,指向一個空接口,防止路由黑洞
    在這里插入圖片描述

    配置防火墻使得外網用戶能訪問企業DMZ區域的FTP服務器(雙向nat)

    先配置服務器對外靜態映射
    在這里插入圖片描述
    防火墻上配置一個策略,使得untrust區域能訪問DMZ區域
    在這里插入圖片描述
    配置nat pool地址池,目的是作為外網用戶訪問內網服務器后nat的內網地址
    在這里插入圖片描述
    配置一個nat策略。注意,這個nat策略和內網nat外網有所不同!
    在這里插入圖片描述
    最后配置一個到達服務器對外地址的靜態路由,防止路由黑洞
    在這里插入圖片描述
    WEB界面配置完成

    內網用戶與FTP-Server配置

    • PC1
      在這里插入圖片描述
    • FTP-Server
      在這里插入圖片描述

    配置代碼

    • FW
    dis current-configuration  顯示防火墻的運行配置
    
    [USG6000V1]dis current-configuration 
    2020-12-02 05:10:12.380 
    !Software Version V500R005C10SPC300
    #
    sysname FW
     l2tp domain suffix-separator @
    #
     ipsec sha2 compatible enable
    #
    undo telnet server enable
    undo telnet ipv6 server enable
    #
     update schedule location-sdb weekly Sun 04:29
    #
     firewall defend action discard
    #
     banner enable
    #
     user-manage web-authentication security port 8887
     undo privacy-statement english
     undo privacy-statement chinese
    page-setting
     user-manage security version tlsv1.1 tlsv1.2
    password-policy
     level high
    user-manage single-sign-on ad
    user-manage single-sign-on tsm
    user-manage single-sign-on radius
    user-manage auto-sync online-user
    #
     web-manager security version tlsv1.1 tlsv1.2
     web-manager enable
     web-manager security enable
    #
    firewall dataplane to manageplane application-apperceive default-action drop
    #
     undo ips log merge enable
    #
     decoding uri-cache disable
    #
     feedback type threat-log enable
     feedback type pdns enable
    #
     update schedule ips-sdb daily 01:03
     update schedule av-sdb daily 01:03
     update schedule sa-sdb daily 01:03
     update schedule cnc daily 01:03
     update schedule file-reputation daily 01:03
    #
    ip vpn-instance default
     ipv4-family
    #
    ip-link check enable
    ip-link name Linktest vpn-instance default
     destination 0.0.0.0/0.0.0.0 interface GigabitEthernet0/0/0 mode icmp next-hop 1.1.1.2
    #
    ip address-set FTP_Server type object
     address 0 10.1.2.100 mask 32
    #
     time-range worktime
      period-range 08:00:00 to 18:00:00 working-day
    #
    ike proposal default
     encryption-algorithm aes-256 aes-192 aes-128
     dh group14
     authentication-algorithm sha2-512 sha2-384 sha2-256
     authentication-method pre-share
     integrity-algorithm hmac-sha2-256
     prf hmac-sha2-256
    #
    aaa
     authentication-scheme default
     authentication-scheme admin_local
     authentication-scheme admin_radius_local
     authentication-scheme admin_hwtacacs_local
     authentication-scheme admin_ad_local
     authentication-scheme admin_ldap_local
     authentication-scheme admin_radius
     authentication-scheme admin_hwtacacs
     authentication-scheme admin_ad
     authorization-scheme default
     accounting-scheme default
     domain default
      service-type internetaccess ssl-vpn l2tp ike
      internet-access mode password
      reference user current-domain
     manager-user audit-admin
      password cipher @%@%Zrwy:l}UIX`r(g+IY`OVqb^q${UL$9Sr[@{C_yFj6fV)b^tq@%@%
      service-type web terminal
      level 15
    
     manager-user api-admin
      password cipher @%@%RbIt"|>Pz2NW1b@+[5@*lAb@{Q@w,<X<\:FM\\"=aDmHAbCl@%@%
      level 15
    
     manager-user admin
      password cipher @%@%/#t."\i!CN:fcaLL.SLY9e%>]n*,Vrv~4DZU.{&N6r8:e%A9@%@%
      service-type web terminal
      level 15
    
     role system-admin
     role device-admin
     role device-admin(monitor)
     role audit-admin
     bind manager-user audit-admin role audit-admin
     bind manager-user admin role system-admin
    #
    l2tp-group default-lns
    #
    interface GigabitEthernet0/0/0
     undo shutdown
     ip binding vpn-instance default
     ip address 192.168.0.1 255.255.255.0
     alias GE0/METH
     service-manage http permit
     service-manage https permit
     service-manage ping permit
     service-manage ssh permit
     service-manage snmp permit
     service-manage telnet permit
    interface Virtual-if0
    #
    interface NULL0
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     set priority 85
     add interface GigabitEthernet0/0/0
    #
    firewall zone untrust
     set priority 5
    #
    firewall zone dmz
     set priority 50
    #
    ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 1.1.1.2 track ip-link Linktest description 鏈路故障檢測
    ip route-static 1.1.1.100 255.255.255.255 NULL0 track ip-link Linktest
    ip route-static 1.1.1.105 255.255.255.255 NULL0 track ip-link Linktest
    #
    undo ssh server compatible-ssh1x enable
    ssh authentication-type default password
    ssh server cipher aes256_ctr aes128_ctr
    ssh server hmac sha2_256 sha1
    ssh client cipher aes256_ctr aes128_ctr
    ssh client hmac sha2_256 sha1
    #
    firewall detect ftp
    #
     nat server FTP zone untrust protocol tcp global 1.1.1.100 ftp inside 10.1.2.1 ftp no-reverse unr-route
    #
    user-interface con 0
     authentication-mode aaa
    user-interface vty 0 4
     authentication-mode aaa
     protocol inbound ssh
    user-interface vty 16 20
    #
    pki realm default
    #
    sa
    #
    location
    #
    nat address-group "Nat pool" 0
     mode pat
     section 0 1.1.1.105 1.1.1.106
    #
    nat address-group "DMZ pool" 1
     mode pat
     route enable
     section 0 10.1.2.100 10.1.2.100
    #
    multi-linkif
     mode proportion-of-weight
    #
    right-manager server-group
    #
    device-classification
     device-group pc
     device-group mobile-terminal
     device-group undefined-group
    #
    user-manage server-sync tsm
    #
    security-policy
     rule name FTP
      description 外網訪問FTP的安全策略
      source-zone untrust
      destination-zone dmz
      service ftp
      action permit
    #
    auth-policy
    #
    traffic-policy
    #
    policy-based-route
    #
    nat-policy
     rule name Nat
      source-zone trust
      destination-zone untrust
      action source-nat address-group "Nat pool"
     rule name "DMZ NAT"
      source-zone untrust
      destination-zone dmz
      destination-address address-set FTP_Server
      service ftp
      action source-nat address-group "DMZ pool"
    #
    quota-policy
    #
    pcp-policy
    #
    dns-transparent-policy
    #
    rightm-policy
    #
    return
    
    • R1
      顯示R1配置
    
    interface GigabitEthernet0/0/0
     ip address 1.1.1.2 255.255.255.0 
    #
    interface GigabitEthernet0/0/1
     ip address 12.1.1.1 255.255.255.0 
    #
    interface GigabitEthernet0/0/2
    #
    interface NULL0
    #
    ospf 1 router-id 1.1.1.1 
     area 0.0.0.0 
      network 12.1.1.1 0.0.0.0 
    #
    
    • R2
      顯示R2配置
    
    #
    interface GigabitEthernet0/0/0
    #
    interface GigabitEthernet0/0/1
     ip address 12.1.1.2 255.255.255.0 
    #
    interface GigabitEthernet0/0/2
    #
    interface NULL0
    #
    ospf 1 router-id 2.2.2.2 
     area 0.0.0.0 
      network 12.1.1.2 0.0.0.0 
    #
    

    官方參考文檔

    官方參考文檔:
    USG6000 NAT和NAT SERVER應用配置案例
