H3C-Firewall-配置实例.doc

《H3C-Firewall-配置实例.doc》由会员分享，可在线阅读，更多相关《H3C-Firewall-配置实例.doc（22页珍藏版）》请在咨信网上搜索。

1、防火墙作为出口网关，联通光纤、电信光纤、电信ADSL出口，防火墙接H3C二层交换机，H3C二层交换机接内网服务器和下面的二层交换机（内网用户都接这里）。由于客户是静态设置地址，所以这里是没有DHCP配置的。一、上网设置：#域配置zone name Management id 0priority 100import interface GigabitEthernet0/0zone name Local id 1priority 100zone name Trust id 2priority 85import interface GigabitEthernet0/2zone name DMZ id

2、 3priority 50zone name Untrust id 4priority 5import interface Dialer1import interface GigabitEthernet0/3import interface GigabitEthernet0/4import interface GigabitEthernet0/5#内网网关interface GigabitEthernet0/2ip address 192.168.100.254 255.255.0.0port link-mode routenat outbound 3090#电信出口interface Gig

3、abitEthernet0/3port link-mode routeip address 219.137.182.2xx 255.255.255.248nat outbound 2000 address-group 1#联通出口interface GigabitEthernet0/4port link-mode routeip address 218.107.10.xx 255.255.255.248nat outbound 2000 address-group 2#PPPOE电信ADSLinterface GigabitEthernet0/5port link-mode routepppo

4、e-client dial-bundle-number 1#设定拨号访问组的拨号控制列表dialer-rule 1 ip permit#PPPOE配置interface Dialer1nat outbound 2000link-protocol pppppp chap user gzDSLxxxxxxxx163.gdppp chap password cipher $c$3$cft8cT2sYcO4XYUDKRgfw0R0HOSTSDh69HbNppp pap local-user gzDSLxxxxxxxx163.gd password cipher $c$3$mXUOjqFP3BKfa52

5、muz92y7JBlMMsjjNzxGVLppp ipcp dns requestip address ppp-negotiatedialer user pppoeclientdialer-group 1dialer bundle 1#DNS服务器dns resolvedns proxy enabledns server 202.96.128.166dns server 8.8.8.8#NAT动态地址池nat address-group 1 219.137.182.2xx 219.137.182.206 level 1nat address-group 2 218.107.10.xx 218.

6、107.10.xy level 1#NAT使用的ACLacl number 2000rule 0 permit source 192.168.0.0 0.0.255.255#出口路由ip route-static 0.0.0.0 0.0.0.0 Dialer1ip route-static 0.0.0.0 0.0.0.0 219.137.182.201ip route-static 0.0.0.0 0.0.0.0 218.107.10.41 preference 100二、策略路由#策略路由使用的ACLacl number 3088 /匹配内部服务器地址rule 0 permit ip sou

7、rce 192.168.16.39 0rule 1 permit ip source 192.168.100.1 0rule 2 permit ip source 192.168.100.161 0rule 3 permit ip source 192.168.100.162 0rule 4 permit ip source 192.168.100.164 0rule 101 deny ipacl number 3089 /匹配内网用户地址段rule 0 permit ip source 192.168.0.0 0.0.255.255rule 101 deny ip#新建策略路由policy-

8、based-route wan permit node 10if-match acl 3088apply ip-address next-hop 219.137.182.201 /服务器走电信出口policy-based-route wan permit node 11if-match acl 3089apply ip-address next-hop 218.107.10.41 /内网用户走联通出口#策略路由的应用interface GigabitEthernet0/2ip policy-based-route wan三、外网访问内部服务器NATinterface GigabitEthern

9、et0/3nat server protocol tcp global 219.137.182.2xx 5872 inside 192.168.100.164 5872nat server protocol tcp global 219.137.182.2xx 81 inside 192.168.100.164 81nat server protocol tcp global 219.137.182.2xx 89 inside 192.168.100.1 89nat server protocol tcp global 219.137.182.2xx 5366 inside 192.168.1

10、00.162 5366nat server 1 protocol tcp global current-interface 8081 inside 192.168.100.162 8081nat server protocol tcp global 219.137.182.2xx 8088 inside 192.168.100.1 8088ip address 219.137.182.2xx 255.255.255.248#interface GigabitEthernet0/4nat server protocol tcp global 218.107.10.xx 8088 inside 1

11、92.168.100.1 8088nat server protocol tcp global 218.107.10.xx 81 inside 192.168.100.164 81nat server protocol tcp global 218.107.10.xx 5872 inside 192.168.100.164 5872nat server 1 protocol tcp global current-interface 89 inside 192.168.100.1 89nat server 2 protocol tcp global current-interface 5366

12、inside 192.168.100.162 5366nat server 3 protocol tcp global current-interface 8081 inside 192.168.100.162 8081#允许Untrust区域访问内网服务器地址组地址interzone source Untrust destination Trustrule 0 permitsource-ip any_addressdestination-ip server_groupservice any_servicerule enable四、内网用户通过公网地址访问内部服务器NAT#公网地址访问内网服务

13、器NAT使用的ACLacl number 3090rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.16.39 0rule 1 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.1 0rule 2 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.161 0rule 3 permit ip source 192.168.0.0 0.0.255.255

14、destination 192.168.100.162 0rule 4 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.164 0acl number 3091rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.16.39 0rule 1 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.1 0rule 2 permit ip source 192.1

15、68.0.0 0.0.255.255 destination 192.168.100.161 0rule 3 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.162 0rule 4 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.164 0rule 5 permit ip source 192.168.16.39 0 destination 192.168.0.0 0.0.255.255rule 6 permit ip source

16、 192.168.100.1 0 destination 192.168.0.0 0.0.255.255rule 7 permit ip source 192.168.100.161 0 destination 192.168.0.0 0.0.255.255rule 8 permit ip source 192.168.100.162 0 destination 192.168.0.0 0.0.255.255rule 9 permit ip source 192.168.100.164 0 destination 192.168.0.0 0.0.255.255interface Gigabit

17、Ethernet0/2nat outbound 3090nat server protocol tcp global 219.137.182.2xx 8088 inside 192.168.100.1 8088nat server protocol tcp global 218.107.10.xx 8088 inside 192.168.100.1 8088nat server protocol tcp global 218.107.10.xx 81 inside 192.168.100.164 81nat server protocol tcp global 219.137.182.2xx

18、81 inside 192.168.100.164 81#匹配源地址为内网服务器目的地址为内网用户地址的数据包不作下一跳修改policy-based-route wan deny node 9if-match acl 3091五、IPSec VPN#IPSec匹配流量acl number 3501rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.160.10.0 0.0.0.255acl number 3502rule 0 permit ip source 192.168.0.0 0.0.255.255 destin

19、ation 192.160.55.0 0.0.0.255#IKE本端名称ike local-name f100#健康检测ike dpd to_fg100_dpdtime-out 3#第一阶段ike提议ike proposal 1encryption-algorithm 3des-cbcdh group2authentication-algorithm md5#ike proposal 2encryption-algorithm 3des-cbcdh group2#第一阶段 IKE对等体 预共享密钥 野蛮模式ike peer to_fg100_peerexchange-mode aggressi

20、vepre-shared-key cipher $c$3$UqO8Is+AdX579TINNmJkYll+lArkiRBOjfzzAg=id-type nameremote-name fg100nat traversaldpd to_fg100_dpd#第二阶段IPSec安全提议ipsec transform-set to_fg100_propencapsulation-mode tunneltransform espesp authentication-algorithm md5esp encryption-algorithm 3des#第二阶段IPSec模板ipsec policy-tem

21、plate to_fg100_temp 1security acl 3502ike-peer to_fg100_peertransform-set to_fg100_propsa duration traffic-based 1843200sa duration time-based 3600#创建一个policy ipsec policy to_fg100_poli 1 isakmp template to_fg100_temp#把policy挂在G0/3上interface GigabitEthernet0/3ipsec policy to_fg100_poli六、SSL VPN#SSL使

22、用的PKI证书pki entity sslcommon-name ssl#pki domain defaultcrl check disable#pki domain domainca identifier domaincertificate request from racrl check disable#SSL VPN配置ssl server-policy defaultpki-domain defaultssl server-policy access-policypki-domain domainssl server-policy h3cpki-domain h3cssl server

23、-policy sslvpnpki-domain domain#开启SSL VPNssl-vpn server-policy access-policyssl-vpn enable七、其他设置#管理口interface GigabitEthernet0/0port link-mode routeip address 192.168.0.1 255.255.255.0#开启telnettelnet server enable#web管理页面超时web idle-timeout 50#时间表time-range office 07:00 to 19:00 daily#配置TFTP客户端的源地址（从

24、PC导入ssl vpn证书）tftp client source interface GigabitEthernet0/0八、默认设置version 5.20, Release 5140#sysname H3C#ftp server enable#undo voice vlan mac-address 00e0-bb00-0000#vd Root id 1#本地用户local-user adminpassword cipher $c$3$oGb5I9jYxOTH14goQ9eyldWLEVvfRG8Mauthorization-attribute level 3service-type tel

25、netservice-type web#允许来宾用户管理员在Web页面上创建的来宾用户加入该用户组user-group systemgroup-attribute allow-guest#interface NULL0#vlan 1#qos policy 11qos policy 1#取消指定协议的ALG功能undo alg dnsundo alg rtspundo alg h323undo alg sipundo alg sqlnetundo alg pptpundo alg ilsundo alg nbtundo alg msnundo alg qqundo alg tftpundo al

26、g sccpundo alg gtp#命令用来使能会话双机热备功能session synchronization enable#使能密码恢复功能（默认使能）password-recovery enable#控制vty接口的登陆认证方式 user-interface con 0user-interface vty 0 4authentication-mode scheme#默认的Radius配置domain systemaccess-limit disablestate activeidle-cut disableself-service-url disable#interface GigabitEthernet0/1port link-mode route#默认域 开启，名称是“system”；domain default enable system#load xml-configuration#load tr069-configuration