配置H3C防火墙设备 H3C防火墙的配置
H3CF100-S\u534e\u4e09\u9632\u706b\u5899\u600e\u4e48\u8bbe\u7f6e\uff1f1.\u8def\u7531\u5668\u63a5\u51fa\u6765\u7684\u7ebf\u63a5\u5230\u9632\u706b\u5899WLAN\u53e3.\u7136\u540e\u9632\u706b\u5899LAN\u53e3\u63a5\u5230\u5185\u90e8\u4ea4\u6362\u673a.
2.\u8fdb\u5165\u9632\u706b\u5899weB\u914d\u7f6e\u9875\u9762\u914d\u7f6eWLAN IP192.168.1.2 \u7f51\u5173192.168.1.1 DNS61.233.154.33 \u3002LAN\u53e3\u4e00\u822c\u4e0d\u7528\u8bbe\u7f6e\u3002\u5185\u7f51\u7535\u8111\u8bbe\u7f6eIP 192.168.1.3-254 \u7f51\u5173192.168.1.2 DNS 61.233.154.33 \u3002
3.\u7136\u540e\u518d\u9632\u706b\u5899\u8bbe\u7f6e\u7b56\u7565:any\u5230any\u901a\u4fe1 \u5141\u8bb8,\u7aef\u53e3\u5168\u90e8 \u5c31ok\u4e86
ps\uff1a\u9632\u706b\u5899DNS\u4e5f\u53ef\u4ee5\u8bbe\u7f6e\u6210\u4e3a192.168.1.1 \u610f\u601d\u662f\u8ba9\u8def\u7531\u53bb\u89e3\u6790\u5916\u7f51DNS
\u4e00\u822c\u63a5\u6cd5\u662f\uff1a\u4e92\u8054\u7f51\u2014\u2014\u9632\u706b\u5899\u2014\u2014\u8def\u7531\u5668\u2014\u2014\u4ea4\u6362\u673a\uff0c\u9632\u706b\u5899\u505aNAT\u5730\u5740\u8f6c\u6362\u53ca\u6d41\u91cf\u63a7\u5236\uff0c\u8def\u7531\u5668\u53ef\u505aDHCP\u670d\u52a1\u5668\uff0c\u4ea4\u6362\u673a\u53ef\u505aVLAN\u5212\u5206\u3002
\u5f88\u62b1\u6b49\u7684\u544a\u8bc9\u4f60\u3002H3C\u7684\u9632\u706b\u5899\u5f53\u4f60\u5e94\u7528\u5728\u6865\u6a21\u5f0f\u65f6\uff0c\u57fa\u4e8e\u4e8c\u5c42\u4ee5\u4e0a\u7684\u534f\u8bae\u5747\u4e0d\u597d\u4f7f\u3002
\u56e0\u4e3a\u5f53\u9632\u706b\u5899\u5de5\u4f5c\u5728\u6865\u4e5f\u5c31\u662f\u4e8c\u5c42\u65f6\uff0c\u4e09\u5c42\u4ee5\u4e0a\u6570\u636e\u65e0\u6cd5\u8bc6\u522b\u51fa\u6765\u3002\u4e5f\u5c31\u505a\u4e0d\u4e86\u63a7\u5236\u3002\u57fa\u672c\u76f8\u5f53\u4e8e\u5e9f\u7269\u3002
\u4f60\u5c06\u6b64\u9632\u706b\u5899\u4fee\u6539\u6210\u8def\u7531\u6a21\u5f0f\u5c31\u597d\u4e86\u3002
系统视图下配置ip route-static 0.0.0.0 0.0.0.0 下一跳地址(公网网关地址)
ACL number 2001
rule permit source 192.168.2.0 0.0.0.255
返回接口E4/0/0下
nat outbound 2001
本人H3C服务中心工程师
全套命令如下,注:2000-2999是基本访问控制列表,3000-3999是高级访问控制列表,这个区间内都可以用的,基本是只能定义源地址,高级是可以定义源地址目的地址和端口号
#
firewall packet-filter default permit
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255
#
interface Ethernet0/3
ip address 1.1.1.1 255.255.255.252
nat outbound 3000
#
interface Ethernet0/4
ip address 192.168.2.254 255.255.255.0
#
firewall zone trust
add interface Ethernet0/4
#
firewall zone untrust
add interface Ethernet0/3
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
注:#号为分隔符
绛旓細1.鎵撳紑娴忚鍣紝杈撳叆192.168.0.1 2.杈撳叆鐢ㄦ埛鍚嶏紙admin锛夈佸瘑鐮侊紙admin锛変互鍙婇獙璇佺爜锛堟敞鎰忓ぇ灏忓啓锛夊悗杩涘叆閰嶇疆鐣岄潰銆 3.鍏堟妸绔彛鍔犲叆鐩稿簲鐨勫煙銆傚缃戝彛灏卞姞鍏ntrust鍩燂紝鍐呯綉鍙e氨鍔犲叆Trust鍙c璁惧绠$悊鈥斿畨鍏ㄥ煙DMZ锛岀紪杈慣rust鍜孶ntrust鍖哄煙锛岀偣鍑荤紪杈戞寜閽 瀹夊叏鍩熺殑榛樿绾у埆锛孧anagemnet...
绛旓細1銆侀鍏堟垜浠繘鍏H3C闃茬伀澧鐣岄潰锛屾帴鐫杩涘叆WEB灏嗘帴鍙f敼涓轰簩灞傛ā寮忥紝2銆佸湪灏嗕簩灞傛ā寮忕殑鎺ュ彛鍒掑埌Trust瀹夊叏鍩熶腑銆3銆佺偣鍑荤晫闈㈠乏渚у揩鎹疯彍鍗曟爮閲岀殑闃茬伀澧欓夐」銆4銆佽繘琛閰嶇疆瀹夊叏绛栫暐锛屽畨鍏ㄧ瓥鐣ラ厤缃畬濡傚浘銆5銆侀厤缃叾浠栫綉娈靛彧鑳借闂叾涓殑鏈嶅姟鍣ㄣ6銆丏HCP 瑕佸惎鐢 DHCP涓户dhcp-relay锛岃繖鏍烽厤缃氨瀹屾垚浜嗐
绛旓細鎵撳紑IE娴忚鍣紝鍦↖E鍦板潃鏍忎腑杈撳叆192.168.0.1(涓嶅悓鍝佺墝璺敱鍣ㄥ彲鑳界櫥褰曠殑缃戝叧鍦板潃浼氭湁涓嶅悓姣斿鏈夌殑鏄192.168.1.1鐨勭綉鍏筹紝璺敱鍣ㄥ簳闈㈢殑璐存潯涓婁竴鑸兘娉ㄦ槑锛屽寘鎷敤鎴峰悕鍜屽瘑鐮)銆傦紝鐒跺悗鍥炶溅锛屽嚭鏉ヤ竴涓敤鎴峰悕瀵嗙爜鐨勭櫥褰曞皬椤甸潰锛屽垵濮嬬敤鎴峰悕鍜屽瘑鐮侀粯璁ら兘鏄痑dmin锛岃緭鍏ヤ箣鍚庯紝鐐光濈‘瀹氣滆繘鍏ヨ矾鐢卞櫒璁剧疆鐣岄潰銆...
绛旓細1銆閰嶇疆瑕佹眰 1锛闃茬伀澧鐨凟0/2鎺ュ彛涓篢RUST鍖哄煙锛宨p鍦板潃鏄細192.168.254.1/29锛2锛夐槻鐏鐨凟1/2鎺ュ彛涓篣NTRUST鍖哄煙锛宨p鍦板潃鏄細202.111.0.1/27锛3锛夊唴缃戞湇鍔″櫒瀵瑰缃戝仛涓瀵逛竴鐨勫湴鍧鏄犲皠锛192.168.254.2銆192.168.254.3鍒嗗埆鏄犲皠涓202.111.0.2銆202.111.0.3锛4锛夊唴缃戞湇鍔″櫒璁块棶澶栫綉涓嶅仛闄愬埗...
绛旓細鍏蜂綋濡備笅銆傛湁涓ょNAT鐨閰嶇疆鏂瑰紡锛屼竴绉嶆槸鍩轰簬瀵硅薄缁勶紝鍙︿竴绉嶆槸浼犵粺鐨凙CL锛屽叾瀹炰袱鑰呭苟娌℃湁浠涔堝崄鍒嗗ぇ鐨勫尯鍒紝瀵硅薄缁勬槸浜轰负鐨勯鍏堝畾涔夊湴鍧缁勶紝鐒跺悗鍦ㄩ厤缃甆A...瀵硅薄缁勭殑鍒涘缓object-groupipaddressxxx//鍒涘缓涓涓璞$粍network[group-object|host|range|subnet]//纭畾IP瀵硅薄缁勭殑鍦板潃鑼冨洿锛屽叾涓璯ro...NAT绛栫暐...
绛旓細h3c闃茬伀澧濡備綍杩涜閰嶇疆锛屾帴涓嬫潵灏忕紪灏辨暀澶у濡備綍杩涜鎿嶄綔銆傞厤缃殑姝ラ濡備笅锛涙垜浠簲璇ラ鍏堣繛鎺ラ槻鐏寮鍚疻EB鍛戒护锛 ys security-zone name Trust import interface GigabitEthernet1/0/0 import interface GigabitEthernet1/0/1 interface GigabitEthernet1/0/0 port link-mode route ip address 100.0.0.1 ...
绛旓細1.璺敱鍣ㄦ帴鍑烘潵鐨勭嚎鎺ュ埌闃茬伀澧橶LAN鍙.鐒跺悗闃茬伀澧橪AN鍙f帴鍒板唴閮ㄤ氦鎹㈡満.2.杩涘叆闃茬伀澧檞eB閰嶇疆椤甸潰閰嶇疆WLAN IP192.168.1.2 缃戝叧192.168.1.1 DNS61.233.154.33 銆侺AN鍙d竴鑸笉鐢ㄨ缃傚唴缃戠數鑴戣缃甀P 192.168.1.3-254 缃戝叧192.168.1.2 DNS 61.233.154.33 銆3.鐒跺悗鍐闃茬伀澧欒缃绛栫暐:any鍒癮ny...
绛旓細鍒濆鍖閰嶇疆銆H3C銆塻ystem-view寮鍚闃茬伀澧鍔熻兘锛屽苟榛樿鍏佽鎵鏈夋暟鎹寘閫氳繃[H3C]firewall packet-filter enable[H3C]firewall packet-filter default permit鍒嗛厤绔彛鍖哄煙锛坲ntrust澶栫綉锛宼rust鍐呯綉锛涚鍙e彿璇峰弬鐓у疄闄呮儏鍐碉級[H3C] firewall zone untrust[H3C-zone-untrust] add interface Ethernet0/0[H3C] fire...
绛旓細int e3/0/0 鎺ュ彛鐣岄潰涓閰嶇疆 ip addess 鍦板潃 鎺╃爜 锛沬nt e4/0/0 鎺ュ彛鐣岄潰涓嬮厤缃 ip addess 192.168.2.254 24 绯荤粺瑙嗗浘涓嬮厤缃甶p route-static 0.0.0.0 0.0.0.0 涓嬩竴璺冲湴鍧锛堝叕缃戠綉鍏冲湴鍧锛堿CL number 2001 rule permit source 192.168.2.0 0.0.0.255 杩斿洖鎺ュ彛E4/0/0涓 nat ...
绛旓細1銆佺數鑴戜笂鍚姩鍚姩SecureCRT锛屾柊寤鸿繛鎺ワ紝Protocol璁剧疆涓衡淪erial鈥濓紝绔彛鏄綘浣跨敤鐨刄SB杞珻OM鍙g殑绔彛(鍏蜂綋閫氳繃璁惧绠$悊鍣ㄦ煡鐪)锛孊aud rate璁剧疆鈥9600鈥濓紝鐒跺悗鐐瑰嚮鈥淐onnect鈥濊繛鎺ュ埌闃茬伀澧欑殑Console鎺у埗鍙般2銆侀粯璁ゆ儏鍐H3C闃茬伀澧浼氬湪鐢ㄦ埛瑙嗗浘锛岃緭鍏ystem-view鍛戒护杩涜绯荤粺瑙嗗浘銆3銆佷娇鐢ㄥ懡浠よ鑾峰緱鍦ㄧ嚎甯姪锛屽彲浠...
