Views: 4031 | Replies: 3

[Help] Urgent help needed!!!! Huawei USG5500 firewall configuration

Posted on 2013-7-12 09:46:13
Configuring a USG5000 firewall.
These are the customer's requirements:

Internal network: 10.108.100.240/24
China Telecom external link: 180.235.66.16, gateway 180.235.66.1/26
China Unicom external link: 112.65.240.220, gateway 112.65.240.193/27
Address mappings (several external addresses on one physical link):
112.65.240.221 10.108.100.12
180.235.66.10 10.108.100.110
180.235.66.12 10.108.100.12
180.235.66.14 10.108.100.113
180.235.66.13 10.108.100.114
Security policies:
Ports to open:
10.108.100.110 8080 80 21821
10.108.100.113 11034 11050 11060 6888 7888 8888 ICMP-ANY xmanage
10.108.100.113 80 21821
10.108.100.114 8080 80 21821

狂人  痕流星

This is the configuration. In testing, the China Telecom gateway can be pinged, but pinging the NAT external addresses from the outside fails. Asking the experts for advice!
dis cu
18:25:46 2013/07/10
#
sysname USG5500
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local untrust1 direction inbound
firewall packet-filter default permit interzone local untrust1 direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust untrust1 direction inbound
firewall packet-filter default permit interzone trust untrust1 direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone untrust1 untrust direction inbound
firewall packet-filter default permit interzone untrust1 untrust direction outbound
firewall packet-filter default permit interzone dmz untrust1 direction inbound
firewall packet-filter default permit interzone dmz untrust1 direction outbound
#
nat server 0 global 112.65.240.221 inside 10.108.100.12 no-reverse
nat server 1 global 180.235.66.12 inside 10.108.100.12 no-reverse
nat server 2 global 180.235.66.10 inside 10.108.100.110
nat server 3 global 180.235.66.14 inside 10.108.100.113
nat server 4 global 180.235.66.13 inside 10.108.100.114
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
dns server 8.8.8.8
#
firewall statistic system enable
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
user-manage web-authentication port 8888
#
interface Cellular0/1/0
link-protocol ppp
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.108.100.240 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 180.235.66.16 255.255.255.192
nat enable
detect ftp
#
interface GigabitEthernet0/0/3
ip address 112.65.240.220 255.255.255.224
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
firewall zone dmz
set priority 50
#
firewall zone name untrust1
set priority 20
add interface GigabitEthernet0/0/3
#
aaa
local-user admin password cipher %$%$~-2-M~fnb2Wf_{Q5Q{-"0\SJ%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
local-user abc password cipher %$%$m2DTOPqk<-YycKFe]}760A8/%$%$
local-user abc service-type web terminal telnet
local-user abc level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 180.235.66.1
ip route-static 0.0.0.0 0.0.0.0 112.65.240.193 preference 80
#
banner enable
#
user-interface con 0
user-interface tty 2
authentication-mode password
modem both
user-interface vty 0 4
authentication-mode aaa
set authentication password cipher %$%$gxx\3ort$4FHz}.11<-;,5,#%$%$
protocol inbound all
#
ip service-set local110 type object
service 0 protocol tcp source-port 0 to 65535 destination-port 8080 description 10.108.100.110
service 1 protocol tcp source-port 0 to 65535 destination-port 21821 description 10.108.100.110
service 2 protocol tcp source-port 0 to 65535 destination-port 80 description 10.108.100.110
#
ip service-set local12 type object
description 10.108.100.12
service 0 protocol tcp source-port 0 to 65535 destination-port 8888
service 1 protocol tcp source-port 0 to 65535 destination-port 6888
service 2 protocol tcp source-port 0 to 65535 destination-port 7888
service 3 protocol tcp source-port 0 to 65535 destination-port 11034
service 4 protocol tcp source-port 0 to 65535 destination-port 11050
service 5 protocol tcp source-port 0 to 65535 destination-port 11060
#
ip service-set local113 type object
description 10.108.100.113
service 0 protocol tcp source-port 0 to 65535 destination-port 80
service 1 protocol tcp source-port 0 to 65535 destination-port 21821
#
ip service-set local114 type object
description 10.108.100.114
service 0 protocol tcp source-port 0 to 65535 destination-port 8080
service 1 protocol tcp source-port 0 to 65535 destination-port 80
service 2 protocol tcp source-port 0 to 65535 destination-port 21821
#
slb
#
right-manager server-group
#
nat-policy interzone trust untrust outbound
policy 10
action source-nat
policy des address-group dianxin
easy-ip GigabitEthernet0/0/2
#
nat-policy interzone trust untrust1 outbound
policy 10
action source-nat
policy source 10.108.100.0 0.0.0.255
easy-ip GigabitEthernet0/0/3
#
return
ip address-group dianxin
addess
<USG5500>
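The requirements in the first post and the `dis cu` dump above give enough to check mechanically why a published address might not answer from the Internet before anyone edits NAT rules. The following Python script is an added example, not code from the thread, from the poster, or from Huawei. It parses the parts of a USG configuration dump that decide reachability of a `nat server` address (interface subnets, zone membership, static routes, the NAT mappings, `address-group` references and the interzone default actions) and reports three things: a published address whose requests arrive on one provider interface while the routing table sends the replies out the other, an address-group that a nat-policy references but the dump never defines, and a zone pair whose inbound default is `permit`. `CONFIG` is a constructed, shortened copy of the dump above; the 8.8.8.8 "Internet client", the interpretation of `direction inbound` as low-priority-to-high-priority zone, and VRP's default static-route preference of 60 are assumptions.

```python
"""Reachability and consistency checks over a Huawei USG 'display current-configuration' dump.

Added example (not from the forum thread or from Huawei). CONFIG is a constructed
excerpt of the poster's dump; the 60 default route preference and the 8.8.8.8
"Internet client" used to model the reply path are assumptions.
"""
import ipaddress
import re

CONFIG = """\
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust1 direction inbound
nat server 0 global 112.65.240.221 inside 10.108.100.12 no-reverse
nat server 2 global 180.235.66.10 inside 10.108.100.110
interface GigabitEthernet0/0/1
 ip address 10.108.100.240 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 180.235.66.16 255.255.255.192
interface GigabitEthernet0/0/3
 ip address 112.65.240.220 255.255.255.224
firewall zone trust
 add interface GigabitEthernet0/0/1
firewall zone untrust
 add interface GigabitEthernet0/0/2
firewall zone name untrust1
 add interface GigabitEthernet0/0/3
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 180.235.66.1
ip route-static 0.0.0.0 0.0.0.0 112.65.240.193 preference 80
nat-policy interzone trust untrust outbound
 policy des address-group dianxin
"""

# dest mask [exit-interface] next-hop [preference N]
ROUTE = re.compile(r"ip route-static (\S+) (\S+) (?:(\S+) )?(\d+(?:\.\d+){3})(?: preference (\d+))?$")


def parse_config(text):
    """Collect the configuration objects that decide whether a nat server address is reachable."""
    cfg = {"interfaces": {}, "zones": {}, "routes": [], "nat_servers": [],
           "group_refs": set(), "group_defs": set(), "defaults": []}
    ctx = None  # (kind, name) of the interface or zone whose indented lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            ctx = ("interface", m.group(1))
        elif m := re.match(r"firewall zone (?:name )?(\S+)", line):
            ctx = ("zone", m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and ctx and ctx[0] == "interface":
            cfg["interfaces"][ctx[1]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"add interface (\S+)", line)) and ctx and ctx[0] == "zone":
            cfg["zones"][m.group(1)] = ctx[1]
        elif m := ROUTE.match(line):
            cfg["routes"].append({"net": ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"),
                                  "iface": m.group(3), "nexthop": ipaddress.IPv4Address(m.group(4)),
                                  "pref": int(m.group(5) or 60)})  # 60: assumed VRP default
        elif m := re.match(r"nat server \d+ global (\S+) inside (\S+)", line):
            cfg["nat_servers"].append((ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))))
        elif m := re.match(r"policy (?:des|destination|source) address-group (\S+)", line):
            cfg["group_refs"].add(m.group(1))
        elif m := re.match(r"ip address-group (\S+)", line):
            cfg["group_defs"].add(m.group(1))
        elif m := re.match(r"firewall packet-filter default (permit|deny) interzone (\S+) (\S+) direction (\S+)", line):
            cfg["defaults"].append(m.groups())
    return cfg


def iface_for_ip(cfg, ip):
    """Interface whose connected subnet contains ip, or None."""
    ip = ipaddress.IPv4Address(ip)
    return next((name for name, addr in cfg["interfaces"].items() if ip in addr.network), None)


def reply_exit_interface(cfg, dest):
    """Exit interface for dest: connected subnet first, then longest prefix, then lowest preference."""
    dest = ipaddress.IPv4Address(dest)
    if direct := iface_for_ip(cfg, dest):
        return direct
    matches = [r for r in cfg["routes"] if dest in r["net"]]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r["net"].prefixlen, r["pref"]))
    return best["iface"] or iface_for_ip(cfg, best["nexthop"])


def audit(cfg, client="8.8.8.8"):
    """Findings a reviewer would raise before touching the NAT rules themselves."""
    out = []
    for glob, inside in cfg["nat_servers"]:
        ingress = iface_for_ip(cfg, glob)
        if ingress is None:
            out.append(f"nat server {glob}: no interface owns its subnet, so the upstream must route it here explicitly")
            continue
        egress = reply_exit_interface(cfg, client)
        if egress != ingress:  # request enters on one provider link, reply leaves on the other
            out.append(f"nat server {glob} -> {inside}: requests arrive on {ingress} (zone {cfg['zones'].get(ingress)}) "
                       f"but replies to {client} leave via {egress}; the provider behind {egress} "
                       f"will likely drop packets sourced from {glob}")
    for ref in sorted(cfg["group_refs"] - cfg["group_defs"]):
        out.append(f"address-group '{ref}' is referenced by a nat-policy but never defined")
    for action, z1, z2, direction in cfg["defaults"]:  # inbound = low-priority zone into high-priority zone
        if action == "permit" and direction == "inbound" and "trust" in (z1, z2):
            out.append(f"interzone {z1} {z2}: inbound default is permit, so published hosts are reachable "
                       f"on every port, not only the ones listed in the requirements")
    return out


if __name__ == "__main__":
    for finding in audit(parse_config(CONFIG)):
        print("-", finding)
```

Run against the excerpt, the script reports that 112.65.240.221 sits on GigabitEthernet0/0/3 (zone untrust1) while the only preferred default route sends replies out GigabitEthernet0/0/2, that `dianxin` is referenced but undefined, and that the trust/untrust default is permit; 180.235.66.10 produces no routing finding because its requests and replies use the same link. The same parser works on any dump with this command syntax, so the checks generalize beyond this one thread.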
Posted on 2013-7-29 11:54:05


Posted on 2020-8-21 10:33:36
The firewall in eNSP is the USG6000V.

