华为防火墙USG6000通过WEB图形界面配置案例

网络拓扑图

通过WEB方式登录到防火墙

通过Web方式登录USG6000V：教程

登录成功

配置防火墙使内网用户通过PAT方式上网

防火墙上新建一个Nat Pool，供内网用户以NAT方式访问外网

配置Nat策略

配置策略，使得trust区域可以访问untrust区域

配置默认路由，指向R1

设置到达Nat Pool的静态路由，指向一个空接口，防止路由黑洞

配置防火墙使得外网用户能访问企业DMZ区域的FTP服务器(双向nat)

先配置服务器对外静态映射

防火墙上配置一个策略，使得untrust区域能访问DMZ区域

配置nat pool地址池，目的是作为外网用户访问内网服务器后nat的内网地址

配置一个nat策略。注意，这个nat策略和内网nat外网有所不同！！！

最后配置一个到达服务器对外地址的静态路由，防止路由黑洞

WEB界面配置完成

内网用户与FTP-Server配置

• PC1
  
• FTP-Server
  

配置代码

• FW

dis current-configuration  显示防火墙的运行配置

    
    

    
    
1

[USG6000V1]dis current-configuration 
2020-12-02 05:10:12.380 
!Software Version V500R005C10SPC300
#
sysname FW
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 04:29
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 feedback type threat-log enable
 feedback type pdns enable
#
 update schedule ips-sdb daily 01:03
 update schedule av-sdb daily 01:03
 update schedule sa-sdb daily 01:03
 update schedule cnc daily 01:03
 update schedule file-reputation daily 01:03
#
ip vpn-instance default
 ipv4-family
#
ip-link check enable
ip-link name Linktest vpn-instance default
 destination 0.0.0.0/0.0.0.0 interface GigabitEthernet0/0/0 mode icmp next-hop 1
.1.1.2
#
ip address-set FTP_Server type object
 address 0 10.1.2.100 mask 32
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%Zrwy:l}UIX`r(g+IY`OVqb^q${UL$9Sr[@{C_yFj6fV)b^tq@%@%
  service-type web terminal
  level 15

manager-user api-admin
password cipher @%@%RbIt"|>Pz2NW1b@+[5@*lAb@{Q@w,<X<:FM\"=aDmHAbCl@%@%
level 15

manager-user admin
password cipher @%@%/#t."\i!CN:fcaLL.SLY9e%>]n*,Vrv~4DZU.{ &N6r8:e%A9@%@%
service-type web terminal
level 15

role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin

l2tp-group default-lns

interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface Virtual-if0

interface NULL0

firewall zone local
set priority 100

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0

firewall zone untrust
set priority 5

firewall zone dmz
set priority 50

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 1.1.1.2 track ip-link Linkt
est description 链路故障检测
ip route-static 1.1.1.100 255.255.255.255 NULL0 track ip-link Linktest
ip route-static 1.1.1.105 255.255.255.255 NULL0 track ip-link Linktest

undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1

firewall detect ftp

nat server FTP zone untrust protocol tcp global 1.1.1.100 ftp inside 10.1.2.1 f
tp no-reverse unr-route

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20

pki realm default

sa

location

nat address-group “Nat pool” 0
mode pat
section 0 1.1.1.105 1.1.1.106

nat address-group “DMZ pool” 1
mode pat
route enable
section 0 10.1.2.100 10.1.2.100

multi-linkif
mode proportion-of-weight

right-manager server-group

device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group

user-manage server-sync tsm

security-policy
rule name FTP
description 外网访问FTP的安全策略
source-zone untrust
destination-zone dmz
service ftp
action permit

auth-policy

traffic-policy

policy-based-route

nat-policy
rule name Nat
source-zone trust
destination-zone untrust
action source-nat address-group “Nat pool”
rule name “DMZ NAT”
source-zone untrust
destination-zone dmz
destination-address address-set FTP_Server
service ftp
action source-nat address-group “DMZ pool”

quota-policy

pcp-policy

dns-transparent-policy

rightm-policy

return

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20
• 21
• 22
• 23
• 24
• 25
• 26
• 27
• 28
• 29
• 30
• 31
• 32
• 33
• 34
• 35
• 36
• 37
• 38
• 39
• 40
• 41
• 42
• 43
• 44
• 45
• 46
• 47
• 48
• 49
• 50
• 51
• 52
• 53
• 54
• 55
• 56
• 57
• 58
• 59
• 60
• 61
• 62
• 63
• 64
• 65
• 66
• 67
• 68
• 69
• 70
• 71
• 72
• 73
• 74
• 75
• 76
• 77
• 78
• 79
• 80
• 81
• 82
• 83
• 84
• 85
• 86
• 87
• 88
• 89
• 90
• 91
• 92
• 93
• 94
• 95
• 96
• 97
• 98
• 99
• 100
• 101
• 102
• 103
• 104
• 105
• 106
• 107
• 108
• 109
• 110
• 111
• 112
• 113
• 114
• 115
• 116
• 117
• 118
• 119
• 120
• 121
• 122
• 123
• 124
• 125
• 126
• 127
• 128
• 129
• 130
• 131
• 132
• 133
• 134
• 135
• 136
• 137
• 138
• 139
• 140
• 141
• 142
• 143
• 144
• 145
• 146
• 147
• 148
• 149
• 150
• 151
• 152
• 153
• 154
• 155
• 156
• 157
• 158
• 159
• 160
• 161
• 162
• 163
• 164
• 165
• 166
• 167
• 168
• 169
• 170
• 171
• 172
• 173
• 174
• 175
• 176
• 177
• 178
• 179
• 180
• 181
• 182
• 183
• 184
• 185
• 186
• 187
• 188
• 189
• 190
• 191
• 192
• 193
• 194
• 195
• 196
• 197
• 198
• 199
• 200
• 201
• 202
• 203
• 204
• 205
• 206
• 207
• 208
• 209
• 210
• 211
• 212
• 213
• 214
• 215
• 216
• 217
• 218
• 219
• 220
• 221
• 222
• 223
• 224

• R1

  显示R1配置

 
 

 
 
1

interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 12.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ospf 1 router-id 1.1.1.1 
 area 0.0.0.0 
  network 12.1.1.1 0.0.0.0 
#

 
 

 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14

• R2

  显示R2配置

 
 

 
 
1

#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
 ip address 12.1.1.2 255.255.255.0 
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ospf 1 router-id 2.2.2.2 
 area 0.0.0.0 
  network 12.1.1.2 0.0.0.0 
#

 
 

 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14

官方参考文档

官方参考文档: USG6000 NAT和NAT SERVER应用配置案例

需要华为、H3C全方向认证资料和知名培训机构视频（IA、IP、IE）的同学关注公众号咨询哦。CSDN粉丝有福利！！！

欢迎关注微信公众号：新网工李白
“免费获取华为认证学习资料培训机构视频、软考学习资料和求职简历模板。”