
Huawei Eudemon1000E-G policy configuration

Bidirectional source/destination address mapping

(Yellow background marks in-cloud addresses, i.e. private-network addresses.)

Security policy

Security policy rules are created, copied, moved and renamed in the security-policy view.

security-policy
 rule name Chengzaiwang_to_Heyingyun_1   // creates the security policy rule and enters the security policy rule view
  source-zone Chengzaiwang
  destination-zone Heyingyun
  source-address 200.31.20.68 mask 255.255.255.192
  destination-address 192.168.102.7 mask 255.255.255.255
  service protocol tcp source-port 1 to 65535 destination-port 22 23
  action permit
 rule name Heyingyun_to_Chengzaiwang_1
  source-zone Heyingyun
  destination-zone Chengzaiwang
  source-address 192.168.102.7 mask 255.255.255.255
  destination-address 200.31.20.68 mask 255.255.255.192
  service protocol icmp
  service protocol tcp source-port 1 to 65535 destination-port 1 to 65535
  action permit

Address translation policy:

nat server Chengzaiwang_to_Heyingyun_1 zone Chengzaiwang global 172.30.80.2 inside 192.168.102.7 unr-route   // bidirectional mapping

Source address mapping

Security policy

security-policy
 rule name Heyingyun_to_Chengzaiwang_2
  source-zone Heyingyun
  destination-zone Chengzaiwang
  source-address 192.168.101.128 mask 255.255.255.255
  source-address 192.168.101.96 mask 255.255.255.255
  source-address 192.168.101.236 mask 255.255.255.255
  source-address 192.168.101.85 mask 255.255.255.255
  source-address 192.168.101.165 mask 255.255.255.255
  source-address 192.168.101.220 mask 255.255.255.255
  destination-address 200.16.62.135 mask 255.255.255.255
  service protocol icmp
  service protocol tcp source-port 1 to 65535 destination-port 22 873
  action permit

NAT policy

ip address-set Heyingyun-add_1 type object
 address 0 192.168.101.128 0
 address 1 192.168.101.96 0
 address 2 192.168.101.236 0
 address 3 192.168.101.85 0
 address 4 192.168.101.165 0
 address 5 192.168.101.220 0
#
nat address-group addgrp_172.17.1.63   // addgrp_172.17.1.63 is the address-group name
 mode pat
 route enable
 section 0 172.17.1.63 172.17.1.63
#
nat-policy
 rule name Heyingyun_to_Chengzaiwang_2
  source-zone Heyingyun
  destination-zone Chengzaiwang
  source-address address-set Heyingyun-add_1
  destination-address 200.16.62.135 mask 255.255.255.255
  action source-nat address-group addgrp_172.17.1.63
#

# The ip address-set command creates an address object or address group and enters the corresponding view.
# object specifies the type as an address object.
# The nat address-group command configures an address pool.

Destination address mapping

Security policy

security-policy
 rule name Chengzaiwang_to_Heyingyun_2
  source-zone Chengzaiwang
  destination-zone Heyingyun
  source-address 200.16.62.135 mask 255.255.255.255
  destination-address 192.168.101.236 mask 255.255.255.255
  service protocol tcp source-port 1 to 65535 destination-port 22 873
  action permit

Address mapping

nat server Chengzaiwang_to_Heyingyun_8 zone Chengzaiwang global 172.17.1.62 inside 192.168.101.236 no-reverse unr-route   // with no-reverse added, only a one-way mapping is created
#

When configuring an address mapping, note that the mapped IP must exist locally on the device.

# no-reverse means no reverse server map is created; if it is not configured, both the forward and the reverse server map are created.
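As an added example (not from the original post), the following Python script parses configuration in the CLI form used above and runs two defender-side checks: it flags permit rules whose service opens the full destination port range 1 to 65535 (as Heyingyun_to_Chengzaiwang_1 does), and it reports nat server mappings whose inside address is not covered by any permit rule from the global-side zone, relying on the pairing shown above where the security policy matches the inside (private) address of a nat server entry. The sample configuration is constructed from the page's rules trimmed to the fields the checker reads, plus a hypothetical Orphan_map entry; the indentation follows the device's display format.

```python
import ipaddress
# Constructed sample in the page's CLI style (indented as on the device); not a real export.
SAMPLE = """\
security-policy
 rule name Chengzaiwang_to_Heyingyun_1
  source-zone Chengzaiwang
  destination-address 192.168.102.7 mask 255.255.255.255
  service protocol tcp source-port 1 to 65535 destination-port 22 23
  action permit
 rule name Heyingyun_to_Chengzaiwang_1
  source-zone Heyingyun
  destination-address 200.31.20.68 mask 255.255.255.192
  service protocol tcp source-port 1 to 65535 destination-port 1 to 65535
  action permit
nat server Chengzaiwang_to_Heyingyun_1 zone Chengzaiwang global 172.30.80.2 inside 192.168.102.7 unr-route
nat server Orphan_map zone Chengzaiwang global 172.30.80.3 inside 192.168.102.9 unr-route
"""

def parse(text):
    """Return (security-policy rules by name, list of nat server mappings)."""
    rules, servers, view, cur = {}, [], None, None
    for line in filter(str.strip, text.splitlines()):
        tok = line.split()
        if not line[0].isspace():            # unindented = new top-level view or command
            view, cur = tok[0], None
            if tok[:2] == ["nat", "server"]:  # nat server NAME zone Z global G inside I ...
                servers.append({"name": tok[2], "zone": tok[4], "inside": tok[8]})
        elif view != "security-policy":       # ignore nat-policy and other views
            continue
        elif tok[:2] == ["rule", "name"]:
            cur = rules.setdefault(tok[2], {"source-zone": None, "dst": [], "dports": [], "action": None})
        elif tok[0] in ("source-zone", "action"):
            cur[tok[0]] = tok[1]
        elif tok[0] == "destination-address" and tok[2] == "mask":
            cur["dst"].append(ipaddress.ip_network(f"{tok[1]}/{tok[3]}", strict=False))
        elif tok[0] == "service" and "destination-port" in tok:
            cur["dports"].append(" ".join(tok[tok.index("destination-port") + 1:]))
    return rules, servers

def any_port_permits(rules):
    """Names of permit rules whose service opens the full destination port range."""
    return sorted(n for n, r in rules.items() if r["action"] == "permit" and "1 to 65535" in r["dports"])

def unreachable_servers(rules, servers):
    """nat server mappings whose inside address no permit rule from the global-side zone covers."""
    return [s["name"] for s in servers if not any(
        r["action"] == "permit" and r["source-zone"] == s["zone"]
        and any(ipaddress.ip_address(s["inside"]) in net for net in r["dst"])
        for r in rules.values())]
```

Run it against a real export by replacing SAMPLE with the output of display current-configuration; every flagged rule or orphaned mapping is a candidate for tightening or removal.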

Other notes

In interface view:

 service-manage ping permit   // the service-manage command allows administrators to ping the interface

In security-policy view:

 default action permit   // sets the default security policy action to permit (used during the commissioning phase)
 default action deny

For newly created subinterfaces, remember the add interface command, which adds an interface to a security zone:

firewall zone name Heyingyun id 6
 set priority 20
 add interface Eth-Trunk3
 add interface Eth-Trunk3.500
 add interface Eth-Trunk3.501

For a newly created zone, remember to permit traffic to and from the local zone:

 rule name local_to_Zhuanshuyun
  source-zone local
  destination-zone Zhuanshuyun
  action permit
 rule name Zhuanshuyun_to_local
  source-zone Zhuanshuyun
  destination-zone local
  action permit

View the session table:

display firewall session table verbose source inside x.x.x.x
display firewall session table verbose destination global x.x.x.x

Firewall traffic statistics example:

acl number 3333
 rule 5 permit ip source 172.31.20.83 0 destination 172.30.80.2 0
 rule 10 permit ip source 172.31.20.83 0 destination 192.168.102.7 0
 rule 15 permit ip source 172.30.80.2 0 destination 172.31.20.83 0
 rule 20 permit ip source 192.168.102.7 0 destination 172.31.20.83 0
#
[Eudemon1000E]diagnose
[Eudemon1000E-diagnose]reset firewall statistics acl all
Results of ACL-based packet statistics will be reset! Continue?[Y/N]:y
[Eudemon1000E-diagnose]firewall statistics acl 3333 enable
[Eudemon1000E-diagnose]display firewall statistics acl
#
[Eudemon1000E-diagnose]undo firewall statistics acl
[Eudemon1000E]undo acl 3333 (+B)
#
Steps:
First configure the ACL.
Then, in the diagnose view, run firewall statistics acl 3333 enable.
Then generate the traffic and run display firewall statistics acl to check whether any packets were counted.
When finished, run undo firewall statistics acl.
Also delete the ACL.

Reproduction without permission prohibited: 知行合一 » Huawei Eudemon1000E-G policy configuration