H3C-Firewall-配置实例.doc

防火墙作为出口网关，联通光纤、电信光纤、电信ADSL出口，防火墙接H3C二层交换机，H3C二层交换机接内网服务器和下面的二层交换机（内网用户都接这里）。 由于客户是静态设置地址，所以这里是没有DHCP配置的。 一、上网设置： #域配置 zone name Management id 0 priority 100 import interface GigabitEthernet0/0 zone name Local id 1 priority 100 zone name Trust id 2 priority 85 import interface GigabitEthernet0/2 zone name DMZ id 3 priority 50 zone name Untrust id 4 priority 5 import interface Dialer1 import interface GigabitEthernet0/3 import interface GigabitEthernet0/4 import interface GigabitEthernet0/5 #内网网关 interface GigabitEthernet0/2 ip address 192.168.100.254 255.255.0.0 port link-mode route nat outbound 3090 #电信出口 interface GigabitEthernet0/3 port link-mode route ip address 219.137.182.2xx 255.255.255.248 nat outbound 2000 address-group 1 #联通出口 interface GigabitEthernet0/4 port link-mode route ip address 218.107.10.xx 255.255.255.248 nat outbound 2000 address-group 2 #PPPOE电信ADSL interface GigabitEthernet0/5 port link-mode route pppoe-client dial-bundle-number 1 #设定拨号访问组的拨号控制列表 dialer-rule 1 ip permit #PPPOE配置 interface Dialer1 nat outbound 2000 link-protocol ppp ppp chap user gzDSLxxxxxxxx@163.gd ppp chap password cipher $c$3$cft8cT2sYcO4XYUDKRgfw0R0HOSTSDh69HbN ppp pap local-user gzDSLxxxxxxxx@163.gd password cipher $c$3$mXUOjqFP3BKfa52muz92y7JBlMMsjjNzxGVL ppp ipcp dns request ip address ppp-negotiate dialer user pppoeclient dialer-group 1 dialer bundle 1 #DNS服务器 dns resolve dns proxy enable dns server 202.96.128.166 dns server 8.8.8.8 #NAT动态地址池 nat address-group 1 219.137.182.2xx 219.137.182.206 level 1 nat address-group 2 218.107.10.xx 218.107.10.xy level 1 #NAT使用的ACL acl number 2000 rule 0 permit source 192.168.0.0 0.0.255.255 #出口路由 ip route-static 0.0.0.0 0.0.0.0 Dialer1 ip route-static 0.0.0.0 0.0.0.0 219.137.182.201 ip route-static 0.0.0.0 0.0.0.0 218.107.10.41 preference 100 二、策略路由 #策略路由使用的ACL acl number 3088 //匹配内部服务器地址 rule 0 permit ip source 192.168.16.39 0 rule 1 permit ip source 192.168.100.1 0 rule 2 permit ip source 192.168.100.161 0 rule 3 permit ip source 192.168.100.162 0 rule 4 permit ip source 192.168.100.164 0 rule 101 deny ip acl number 3089 //匹配内网用户地址段 rule 0 permit ip source 192.168.0.0 0.0.255.255 rule 101 deny ip #新建策略路由 policy-based-route wan permit node 10 if-match acl 3088 apply ip-address next-hop 219.137.182.201 //服务器走电信出口 policy-based-route wan permit node 11 if-match acl 3089 apply ip-address next-hop 218.107.10.41 //内网用户走联通出口 #策略路由的应用 interface GigabitEthernet0/2 ip policy-based-route wan 三、外网访问内部服务器NAT interface GigabitEthernet0/3 nat server protocol tcp global 219.137.182.2xx 5872 inside 192.168.100.164 5872 nat server protocol tcp global 219.137.182.2xx 81 inside 192.168.100.164 81 nat server protocol tcp global 219.137.182.2xx 89 inside 192.168.100.1 89 nat server protocol tcp global 219.137.182.2xx 5366 inside 192.168.100.162 5366 nat server 1 protocol tcp global current-interface 8081 inside 192.168.100.162 8081 nat server protocol tcp global 219.137.182.2xx 8088 inside 192.168.100.1 8088 ip address 219.137.182.2xx 255.255.255.248 # interface GigabitEthernet0/4 nat server protocol tcp global 218.107.10.xx 8088 inside 192.168.100.1 8088 nat server protocol tcp global 218.107.10.xx 81 inside 192.168.100.164 81 nat server protocol tcp global 218.107.10.xx 5872 inside 192.168.100.164 5872 nat server 1 protocol tcp global current-interface 89 inside 192.168.100.1 89 nat server 2 protocol tcp global current-interface 5366 inside 192.168.100.162 5366 nat server 3 protocol tcp global current-interface 8081 inside 192.168.100.162 8081 #允许Untrust区域访问内网服务器地址组地址 interzone source Untrust destination Trust rule 0 permit source-ip any_address destination-ip server_group service any_service rule enable 四、内网用户通过公网地址访问内部服务器NAT #公网地址访问内网服务器NAT使用的ACL acl number 3090 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.16.39 0 rule 1 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.1 0 rule 2 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.161 0 rule 3 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.162 0 rule 4 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.164 0 acl number 3091 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.16.39 0 rule 1 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.1 0 rule 2 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.161 0 rule 3 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.162 0 rule 4 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.100.164 0 rule 5 permit ip source 192.168.16.39 0 destination 192.168.0.0 0.0.255.255 rule 6 permit ip source 192.168.100.1 0 destination 192.168.0.0 0.0.255.255 rule 7 permit ip source 192.168.100.161 0 destination 192.168.0.0 0.0.255.255 rule 8 permit ip source 192.168.100.162 0 destination 192.168.0.0 0.0.255.255 rule 9 permit ip source 192.168.100.164 0 destination 192.168.0.0 0.0.255.255 interface GigabitEthernet0/2 nat outbound 3090 nat server protocol tcp global 219.137.182.2xx 8088 inside 192.168.100.1 8088 nat server protocol tcp global 218.107.10.xx 8088 inside 192.168.100.1 8088 nat server protocol tcp global 218.107.10.xx 81 inside 192.168.100.164 81 nat server protocol tcp global 219.137.182.2xx 81 inside 192.168.100.164 81 #匹配源地址为内网服务器目的地址为内网用户地址的数据包不作下一跳修改 policy-based-route wan deny node 9 if-match acl 3091 五、IPSec VPN #IPSec匹配流量 acl number 3501 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.160.10.0 0.0.0.255 acl number 3502 rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.160.55.0 0.0.0.255 #IKE本端名称 ike local-name f100 #健康检测 ike dpd to_fg100_dpd time-out 3 #第一阶段ike提议 ike proposal 1 encryption-algorithm 3des-cbc dh group2 authentication-algorithm md5 # ike proposal 2 encryption-algorithm 3des-cbc dh group2 #第一阶段 IKE对等体 预共享密钥 野蛮模式 ike peer to_fg100_peer exchange-mode aggressive pre-shared-key cipher $c$3$UqO8Is+AdX579TINNmJkYll+lArkiRBOjfzzAg== id-type name remote-name fg100 nat traversal dpd to_fg100_dpd #第二阶段IPSec安全提议 ipsec transform-set to_fg100_prop encapsulation-mode tunnel transform esp esp authentication-algorithm md5 esp encryption-algorithm 3des #第二阶段IPSec模板 ipsec policy-template to_fg100_temp 1 security acl 3502 ike-peer to_fg100_peer transform-set to_fg100_prop sa duration traffic-based 1843200 sa duration time-based 3600 #创建一个policy ipsec policy to_fg100_poli 1 isakmp template to_fg100_temp #把policy挂在G0/3上 interface GigabitEthernet0/3 ipsec policy to_fg100_poli 六、SSL VPN #SSL使用的PKI证书 pki entity ssl common-name ssl # pki domain default crl check disable # pki domain domain ca identifier domain certificate request from ra crl check disable #SSL VPN配置 ssl server-policy default pki-domain default ssl server-policy access-policy pki-domain domain ssl server-policy h3c pki-domain h3c ssl server-policy sslvpn pki-domain domain #开启SSL VPN ssl-vpn server-policy access-policy ssl-vpn enable 七、其他设置 #管理口 interface GigabitEthernet0/0 port link-mode route ip address 192.168.0.1 255.255.255.0 #开启telnet telnet server enable #web管理页面超时 web idle-timeout 50 #时间表 time-range office 07:00 to 19:00 daily #配置TFTP客户端的源地址（从PC导入ssl vpn证书） tftp client source interface GigabitEthernet0/0 八、默认设置 version 5.20, Release 5140 # sysname H3C # ftp server enable # undo voice vlan mac-address 00e0-bb00-0000 # vd Root id 1 # #本地用户 local-user admin password cipher $c$3$oGb5I9jYxOTH14goQ9eyldWLEVvfRG8M authorization-attribute level 3 service-type telnet service-type web #允许来宾用户管理员在Web页面上创建的来宾用户加入该用户组 user-group system group-attribute allow-guest # interface NULL0 # vlan 1 # qos policy 11 qos policy 1 #取消指定协议的ALG功能 undo alg dns undo alg rtsp undo alg h323 undo alg sip undo alg sqlnet undo alg pptp undo alg ils undo alg nbt undo alg msn undo alg qq undo alg tftp undo alg sccp undo alg gtp #命令用来使能会话双机热备功能 session synchronization enable #使能密码恢复功能（默认使能） password-recovery enable #控制vty接口的登陆认证方式 user-interface con 0 user-interface vty 0 4 authentication-mode scheme # #默认的Radius配置 domain system access-limit disable state active idle-cut disable self-service-url disable # interface GigabitEthernet0/1 port link-mode route #默认域 开启，名称是“system”； domain default enable system # load xml-configuration # load tr069-configuration