
Huawei USG Firewall Configuration


Internal network:

Add GigabitEthernet 0/0/1 to the Trust zone

[USG5300] firewall zone trust

[USG5300-zone-trust] add interface GigabitEthernet 0/0/1

External network:

Add GigabitEthernet 0/0/2 to the Untrust zone

[USG5300] firewall zone untrust

[USG5300-zone-untrust] add interface GigabitEthernet 0/0/2

DMZ:

Add GigabitEthernet 0/0/3 to the DMZ zone

[USG5300] firewall zone dmz

[USG5300-zone-dmz] add interface GigabitEthernet 0/0/3

[USG5300-zone-dmz] quit

1.4.1 Trust-Untrust interzone: allow internal users to access the Internet

policy 1: permit packets whose source address is in the 10.10.10.0/24 segment

[USG5300] policy interzone trust untrust outbound

[USG5300-policy-interzone-trust-untrust-outbound] policy 1

[USG5300-policy-interzone-trust-untrust-outbound-1] policy source 10.10.10.0 0.0.0.255

[USG5300-policy-interzone-trust-untrust-outbound-1] action permit

[USG5300-policy-interzone-trust-untrust-outbound-1] quit

If all internal addresses are to be allowed out to the Internet, the following command can be used:

[USG5300] firewall packet-filter default permit interzone trust untrust direction outbound // required

This sets the default action for the whole Trust-to-Untrust outbound direction to permit, so any outbound traffic not matched by an explicit policy is allowed as well. A policy like policy 1 above with the policy source line omitted permits every internal host while keeping the interzone default at deny.

1.4.2 DMZ-Untrust interzone: access internal servers from the Internet

policy 2: permit packets to destination 10.10.11.3 on TCP port 21 (FTP)

policy 3: permit packets to destination 10.10.11.2 on TCP port 80 (HTTP; published on the Internet as 220.10.10.16:8080 by the nat server mapping below)

[USG5300] policy interzone untrust dmz inbound

[USG5300-policy-interzone-dmz-untrust-inbound] policy 2

[USG5300-policy-interzone-dmz-untrust-inbound-2] policy destination 10.10.11.3 0

[USG5300-policy-interzone-dmz-untrust-inbound-2] policy service service-set ftp

[USG5300-policy-interzone-dmz-untrust-inbound-2] action permit

[USG5300-policy-interzone-dmz-untrust-inbound-2] quit

[USG5300-policy-interzone-dmz-untrust-inbound] policy 3

[USG5300-policy-interzone-dmz-untrust-inbound-3] policy destination 10.10.11.2 0

[USG5300-policy-interzone-dmz-untrust-inbound-3] policy service service-set http

[USG5300-policy-interzone-dmz-untrust-inbound-3] action permit

[USG5300-policy-interzone-dmz-untrust-inbound-3] quit

[USG5300-policy-interzone-dmz-untrust-inbound] quit

Configure the internal servers (nat server). The nat server translation is applied before the interzone policy is looked up, so policies 2 and 3 above match the inside addresses and inside ports (ftp, http), not the global addresses 220.10.10.16/17 or the published port 8080:

system-view

[USG5300] nat server protocol tcp global 220.10.10.16 8080 inside 10.10.11.2 www

[USG5300] nat server protocol tcp global 220.10.10.17 ftp inside 10.10.11.3 ftp
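The following Python script is an added example; it is not part of the original page and not a Huawei tool. It parses the untrust-to-dmz policies and the nat server lines above (embedded as a constructed sample with the prompts removed) and checks that every published server has a first-match permit policy written against its inside address and inside port, that the permit is restricted to that service, and that no policy references a global address, which can never match after destination NAT. The port numbers behind the predefined service-sets and the www/ftp port keywords are assumed to be the standard values.

```python
import ipaddress
import re

# Predefined service-sets used on the page (assumed standard ports) and the
# port keywords accepted by nat server.
SERVICE_SETS = {"ftp": ("tcp", 21), "http": ("tcp", 80)}
PORT_KEYWORDS = {"www": 80, "ftp": 21}

# Constructed sample input: the policy and nat server commands from this page,
# written as they appear in a running configuration (prompts removed).
SAMPLE_CONFIG = """\
policy interzone untrust dmz inbound
 policy 2
  policy destination 10.10.11.3 0
  policy service service-set ftp
  action permit
 policy 3
  policy destination 10.10.11.2 0
  policy service service-set http
  action permit
nat server protocol tcp global 220.10.10.16 8080 inside 10.10.11.2 www
nat server protocol tcp global 220.10.10.17 ftp inside 10.10.11.3 ftp
"""

NAT_SERVER = re.compile(
    r"nat server protocol (\S+) global (\S+) (\S+) inside (\S+) (\S+)")


def port_number(tok):
    return PORT_KEYWORDS.get(tok) or int(tok)


def wildcard(tok):
    # The USG accepts a bare "0" (single host) or a dotted wildcard such as 0.0.0.255.
    return 0 if tok == "0" else int(ipaddress.IPv4Address(tok))


def parse(text):
    """Return (policies, servers); policies keep configuration order, which is
    also the order the USG evaluates them in (first match wins)."""
    policies, servers, cur = [], [], None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "policy" and len(t) == 2 and t[1].isdigit():
            cur = {"id": int(t[1]), "dest": None, "wild": 0,
                   "service": None, "action": None}
            policies.append(cur)
        elif cur and t[:2] == ["policy", "destination"]:
            cur["dest"], cur["wild"] = ipaddress.IPv4Address(t[2]), wildcard(t[3])
        elif cur and t[:3] == ["policy", "service", "service-set"]:
            cur["service"] = t[3]
        elif cur and t[0] == "action":
            cur["action"] = t[1]
        elif (m := NAT_SERVER.match(raw.strip())):
            servers.append({"proto": m[1],
                            "global": ipaddress.IPv4Address(m[2]),
                            "gport": port_number(m[3]),
                            "inside": ipaddress.IPv4Address(m[4]),
                            "iport": port_number(m[5])})
    return policies, servers


def matches(policy, ip, proto, dport):
    """True if the policy covers a packet to ip:dport (post-NAT values)."""
    if policy["dest"] is not None:
        w = policy["wild"]
        if (int(ip) | w) != (int(policy["dest"]) | w):
            return False
    if policy["service"] is not None:
        if SERVICE_SETS[policy["service"]] != (proto, dport):
            return False
    return True


def check(text):
    """Findings for published servers lacking a matching, tightly scoped permit."""
    policies, servers = parse(text)
    findings = []
    global_to_inside = {s["global"]: s["inside"] for s in servers}
    for s in servers:
        hit = next((p for p in policies
                    if matches(p, s["inside"], s["proto"], s["iport"])), None)
        if hit is None or hit["action"] != "permit":
            findings.append(
                f"no permit policy for {s['inside']}:{s['iport']} "
                f"(published as {s['global']}:{s['gport']})")
        elif hit["service"] is None:
            findings.append(
                f"policy {hit['id']} permits every service to {s['inside']}; "
                f"restrict it to the published port")
    for p in policies:
        # nat server rewrites the destination before the policy lookup, so a
        # policy written against the global address can never match.
        if p["dest"] in global_to_inside:
            findings.append(
                f"policy {p['id']} references global address {p['dest']}; "
                f"use inside address {global_to_inside[p['dest']]}")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONFIG) or ["ok: every nat server has a matching permit policy"]:
        print(line)
```

Running it on the page's configuration reports nothing; swapping the two destination addresses (as the policy descriptions originally had them) or writing a policy against 220.10.10.16 produces findings.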

NAT

2. Using the public interface (Easy IP)

Create a NAT policy between the Trust and Untrust zones, define 192.168.1.0/24 as the source address range to be translated, and bind the policy to the external interface GigabitEthernet 0/0/4.

[USG] nat-policy interzone trust untrust outbound

[USG-nat-policy-interzone-trust-untrust-outbound] policy 0

[USG-nat-policy-interzone-trust-untrust-outbound-0] policy source 192.168.1.0 0.0.0.255

[USG-nat-policy-interzone-trust-untrust-outbound-0] action source-nat

[USG-nat-policy-interzone-trust-untrust-outbound-0] easy-ip GigabitEthernet 0/0/4

[USG-nat-policy-interzone-trust-untrust-outbound-0] quit

3. Enabling NAT directly on the interface

For NAT of internal users accessing the Internet, the command is entered on the internal interface:

[USG-GigabitEthernet0/0/0]nat enable

2.10 Configuring policy-based routing

Requirement: traffic from 10.10.167.0/24 goes via 218.201.135.177, traffic from 10.10.168.0/24 goes via 58.57.15.53.

1. Create the ACLs

acl number 3000

rule 1 permit ip source 10.10.167.0 0.0.0.255

acl number 3001

rule 1 permit ip source 10.10.168.0 0.0.0.255

2. Create the policy-based route

policy-based-route internet permit node 0

if-match acl 3000

apply ip-address next-hop 218.201.135.177

policy-based-route internet permit node 1

if-match acl 3001

apply ip-address next-hop 58.57.15.53

3. Apply the policy route to the inbound (internal) interface, in that interface's view

ip policy-based-route internet

4. Configure the default routes. With policy routing in place, no specific routes to the two next hops are needed. The two default routes have the same preference, so traffic that matches neither ACL is load-balanced across both next hops.

ip route-static 0.0.0.0 0.0.0.0 218.201.135.177

ip route-static 0.0.0.0 0.0.0.0 58.57.15.53

Check the configuration:

display policy-based-route
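An added example, not from the original page, that models how the policy route above is evaluated for a packet arriving on the internal interface: ACL wildcard matching, first match over the node list, and fall-back to the two equal-cost default routes for traffic that matches no node. It also shows that a deny rule in a referenced ACL or a deny node never drops a packet (the behaviour documented for VRP policy routing): the packet is simply left to the ordinary routing table. The ACL rules, nodes and next hops are the page's own values; the function names are the example's.

```python
import ipaddress

# Constructed sample input: the ACLs, PBR nodes and default routes from this
# page, as (action, network, wildcard) rules and (node action, acl, next hop).
ACLS = {
    3000: [("permit", "10.10.167.0", "0.0.0.255")],
    3001: [("permit", "10.10.168.0", "0.0.0.255")],
}
PBR_NODES = [  # evaluated in node-number order; the first matching node wins
    ("permit", 3000, "218.201.135.177"),
    ("permit", 3001, "58.57.15.53"),
]
# Two 0.0.0.0/0 static routes with the same preference: equal-cost candidates.
DEFAULT_ROUTES = ["218.201.135.177", "58.57.15.53"]


def in_wildcard(ip, network, wildcard):
    """ACL wildcard match: bits set in the wildcard are 'don't care'."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) | w) == (int(ipaddress.IPv4Address(network)) | w)


def acl_action(rules, src):
    """Action of the first rule matching src, or None when no rule matches."""
    for action, network, wildcard in rules:
        if in_wildcard(src, network, wildcard):
            return action
    return None


def next_hops(src, acls=ACLS, nodes=PBR_NODES, defaults=DEFAULT_ROUTES):
    """Return (candidate next hops, reason) for a packet from src arriving on
    the interface where the policy route is applied.

    A deny rule in the ACL or a deny node never drops the packet: it only
    keeps the packet out of policy routing, so it is forwarded by the ordinary
    routing table, here the equal-cost default routes."""
    for node_action, acl_id, hop in nodes:
        action = acl_action(acls[acl_id], src)
        if action == "permit":
            if node_action == "permit":
                return [hop], f"policy-routed by node matching acl {acl_id}"
            return list(defaults), f"deny node for acl {acl_id}: normal routing"
        # "deny" or no matching rule: this node does not apply, try the next one
    return list(defaults), "no node matched: normal routing (equal-cost default routes)"


if __name__ == "__main__":
    for src in ("10.10.167.25", "10.10.168.1", "10.10.169.1"):
        print(src, *next_hops(src))
```

The third sample address, 10.10.169.1, matches neither ACL and therefore gets both default-route next hops, which is why the page needs no specific routes beyond the two defaults.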
