CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Using an Advanced ACL to Configure the Firewall Function

Networking Requirements

As shown in Figure 5-19, an enterprise network running the Web, FTP, and Telnet services accesses an external network through GE1/0/0 and joins a VLAN through Eth2/0/0.

The enterprise network segment is 10.10.10.0/24 and the IP addresses of the Web server, FTP server, and Telnet server are 10.10.10.5/24, 10.10.10.6/24, and 10.10.10.7/24.

To ensure security, the Router provides the firewall function. Only specified users are allowed to access internal servers of the enterprise and only internal servers of the enterprise are allowed to access the external network.

Figure 5-19  Using an advanced ACL to configure the firewall function

Configuration Roadmap

The following configurations are performed on the Router. The configuration roadmap is as follows:

  1. Configure zones on the internal and external networks.
  2. Configure an interzone and enable the firewall function in the interzone.
  3. Configure advanced ACLs to restrict the rights to access the internal servers and external network.
  4. Configure ACL-based packet filtering in the interzone.

Procedure

  1. Configure zones.

    # Configure a zone on the internal network.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] firewall zone company
    [Router-zone-company] priority 12
    [Router-zone-company] quit

    # Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces. Add VLANIF 100 to the zone company.

    [Router] vlan batch 100
    [Router] interface ethernet 2/0/0
    [Router-Ethernet2/0/0] port link-type access
    [Router-Ethernet2/0/0] port default vlan 100
    [Router-Ethernet2/0/0] quit
    [Router] interface vlanif 100 
    [Router-Vlanif100] ip address 10.10.10.1 255.255.255.0
    [Router-Vlanif100] zone company
    [Router-Vlanif100] quit

    # Configure a zone on the external network.

    [Router] firewall zone external
    [Router-zone-external] priority 5
    [Router-zone-external] quit

    # Add GigabitEthernet 1/0/0 to the zone external.

    [Router] interface gigabitethernet 1/0/0
    [Router-GigabitEthernet1/0/0] ip address 10.39.10.8 255.255.255.0
    [Router-GigabitEthernet1/0/0] zone external
    [Router-GigabitEthernet1/0/0] quit

  2. Configure an interzone.

    [Router] firewall interzone company external
    [Router-interzone-company-external] firewall enable
    [Router-interzone-company-external] quit

  3. Configure ACL 3001.

    # Create ACL 3001.

    [Router] acl 3001

    # Configure a rule in ACL 3001 to allow specified users to access internal servers.

    [Router-acl-adv-3001] rule permit tcp source 1.2.3.4 0.0.0.0 destination 10.10.10.5 0.0.0.0
    [Router-acl-adv-3001] rule permit tcp source 1.2.3.4 0.0.0.0 destination 10.10.10.6 0.0.0.0
    [Router-acl-adv-3001] rule permit tcp source 1.2.3.4 0.0.0.0 destination 10.10.10.7 0.0.0.0

    # Configure a rule in ACL 3001 to prevent other users from accessing any host of the enterprise.

    [Router-acl-adv-3001] rule deny ip
    [Router-acl-adv-3001] quit

  4. Configure ACL 3002.

    # Create ACL 3002.

    [Router] acl 3002

    # Configure a rule in ACL 3002 to allow internal servers to access the external network.

    [Router-acl-adv-3002] rule permit ip source 10.10.10.5 0.0.0.0
    [Router-acl-adv-3002] rule permit ip source 10.10.10.6 0.0.0.0
    [Router-acl-adv-3002] rule permit ip source 10.10.10.7 0.0.0.0

    # Configure a rule in ACL 3002 to prevent other users of the enterprise from accessing the external network.

    [Router-acl-adv-3002] rule deny ip
    [Router-acl-adv-3002] quit

  5. Configure ACL-based packet filtering in the interzone.

    [Router] firewall interzone company external
    [Router-interzone-company-external] packet-filter 3001 inbound
    [Router-interzone-company-external] packet-filter 3002 outbound
    [Router-interzone-company-external] quit

  6. Verify the configuration.

    # After the configuration is complete, only the host at 1.2.3.4 can access internal servers and only internal servers can access the external network.

    # Run the display firewall interzone [ zone-name1 zone-name2 ] command on the Router. The result is as follows:

    [Router] display firewall interzone company external
    interzone company external
     firewall enable
     packet-filter default deny inbound
     packet-filter default permit outbound
     packet-filter 3001 inbound
     packet-filter 3002 outbound
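The steps above define a policy, but the only check the page shows is the interzone summary, which does not tell you which flows the two ACLs actually permit. The following Python script is an added example, not Huawei code or output from the device; it models the packet-filter decision offline so the policy can be checked against sample flows before it is deployed. It assumes first-match evaluation in configuration order with rules numbered in steps of 5 (which is what the rule 5/10/15/20 numbers in the configuration file reflect), the wildcard-mask convention used on the CLI (a 0 bit must match, a 1 bit is ignored, so 0.0.0.0 means a single host), and the interzone defaults shown by display firewall interzone (deny inbound, permit outbound). The outside addresses 5.6.7.8 and 10.39.10.1 and the internal host 10.10.10.20 are constructed for the test flows.

```python
"""Offline checker for the interzone packet filter built from ACL 3001 and ACL 3002.

Constructed example (not Huawei code). It models first-match ACL evaluation with
wildcard masks and the step-5 rule numbering the device assigns in config order.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # source/destination omitted on the CLI: matches everything
HOST = "0.0.0.0"                       # wildcard for a single host (written 0.0.0.0 or 0 on the CLI)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: Tuple[str, str] = ANY         # (address, wildcard)
    dst: Tuple[str, str] = ANY


def wildcard_match(addr: str, spec: Tuple[str, str]) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is a don't-care."""
    base, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (b | w)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, default: str):
    """First matching rule wins. Returns (action, rule_number); rule_number is None
    when no rule matches and the interzone default applies."""
    for index, rule in enumerate(acl):
        proto_ok = rule.proto == "ip" or rule.proto == proto
        if proto_ok and wildcard_match(src, rule.src) and wildcard_match(dst, rule.dst):
            return rule.action, 5 * (index + 1)     # assumed numbering: 5, 10, 15, ...
    return default, None


# ACL 3001, applied inbound (external -> company): only 1.2.3.4 may reach the servers, TCP only.
ACL_3001 = [
    Rule("permit", "tcp", ("1.2.3.4", HOST), ("10.10.10.5", HOST)),
    Rule("permit", "tcp", ("1.2.3.4", HOST), ("10.10.10.6", HOST)),
    Rule("permit", "tcp", ("1.2.3.4", HOST), ("10.10.10.7", HOST)),
    Rule("deny", "ip"),
]

# ACL 3002, applied outbound (company -> external): only the three servers may leave.
ACL_3002 = [
    Rule("permit", "ip", ("10.10.10.5", HOST)),
    Rule("permit", "ip", ("10.10.10.6", HOST)),
    Rule("permit", "ip", ("10.10.10.7", HOST)),
    Rule("deny", "ip"),
]

# Interzone defaults as shown by "display firewall interzone company external".
INTERZONE = {
    "inbound": (ACL_3001, "deny"),
    "outbound": (ACL_3002, "permit"),
}


def filter_packet(direction: str, proto: str, src: str, dst: str):
    """Decision the interzone packet filter makes for one packet in the given direction."""
    acl, default = INTERZONE[direction]
    return evaluate(acl, proto, src, dst, default)


def catch_all_rule(acl: List[Rule]) -> Optional[int]:
    """Number of the first rule matching every packet, i.e. the point after which
    later rules and the interzone default can never take effect."""
    for index, rule in enumerate(acl):
        if rule.proto == "ip" and rule.src == ANY and rule.dst == ANY:
            return 5 * (index + 1)
    return None


if __name__ == "__main__":
    # Constructed sample flows; 5.6.7.8, 10.39.10.1 and 10.10.10.20 are made-up addresses.
    flows = [
        ("inbound", "tcp", "1.2.3.4", "10.10.10.5"),      # allowed user, TCP to a server
        ("inbound", "icmp", "1.2.3.4", "10.10.10.5"),     # allowed user, but ICMP is not permitted
        ("inbound", "tcp", "5.6.7.8", "10.10.10.5"),      # other user
        ("inbound", "tcp", "1.2.3.4", "10.10.10.20"),     # allowed user, non-server host
        ("outbound", "tcp", "10.10.10.6", "10.39.10.1"),  # server going out
        ("outbound", "udp", "10.10.10.20", "10.39.10.1"), # ordinary internal host going out
    ]
    for flow in flows:
        action, number = filter_packet(*flow)
        print(f"{flow[0]:8} {flow[1]:4} {flow[2]:>12} -> {flow[3]:<12} {action} (rule {number})")
    print("ACL 3002 catch-all rule:", catch_all_rule(ACL_3002))
```

Two things the table of decisions makes visible that the display output does not: because the permit rules in ACL 3001 match TCP only, the allowed host at 1.2.3.4 is denied for ICMP and UDP (rule 20 deny ip catches them), and because both ACLs end in a catch-all deny, the interzone default permit outbound is never consulted, so changing that default would not change behaviour.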

Configuration Files

Configuration file of the Router

#
 sysname Router
#
 vlan batch 100
#
acl number 3001
 rule 5 permit tcp source 1.2.3.4 0 destination 10.10.10.5 0
 rule 10 permit tcp source 1.2.3.4 0 destination 10.10.10.6 0
 rule 15 permit tcp source 1.2.3.4 0 destination 10.10.10.7 0
 rule 20 deny ip
acl number 3002
 rule 5 permit ip source 10.10.10.5 0
 rule 10 permit ip source 10.10.10.6 0
 rule 15 permit ip source 10.10.10.7 0
 rule 20 deny ip
#
interface Vlanif100
 ip address 10.10.10.1 255.255.255.0
 zone company
#
firewall zone company
 priority 12
#
firewall zone external
 priority 5
#
firewall interzone company external
 firewall enable
 packet-filter 3001 inbound
 packet-filter 3002 outbound
#
interface Ethernet2/0/0
 port link-type access
 port default vlan 100
#
interface GigabitEthernet1/0/0
 ip address 10.39.10.8 255.255.255.0
 zone external
#
return
Updated: 2019-08-07

Document ID: EDOC1100034077