HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Verification

  • Verify the IPv4 services.

    1. After the configuration is complete, access the FTP service provided by the server on the Internet using PC1 on the private IPv4 network.

      C:\Documents and Settings\Administrator>ftp 1.1.3.1
      Connected to 1.1.3.1.
      220 FTP service ready.
      User (1.1.3.1:(none)): admin
      331 Password required for admin.
      Password:
      230 User logged in.
      ftp>
    2. Run the display firewall session table verbose command on the CPE to check the session information.

      [CPE] display firewall session table verbose
       Current Total Sessions : 2                                                     
        ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122                
        Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:59                     
        Interface: Tunnel1  NextHop: 1.1.3.1  MAC: 0000-0000-0000       
        <--packets:8 bytes:498   -->packets:12 bytes:541                              
        192.168.0.2:1035+->1.1.3.1:21  PolicyName: ---                   
                                                                                      
        ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159               
        Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:00                     
        Interface: GigabitEthernet1/0/0  NextHop: 192.168.0.2  MAC: 0018-826f-b3f4 
        <--packets:3 bytes:124   -->packets:5 bytes:370                               
        1.1.3.1:20-->192.168.0.2:1036  PolicyName: ---                       

      The output shows that the outbound interface is the Tunnel1 interface and the tunnel is successfully established.

  • Verify the IPv6 services.

    1. Ping the interface address of the CGN that connects to the IPv6 network from the CPE, that is, the address of the GigabitEthernet 1/0/2 interface.

      <CPE> ping ipv6 4000::1
        PING 4000::1 : 56  data bytes, press CTRL_C to break                  
          Reply from 4000::1                                                  
          bytes=56 Sequence=1 hop limit=64  time = 90 ms                      
          Reply from 4000::1                                                  
          bytes=56 Sequence=2 hop limit=64  time = 100 ms                     
          Reply from 4000::1                                                  
          bytes=56 Sequence=3 hop limit=64  time = 40 ms                      
          Reply from 4000::1                                                  
          bytes=56 Sequence=4 hop limit=64  time = 60 ms                      
          Reply from 4000::1                                                  
          bytes=56 Sequence=5 hop limit=64  time = 40 ms                      
                                                                              
        --- 4000::1 ping statistics ---                                       
          5 packet(s) transmitted                                             
          5 packet(s) received                                                
          0.00% packet loss                                                   
          round-trip min/avg/max = 40/66/100 ms

      If the CGN is pinged successfully, the IPv6 routes to the CPE and CGN are configured. On the CPE and CGN, you can run the display ospfv3 routing command to view the OSPFv3 routing tables.

      [CPE] display ospfv3 routing
      OSPFv3 Process (1)                                                              
         Destination                                            Metric                
           Next-hop                                                                   
           2000::/64                                            1                     
           directly connected, GigabitEthernet1/0/1                                   
           3000::/64                                            1                     
           directly connected, GigabitEthernet1/0/2                                   
        IA 4000::/64                                           2                 
            via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/2                        
        IA 5000::/64                                           3                     
            via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/2                        

      The OSPFv3 routing table shows that the CPE has learned the routes from the CGN to the IPv6 MAN and IPv6 Internet.

      [CGN] display ospfv3 routing
      OSPFv3 Process (1)                                                              
         Destination                                                 Metric           
           Next-hop                                                                   
        IA 2000::/64                                                     3        
             via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/2                         
        IA 3000::/64                                                     2        
             via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/2                         
           4000::/64                                                     1            
            directly connected, GigabitEthernet1/0/2                                  
           5000::/64                                                     1            
            directly connected, GigabitEthernet1/0/1                                  

      The OSPFv3 routing table shows that the CGN has learned the routes from the CPE to the IPv6 MAN and IPv6 users.

    2. On PC2, ping PC3.

      C:\> ping6 5000::2
      from 2000::2 with 32 bytes of data:
      Reply from 5000::2: time<1ms
      Reply from 5000::2: time<1ms
      Reply from 5000::2: time<1ms
      Reply from 5000::2: time<1ms
      Ping statistics for 5000::2:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 0ms, Maximum = 0ms, Average = 0ms

      If the ping to PC3 succeeds, the configurations of the IPv6 routes on the entire network are correct.

  • Enable an IPv6 user to access the IPv4 Internet.

    1. Ping the domain name www.example.com on PC2.

      Pinging 6000::ca01:301 with 32 bytes of data:
      
      Reply from 6000::ca01:301: time=23ms
      Reply from 6000::ca01:301: time=6ms
      Reply from 6000::ca01:301: time=12ms
      Reply from 6000::ca01:301: time=33ms
      
      Ping statistics for 6000::ca01:301:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 6ms, Maximum = 33ms, Average = 18ms

      The IPv4 address of the server can be successfully pinged on the PC.

    2. In any view of the CGN, run the display firewall ipv6 session table command to check the NAT64 session table.

      <CGN> display firewall ipv6 session table
       Slot: 6 CPU: 1                                                                 
      NAT64: icmp6 VPN: public --> public  2000::2.44152[1.1.2.14:10296] --> 6000::CA01:301.2048[1.1.3.1:2048]

      The NAT64 session table shows the translation mapping between IPv6 addresses and IPv4 addresses.
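
The two session-table checks above (the FTP session leaving through Tunnel1 on the CPE, and the NAT64 mapping on the CGN) can be automated by parsing the command output. The following Python script is an added example, not part of the original Huawei document; its function names are hypothetical and the parsing assumes the output layout shown on this page.

```python
import re

# Added example; helper names are hypothetical. Output below is copied from this page.
SESSION_TABLE = """\
 Current Total Sessions : 2
  ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122
  Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:59
  Interface: Tunnel1  NextHop: 1.1.3.1  MAC: 0000-0000-0000
  <--packets:8 bytes:498   -->packets:12 bytes:541
  192.168.0.2:1035+->1.1.3.1:21  PolicyName: ---

  ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159
  Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:00
  Interface: GigabitEthernet1/0/0  NextHop: 192.168.0.2  MAC: 0018-826f-b3f4
  <--packets:3 bytes:124   -->packets:5 bytes:370
  1.1.3.1:20-->192.168.0.2:1036  PolicyName: ---
"""
NAT64_LINE = ("NAT64: icmp6 VPN: public --> public  2000::2.44152[1.1.2.14:10296]"
              " --> 6000::CA01:301.2048[1.1.3.1:2048]")

def parse_sessions(text):
    """Split verbose session output into one dict per session entry."""
    sessions = []
    for block in re.split(r"\n\s*\n", text):
        head = re.search(r"^\s*(\S+)\s+VPN:", block, re.M)
        zone = re.search(r"Zone:\s*(\S+?)\s*-->\s*(\S+)", block)
        intf = re.search(r"Interface:\s*(\S+)\s+NextHop:\s*(\S+)", block)
        if head and zone and intf:
            sessions.append({"proto": head.group(1), "src_zone": zone.group(1),
                             "dst_zone": zone.group(2), "interface": intf.group(1),
                             "next_hop": intf.group(2)})
    return sessions

def tunnel_in_use(sessions, proto="ftp", tunnel="Tunnel1"):
    """True only if a trust-->untrust session of proto egresses via the tunnel."""
    return any(s["proto"] == proto and s["src_zone"] == "trust"
               and s["dst_zone"] == "untrust" and s["interface"] == tunnel
               for s in sessions)

def parse_nat64(line):
    """Return ((ipv6, n6), (ipv4, n4)) per endpoint of a NAT64 entry."""
    # n6/n4 are the numbers the device prints after each address.
    pairs = re.findall(r"([0-9A-Fa-f:]+)\.(\d+)\[(\d+(?:\.\d+){3}):(\d+)\]", line)
    return [((v6, int(n6)), (v4, int(n4))) for v6, n6, v4, n4 in pairs]

if __name__ == "__main__":
    print("FTP via Tunnel1:", tunnel_in_use(parse_sessions(SESSION_TABLE)))
    for v6, v4 in parse_nat64(NAT64_LINE):
        print(v6, "<->", v4)
```

A `False` result from `tunnel_in_use` means the FTP control session left through a physical interface instead of the tunnel, which is the condition the first check is meant to catch.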

Updated: 2019-01-26

Document ID: EDOC1100062972
