HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Verification

  • Verify the IPv4 services.

    1. After the configuration is complete, access the FTP Server on the Internet using PC1 on the private IPv4 network.

      C:\Documents and Settings\Administrator>ftp 1.1.3.1
      Connected to 1.1.3.1.
      220 FTP service ready.
      User (1.1.3.1:(none)): admin
      331 Password required for admin.
      Password:
      230 User logged in.
      ftp>
    2. Run the display firewall session table verbose command on the CPE to check the address translation.

      [CPE] display firewall session table verbose
       Current Total Sessions : 2                                                     
        ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122 
        Zone: untrust --> trust  TTL: 00:00:10 Left: 00:00:03
        Interface: GigabitEthernet1/0/2  NextHop: 10.1.1.2  MAC: 0018-8239-1e5c    
        <--packets:20 bytes:1168   -->packets:26 bytes:1150                           
        192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21  PolicyName:policy_sec_1  
                                                                                      
        ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159            
        Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:07                         
        Interface: GigabitEthernet1/0/0  NextHop: 192.168.0.2  MAC: 0018-826f-b3f4 
        <--packets:3 bytes:124   -->packets:5 bytes:370                               
        1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034]  PolicyName:policy_nat_1 

      From the entries 192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 and 1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034] you can see that the user's private IPv4 address 192.168.0.2 is translated to the carrier's private IPv4 address 10.1.1.1 (the translated address and port appear in square brackets). The two sessions show that both the FTP control channel (port 21) and the data channel (port 20) have been established.

    3. Run the display firewall session table verbose command on the CGN to check the address translation.

      [CGN] display firewall session table verbose
       Current total sessions: 2                                                      
       ftp VPN: public --> public  ID: a38f36333beb0f5654453374                  
       Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56            
       Interface: GigabitEthernet1/0/0 Nexthop: 1.1.1.2                             
       <--packets: 15 bytes: 676 -->packets: 17 bytes: 764                               
       10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21  PolicyName:policy_nat_1 
                                                                                      
       ftp-data VPN: public --> public  ID: a48f3636f5030144b54453ad0                  
       Zone: untrust --> trust Slot: 6 CPU: 2 TTL: 00:00:10 Left: 00:00:07            
       Interface: GigabitEthernet1/0/2 Nexthop: 10.1.2.2                              
       <--packets: 3 bytes: 124 -->packets: 5 bytes: 370                              
       1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362]  PolicyName:policy_nat_1 
      

      From the entries 10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 and 1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362] you can see that the carrier's private IPv4 address 10.1.1.1 is translated to the public IPv4 address 1.1.2.4, which is an address in the address pool. The two sessions show that both the FTP control channel and the data channel have been established.

    4. Run the display cpe-user information cpe-ipv4 10.1.1.1 command in any view of the CGN to check the details about the CPE user at 10.1.1.1.

      [CGN] display cpe-user information cpe-ipv4 10.1.1.1 slot 6 cpu 2
       This operation will take a few minutes. Press 'Ctrl+C' to break ...
       UserTbl item(s) on slot 6 cpu 2                                    
       --------------------------------------------------------------------
       Scene: NAT444  DstZone: untrust CPEIP: 10.1.1.1                 
       TTL: 40   LeftTime: 34 Increase Count: 0  VPN: public                
       PoolID: addressgroup1  SectionID: 1  PublicIP: 1.1.2.4  StartPort: 2048
       PortNumber: 256  PortTotal: 256  Used Port Number: 1         
      

      As shown in the preceding command output, the source addresses of service flows sent by the CPE at 10.1.1.1 are translated into 1.1.2.4. The port range is from 2048 to 2303, containing 256 ports.
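      A small parser for the two kinds of output interpreted above, added here as an example and not part of the Huawei document: it extracts the addr:port[translated] pairs from display firewall session table verbose on both devices, follows each CPE session into the CGN table to recover the full user-private -> carrier-private -> public chain, and checks the CGN's public ports against the port block reported by display cpe-user information. The sample text is constructed in the format of the outputs above; the control-channel entries copy them, while the data-channel ports and the CGN public ports are chosen so that the two tables agree and the ports fall inside the 2048 to 2303 block.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of "display firewall session table verbose" on the CPE.
CPE_OUTPUT = """\
 Current Total Sessions : 2
  ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122
  Zone: untrust --> trust  TTL: 00:00:10 Left: 00:00:03
  192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21  PolicyName:policy_sec_1

  ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159
  Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:07
  1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034]  PolicyName:policy_nat_1
"""

# Constructed sample for the CGN; public ports chosen inside the 2048-2303 block.
CGN_OUTPUT = """\
 Current total sessions: 2
 ftp VPN: public --> public  ID: a38f36333beb0f5654453374
 Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56
 10.1.1.1:2054[1.1.2.4:2100] +-> 1.1.3.1:21  PolicyName:policy_nat_1

 ftp-data VPN: public --> public  ID: a48f3636f5030144b54453ad0
 Zone: untrust --> trust Slot: 6 CPU: 2 TTL: 00:00:10 Left: 00:00:07
 1.1.3.1:20 --> 1.1.2.4:2300[10.1.1.1:15363]  PolicyName:policy_nat_1
"""

# Constructed sample in the format of "display cpe-user information cpe-ipv4".
CGN_USER_OUTPUT = """\
 Scene: NAT444  DstZone: untrust CPEIP: 10.1.1.1
 TTL: 40   LeftTime: 34 Increase Count: 0  VPN: public
 PoolID: addressgroup1  SectionID: 1  PublicIP: 1.1.2.4  StartPort: 2048
 PortNumber: 256  PortTotal: 256  Used Port Number: 1
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "src:port[translated]" (+-> or -->) "dst:port[translated]"; either bracket is optional.
FLOW_RE = re.compile(
    r"^\s*(?P<sa>" + IP + r"):(?P<sp>\d+)(?:\[(?P<sna>" + IP + r"):(?P<snp>\d+)\])?"
    r"\s*(?:\+->|-->)\s*"
    r"(?P<da>" + IP + r"):(?P<dp>\d+)(?:\[(?P<dna>" + IP + r"):(?P<dnp>\d+)\])?"
)
PROTO_RE = re.compile(r"^\s*(?P<proto>[\w-]+)\s+VPN:")  # first line of each session
USER_RE = re.compile(r"PublicIP:\s*(?P<ip>" + IP + r")\s+StartPort:\s*(?P<start>\d+)")
COUNT_RE = re.compile(r"PortNumber:\s*(?P<n>\d+)")

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class NatEntry:
    proto: str
    inside: Endpoint   # private address:port before translation
    outside: Endpoint  # translated address:port
    initiator: str     # "inside" if the private host opened the session


def parse_sessions(text: str) -> List[NatEntry]:
    """Extract one NatEntry per session that carries a translated endpoint."""
    entries: List[NatEntry] = []
    proto = "?"
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group("proto")
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue
        if m.group("sna"):
            # Outbound session: the bracket after the source is its translated address.
            entries.append(NatEntry(proto, (m.group("sa"), int(m.group("sp"))),
                                    (m.group("sna"), int(m.group("snp"))), "inside"))
        elif m.group("dna"):
            # Inbound session (active-mode FTP data): the public destination is
            # mapped back to the private host shown in the bracket.
            entries.append(NatEntry(proto, (m.group("dna"), int(m.group("dnp"))),
                                    (m.group("da"), int(m.group("dp"))), "outside"))
    return entries


def translation_chain(cpe: List[NatEntry], cgn: List[NatEntry]) -> Dict[str, List[Optional[Endpoint]]]:
    """Follow each CPE session's translated endpoint into the CGN table.
    Returns proto -> [user private, carrier private, public]; the last item is
    None when the CGN has no session whose inside endpoint matches."""
    by_inside = {e.inside: e for e in cgn}
    chains: Dict[str, List[Optional[Endpoint]]] = {}
    for e in cpe:
        nxt = by_inside.get(e.outside)
        chains[e.proto] = [e.inside, e.outside, nxt.outside if nxt else None]
    return chains


def parse_port_block(text: str) -> Tuple[str, int, int]:
    """Return (public IP, first port, last port) allocated to the CPE user."""
    ip, start, count = None, None, None
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            ip, start = m.group("ip"), int(m.group("start"))
        m = COUNT_RE.search(line)
        if m:
            count = int(m.group("n"))
    if ip is None or start is None or count is None:
        raise ValueError("PublicIP/StartPort/PortNumber not found")
    return ip, start, start + count - 1


def ports_outside_block(cgn: List[NatEntry], block: Tuple[str, int, int]) -> List[Endpoint]:
    """Public endpoints the CGN used that are not inside the user's allocated block."""
    ip, lo, hi = block
    return [e.outside for e in cgn if e.outside[0] != ip or not lo <= e.outside[1] <= hi]


if __name__ == "__main__":
    cpe, cgn = parse_sessions(CPE_OUTPUT), parse_sessions(CGN_OUTPUT)
    for proto, chain in translation_chain(cpe, cgn).items():
        print(proto, " -> ".join("%s:%d" % ep if ep else "MISSING" for ep in chain))
    block = parse_port_block(CGN_USER_OUTPUT)
    print("port block", block, "violations", ports_outside_block(cgn, block))
```

A public port outside the block (or a CPE session whose translated endpoint has no matching CGN session) is the first thing to look for when an end-to-end NAT444 check fails: it usually means the two tables were captured at different times or that the user's port allocation has changed.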

  • Verify the IPv6 services.

    1. After the 6RD tunnel is configured, ping the interface address of the 6RD tunnel of the CGN from the CPE.

      <CPE> ping ipv6 22:0:102:100::1
        PING 22:0:102:100::1 : 56  data bytes, press CTRL_C to break                  
          Reply from 22:0:102:100::1                                                  
          bytes=56 Sequence=1 hop limit=64  time = 90 ms                              
          Reply from 22:0:102:100::1                                                  
          bytes=56 Sequence=2 hop limit=64  time = 100 ms                             
          Reply from 22:0:102:100::1                                                  
          bytes=56 Sequence=3 hop limit=64  time = 40 ms                              
          Reply from 22:0:102:100::1                                                  
          bytes=56 Sequence=4 hop limit=64  time = 60 ms                              
          Reply from 22:0:102:100::1                                                  
          bytes=56 Sequence=5 hop limit=64  time = 40 ms                              
                                                                                      
        --- 22:0:102:100::1 ping statistics ---                                       
          5 packet(s) transmitted                                                     
          5 packet(s) received                                                        
          0.00% packet loss                                                           
          round-trip min/avg/max = 40/66/100 ms

      [CGN] display ipv6 interface tunnel 1
      Tunnel1 current state : UP
      IPv6 protocol current state : UP
      IPv6 is enabled, link-local address is FE80::101:101
        Global unicast address(es):
          22:0:102:100::1, subnet is 22:0:102:100::/64
        Joined group address(es):
          FF02::1:FF00:1
          FF02::1:FF01:101
          FF02::2
        MTU is 1500 bytes
        ND reachable time is 30000 milliseconds
        ND retransmit interval is 1000 milliseconds
        ND stale time is 1200 seconds 
    2. Ping the interface address of the CGN that connects to the IPv6 network from the CPE, that is, the address of the GigabitEthernet 1/0/1 interface.

      <CPE> ping ipv6 3000::1
        PING 3000::1 : 56  data bytes, press CTRL_C to break                  
          Reply from 3000::1                                                  
          bytes=56 Sequence=1 hop limit=64  time = 90 ms                      
          Reply from 3000::1                                                  
          bytes=56 Sequence=2 hop limit=64  time = 100 ms                     
          Reply from 3000::1                                                  
          bytes=56 Sequence=3 hop limit=64  time = 40 ms                      
          Reply from 3000::1                                                  
          bytes=56 Sequence=4 hop limit=64  time = 60 ms                      
          Reply from 3000::1                                                  
          bytes=56 Sequence=5 hop limit=64  time = 40 ms                      
                                                                              
        --- 3000::1 ping statistics ---                                       
          5 packet(s) transmitted                                             
          5 packet(s) received                                                
          0.00% packet loss                                                   
          round-trip min/avg/max = 40/66/100 ms

      If the ping is successful, the IPv6 route between the CPE and the CGN works properly.

    3. On PC2, ping PC3.

      C:\> ping6 3000::2
      from 22:0:101:100::1 with 32 bytes of data:
      Reply from 3000::2: time<1ms
      Reply from 3000::2: time<1ms
      Reply from 3000::2: time<1ms
      Reply from 3000::2: time<1ms
      Ping statistics for 3000::2:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 0ms, Maximum = 0ms, Average = 0ms

      If the ping is successful, the configurations of devices on the entire network are correct.

Updated: 2019-01-26

Document ID: EDOC1100062972