HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Procedure

Procedure

  • Configure the CPE.
    1. Enable the IPv6 packet forwarding function.

      <CPE> system-view 
      [CPE] ipv6

    2. Set addresses for interfaces and add the interfaces to security zones.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CPE] interface GigabitEthernet 1/0/0
      [CPE-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0
      [CPE-GigabitEthernet1/0/0] quit
      [CPE] firewall zone trust
      [CPE-zone-trust] add interface GigabitEthernet 1/0/0
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/1 interface.

      [CPE] interface GigabitEthernet 1/0/1
      [CPE-GigabitEthernet1/0/1] ipv6 enable
      [CPE-GigabitEthernet1/0/1] ipv6 address 2000::1 64
      [CPE-GigabitEthernet1/0/1] quit
      [CPE] firewall zone trust
      [CPE-zone-trust] add interface GigabitEthernet 1/0/1
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CPE] interface GigabitEthernet 1/0/2
      [CPE-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0
      [CPE-GigabitEthernet1/0/2] quit
      [CPE] firewall zone untrust
      [CPE-zone-untrust] add interface GigabitEthernet 1/0/2
      [CPE-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/3 interface.

      [CPE] interface GigabitEthernet 1/0/3
      [CPE-GigabitEthernet1/0/3] ipv6 enable
      [CPE-GigabitEthernet1/0/3] ipv6 address 3000::1 64
      [CPE-GigabitEthernet1/0/3] quit
      [CPE] firewall zone untrust
      [CPE-zone-untrust] add interface GigabitEthernet 1/0/3
      [CPE-zone-untrust] quit

    3. Configure a security policy.

      [CPE] security-policy
      [CPE-policy-security] rule name policy_sec_1
      [CPE-policy-security-rule-policy_sec_1] source-zone trust
      [CPE-policy-security-rule-policy_sec_1] destination-zone untrust
      [CPE-policy-security-rule-policy_sec_1] source-address 192.168.0.0 24
      [CPE-policy-security-rule-policy_sec_1] action permit
      [CPE-policy-security-rule-policy_sec_1] quit
      [CPE-policy-security] rule name policy_sec_2
      [CPE-policy-security-rule-policy_sec_2] source-zone trust
      [CPE-policy-security-rule-policy_sec_2] destination-zone untrust
      [CPE-policy-security-rule-policy_sec_2] source-address 2000::2 64
      [CPE-policy-security-rule-policy_sec_2] action permit
      [CPE-policy-security-rule-policy_sec_2] quit
      [CPE-policy-security] rule name policy_sec_3
      [CPE-policy-security-rule-policy_sec_3] source-zone untrust
      [CPE-policy-security-rule-policy_sec_3] destination-zone local
      [CPE-policy-security-rule-policy_sec_3] action permit
      [CPE-policy-security-rule-policy_sec_3] quit
      [CPE-policy-security] quit

    4. Configure a NAT policy.

      [CPE] nat-policy
      [CPE-policy-nat] rule name policy_nat_1
      [CPE-policy-nat-rule-policy_nat_1] source-zone trust
      [CPE-policy-nat-rule-policy_nat_1] destination-zone untrust
      [CPE-policy-nat-rule-policy_nat_1] source-address 192.168.0.0 24
      [CPE-policy-nat-rule-policy_nat_1] action source-nat easy-ip
      [CPE-policy-nat-rule-policy_nat_1] quit
      [CPE-policy-nat] quit

      # Configure the NAT ALG between the Trust zone and the Untrust zone so that the server can provide FTP services externally.

      [CPE] firewall interzone trust untrust
      [CPE-interzone-trust-untrust] detect ftp
      [CPE-interzone-trust-untrust] quit

    5. Configure the OSPFv3 protocol for routing the IPv6 services.

      [CPE] ospfv3
      [CPE-ospfv3-1] router-id 1.1.1.1
      [CPE-ospfv3-1] quit
      [CPE] interface GigabitEthernet1/0/3
      [CPE-GigabitEthernet1/0/3] ospfv3 1 area 0
      [CPE-GigabitEthernet1/0/3] quit
      [CPE] interface GigabitEthernet1/0/1
      [CPE-GigabitEthernet1/0/1] ospfv3 1 area 1
      [CPE-GigabitEthernet1/0/1] quit

    6. Configure the static IPv4 route.

      Configure the static IPv4 route to the CGN. Assume that the next hop address from the CPE to the IPv4 MAN is 10.1.1.2.

      [CPE] ip route-static 10.1.2.0 255.255.255.0 10.1.1.2

  • Configure the CGN.
    1. Enable the IPv6 packet forwarding function.

      <CGN> system-view
      [CGN] ipv6

    2. Configure the source-IP-address-based hash mode.

      [CGN] firewall hash-mode source-only

    3. Set addresses for interfaces and add the interfaces to security zones.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CGN] interface GigabitEthernet 1/0/0
      [CGN-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
      [CGN-GigabitEthernet1/0/0] quit
      [CGN] firewall zone untrust
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/0
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/1 interface.

      [CGN] interface GigabitEthernet 1/0/1
      [CGN-GigabitEthernet1/0/1] ipv6 enable
      [CGN-GigabitEthernet1/0/1] ipv6 address 5000::1 64
      [CGN-GigabitEthernet1/0/1] quit
      [CGN] firewall zone untrust
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/1
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CGN] interface GigabitEthernet 1/0/2
      [CGN-GigabitEthernet1/0/2] ip address 10.1.2.1 255.255.255.0
      [CGN-GigabitEthernet1/0/2] quit
      [CGN] firewall zone trust
      [CGN-zone-trust] add interface GigabitEthernet 1/0/2
      [CGN-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/3 interface.

      [CGN] interface GigabitEthernet 1/0/3
      [CGN-GigabitEthernet1/0/3] ipv6 enable
      [CGN-GigabitEthernet1/0/3] ipv6 address 4000::1 64
      [CGN-GigabitEthernet1/0/3] quit
      [CGN] firewall zone trust
      [CGN-zone-trust] add interface GigabitEthernet 1/0/3
      [CGN-zone-trust] quit

    4. Configure a security policy.

      [CGN] security-policy
      [CGN-policy-security] rule name policy1
      [CGN-policy-security-rule-policy1] source-zone trust untrust
      [CGN-policy-security-rule-policy1] destination-zone trust untrust
      [CGN-policy-security-rule-policy1] action permit
      [CGN-policy-security-rule-policy1] quit
      [CGN-policy-security] rule name policy2
      [CGN-policy-security-rule-policy2] source-zone untrust
      [CGN-policy-security-rule-policy2] destination-zone local
      [CGN-policy-security-rule-policy2] action permit
      [CGN-policy-security-rule-policy2] quit
      [CGN-policy-security] quit

    5. Configure the NAT function to translate the private IP addresses of the carrier to the public IPv4 addresses.

      # Configure the NAT address pool.

      [CGN] nat address-group addressgroup1
      [CGN-address-group-addressgroup1] mode pat
      [CGN-address-group-addressgroup1] route enable
      [CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5
      [CGN-address-group-addressgroup1] port-block-size 256
      [CGN-address-group-addressgroup1] quit

      # Configure a NAT policy.

      [CGN] nat-policy
      [CGN-policy-nat] rule name policy_nat_1
      [CGN-policy-nat-rule-policy_nat_1] source-zone trust
      [CGN-policy-nat-rule-policy_nat_1] destination-zone untrust
      [CGN-policy-nat-rule-policy_nat_1] source-address 10.1.1.0 24
      [CGN-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
      [CGN-policy-nat-rule-policy_nat_1] quit
      [CGN-policy-nat] quit

      # Configure the NAT ALG between the Trust zone and the Untrust zone so that the server can provide FTP services externally.

      NOTE:

      Enable the ASPF functions for the corresponding services. This section uses the FTP protocol as an example.

      [CGN] firewall interzone trust untrust
      [CGN-interzone-trust-untrust] detect ftp
      [CGN-interzone-trust-untrust] quit

    6. Configure the static IPv4 route.

      Configure the static IPv4 route to the CPE. Assume that the next hop address from the CGN to the IPv4 MAN is 10.1.2.2.

      [CGN] ip route-static 10.1.1.0 255.255.255.0 10.1.2.2

      Configure the static IPv4 route to the FTP server on the Internet. Assume that the next hop address of the CGN to the Internet is 1.1.1.2.

      [CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2

    7. Configure the OSPFv3 protocol for routing the IPv6 services.

      [CGN] ospfv3
      [CGN-ospfv3-1] router-id 2.2.2.2
      [CGN-ospfv3-1] quit
      [CGN] interface GigabitEthernet1/0/3
      [CGN-GigabitEthernet1/0/3] ospfv3 1 area 0
      [CGN-GigabitEthernet1/0/3] quit
      [CGN] interface GigabitEthernet1/0/1
      [CGN-GigabitEthernet1/0/1] ospfv3 1 area 2
      [CGN-GigabitEthernet1/0/1] quit

    8. Configure the NAT64 function.

      # Configure IPv4 NAT address pool 2 and set the address range to 1.1.2.11 to 1.1.2.15. Use the addresses in the NAT address pool as the IPv4 addresses after the NAT64 processing.

      [CGN] nat address-group addressgroup2
      [CGN-address-group-addressgroup2] mode pat
      [CGN-address-group-addressgroup2] route enable
      [CGN-address-group-addressgroup2] section 1 1.1.2.11 1.1.2.15
      [CGN-address-group-addressgroup2] quit

      # Set the NAT64 prefix to 6000::/96.

      [CGN] nat64 prefix 6000:: 96

      # Configure a NAT64 policy.

      [CGN] nat-policy
      [CGN-policy-nat] rule name policy_nat64
      [CGN-policy-nat-rule-policy_nat64] nat-type nat64
      [CGN-policy-nat-rule-policy_nat64] source-zone trust
      [CGN-policy-nat-rule-policy_nat64] destination-zone untrust
      [CGN-policy-nat-rule-policy_nat64] source-address 2000:: 64
      [CGN-policy-nat-rule-policy_nat64] action source-nat address-group addressgroup2
      [CGN-policy-nat-rule-policy_nat64] quit
      [CGN-policy-nat] quit

      # Configure the blackhole route to advertise the NAT64 prefix.

      [CGN] ipv6 route-static 6000:: 96 NULL 0

      # Introduce the blackhole route with the NAT64 prefix to the OSPFv3 protocol.

      [CGN] ospfv3
      [CGN-ospfv3-1] import-route static
      [CGN-ospfv3-1] quit

  • Configure the DNS64 device.

    Set the NAT64 prefix of the DNS64 device to 6000::/96, which is the same as that configured on the CGN.

    Configure routes between the DNS64 device and the PCs and the server so that they can reach each other.

    On the DNS64 device, set the IPv6 address that corresponds to domain name www.example.com to 6000::ca01:301.

  • Configure the server.

    In normal situations, the ISP is responsible for configuring the server. This topic describes only the key points of server configuration.

    • Set the IP address of the FTP server to 1.1.3.1/32.
    • Configure a route on the FTP server to the addresses in the CGN NAT address pool.
    • The server provides both FTP and HTTP services.

  • Configure PC1, PC2, and PC3.

    Specify a gateway for each PC. (The methods of configuring PC addresses and routes vary with the operating system of the PC and are not described here.)
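The NAT64 and DNS64 steps above both depend on the same rule for building an IPv6 address from the NAT64 prefix and an IPv4 address (RFC 6052). The following is an added example, not part of the Huawei document, written in Python with the standard ipaddress module; it goes beyond the page's /96 case to all RFC 6052 prefix lengths, and decoding an address such as 6000::ca01:301 recovers the IPv4 host it was built from, which is how to verify that a DNS64 record matches the real server address.

```python
import ipaddress

# RFC 6052 allows these prefix lengths for an IPv4-embedded IPv6 address.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(prefix: str, plen: int, ipv4: str) -> str:
    """Embed ipv4 into prefix/plen the way a NAT64 or DNS64 device does.

    The IPv4 octets are written immediately after the prefix, except that
    octet 8 (bits 64-71, the RFC 6052 'u' octet) is left zero and skipped.
    """
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{plen}")
    out = bytearray(16)
    out[: plen // 8] = ipaddress.IPv6Address(prefix).packed[: plen // 8]
    pos = plen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # never overwrite the reserved u octet
            pos += 1
        out[pos] = octet
        pos += 1
    return str(ipaddress.IPv6Address(bytes(out)))


def extract_ipv4(addr: str, plen: int) -> str:
    """Recover the IPv4 address embedded in a synthesized IPv6 address."""
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{plen}")
    packed = ipaddress.IPv6Address(addr).packed
    octets, pos = bytearray(), plen // 8
    while len(octets) < 4:
        if pos == 8:          # the u octet carries no IPv4 bits
            pos += 1
        octets.append(packed[pos])
        pos += 1
    return str(ipaddress.IPv4Address(bytes(octets)))


def in_nat64_prefix(addr: str, prefix: str, plen: int) -> bool:
    """True when addr lies inside prefix/plen, i.e. the CGN will translate it."""
    net = ipaddress.IPv6Network(f"{prefix}/{plen}", strict=False)
    return ipaddress.IPv6Address(addr) in net


if __name__ == "__main__":
    # The page's NAT64 prefix 6000::/96 and the FTP server address 1.1.3.1.
    print(synthesize("6000::", 96, "1.1.3.1"))
    # Decode the DNS64 answer quoted on the page to see which IPv4 host it names.
    print(extract_ipv4("6000::ca01:301", 96))
```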

Updated: 2019-01-26

Document ID: EDOC1100062972