
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Procedure

Procedure

  • Configure the CPE.
    1. Enable the IPv6 packet forwarding function.

      <CPE> system-view 
      [CPE] ipv6

    2. Set addresses for interfaces and add the interfaces to security zones.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CPE] interface GigabitEthernet 1/0/0
      [CPE-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0
      [CPE-GigabitEthernet1/0/0] quit
      [CPE] firewall zone trust
      [CPE-zone-trust] add interface GigabitEthernet 1/0/0
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/1 interface.

      [CPE] interface GigabitEthernet 1/0/1
      [CPE-GigabitEthernet1/0/1] ipv6 enable
      [CPE-GigabitEthernet1/0/1] ipv6 address 2000::1 64
      [CPE-GigabitEthernet1/0/1] quit
      [CPE] firewall zone trust
      [CPE-zone-trust] add interface GigabitEthernet 1/0/1
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CPE] interface GigabitEthernet 1/0/2
      [CPE-GigabitEthernet1/0/2] ipv6 enable
      [CPE-GigabitEthernet1/0/2] ipv6 address 3000::1 64
      [CPE-GigabitEthernet1/0/2] quit
      [CPE] firewall zone untrust
      [CPE-zone-untrust] add interface GigabitEthernet 1/0/2
      [CPE-zone-untrust] quit

    3. Configure an IPv4 over IPv6 tunnel.

      # Configure the interface Tunnel1 of the IPv4 over IPv6 tunnel.

      [CPE] interface Tunnel 1
      [CPE-Tunnel1] tunnel-protocol ipv4-ipv6
      [CPE-Tunnel1] source 3000::1
      [CPE-Tunnel1] destination 4000::1
      [CPE-Tunnel1] ip address 10.1.1.1 255.255.255.0
      [CPE-Tunnel1] quit
      

      # Add the Tunnel1 to the Untrust zone.

      [CPE] firewall zone untrust
      [CPE-zone-untrust] add interface tunnel 1
      [CPE-zone-untrust] quit

    4. Configure the security policy.

      [CPE] security-policy
      [CPE-policy-security] rule name policy1
      [CPE-policy-security-policy1] source-zone trust untrust
      [CPE-policy-security-policy1] destination-zone trust untrust
      [CPE-policy-security-policy1] action permit
      [CPE-policy-security-policy1] quit
      [CPE-policy-security] rule name policy2
      [CPE-policy-security-policy2] source-zone local untrust
      [CPE-policy-security-policy2] destination-zone local untrust
      [CPE-policy-security-policy2] action permit
      [CPE-policy-security-policy2] quit
      [CPE-policy-security] quit

    5. Configure OSPFv3 for routing the IPv6 services.

      [CPE] ospfv3
      [CPE-ospfv3-1] router-id 1.1.1.1
      [CPE-ospfv3-1] quit
      [CPE] interface GigabitEthernet1/0/2
      [CPE-GigabitEthernet1/0/2] ospfv3 1 area 0
      [CPE-GigabitEthernet1/0/2] quit
      [CPE] interface GigabitEthernet1/0/1
      [CPE-GigabitEthernet1/0/1] ospfv3 1 area 1
      [CPE-GigabitEthernet1/0/1] quit

    6. Configure the default IPv4 route for the tunnel.

      [CPE] ip route-static 0.0.0.0 0.0.0.0 tunnel 1

  • Configure the CGN.
    1. Enable the IPv6 packet forwarding function.

      <CGN> system-view 
      [CGN] ipv6

    2. Configure the hash mode to be oriented to source IP address.

      [CGN] firewall hash-mode source-only

    3. Set addresses for interfaces and add the interfaces to security zones.

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CGN] interface GigabitEthernet 1/0/0
      [CGN-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0
      [CGN-GigabitEthernet1/0/0] quit
      [CGN] firewall zone untrust
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/0
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/1 interface.

      [CGN] interface GigabitEthernet 1/0/1
      [CGN-GigabitEthernet1/0/1] ipv6 enable
      [CGN-GigabitEthernet1/0/1] ipv6 address 5000::1 64
      [CGN-GigabitEthernet1/0/1] quit
      [CGN] firewall zone untrust
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/1
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CGN] interface GigabitEthernet 1/0/2
      [CGN-GigabitEthernet1/0/2] ipv6 enable
      [CGN-GigabitEthernet1/0/2] ipv6 address 4000::1 64
      [CGN-GigabitEthernet1/0/2] quit
      [CGN] firewall zone trust
      [CGN-zone-trust] add interface GigabitEthernet 1/0/2
      [CGN-zone-trust] quit

    4. Configure a security policy.

      [CGN] security-policy
      [CGN-policy-security] rule name policy1
      [CGN-policy-security-policy1] source-zone trust untrust
      [CGN-policy-security-policy1] destination-zone trust untrust
      [CGN-policy-security-policy1] action permit
      [CGN-policy-security-policy1] quit
      [CGN-policy-security] rule name policy2
      [CGN-policy-security-policy2] source-zone local trust
      [CGN-policy-security-policy2] destination-zone local trust
      [CGN-policy-security-policy2] action permit
      [CGN-policy-security-policy2] quit
      [CGN-policy-security] quit

    5. Configure the DS-Lite function.

      # Configure the Tunnel1 interface for the DS-Lite tunnel.

      [CGN] interface Tunnel 1
      [CGN-Tunnel1] tunnel-protocol ipv4-ipv6 ds-lite
      [CGN-Tunnel1] source 4000::1
      [CGN-Tunnel1] ip address 10.1.1.2 255.255.255.0
      [CGN-Tunnel1] quit
      

      # Add the Tunnel1 to the Trust zone.

      [CGN] firewall zone trust
      [CGN-zone-trust] add interface tunnel 1
      [CGN-zone-trust] quit

      # Configure the NAT address pool.

      [CGN] nat address-group addressgroup1
      [CGN-address-group-addressgroup1] route enable
      [CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5
      [CGN-address-group-addressgroup1] quit

      # Configure the DS-Lite NAT policy.

      [CGN] nat-policy
      [CGN-policy-nat] rule name policy_nat_1
      [CGN-policy-nat-rule-policy_nat_1] nat-type ds-lite
      [CGN-policy-nat-rule-policy_nat_1] source-zone trust
      [CGN-policy-nat-rule-policy_nat_1] destination-zone untrust
      [CGN-policy-nat-rule-policy_nat_1] source-address 3000::1 64
      [CGN-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
      [CGN-policy-nat-rule-policy_nat_1] quit
      [CGN-policy-nat] quit

      # Configure the NAT ALG between the Trust zone and the Untrust zone so that the server can provide FTP services externally.

      [CGN] firewall interzone trust untrust
      [CGN-interzone-trust-untrust] detect ftp
      [CGN-interzone-trust-untrust] quit

    6. Configure the static IPv4 route.

      Configure the static IPv4 route to the FTP server on the Internet. Assume that the next hop address of the CGN to the Internet is 1.1.1.2.

      [CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2

    7. Configure OSPFv3 for routing the IPv6 services.

      [CGN] ospfv3
      [CGN-ospfv3-1] router-id 2.2.2.2
      [CGN-ospfv3-1] quit
      [CGN] interface GigabitEthernet1/0/2
      [CGN-GigabitEthernet1/0/2] ospfv3 1 area 0
      [CGN-GigabitEthernet1/0/2] quit
      [CGN] interface GigabitEthernet1/0/1
      [CGN-GigabitEthernet1/0/1] ospfv3 1 area 2
      [CGN-GigabitEthernet1/0/1] quit

    8. Configure the NAT64 function.

      # Configure IPv4 NAT address pool 2 and set the address range to 1.1.2.11 to 1.1.2.15. Use the addresses in the NAT address pool as the IPv4 addresses after the NAT64 processing.

      [CGN] nat address-group addressgroup2
      [CGN-address-group-addressgroup2] mode pat
      [CGN-address-group-addressgroup2] route enable
      [CGN-address-group-addressgroup2] section 1 1.1.2.11 1.1.2.15
      [CGN-address-group-addressgroup2] quit

      # Set the NAT64 prefix to 6000::/96.

      [CGN] nat64 prefix 6000:: 96

      # Configure the NAT64 policy.

      [CGN] nat-policy
      [CGN-policy-nat] rule name policy_nat64
      [CGN-policy-nat-rule-policy_nat64] nat-type nat64
      [CGN-policy-nat-rule-policy_nat64] source-zone trust
      [CGN-policy-nat-rule-policy_nat64] destination-zone untrust
      [CGN-policy-nat-rule-policy_nat64] source-address 2000:: 64
      [CGN-policy-nat-rule-policy_nat64] action source-nat address-group addressgroup2
      [CGN-policy-nat-rule-policy_nat64] quit
      [CGN-policy-nat] quit

      # Configure the blackhole route to advertise the NAT64 prefix.

      [CGN] ipv6 route-static 6000:: 96 NULL 0

      # Import the blackhole route for the NAT64 prefix into OSPFv3 so that the prefix is advertised.

      [CGN] ospfv3
      [CGN-ospfv3-1] import-route static
      [CGN-ospfv3-1] quit

  • Configure the DNS64 device.

    Set the NAT64 prefix of the DNS64 device to 6000::/96, which is the same as that configured on the CGN.

    Configure routes between the DNS64 device and the PC and server to ensure reachability.

    On the DNS64 device, set the IPv6 address that corresponds to domain name www.example.com to 6000::ca01:301.

  • Configure the server.

    In normal situations, the ISP is responsible for configuring the servers. This topic describes only the key points of server configuration.

    • Set the IP address of the FTP Server to 1.1.3.1/32.
    • The route to addresses in the address pool of the CGN must be configured for the FTP Server.
    • The server provides both FTP and HTTP services.

  • Configure PC1, PC2, and PC3.

    You must specify a gateway for each PC. The configuration methods for PC addresses and routes vary with the operating system of the PC and are not described here.
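
The security policies in this example (policy1 and policy2 on both the CPE and the CGN) permit all traffic in both directions between the listed zones, with no address or service restriction. That is acceptable for a lab walkthrough, but on a production CGN a permit rule that admits anything from the Untrust zone is exactly what a configuration review should catch. The following script is an added example, not part of the Huawei document: it parses the same command lines shown in the procedure (with the prompts stripped) and flags permit rules that have an Untrust source zone and no source-address, destination-address or service constraint. The sample configuration is constructed from the CPE's policy1 and policy2 plus a hypothetical tightened rule (policy_mgmt_hypothetical, its address and service values are invented for illustration).

```python
"""Audit Huawei-style security-policy rules for overly broad permits.

Added example (not from the Huawei document). It parses the command lines
used in the procedure above and reports permit rules that let any traffic
in from the Untrust zone without an address or service restriction.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the CPE's policy1/policy2 from the procedure, plus a
# hypothetical narrowly scoped rule whose values are made up for illustration.
SAMPLE_CONFIG = """\
security-policy
 rule name policy1
  source-zone trust untrust
  destination-zone trust untrust
  action permit
  quit
 rule name policy2
  source-zone local untrust
  destination-zone local untrust
  action permit
  quit
 rule name policy_mgmt_hypothetical
  source-zone trust
  destination-zone local
  source-address 192.168.0.0 24
  service ssh
  action permit
  quit
 quit
"""

# Keywords that narrow a rule below "everything between these zones".
CONSTRAINT_KEYS = ("source-address", "destination-address", "service")


@dataclass
class Rule:
    name: str
    source_zones: set[str] = field(default_factory=set)
    destination_zones: set[str] = field(default_factory=set)
    constraints: dict[str, list[str]] = field(default_factory=dict)
    action: str | None = None


def parse_security_policy(config: str) -> list[Rule]:
    """Build Rule objects from 'rule name ...' blocks; 'quit' closes a rule."""
    rules: list[Rule] = []
    current: Rule | None = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["rule", "name"] and len(tokens) == 3:
            current = Rule(name=tokens[2])
            rules.append(current)
            continue
        if current is None:
            continue  # lines outside any rule, e.g. 'security-policy' itself
        keyword, values = tokens[0], tokens[1:]
        if keyword == "source-zone":
            current.source_zones.update(values)
        elif keyword == "destination-zone":
            current.destination_zones.update(values)
        elif keyword in CONSTRAINT_KEYS:
            current.constraints.setdefault(keyword, []).append(" ".join(values))
        elif keyword == "action" and values:
            current.action = values[0]
        elif keyword == "quit":
            current = None
    return rules


def audit_broad_permits(rules: list[Rule]) -> list[dict]:
    """Return one finding per permit rule that is reachable from Untrust
    and carries no address or service constraint."""
    findings = []
    for rule in rules:
        if rule.action != "permit" or rule.constraints:
            continue
        if "untrust" in rule.source_zones:
            findings.append({
                "rule": rule.name,
                "from": sorted(rule.source_zones),
                "to": sorted(rule.destination_zones),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_broad_permits(parse_security_policy(SAMPLE_CONFIG)):
        print(f"{finding['rule']}: unrestricted permit "
              f"{finding['from']} -> {finding['to']}")
```

Run against the sample, the script reports policy1 and policy2 and stays silent on the hypothetical rule, because that rule limits the source address and the service. The same check can be run over a saved `display current-configuration` extract once the prompts are removed; the parser only looks at the keywords shown in the procedure.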
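
The DNS64 step relies on the NAT64 prefix 6000::/96 being used identically on the DNS64 device and on the CGN: the AAAA record the DNS64 device synthesizes must decode, under that prefix, to the IPv4 address the CGN will actually translate to. The helper below is an added example, not part of the Huawei document; it implements the RFC 6052 IPv4-embedded IPv6 address layout for the page's /96 prefix and, going beyond the page, for the other standard prefix lengths (/32 to /64). Applied to the page's own values it shows the check a practitioner would want: 6000::ca01:301 decodes to 202.1.3.1, whereas the FTP server in this example is 1.1.3.1, whose synthesized address under 6000::/96 is 6000::101:301. Verify that the DNS64 record and the server address agree before testing the NAT64 path.

```python
"""RFC 6052 IPv4-embedded IPv6 address synthesis and extraction.

Added example (not from the Huawei document). Uses only the standard
library; the prefix 6000::/96 and the addresses in the usage section
come from the configuration example above.
"""
import ipaddress

# Prefix lengths permitted by RFC 6052 section 2.2.
_VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def nat64_embed(prefix: str, ipv4: str) -> str:
    """Return the IPv6 address that embeds `ipv4` under the NAT64 `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    if plen not in _VALID_PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {_VALID_PREFIX_LENGTHS}")
    base = int(net.network_address)
    v4 = int(ipaddress.IPv4Address(ipv4))
    if plen == 96:
        # /96: the IPv4 address occupies the last 32 bits.
        return str(ipaddress.IPv6Address(base | v4))
    # Shorter prefixes: the IPv4 bits are split around bits 64-71 (the "u"
    # octet, always zero). 64-plen bits follow the prefix directly; the
    # remaining bits start at bit 72.
    high_bits = 64 - plen
    low_bits = 32 - high_bits
    high = v4 >> low_bits
    low = v4 & ((1 << low_bits) - 1)
    value = base | (high << 64) | (low << (24 + high_bits))
    return str(ipaddress.IPv6Address(value))


def nat64_extract(ipv6: str, prefix: str) -> str:
    """Return the IPv4 address embedded in `ipv6`; raise if it is not under `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not within NAT64 prefix {prefix}")
    plen = net.prefixlen
    if plen not in _VALID_PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length must be one of {_VALID_PREFIX_LENGTHS}")
    value = int(addr)
    if plen == 96:
        v4 = value & 0xFFFFFFFF
    else:
        if (value >> 56) & 0xFF:
            raise ValueError("bits 64-71 (the u octet) must be zero")
        high_bits = 64 - plen
        low_bits = 32 - high_bits
        high = (value >> 64) & ((1 << high_bits) - 1)
        low = (value >> (24 + high_bits)) & ((1 << low_bits) - 1)
        v4 = (high << low_bits) | low
    return str(ipaddress.IPv4Address(v4))


def dns64_record_matches(aaaa: str, prefix: str, a_record: str) -> bool:
    """True if a synthesized AAAA record decodes to the server's IPv4 address."""
    try:
        return nat64_extract(aaaa, prefix) == str(ipaddress.IPv4Address(a_record))
    except ValueError:
        return False


if __name__ == "__main__":
    print(nat64_embed("6000::/96", "1.1.3.1"))           # 6000::101:301
    print(nat64_extract("6000::ca01:301", "6000::/96"))  # 202.1.3.1
    print(dns64_record_matches("6000::ca01:301", "6000::/96", "1.1.3.1"))  # False
```

`nat64_extract` refuses addresses outside the configured prefix and, for prefixes shorter than /96, addresses with a non-zero u octet, so it can also be used to sanity-check what a DNS64 resolver hands back before blaming the CGN for a failed session.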

Updated: 2019-01-26

Document ID: EDOC1100062972