
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuring the NAT Server and Smart DNS

Context

NOTE:

Smart DNS requires a content security group license. It also requires dynamic loading of the corresponding component.

For the USG9500, smart DNS requires that the SPC-APPSEC-FW is in position. Otherwise, the function is unavailable.

Procedure

  1. Configure the NAT server.
    1. Configure the NAT server function, mapping the private address of the web server to one public address per ISP link so that users of ISP 1 and ISP 2 can access it.

      HRP_M[FW_A] nat server policy_web1 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
      HRP_M[FW_A] nat server policy_web2 zone isp1_2 protocol tcp global 1.1.2.15 8080 inside 10.0.10.10 www
      HRP_M[FW_A] nat server policy_web3 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
      HRP_M[FW_A] nat server policy_web4 zone isp2_2 protocol tcp global 2.2.3.15 8080 inside 10.0.10.10 www
      

    2. Configure the NAT server function, mapping the private address of the FTP server to one public address per ISP link so that users of ISP 1 and ISP 2 can access it.

      HRP_M[FW_A] nat server policy_ftp1 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
      HRP_M[FW_A] nat server policy_ftp2 zone isp1_2 protocol tcp global 1.1.2.16 ftp inside 10.0.10.11 ftp
      HRP_M[FW_A] nat server policy_ftp3 zone isp2_1 protocol tcp global 2.2.2.16 ftp inside 10.0.10.11 ftp
      HRP_M[FW_A] nat server policy_ftp4 zone isp2_2 protocol tcp global 2.2.3.16 ftp inside 10.0.10.11 ftp
      

    3. Configure the NAT server function, mapping the private address of the DNS server to one public address per ISP link so that users of ISP 1 and ISP 2 can access it.

      HRP_M[FW_A] nat server policy_dns1 zone isp1_1 protocol tcp global 1.1.1.17 domain inside 10.0.10.20 domain
      HRP_M[FW_A] nat server policy_dns2 zone isp1_2 protocol tcp global 1.1.2.17 domain inside 10.0.10.20 domain
      HRP_M[FW_A] nat server policy_dns3 zone isp2_1 protocol tcp global 2.2.2.17 domain inside 10.0.10.20 domain
      HRP_M[FW_A] nat server policy_dns4 zone isp2_2 protocol tcp global 2.2.3.17 domain inside 10.0.10.20 domain
      

  2. Configure sticky load balancing.

    NOTE:

    Sticky load balancing requires that IP addresses and gateway addresses are configured on the interfaces. These were already configured in Configuring Interfaces and Security Zones and Configuring Intelligent Uplink Selection and Routes.

    Interface configuration is not synchronized by HRP backup. Therefore, sticky load balancing must be configured on both FW_A and FW_B.

    HRP_M[FW_A] interface Eth-Trunk 1.1
    HRP_M[FW_A-Eth-Trunk1.1] redirect-reverse next-hop 1.1.1.6
    HRP_M[FW_A-Eth-Trunk1.1] quit
    HRP_M[FW_A] interface Eth-Trunk 2.1
    HRP_M[FW_A-Eth-Trunk2.1] redirect-reverse next-hop 2.2.2.6
    HRP_M[FW_A-Eth-Trunk2.1] quit
    HRP_M[FW_A] interface Eth-Trunk 1.2
    HRP_M[FW_A-Eth-Trunk1.2] redirect-reverse next-hop 1.1.2.6
    HRP_M[FW_A-Eth-Trunk1.2] quit
    HRP_M[FW_A] interface Eth-Trunk 2.2
    HRP_M[FW_A-Eth-Trunk2.2] redirect-reverse next-hop 2.2.3.6
    HRP_M[FW_A-Eth-Trunk2.2] quit
    HRP_S[FW_B] interface Eth-Trunk 1.1
    HRP_S[FW_B-Eth-Trunk1.1] redirect-reverse next-hop 1.1.1.6
    HRP_S[FW_B-Eth-Trunk1.1] quit
    HRP_S[FW_B] interface Eth-Trunk 2.1
    HRP_S[FW_B-Eth-Trunk2.1] redirect-reverse next-hop 2.2.2.6
    HRP_S[FW_B-Eth-Trunk2.1] quit
    HRP_S[FW_B] interface Eth-Trunk 1.2
    HRP_S[FW_B-Eth-Trunk1.2] redirect-reverse next-hop 1.1.2.6
    HRP_S[FW_B-Eth-Trunk1.2] quit
    HRP_S[FW_B] interface Eth-Trunk 2.2
    HRP_S[FW_B-Eth-Trunk2.2] redirect-reverse next-hop 2.2.3.6
    HRP_S[FW_B-Eth-Trunk2.2] quit
    

  3. Configure smart DNS.

    DNS servers are deployed on the intranet and hold the records that map the web and FTP server names to public IP addresses. When a user of an ISP requests access to an intranet server, smart DNS ensures that the user obtains the public address that this ISP allocated to the server, which keeps the traffic on that ISP's link and speeds up access. For example, when a user of ISP 1 requests access to the web server 10.0.10.10, the ISP 1 address 1.1.1.15 of the server is returned; when a user of ISP 2 requests access to the same web server, the ISP 2 address 2.2.2.15 is returned.

    HRP_M[FW_A] dns-smart enable
    HRP_M[FW_A] dns-smart group 1 type multi
    HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 1.1 map 1.1.1.15
    HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 2.1 map 2.2.2.15
    HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 1.2 map 1.1.2.15
    HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 2.2 map 2.2.3.15
    HRP_M[FW_A-dns-smart-group-1] quit
    HRP_M[FW_A] dns-smart group 2 type multi
    HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 1.1 map 1.1.1.16
    HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 2.1 map 2.2.2.16
    HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 1.2 map 1.1.2.16
    HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 2.2 map 2.2.3.16
    HRP_M[FW_A-dns-smart-group-2] quit
    

  4. Configure black-hole routes to the public addresses of the NAT servers to prevent routing loops between the firewall and the ISP routers.

    Route configuration is not synchronized by HRP backup. Therefore, the black-hole routes must be configured on both FW_A and FW_B.

    HRP_M[FW_A] ip route-static 1.1.1.15 32 NULL 0
    HRP_M[FW_A] ip route-static 1.1.1.16 32 NULL 0
    HRP_M[FW_A] ip route-static 1.1.1.17 32 NULL 0
    HRP_M[FW_A] ip route-static 2.2.2.15 32 NULL 0
    HRP_M[FW_A] ip route-static 2.2.2.16 32 NULL 0
    HRP_M[FW_A] ip route-static 2.2.2.17 32 NULL 0
    HRP_M[FW_A] ip route-static 1.1.2.15 32 NULL 0
    HRP_M[FW_A] ip route-static 1.1.2.16 32 NULL 0
    HRP_M[FW_A] ip route-static 1.1.2.17 32 NULL 0
    HRP_M[FW_A] ip route-static 2.2.3.15 32 NULL 0
    HRP_M[FW_A] ip route-static 2.2.3.16 32 NULL 0
    HRP_M[FW_A] ip route-static 2.2.3.17 32 NULL 0
    HRP_S[FW_B] ip route-static 1.1.1.15 32 NULL 0
    HRP_S[FW_B] ip route-static 1.1.1.16 32 NULL 0
    HRP_S[FW_B] ip route-static 1.1.1.17 32 NULL 0
    HRP_S[FW_B] ip route-static 2.2.2.15 32 NULL 0
    HRP_S[FW_B] ip route-static 2.2.2.16 32 NULL 0
    HRP_S[FW_B] ip route-static 2.2.2.17 32 NULL 0
    HRP_S[FW_B] ip route-static 1.1.2.15 32 NULL 0
    HRP_S[FW_B] ip route-static 1.1.2.16 32 NULL 0
    HRP_S[FW_B] ip route-static 1.1.2.17 32 NULL 0
    HRP_S[FW_B] ip route-static 2.2.3.15 32 NULL 0
    HRP_S[FW_B] ip route-static 2.2.3.16 32 NULL 0
    HRP_S[FW_B] ip route-static 2.2.3.17 32 NULL 0
    
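    As an added illustration that is not part of Huawei's documentation or of the firewall software, the Python script below parses the NAT server, smart DNS and black-hole configuration from steps 1, 3 and 4 in the CLI format shown on this page and cross-checks them: every address that smart DNS hands out must have a NAT server entry, every NAT server public address must carry a /32 black-hole route, and the same tables answer which public address a given ISP's user receives. The parser, the checks and the sample configuration (constructed, with two entries deliberately left out) are assumptions of this example.

```python
import re
PROMPT = re.compile(r"^HRP_[MS]\[[^\]]*\]\s*")  # strip HRP_M[FW_A...] CLI prompts so pasted output parses
NAT = re.compile(r"nat server \S+ zone \S+ protocol \S+ global (\S+) \S+ inside (\S+) \S+")
GROUP = re.compile(r"dns-smart group (\d+)")
MAP = re.compile(r"out-interface (\S+ \S+) map (\S+)")
ROUTE = re.compile(r"ip route-static (\S+) 32 NULL 0")
# Constructed sample in the page's CLI format; policy_ftp3 and the black-hole route for 1.1.1.16 are deliberately omitted.
CONFIG = """
HRP_M[FW_A] nat server policy_web1 zone isp1_1 protocol tcp global 1.1.1.15 8080 inside 10.0.10.10 www
HRP_M[FW_A] nat server policy_web3 zone isp2_1 protocol tcp global 2.2.2.15 8080 inside 10.0.10.10 www
HRP_M[FW_A] nat server policy_ftp1 zone isp1_1 protocol tcp global 1.1.1.16 ftp inside 10.0.10.11 ftp
HRP_M[FW_A] dns-smart group 1 type multi
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 1.1 map 1.1.1.15
HRP_M[FW_A-dns-smart-group-1] out-interface Eth-Trunk 2.1 map 2.2.2.15
HRP_M[FW_A] dns-smart group 2 type multi
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 1.1 map 1.1.1.16
HRP_M[FW_A-dns-smart-group-2] out-interface Eth-Trunk 2.1 map 2.2.2.16
HRP_M[FW_A] ip route-static 1.1.1.15 32 NULL 0
HRP_M[FW_A] ip route-static 2.2.2.15 32 NULL 0
"""
def parse_config(text):
    """Return (public->inside NAT map, group->{out-interface: public}, set of black-holed addresses)."""
    nat, groups, blackholes, group = {}, {}, set(), None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := NAT.match(line):
            nat[m.group(1)] = m.group(2)
        elif m := GROUP.match(line):
            group = groups.setdefault(m.group(1), {})
        elif (m := MAP.match(line)) and group is not None:
            group[m.group(1)] = m.group(2)
        elif m := ROUTE.match(line):
            blackholes.add(m.group(1))
    return nat, groups, blackholes
def check_config(nat, groups, blackholes):
    """Cross-check the three pieces of configuration; each finding breaks either access or routing."""
    # A mapped address with no NAT server entry: smart DNS hands out an address the firewall never translates.
    missing_nat = [f"group {g}: {ip} on {iface} has no NAT server entry"
                   for g, m in groups.items() for iface, ip in m.items() if ip not in nat]
    # A NAT public address without a /32 black-hole route can loop between the firewall and the ISP router.
    missing_bh = [f"NAT server {ip} has no /32 black-hole route" for ip in sorted(nat) if ip not in blackholes]
    return missing_nat + missing_bh

def smart_dns_answer(nat, groups, inside_ip, out_interface):
    """Public address smart DNS substitutes for inside_ip when the DNS reply leaves via out_interface."""
    for mapping in groups.values():
        public = mapping.get(out_interface)
        if public is not None and nat.get(public) == inside_ip:
            return public
    return None
```

    Run it against the output of the firewall's display commands after completing all four steps; an empty list from check_config means every smart DNS mapping, NAT server entry and black-hole route line up.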

Updated: 2019-01-26

Document ID: EDOC1100062972