
HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Procedure

Procedure

  1. Configure IP addresses for interfaces.

    # Configure IP addresses for the interfaces of FW_A.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet 1/0/1
    [FW_A-GigabitEthernet1/0/1] ip address 1.1.1.2 24
    [FW_A-GigabitEthernet1/0/1] gateway 1.1.1.254
    [FW_A-GigabitEthernet1/0/1] quit
    [FW_A] interface GigabitEthernet 1/0/2
    [FW_A-GigabitEthernet1/0/2] ip address 2.2.2.2 24
    [FW_A-GigabitEthernet1/0/2] gateway 2.2.2.254
    [FW_A-GigabitEthernet1/0/2] quit
    [FW_A] interface GigabitEthernet 1/0/3
    [FW_A-GigabitEthernet1/0/3] ip address 10.10.0.1 24
    [FW_A-GigabitEthernet1/0/3] quit
    [FW_A] interface GigabitEthernet 1/0/4
    [FW_A-GigabitEthernet1/0/4] ip address 10.1.1.1 16
    [FW_A-GigabitEthernet1/0/4] quit
    [FW_A] interface GigabitEthernet 1/0/5
    [FW_A-GigabitEthernet1/0/5] portswitch
    [FW_A-GigabitEthernet1/0/5] quit

    # Similarly, configure IP addresses of the interfaces of FW_B.

  2. Assign the interfaces to security zones.

    Create the security zones ISP1, ISP2, and Heart on FW_A, setting their priorities to 15, 20, and 75 respectively.

    [FW_A] firewall zone name ISP1
    [FW_A-zone-ISP1] set priority 15
    [FW_A-zone-ISP1] quit
    [FW_A] firewall zone name ISP2
    [FW_A-zone-ISP2] set priority 20
    [FW_A-zone-ISP2] quit
    [FW_A] firewall zone name Heart
    [FW_A-zone-Heart] set priority 75
    [FW_A-zone-Heart] quit

    # Assign the interfaces of FW_A to the security zones.

    [FW_A] firewall zone ISP1
    [FW_A-zone-ISP1] add interface GigabitEthernet 1/0/1
    [FW_A-zone-ISP1] quit
    [FW_A] firewall zone ISP2
    [FW_A-zone-ISP2] add interface GigabitEthernet 1/0/2
    [FW_A-zone-ISP2] quit
    [FW_A] firewall zone Heart
    [FW_A-zone-Heart] add interface GigabitEthernet 1/0/3
    [FW_A-zone-Heart] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 1/0/4
    [FW_A-zone-trust] quit

    # Similarly, assign the interfaces of FW_B to the security zones.

  3. Configure default routes.

# Configure IP-links to check whether the links provided by the two ISPs are reachable. The default routes below are tracked by these IP-links, so a route is withdrawn as soon as its ISP link fails.

    [FW_A] ip-link check enable
    [FW_A] ip-link name ip_link_1
    [FW_A-iplink-ip_link_1] destination 1.1.1.254 interface GigabitEthernet1/0/1
    [FW_A-iplink-ip_link_1] quit
    [FW_A] ip-link name ip_link_2
    [FW_A-iplink-ip_link_2] destination 2.2.2.254 interface GigabitEthernet1/0/2
    [FW_A-iplink-ip_link_2] quit

    # Configure two default routes on FW_A, setting their next hops respectively to the access points of the two ISPs.

    [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 track ip-link ip_link_1
    [FW_A] ip route-static 0.0.0.0 0.0.0.0 2.2.2.254 track ip-link ip_link_2

# Similarly, configure the IP-links and default routes on FW_B.

  4. Configure intelligent uplink selection.

# Configure global intelligent uplink selection so that outbound traffic is distributed over the two ISP links according to link quality.

    [FW_A] multi-interface
    [FW_A-multi-inter] mode priority-of-link-quality
    [FW_A-multi-inter] add interface GigabitEthernet1/0/1
    [FW_A-multi-inter] add interface GigabitEthernet1/0/2
    [FW_A-multi-inter] priority-of-link-quality protocol tcp-simple
    [FW_A-multi-inter] priority-of-link-quality parameter delay jitter loss
    [FW_A-multi-inter] priority-of-link-quality interval 3 times 5
    [FW_A-multi-inter] priority-of-link-quality table aging-time 60
    [FW_A-multi-inter] quit

    # Similarly, configure intelligent uplink selection on FW_B.

  5. Configure PBR.

    [FW_A] policy-based-route
    [FW_A-policy-pbr] rule name pbr_1
    [FW_A-policy-pbr-rule-pbr_1] description pbr_1
    [FW_A-policy-pbr-rule-pbr_1] source-zone trust
    [FW_A-policy-pbr-rule-pbr_1] application category Business_Systems
    [FW_A-policy-pbr-rule-pbr_1] track ip-link ip_link_1
    [FW_A-policy-pbr-rule-pbr_1] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.254
    [FW_A-policy-pbr-rule-pbr_1] quit
    [FW_A-policy-pbr] rule name pbr_2
    [FW_A-policy-pbr-rule-pbr_2] description pbr_2
    [FW_A-policy-pbr-rule-pbr_2] source-zone trust
    [FW_A-policy-pbr-rule-pbr_2] application category Entertainment sub-category VoIP
    [FW_A-policy-pbr-rule-pbr_2] application category Entertainment sub-category PeerCasting
    [FW_A-policy-pbr-rule-pbr_2] track ip-link ip_link_2
    [FW_A-policy-pbr-rule-pbr_2] action pbr egress-interface GigabitEthernet 1/0/2 next-hop 2.2.2.254
    [FW_A-policy-pbr-rule-pbr_2] quit
    

    # Similarly, configure PBR on FW_B.

  6. Configure OSPF.

    # Configure OSPF on FW_A.

    [FW_A] router id 1.1.1.2
    [FW_A] ospf 100
    [FW_A-ospf-100] default-route-advertise
    [FW_A-ospf-100] area 0
    [FW_A-ospf-100-area-0.0.0.0] network 1.1.1.0 0.0.0.255
    [FW_A-ospf-100-area-0.0.0.0] network 10.1.0.0 0.0.255.255
    [FW_A-ospf-100-area-0.0.0.0] quit
    [FW_A-ospf-100] quit

    # Configure OSPF on FW_B.

    [FW_B] router id 2.2.2.3
    [FW_B] ospf 100
    [FW_B-ospf-100] default-route-advertise
    [FW_B-ospf-100] area 0
    [FW_B-ospf-100-area-0.0.0.0] network 2.2.2.0 0.0.0.255
    [FW_B-ospf-100-area-0.0.0.0] network 10.2.0.0 0.0.255.255
    [FW_B-ospf-100-area-0.0.0.0] quit
    [FW_B-ospf-100] quit

  7. Configure hot standby.

    # Configure VRRP groups on FW_A, setting their states to Active.

    [FW_A] interface GigabitEthernet 1/0/1
    [FW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active
    [FW_A-GigabitEthernet1/0/1] quit
    [FW_A] interface GigabitEthernet 1/0/2
    [FW_A-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 2.2.2.1 24 active
    [FW_A-GigabitEthernet1/0/2] quit

    # Specify the Heartbeat interface on FW_A and enable hot standby.

    [FW_A] hrp interface GigabitEthernet 1/0/3 remote 10.10.0.2
    [FW_A] hrp enable

    # Configure VRRP groups on FW_B, setting their states to Standby.

    [FW_B] interface GigabitEthernet 1/0/1
    [FW_B-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby
    [FW_B-GigabitEthernet1/0/1] quit
    [FW_B] interface GigabitEthernet 1/0/2
    [FW_B-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 2.2.2.1 24 standby
    [FW_B-GigabitEthernet1/0/2] quit

    # Specify the Heartbeat interface on FW_B and enable hot standby.

    [FW_B] hrp interface GigabitEthernet 1/0/3 remote 10.10.0.1
    [FW_B] hrp enable

  8. Configure users, user groups, and their authentication.

    # Create groups and users for senior management.

    HRP_M[FW_A] user-manage group /default/management
    HRP_M[FW_A-usergroup-/default/management] quit
    HRP_M[FW_A] user-manage user user_0001
    HRP_M[FW_A-localuser-user_0001] alias Tom
    HRP_M[FW_A-localuser-user_0001] parent-group /default/management
    HRP_M[FW_A-localuser-user_0001] password Admin@123
    HRP_M[FW_A-localuser-user_0001] quit

    # Similarly, create the groups marketing, research, and onbusiness, and create all users of every department/group according to the corporate organizational structure.

    # Configure the AD server.

    The parameters set here must be consistent with those set on the AD server.

    HRP_M[FW_A] ad-server template auth_server_ad
    HRP_M[FW_A-ad-auth_server_ad] ad-server authentication 10.3.0.251 88
    HRP_M[FW_A-ad-auth_server_ad] ad-server authentication base-dn dc=cce,dc=com
    HRP_M[FW_A-ad-auth_server_ad] ad-server authentication manager cn=administrator,cn=users Admin@123
    HRP_M[FW_A-ad-auth_server_ad] ad-server authentication host-name ad.cce.com
    HRP_M[FW_A-ad-auth_server_ad] ad-server authentication ldap-port 389
    HRP_M[FW_A-ad-auth_server_ad] ad-server user-filter sAMAccountName
    HRP_M[FW_A-ad-auth_server_ad] ad-server group-filter ou
    HRP_M[FW_A-ad-auth_server_ad] quit

    # Configure the authentication domain.

    HRP_M[FW_A] aaa
    HRP_M[FW_A-aaa] domain cce.com
    HRP_M[FW_A-aaa-domain-cce.com] service-type internetaccess
    HRP_M[FW_A-aaa-domain-cce.com] quit
    HRP_M[FW_A] quit

    # Configure the import-from-server policy, and import users.

HRP_M[FW_A] user-manage import-policy policy_import from ad
    HRP_M[FW_A-import-policy_import] server template auth_server_ad
    HRP_M[FW_A-import-policy_import] server basedn dc=cce,dc=com
    HRP_M[FW_A-import-policy_import] destination-group /cce.com
    HRP_M[FW_A-import-policy_import] user-attribute sAMAccountName
    HRP_M[FW_A-import-policy_import] import-type user-group
    HRP_M[FW_A-import-policy_import] import-override enable
    HRP_M[FW_A-import-policy_import] quit
    HRP_M[FW_A] execute user-manage import-policy policy_import

    # Configure the new user option of the authentication domain.

    HRP_M[FW_A] aaa
    HRP_M[FW_A-aaa] domain cce.com
    HRP_M[FW_A-aaa-domain-cce.com] new-user add-temporary group /cce.com auto-import policy_import
    HRP_M[FW_A-aaa-domain-cce.com] quit
    HRP_M[FW_A-aaa] quit

    # Configure single-sign-on parameters of the AD server.

HRP_M[FW_A] user-manage single-sign-on ad
    HRP_M[FW_A-sso-ad] mode no-plug-in
    HRP_M[FW_A-sso-ad] no-plug-in traffic server-ip 10.3.0.251 port 88
    HRP_M[FW_A-sso-ad] no-plug-in interface GigabitEthernet1/0/5
    HRP_M[FW_A-sso-ad] enable
    HRP_M[FW_A-sso-ad] quit

    # Set the online user aging time to 480 minutes.

    HRP_M[FW_A] user-manage online-user aging-time 480

  9. Configure security policies. After hot standby is enabled, the security policies of FW_A are automatically replicated to FW_B.

    # Configure URL filtering profile profile_url, setting the URL filtering control level to medium.

    HRP_M[FW_A] profile type url-filter name profile_url
    HRP_M[FW_A-profile-url-filter-profile_url] category pre-defined control-level medium
    HRP_M[FW_A-profile-url-filter-profile_url] category pre-defined action allow
    HRP_M[FW_A-profile-url-filter-profile_url] quit
    

    # Configure security policies for senior management.

HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name policy_sec_management
    HRP_M[FW_A-policy-security-rule-policy_sec_management] source-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_management] destination-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_management] destination-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_management] profile av default
    HRP_M[FW_A-policy-security-rule-policy_sec_management] profile ips default
    HRP_M[FW_A-policy-security-rule-policy_sec_management] profile url-filter profile_url
    HRP_M[FW_A-policy-security-rule-policy_sec_management] user user-group /default/management
    HRP_M[FW_A-policy-security-rule-policy_sec_management] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_management] quit

    # Configure security policies for marketing employees.

    HRP_M[FW_A-policy-security] rule name policy_sec_marketing_1
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] source-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] destination-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] destination-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] application category Entertainment sub-category Media_Sharing
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] application category Entertainment sub-category Game
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] action deny
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_1] quit
    HRP_M[FW_A-policy-security] rule name policy_sec_marketing_2
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] source-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] destination-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] destination-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] profile av default
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] profile ips default
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] profile url-filter profile_url
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] user user-group /default/marketing
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_marketing_2] quit
    

    # Configure security policies for R&D employees.

    HRP_M[FW_A-policy-security] rule name policy_sec_research_1
    HRP_M[FW_A-policy-security-rule-policy_sec_research_1] source-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_research_1] destination-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_research_1] destination-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_research_1] user user-group /default/research
    HRP_M[FW_A-policy-security-rule-policy_sec_research_1] application category Entertainment
    HRP_M[FW_A-policy-security-rule-policy_sec_research_1] action deny
    HRP_M[FW_A-policy-security-rule-policy_sec_research_1] quit
    HRP_M[FW_A-policy-security] rule name policy_sec_research_2
    HRP_M[FW_A-policy-security-rule-policy_sec_research_2] source-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_research_2] destination-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_research_2] destination-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_research_2] profile av default
    HRP_M[FW_A-policy-security-rule-policy_sec_research_2] profile ips default
    HRP_M[FW_A-policy-security-rule-policy_sec_research_2] profile url-filter profile_url
    HRP_M[FW_A-policy-security-rule-policy_sec_research_2] user user-group /default/research
    HRP_M[FW_A-policy-security-rule-policy_sec_research_2] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_research_2] quit
    

    # Configure IPSec security policies.

    HRP_M[FW_A-policy-security] rule name policy_sec_ipsec_1
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-zone local
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-zone local
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-address 1.1.1.2 32
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] source-address 3.3.3.1 32
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-address 1.1.1.2 32
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] destination-address 3.3.3.1 32
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_1] quit
    HRP_M[FW_A-policy-security] rule name policy_sec_ipsec_2
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] source-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] destination-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] destination-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] source-address 10.1.0.0 16
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] destination-address 192.168.1.0 24
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] profile av default
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] profile ips default
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_2] quit
    HRP_M[FW_A-policy-security] rule name policy_sec_ipsec_3
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] source-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] source-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] destination-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] source-address 192.168.1.0 24
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] profile av default
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] profile ips default
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_ipsec_3] quit
    

    # Configure L2TP over IPSec security policies.

HRP_M[FW_A-policy-security] rule name policy_sec_l2tp_ipsec_1
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] source-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] destination-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] destination-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] source-address 10.1.1.1 16
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] destination-address range 10.1.1.2 10.1.1.100
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_1] quit
    HRP_M[FW_A-policy-security] rule name policy_sec_l2tp_ipsec_2
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] source-zone untrust
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] destination-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] source-address range 10.1.1.2 10.1.1.100
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] destination-address 10.1.1.1 16
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_l2tp_ipsec_2] quit
    

    # Configure security policies for the AD server.

    HRP_M[FW_A-policy-security] rule name local_policy_ad_01
    HRP_M[FW_A-policy-security-rule-local_policy_ad_01] source-zone local
    HRP_M[FW_A-policy-security-rule-local_policy_ad_01] destination-zone trust
    HRP_M[FW_A-policy-security-rule-local_policy_ad_01] destination-address 10.3.0.251 32
    HRP_M[FW_A-policy-security-rule-local_policy_ad_01] action permit
    HRP_M[FW_A-policy-security-rule-local_policy_ad_01] quit
    HRP_M[FW_A-policy-security] rule name local_policy_ad_02
    HRP_M[FW_A-policy-security-rule-local_policy_ad_02] source-zone trust
    HRP_M[FW_A-policy-security-rule-local_policy_ad_02] destination-zone local
    HRP_M[FW_A-policy-security-rule-local_policy_ad_02] source-address 10.3.0.251 32
    HRP_M[FW_A-policy-security-rule-local_policy_ad_02] action permit
    HRP_M[FW_A-policy-security-rule-local_policy_ad_02] quit
    

    # Configure the security policy that allows extranet users to access the intranet servers.

    HRP_M[FW_A-policy-security] rule name policy_sec_server
    HRP_M[FW_A-policy-security-rule-policy_sec_server] source-zone ISP1
    HRP_M[FW_A-policy-security-rule-policy_sec_server] source-zone ISP2
    HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-address 10.2.0.10 32
    HRP_M[FW_A-policy-security-rule-policy_sec_server] destination-address 10.2.0.11 32
    HRP_M[FW_A-policy-security-rule-policy_sec_server] action permit
    HRP_M[FW_A-policy-security-rule-policy_sec_server] quit
    HRP_M[FW_A-policy-security] quit
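The security policies above are matched top to bottom and the first rule whose conditions all match decides the packet; anything that matches no rule hits the default deny. The following script is an added example, not Huawei code or part of the original page: it transcribes the Internet-bound rules from this step into a first-match evaluator and runs constructed flows through them. The sub-category names Web_Browsing and ERP and the group name /default/onbusiness are assumptions used only to label test flows; the model ignores address, service and time-range conditions, which the firewall also evaluates.

```python
"""First-match walk of the step 9 security policies (added example, not Huawei code).

The firewall checks rules in configured order and applies the first one whose
conditions all match; the default action is deny. The rule list below is
transcribed from step 9 (Internet-bound rules only); the flows are constructed.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str                             # "permit" or "deny"
    src_zones: frozenset
    dst_zones: frozenset
    user_groups: frozenset = frozenset()    # empty: any user
    apps: frozenset = frozenset()           # (category, sub_category or None); empty: any application


def matches(rule, flow):
    """Every configured condition must match; an unset condition matches anything."""
    if flow["src_zone"] not in rule.src_zones or flow["dst_zone"] not in rule.dst_zones:
        return False
    if rule.user_groups and flow.get("group") not in rule.user_groups:
        return False
    if rule.apps:
        cat, sub = flow["app"]
        if not any(c == cat and (s is None or s == sub) for c, s in rule.apps):
            return False
    return True


def evaluate(rules, flow, default="deny"):
    """Return (rule name, action) of the first matching rule, or ("default", default)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    return "default", default


INTERNET = frozenset({"ISP1", "ISP2"})
TRUST = frozenset({"trust"})
POLICIES = [
    Rule("policy_sec_management", "permit", TRUST, INTERNET, frozenset({"/default/management"})),
    # No user-group condition: this deny applies to every trust user not already
    # matched by policy_sec_management, not only to marketing.
    Rule("policy_sec_marketing_1", "deny", TRUST, INTERNET,
         apps=frozenset({("Entertainment", "Media_Sharing"), ("Entertainment", "Game")})),
    Rule("policy_sec_marketing_2", "permit", TRUST, INTERNET, frozenset({"/default/marketing"})),
    Rule("policy_sec_research_1", "deny", TRUST, INTERNET, frozenset({"/default/research"}),
         frozenset({("Entertainment", None)})),
    Rule("policy_sec_research_2", "permit", TRUST, INTERNET, frozenset({"/default/research"})),
]


def flow(group, category, sub_category, dst_zone="ISP1"):
    """Constructed Internet-bound flow from the trust zone for a user in `group`."""
    return {"src_zone": "trust", "dst_zone": dst_zone, "group": group,
            "app": (category, sub_category)}


def decisions():
    """Decisions for constructed flows, keyed by a short label (sub-categories are assumed names)."""
    cases = {
        "manager_game": flow("/default/management", "Entertainment", "Game"),
        "marketing_game": flow("/default/marketing", "Entertainment", "Game"),
        "marketing_web": flow("/default/marketing", "General_Internet", "Web_Browsing"),
        "research_voip": flow("/default/research", "Entertainment", "VoIP"),
        "research_erp": flow("/default/research", "Business_Systems", "ERP"),
        "onbusiness_game": flow("/default/onbusiness", "Entertainment", "Game"),
        "onbusiness_web": flow("/default/onbusiness", "General_Internet", "Web_Browsing"),
    }
    return {label: evaluate(POLICIES, f) for label, f in cases.items()}


if __name__ == "__main__":
    for label, (rule, action) in decisions().items():
        print(f"{label:16} -> {action:6} ({rule})")
```

Two results are worth checking against intent: senior management is permitted Game traffic only because policy_sec_management precedes policy_sec_marketing_1, and a user in the onbusiness group (which has no rules of its own) is denied by policy_sec_marketing_1 but otherwise falls through to the default deny. If the Media_Sharing/Game block is meant for marketing only, add a user user-group /default/marketing condition to policy_sec_marketing_1.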

  10. Configure NAT. After hot standby is enabled, the NAT policies of FW_A are automatically synchronized to FW_B.

    # Configure NAT address pool nataddr.

    HRP_M[FW_A] nat address-group nataddr
    HRP_M[FW_A-nat-address-group-nataddr] mode pat
    HRP_M[FW_A-nat-address-group-nataddr] section 0 1.1.1.1 1.1.1.4
    HRP_M[FW_A-nat-address-group-nataddr] route enable
    HRP_M[FW_A-nat-address-group-nataddr] quit

# Configure the NAT policies that exempt traffic to the branch (192.168.1.0/24) from source NAT, policy_nat_ipsec_01 and policy_nat_ipsec_02. NAT policies are matched in the order in which they are configured, so these no-nat rules must be created before the Internet rules; otherwise the Internet rules translate the branch traffic first and it no longer matches the IPSec ACL.

    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat_ipsec_01
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] destination-zone ISP1
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] destination-address 192.168.1.0 24
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] action no-nat
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_01] quit
    HRP_M[FW_A-policy-nat] rule name policy_nat_ipsec_02
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] destination-zone ISP2
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] destination-address 192.168.1.0 24
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] action no-nat
    HRP_M[FW_A-policy-nat-rule-policy_nat_ipsec_02] quit

    # Configure the NAT policies for traffic to the Internet, policy_nat_internet_01 and policy_nat_internet_02.

    HRP_M[FW_A-policy-nat] rule name policy_nat_internet_01
    HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] destination-zone ISP1
    HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] action source-nat address-group nataddr
    HRP_M[FW_A-policy-nat-rule-policy_nat_internet_01] quit
    HRP_M[FW_A-policy-nat] rule name policy_nat_internet_02
    HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] destination-zone ISP2
    HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] action source-nat address-group nataddr
    HRP_M[FW_A-policy-nat-rule-policy_nat_internet_02] quit
    HRP_M[FW_A-policy-nat] quit

    # Configure the NAT server function.

    HRP_M[FW_A] nat server for_web_01 zone ISP1 protocol tcp global 1.1.1.5 8080 inside 10.2.0.10 www
    HRP_M[FW_A] nat server for_web_02 zone ISP2 protocol tcp global 2.2.2.5 8080 inside 10.2.0.10 www
    HRP_M[FW_A] nat server for_ftp_01 zone ISP1 protocol tcp global 1.1.1.6 ftp inside 10.2.0.11 ftp
    HRP_M[FW_A] nat server for_ftp_02 zone ISP2 protocol tcp global 2.2.2.6 ftp inside 10.2.0.11 ftp

# Enable NAT ALG for FTP. The FTP server is published through the ISP1 and ISP2 zones by the NAT server entries above, so the ALG must be enabled on the trust-ISP1 and trust-ISP2 interzones; the trust-untrust interzone covers the L2TP users (Virtual-Template 1 is added to untrust in step 14).

    HRP_M[FW_A] firewall interzone trust ISP1
    HRP_M[FW_A-interzone-trust-ISP1] detect ftp
    HRP_M[FW_A-interzone-trust-ISP1] quit
    HRP_M[FW_A] firewall interzone trust ISP2
    HRP_M[FW_A-interzone-trust-ISP2] detect ftp
    HRP_M[FW_A-interzone-trust-ISP2] quit
    HRP_M[FW_A] firewall interzone trust untrust
    HRP_M[FW_A-interzone-trust-untrust] detect ftp
    HRP_M[FW_A-interzone-trust-untrust] quit
    

  11. Configure attack defense. After hot standby is enabled, the attack defense configuration of FW_A is automatically synchronized to FW_B.

    HRP_M[FW_A] firewall defend land enable
    HRP_M[FW_A] firewall defend smurf enable
    HRP_M[FW_A] firewall defend fraggle enable
    HRP_M[FW_A] firewall defend ip-fragment enable
    HRP_M[FW_A] firewall defend tcp-flag enable
    HRP_M[FW_A] firewall defend winnuke enable
    HRP_M[FW_A] firewall defend source-route enable
    HRP_M[FW_A] firewall defend teardrop enable
    HRP_M[FW_A] firewall defend route-record enable
    HRP_M[FW_A] firewall defend time-stamp enable
    HRP_M[FW_A] firewall defend ping-of-death enable
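Each of the switches above turns on a check against one malformed-packet or amplification pattern. The script below is an added example, not Huawei code or part of the original page: it parses a raw IPv4 header with the standard library and reports which of these defenses a packet would trip, so the conditions behind each name are explicit. The packets at the bottom are constructed inline with zero checksums; the broadcast test assumes /24 LANs (last octet 255), which is a simplification of what the firewall does.

```python
"""What the single-packet 'firewall defend' switches in step 11 look for.

Added example, not Huawei code: an IPv4/TCP/UDP/ICMP header parser plus the checks
behind land, smurf, fraggle, winnuke, source-route, route-record, time-stamp,
ping-of-death, tcp-flag and teardrop. Packets below are constructed, checksums zero.
"""
import struct
from ipaddress import ip_address

# IP option kinds: Record Route, Timestamp, Loose and Strict Source Route
IP_OPTIONS = {7: "route-record", 68: "time-stamp", 131: "source-route", 137: "source-route"}
TCP_FIN, TCP_SYN, TCP_PSH, TCP_URG = 0x01, 0x02, 0x08, 0x20


def parse_ipv4(pkt):
    """Return the header fields the checks need; raise ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, _, ident, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad version or IHL")
    options, i = [], 20
    while i < ihl and pkt[i] != 0:      # option list: kind [, length, data]; 0 = end, 1 = NOP
        options.append(pkt[i])
        i += 1 if pkt[i] == 1 else max(pkt[i + 1], 2) if i + 1 < ihl else 2
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)), "proto": proto,
            "id": ident, "options": options, "more_frags": bool(frag & 0x2000),
            "frag_off": (frag & 0x1FFF) * 8, "payload": pkt[ihl:]}


def defend_checks(pkt):
    """Names of the step 11 defenses that one packet trips (teardrop needs several, see below)."""
    h = parse_ipv4(pkt)
    p = h["payload"]
    hits = {IP_OPTIONS[k] for k in h["options"] if k in IP_OPTIONS}
    # Assumption: /24 LANs, so a last octet of 255 is a directed broadcast.
    broadcast = h["dst"] == "255.255.255.255" or h["dst"].endswith(".255")
    sport = dport = None
    if h["proto"] in (6, 17) and len(p) >= 4:
        sport, dport = struct.unpack("!HH", p[:4])
    if h["src"] == h["dst"] and (sport is None or sport == dport):
        hits.add("land")
    if h["proto"] == 6 and len(p) >= 14:
        flags = p[13] & 0x3F
        xmas = TCP_FIN | TCP_PSH | TCP_URG
        if (flags & TCP_SYN and flags & TCP_FIN) or flags == 0 or (flags & xmas) == xmas:
            hits.add("tcp-flag")                 # SYN+FIN, null and xmas combinations
        if dport == 139 and flags & TCP_URG:
            hits.add("winnuke")                  # out-of-band data to NetBIOS
    if h["proto"] == 1:
        if h["frag_off"] + len(p) > 65535:       # reassembled datagram would exceed the IP maximum
            hits.add("ping-of-death")
        if broadcast and p[:1] == b"\x08":       # echo request to a broadcast address
            hits.add("smurf")
    if h["proto"] == 17 and broadcast and dport in (7, 19):   # echo/chargen to broadcast
        hits.add("fraggle")
    return hits


def teardrop(fragments):
    """True if fragments of one datagram (same src, dst, id) overlap."""
    spans = {}
    for pkt in fragments:
        h = parse_ipv4(pkt)
        spans.setdefault((h["src"], h["dst"], h["id"]), []).append(
            (h["frag_off"], h["frag_off"] + len(h["payload"])))
    for ranges in spans.values():
        ranges.sort()
        if any(nxt[0] < prev[1] for prev, nxt in zip(ranges, ranges[1:])):
            return True
    return False


def ipv4(src, dst, proto, payload=b"", options=b"", ident=1, frag_off=0, more=False):
    """Build a constructed IPv4 packet (checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)
    frag = (0x2000 if more else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                      20 + len(options) + len(payload), ident, frag, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + options + payload

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBB", sport, dport, 0, 0, 5 << 4, flags) + b"\x00" * 6

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLES = {   # constructed packets
    "land": ipv4("1.1.1.2", "1.1.1.2", 6, tcp(80, 80, TCP_SYN)),
    "winnuke": ipv4("5.5.5.5", "10.2.0.10", 6, tcp(4444, 139, TCP_URG | TCP_PSH)),
    "xmas": ipv4("5.5.5.5", "10.2.0.10", 6, tcp(4444, 80, TCP_FIN | TCP_PSH | TCP_URG)),
    "source-route": ipv4("5.5.5.5", "10.2.0.10", 6, tcp(1, 2, TCP_SYN), options=b"\x83\x07\x04\x0a\x01\x00\x01"),
    "smurf": ipv4("10.2.0.10", "10.1.0.255", 1, b"\x08\x00" + b"\x00" * 6),
    "fraggle": ipv4("10.2.0.10", "10.1.0.255", 17, udp(1234, 7)),
    "ping-of-death": ipv4("5.5.5.5", "10.2.0.10", 1, b"\x00" * 1480, ident=7, frag_off=65120),
    "clean": ipv4("10.1.0.5", "1.1.1.254", 6, tcp(51000, 443, TCP_SYN)),
}
TEARDROP_FRAGMENTS = [ipv4("5.5.5.5", "10.2.0.10", 17, b"\x00" * 24, ident=9, more=True),
                      ipv4("5.5.5.5", "10.2.0.10", 17, b"\x00" * 24, ident=9, frag_off=16)]
GOOD_FRAGMENTS = [ipv4("5.5.5.5", "10.2.0.10", 17, b"\x00" * 24, ident=10, more=True),
                  ipv4("5.5.5.5", "10.2.0.10", 17, b"\x00" * 8, ident=10, frag_off=24)]
```

Call defend_checks() on a packet to get the set of defenses it trips, and teardrop() on a list of fragments; the firewall performs these checks per packet on the inbound interface, while teardrop and the fragment defenses need reassembly state, which is why they are listed separately here.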
    

  12. Configure traffic policies. After hot standby is enabled, the traffic policies of FW_A are automatically replicated to FW_B.

    # Configure the time range.

    HRP_M[FW_A] time-range work_time
    HRP_M[FW_A-time-range-work_time] period-range 09:00:00 to 18:00:00 working-day
    HRP_M[FW_A-time-range-work_time] quit

    # Configure the traffic profile that restricts P2P traffic, profile_p2p.

    HRP_M[FW_A] traffic-policy
    HRP_M[FW_A-policy-traffic] profile profile_p2p
    HRP_M[FW_A-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole upstream 2000000
    HRP_M[FW_A-policy-traffic-profile-profile_p2p] bandwidth maximum-bandwidth whole downstream 6000000
    HRP_M[FW_A-policy-traffic-profile-profile_p2p] bandwidth connection-limit whole both 10000
    HRP_M[FW_A-policy-traffic-profile-profile_p2p] quit

    # Configure the traffic policy that restricts P2P traffic, policy_bandwidth_p2p.

    HRP_M[FW_A-policy-traffic] rule name policy_bandwidth_p2p
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] source-zone trust
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] destination-zone ISP1
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] destination-zone ISP2
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] application category Entertainment sub-category PeerCasting
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] application category General_Internet sub-category FileShare_P2P
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] action qos profile profile_p2p
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_p2p] quit

    # Configure the traffic profile that guarantees the bandwidth for email and ERP applications.

    HRP_M[FW_A-policy-traffic] profile profile_email
    HRP_M[FW_A-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole upstream 4000000
    HRP_M[FW_A-policy-traffic-profile-profile_email] bandwidth guaranteed-bandwidth whole downstream 4000000
    HRP_M[FW_A-policy-traffic-profile-profile_email] quit

    # Configure the traffic policy that guarantees the bandwidth for email and ERP applications.

    HRP_M[FW_A-policy-traffic] rule name policy_email
    HRP_M[FW_A-policy-traffic-rule-policy_email] source-zone trust
    HRP_M[FW_A-policy-traffic-rule-policy_email] destination-zone ISP1
    HRP_M[FW_A-policy-traffic-rule-policy_email] destination-zone ISP2
    HRP_M[FW_A-policy-traffic-rule-policy_email] application app LotusNotes OWA
    HRP_M[FW_A-policy-traffic-rule-policy_email] time-range work_time
    HRP_M[FW_A-policy-traffic-rule-policy_email] action qos profile profile_email
    HRP_M[FW_A-policy-traffic-rule-policy_email] quit
    

    # Configure the traffic profile for senior management.

HRP_M[FW_A-policy-traffic] profile profile_management
    HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth guaranteed-bandwidth whole upstream 200000
    HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth guaranteed-bandwidth whole downstream 200000
    HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth maximum-bandwidth per-ip upstream 20000
    HRP_M[FW_A-policy-traffic-profile-profile_management] bandwidth maximum-bandwidth per-ip downstream 20000
    HRP_M[FW_A-policy-traffic-profile-profile_management] quit

    # Configure the traffic policy for senior management.

    HRP_M[FW_A-policy-traffic] rule name policy_bandwidth_management
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] source-zone ISP1
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] source-zone ISP2
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] destination-zone trust
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] user user-group /default/management
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] action qos profile profile_management
    HRP_M[FW_A-policy-traffic-rule-policy_bandwidth_management] quit

13. Configure IPSec VPN. After hot standby is enabled, the IPSec VPN configuration of FW_A is automatically synchronized to FW_B.

# Configure IPSec on FW_A at the headquarters. A policy template is used and the IKE peer has no remote-address, so the headquarters accepts tunnels from any branch and each branch must initiate. The IKE proposal keeps 3DES, SHA-1 and DH group 5 from the original example; for new deployments, prefer AES and SHA-2 with DH group 14 or higher.

    HRP_M[FW_A] acl 3000 
    HRP_M[FW_A-acl-adv-3000] rule permit ip source 10.1.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
    HRP_M[FW_A-acl-adv-3000] quit
    HRP_M[FW_A] ipsec proposal tran1
    HRP_M[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
    HRP_M[FW_A-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    HRP_M[FW_A-ipsec-proposal-tran1] quit
    HRP_M[FW_A] ike proposal 10
    HRP_M[FW_A-ike-proposal-10] authentication-method pre-share
    HRP_M[FW_A-ike-proposal-10] prf hmac-sha1
    HRP_M[FW_A-ike-proposal-10] encryption-algorithm 3des
    HRP_M[FW_A-ike-proposal-10] dh group5
    HRP_M[FW_A-ike-proposal-10] integrity-algorithm hmac-sha2-256
    HRP_M[FW_A-ike-proposal-10] quit
    HRP_M[FW_A] ike peer headquarters
    HRP_M[FW_A-ike-peer-headquarters] ike-proposal 10
    HRP_M[FW_A-ike-peer-headquarters] pre-shared-key Admin@123
    HRP_M[FW_A-ike-peer-headquarters] quit
    HRP_M[FW_A] ipsec policy-template temp 1
HRP_M[FW_A-ipsec-policy-template-temp-1] security acl 3000
    HRP_M[FW_A-ipsec-policy-template-temp-1] proposal tran1
    HRP_M[FW_A-ipsec-policy-template-temp-1] ike-peer headquarters
    HRP_M[FW_A-ipsec-policy-template-temp-1] quit
    HRP_M[FW_A] ipsec policy policy1 1 isakmp template temp
    HRP_M[FW_A] interface GigabitEthernet 1/0/1
HRP_M[FW_A-GigabitEthernet1/0/1] ipsec policy policy1
    HRP_M[FW_A-GigabitEthernet1/0/1] quit

    # Configure IPSec on FW_C of a branch.

    [FW_C] acl 3000 
    [FW_C-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
    [FW_C-acl-adv-3000] quit
    [FW_C] ipsec proposal tran1
    [FW_C-ipsec-proposal-tran1] esp authentication-algorithm sha1
    [FW_C-ipsec-proposal-tran1] esp encryption-algorithm aes-128
    [FW_C-ipsec-proposal-tran1] quit
    [FW_C] ike proposal 10
    [FW_C-ike-proposal-10] authentication-method pre-share
    [FW_C-ike-proposal-10] prf hmac-sha1
    [FW_C-ike-proposal-10] encryption-algorithm 3des
    [FW_C-ike-proposal-10] dh group5
    [FW_C-ike-proposal-10] integrity-algorithm hmac-sha2-256
    [FW_C-ike-proposal-10] quit
    [FW_C] ike peer branch
    [FW_C-ike-peer-branch] ike-proposal 10
    [FW_C-ike-peer-branch] pre-shared-key Admin@123
    [FW_C-ike-peer-branch] remote-address 1.1.1.1
    [FW_C-ike-peer-branch] quit
    [FW_C] ipsec policy policy2 1 isakmp
    [FW_C-ipsec-policy-isakmp-policy2-1] security acl 3000
    [FW_C-ipsec-policy-isakmp-policy2-1] proposal tran1
    [FW_C-ipsec-policy-isakmp-policy2-1] ike-peer branch
    [FW_C-ipsec-policy-isakmp-policy2-1] quit
    [FW_C] interface GigabitEthernet 1/0/1
[FW_C-GigabitEthernet1/0/1] ipsec policy policy2
    [FW_C-GigabitEthernet1/0/1] quit

  14. Configure L2TP over IPSec.

    # Enable L2TP.

    HRP_M[FW_A] l2tp enable

    # Configure L2TP access users and an authentication scheme.

    HRP_M[FW_A] ip pool pool1
    HRP_M[FW_A-ip-pool-pool1] section 1 10.1.1.2 10.1.1.100
    HRP_M[FW_A-ip-pool-pool1] quit
    HRP_M[FW_A] user-manage user vpdnuser
    HRP_M[FW_A-localuser-vpdnuser] password Hello123
    HRP_M[FW_A-localuser-vpdnuser] quit
HRP_M[FW_A] aaa
    HRP_M[FW_A-aaa] authentication-scheme default
    HRP_M[FW_A-aaa-authen-default] authentication-mode local
    HRP_M[FW_A-aaa-authen-default] quit
    HRP_M[FW_A-aaa] service-scheme l2tp
    HRP_M[FW_A-aaa-service-l2tp] ip-pool pool1
    HRP_M[FW_A-aaa-service-l2tp] quit
    HRP_M[FW_A-aaa] domain net1
    HRP_M[FW_A-aaa-domain-net1] service-type internetaccess l2tp
    HRP_M[FW_A-aaa-domain-net1] authentication-scheme default
    HRP_M[FW_A-aaa-domain-net1] service-scheme l2tp
    HRP_M[FW_A-aaa-domain-net1] quit
    HRP_M[FW_A-aaa] quit
    

    # Configure the virtual interface template, and add it to a security zone.

    HRP_M[FW_A] interface Virtual-Template 1
    HRP_M[FW_A-Virtual-Template1] ppp authentication-mode chap pap
    HRP_M[FW_A-Virtual-Template1] ip address 10.11.1.1 255.255.255.0
    HRP_M[FW_A-Virtual-Template1] remote service-scheme l2tp
    HRP_M[FW_A-Virtual-Template1] quit
    HRP_M[FW_A] firewall zone untrust 
    HRP_M[FW_A-zone-untrust] add interface Virtual-Template 1
    HRP_M[FW_A-zone-untrust] quit
    NOTE:

    The IP address of the virtual interface must not be an address in the configured address pool or the address of any other interface.

    The service scheme for allocating the peer IP address must be consistent with that configured in the AAA domain. Otherwise, the LNS cannot allocate an address to the client.

    # Create an L2TP group, bind the virtual interface template, and configure tunnel authentication.

    HRP_M[FW_A] l2tp-group 1
    HRP_M[FW_A-l2tp1] allow l2tp virtual-template 1 remote client1
    HRP_M[FW_A-l2tp1] tunnel name lns
    HRP_M[FW_A-l2tp1] tunnel authentication
    HRP_M[FW_A-l2tp1] tunnel password cipher Password@123
    HRP_M[FW_A-l2tp1] quit

    # Similarly, configure L2TP over IPSec on FW_B.

    # Configure the client on the terminals of mobile employees.

    The L2TP client must be installed on the terminals of mobile employees. The client is connected to the Internet through dialup. The Secoway VPN Client is taken as an example.

    1. Open the Secoway VPN Client, select an existing connection, and click Properties.

      NOTE:

      This step should be performed when the VPN Client is disconnected from the dialup connection.

      If no connection exists, click New to create a connection following the instructions.

    2. Configure the basic information in the Basic Settings tab and enable an IPSec security protocol.

      See Figure 5-4 for the parameter settings. Enable the IPSec security protocol, and set the login password to "Hello123" and the identity authentication word to "Test!1234".

      NOTE:

      The IPSec identity authentication word set on the VPN Client must be consistent with the pre-shared key set on the LNS.

      Figure 5-4  Basic settings of the LAC

    3. If the user needs to access the Internet, select Allow access to Internet after successful connection (N) in the Basic Settings tab, and configure related routes in the Routing Settings tab.

      Figure 5-5  Selecting Allow access to Internet after successful connection (N)

      Figure 5-6  Adding a route

    4. Set L2TP properties in the L2TP Settings tab.

      See Figure 5-7 for the parameter settings. The tunnel name is client1. The authentication mode is CHAP. Enable tunnel authentication, and set the tunnel authentication password to "Password@123".

      Figure 5-7  L2TP settings of the LAC

    5. Set the basic information of IPSec in the IPSec Settings tab. See Figure 5-8 for the parameter settings.

      NOTE:

The LNS in this example enables L2TP tunnel authentication (tunnel authentication in l2tp-group 1), so the tunnel name and password in the L2TP Settings tab must match it. Only if tunnel authentication is disabled on the LNS does the LNS skip authenticating the tunnel of the VPN Client, in which case the L2TP Settings tab need not be configured.

      Figure 5-8  IPSec settings of the LAC

    6. Set the basic information of IKE in the IKE Settings tab. See Figure 5-9 for the parameter settings.

      Figure 5-9  IKE settings of the LAC

Updated: 2019-01-26

Document ID: EDOC1100062972