HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuration Procedure

Procedure

  • Configure the CPE.
    1. Enable the IPv6 packet forwarding function.

      <CPE> system-view 
      [CPE] ipv6

    2. Set the interface IP addresses and add the interfaces to their security zones (GigabitEthernet 1/0/0 to Trust, GigabitEthernet 1/0/2 to Untrust).

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CPE] interface GigabitEthernet 1/0/0 
      [CPE-GigabitEthernet1/0/0] ip address 192.168.0.1 255.255.255.0 
      [CPE-GigabitEthernet1/0/0] quit 
      [CPE] firewall zone trust 
      [CPE-zone-trust] add interface GigabitEthernet 1/0/0 
      [CPE-zone-trust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CPE] interface GigabitEthernet 1/0/2 
      [CPE-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0 
      [CPE-GigabitEthernet1/0/2] quit 
      [CPE] firewall zone untrust 
      [CPE-zone-untrust] add interface GigabitEthernet 1/0/2 
      [CPE-zone-untrust] quit

    3. Configure a security policy.

      [CPE] security-policy
      [CPE-policy-security] rule name policy1
      [CPE-policy-security-policy1] source-zone trust untrust
      [CPE-policy-security-policy1] destination-zone trust untrust
      [CPE-policy-security-policy1] action permit
      [CPE-policy-security-policy1] quit
      [CPE-policy-security] rule name policy2
      [CPE-policy-security-policy2] source-zone local untrust
      [CPE-policy-security-policy2] destination-zone local untrust
      [CPE-policy-security-policy2] action permit
      [CPE-policy-security-policy2] quit
      [CPE-policy-security] quit

    4. Configure the NAT function to translate the private IPv4 addresses of the users into the private IPv4 addresses of the carrier.

      [CPE] nat-policy
      [CPE-policy-nat] rule name policy_nat_1
      [CPE-policy-nat-rule-policy_nat_1] source-zone trust
      [CPE-policy-nat-rule-policy_nat_1] destination-zone untrust
      [CPE-policy-nat-rule-policy_nat_1] source-address 192.168.0.0 24
      [CPE-policy-nat-rule-policy_nat_1] action source-nat easy-ip
      [CPE-policy-nat-rule-policy_nat_1] quit
      [CPE-policy-nat] quit

      # Configure NAT ALG for the Trust-Untrust interzone to ensure the proper running of the FTP service.

      NOTE:

      Enable the ASPF functions for the corresponding services. This section uses the FTP protocol as an example.

      [CPE] firewall interzone trust untrust 
      [CPE-interzone-trust-untrust] detect ftp 
      [CPE-interzone-trust-untrust] quit

    5. Configure the 6RD tunnel.

      # Configure the interface Tunnel1 of the 6RD tunnel.

      [CPE] interface Tunnel 1 
      [CPE-Tunnel1] tunnel-protocol ipv6-ipv4 6rd 
      [CPE-Tunnel1] ipv6 enable 
      [CPE-Tunnel1] source 10.1.1.1 
      [CPE-Tunnel1] ipv6-prefix 22::/32 
      [CPE-Tunnel1] ipv4-prefix length 8 
      [CPE-Tunnel1] border-relay address 10.1.2.1
      [CPE-Tunnel1] quit
      NOTE:

      After the 6RD prefix and IPv4 prefix length are configured, the CPE automatically calculates the 6RD delegated prefix. When you run the display interface Tunnel 1 command, the 6RD delegated prefix is displayed. You can configure the IPv6 address for the Tunnel interface based on this 6RD delegated prefix.

      # View the calculated 6RD delegated prefix.

      [CPE] display interface Tunnel 1
      Tunnel1 current state : UP
      Line protocol current state : UP
      Description: Tunnel1 Interface
      Route Port,The Maximum Transmit Unit is 1500
      Internet protocol processing : disabled
      Encapsulation is TUNNEL, loopback not set
      Tunnel source 10.1.1.1(GigabitEthernet1/0/2), destination auto
      Tunnel protocol/transport IPV6 over IPv4(6rd)
      ipv6 prefix 22::/32
      ipv4 prefix length 8
      6RD Operational, Delegated Prefix is 22:0:101:100::/56

      # Configure the IPv6 address for the Tunnel1 interface based on the 6RD delegated prefix.

      [CPE] interface Tunnel 1
      [CPE-Tunnel1] ipv6 address 22:0:101:100::1 56
      [CPE-Tunnel1] quit

      # Add the Tunnel1 interface to the Untrust zone.

      [CPE] firewall zone untrust 
      [CPE-zone-untrust] add interface Tunnel 1 
      [CPE-zone-untrust] quit

      # Configure the IPv6 address for the GigabitEthernet 1/0/1 interface.

      [CPE] interface GigabitEthernet 1/0/1 
      [CPE-GigabitEthernet1/0/1] ipv6 address 22:0:101:101::1 64 
      [CPE-GigabitEthernet1/0/1] quit 
      [CPE] firewall zone trust 
      [CPE-zone-trust] add interface GigabitEthernet 1/0/1 
      [CPE-zone-trust] quit

    6. Configure routes.

      # Configure the static IPv4 route from the CPE to the MAN-side network of the CGN. Assume that the next hop address of the CPE to the MAN is 10.1.1.2.

      [CPE] ip route-static 10.1.2.0 255.255.255.0 10.1.1.2

      # Configure the route from the CPE to the 6RD tunnel interface of the CGN.

      [CPE] ipv6 route-static 22:: 32 Tunnel 1

      # Configure the static route from the CPE to the IPv6 network. Set the next hop address to the IPv6 address of the Tunnel interface of the CGN.

      [CPE] ipv6 route-static 3000:: 64 22:0:102:100::1

  • Configure the CGN.
    1. Enable the IPv6 packet forwarding function.

      <CGN> system-view 
      [CGN] ipv6

    2. Set the interface IP addresses and add the interfaces to their security zones (GigabitEthernet 1/0/0 and 1/0/1 to Untrust, GigabitEthernet 1/0/2 to Trust).

      # Configure the IP address for the GigabitEthernet 1/0/0 interface.

      [CGN] interface GigabitEthernet 1/0/0 
      [CGN-GigabitEthernet1/0/0] ip address 1.1.1.1 255.255.255.0 
      [CGN-GigabitEthernet1/0/0] quit 
      [CGN] firewall zone untrust 
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/0 
      [CGN-zone-untrust] quit

      # Configure the IP address for the GigabitEthernet 1/0/2 interface.

      [CGN] interface GigabitEthernet 1/0/2 
      [CGN-GigabitEthernet1/0/2] ip address 10.1.2.1 255.255.255.0 
      [CGN-GigabitEthernet1/0/2] quit 
      [CGN] firewall zone trust 
      [CGN-zone-trust] add interface GigabitEthernet 1/0/2 
      [CGN-zone-trust] quit

      # Configure the IPv6 address for the GigabitEthernet 1/0/1 interface.

      [CGN] interface GigabitEthernet 1/0/1 
      [CGN-GigabitEthernet1/0/1] ipv6 enable 
      [CGN-GigabitEthernet1/0/1] ipv6 address 3000::1 64 
      [CGN-GigabitEthernet1/0/1] quit 
      [CGN] firewall zone untrust 
      [CGN-zone-untrust] add interface GigabitEthernet 1/0/1 
      [CGN-zone-untrust] quit

      # Configure a security policy.

      [CGN] security-policy
      [CGN-policy-security] rule name policy1
      [CGN-policy-security-policy1] source-zone trust untrust
      [CGN-policy-security-policy1] destination-zone trust untrust
      [CGN-policy-security-policy1] action permit
      [CGN-policy-security-policy1] quit
      [CGN-policy-security] rule name policy2
      [CGN-policy-security-policy2] source-zone local trust
      [CGN-policy-security-policy2] destination-zone local trust
      [CGN-policy-security-policy2] action permit
      [CGN-policy-security-policy2] quit
      [CGN-policy-security] quit

    3. Configure the NAT function to translate the private IP addresses of the carrier to the public IPv4 addresses.

      # Configure the NAT address pool. Set the size of the pre-allocated port block to 256.

      [CGN] nat address-group addressgroup1
      [CGN-address-group-addressgroup1] mode pat
      [CGN-address-group-addressgroup1] route enable
      [CGN-address-group-addressgroup1] section 1 1.1.2.1 1.1.2.5
      [CGN-address-group-addressgroup1] port-block-size 256
      [CGN-address-group-addressgroup1] quit

      # Configure a NAT policy.

      [CGN] nat-policy
      [CGN-policy-nat] rule name policy_nat_1
      [CGN-policy-nat-rule-policy_nat_1] source-zone trust
      [CGN-policy-nat-rule-policy_nat_1] destination-zone untrust
      [CGN-policy-nat-rule-policy_nat_1] source-address 10.1.1.0 24
      [CGN-policy-nat-rule-policy_nat_1] action source-nat address-group addressgroup1
      [CGN-policy-nat-rule-policy_nat_1] quit
      [CGN-policy-nat] quit

      # Configure NAT ALG for the Trust-Untrust interzone to ensure the proper running of the FTP service.

      NOTE:

      Enable the ASPF functions for the corresponding services. This section uses the FTP protocol as an example.

      [CGN] firewall interzone trust untrust
      [CGN-interzone-trust-untrust] detect ftp
      [CGN-interzone-trust-untrust] quit
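      The address pool above hands each translated private host a fixed block of 256 ports on one public address, which is what makes a (public IP, port) pair seen by the FTP Server traceable to a single subscriber. The following Python is an added example (not Huawei code) that models that allocation for the pool on this page, 1.1.2.1 to 1.1.2.5 with port-block-size 256; the usable port range 1024 to 65535 and the first-free allocation order are assumptions, not values from the page.

      ```python
      import ipaddress

      # Pool values taken from the page's "section 1 1.1.2.1 1.1.2.5" and "port-block-size 256".
      FIRST = ipaddress.IPv4Address("1.1.2.1")
      LAST = ipaddress.IPv4Address("1.1.2.5")
      POOL = [str(ipaddress.IPv4Address(i)) for i in range(int(FIRST), int(LAST) + 1)]
      PORT_BLOCK_SIZE = 256
      PORT_MIN, PORT_MAX = 1024, 65535   # assumption: ports below 1024 are not handed out


      class PortBlockNat:
          """One fixed port block per private host: a logged (public IP, port)
          resolves to exactly one subscriber without per-session NAT records."""

          def __init__(self):
              # Every (public address, first port) block that can be handed out.
              self.free = [(ip, p) for ip in POOL
                           for p in range(PORT_MIN, PORT_MAX - PORT_BLOCK_SIZE + 2, PORT_BLOCK_SIZE)]
              self.by_private = {}   # private IP -> (public IP, first port of its block)

          def allocate(self, private_ip):
              """Return (public IP, first port, last port) for a private host,
              allocating a block on first use and raising when the pool is exhausted."""
              if private_ip not in self.by_private:
                  if not self.free:
                      raise RuntimeError("NAT address pool exhausted: no free port block")
                  self.by_private[private_ip] = self.free.pop(0)
              ip, first = self.by_private[private_ip]
              return ip, first, first + PORT_BLOCK_SIZE - 1

          def lookup(self, public_ip, port):
              """Reverse mapping used for abuse handling: which subscriber owned this port?"""
              for private_ip, (ip, first) in self.by_private.items():
                  if ip == public_ip and first <= port < first + PORT_BLOCK_SIZE:
                      return private_ip
              return None   # port not inside any allocated block

          @staticmethod
          def capacity():
              """Number of hosts the pool can serve at once (blocks per address x addresses)."""
              return len(POOL) * ((PORT_MAX - PORT_MIN + 1) // PORT_BLOCK_SIZE)


      if __name__ == "__main__":
          nat = PortBlockNat()
          print("capacity:", nat.capacity())
          print("10.1.1.1 ->", nat.allocate("10.1.1.1"))
          print("1.1.2.1:1100 <-", nat.lookup("1.1.2.1", 1100))
      ```

      Under these assumptions the five-address pool serves 1260 concurrent hosts; sizing the pool against the subscriber count avoids the exhaustion error.
      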

    4. Configure the 6RD tunnel.

      # Configure the interface Tunnel1 of the 6RD tunnel.

      [CGN] interface Tunnel 1
      [CGN-Tunnel1] tunnel-protocol ipv6-ipv4 6rd
      [CGN-Tunnel1] ipv6 enable
      [CGN-Tunnel1] source 10.1.2.1
      [CGN-Tunnel1] ipv6-prefix 22::/32
      [CGN-Tunnel1] ipv4-prefix length 8
      [CGN-Tunnel1] quit

      NOTE:

      After the 6RD prefix and IPv4 prefix length are configured, the CGN automatically calculates the 6RD delegated prefix. When you run the display interface Tunnel 1 command, the 6RD delegated prefix is displayed. You can configure the IPv6 address for the Tunnel interface based on this 6RD delegated prefix.

      # View the calculated 6RD delegated prefix.

      [CGN] display interface Tunnel 1
      Tunnel1 current state : UP
      Line protocol current state : UP
      Description: Tunnel1 Interface
      Route Port,The Maximum Transmit Unit is 1500
      Internet protocol processing : disabled
      Encapsulation is TUNNEL, loopback not set
      Tunnel source 10.1.2.1(GigabitEthernet1/0/2), destination auto
      Tunnel protocol/transport IPV6 over IPv4(6rd)
      ipv6 prefix 22::/32
      ipv4 prefix length 8
      6RD Operational, Delegated Prefix is 22:0:102:100::/56

      # Configure the IPv6 address for the Tunnel interface based on the 6RD delegated prefix.

      [CGN] interface Tunnel 1
      [CGN-Tunnel1] ipv6 address 22:0:102:100::1 56
      [CGN-Tunnel1] quit

      # Add the Tunnel1 interface to the Untrust zone.

      [CGN] firewall zone untrust 
      [CGN-zone-untrust] add interface Tunnel 1 
      [CGN-zone-untrust] quit
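      The delegated prefixes shown in the display output of both the CPE (tunnel source 10.1.1.1) and the CGN (tunnel source 10.1.2.1) are a mechanical computation from ipv6-prefix 22::/32 and ipv4-prefix length 8, and "destination auto" is the reverse of it. The following Python is an added example (not Huawei code) that reproduces both directions; it assumes RFC 5969 6rd addressing, that the masked-off IPv4 bits are 10.0.0.0/8, and uses the border-relay address 10.1.2.1 from the CPE configuration as the fallback for destinations outside the 6RD domain.

      ```python
      import ipaddress

      # Parameters from the page; the common IPv4 prefix 10.0.0.0 is an assumption.
      SIXRD_PREFIX = ipaddress.IPv6Network("22::/32")
      IPV4_MASK_LEN = 8                                   # "ipv4-prefix length 8"
      IPV4_COMMON = ipaddress.IPv4Address("10.0.0.0")     # high-order bits shared by all MAN addresses
      BORDER_RELAY = ipaddress.IPv4Address("10.1.2.1")    # "border-relay address" on the CPE
      KEPT_BITS = 32 - IPV4_MASK_LEN                      # 24 IPv4 bits are embedded in IPv6


      def delegated_prefix(tunnel_source: str) -> ipaddress.IPv6Network:
          """6RD delegated prefix: 6rd prefix followed by the non-masked IPv4 bits."""
          v4 = int(ipaddress.IPv4Address(tunnel_source))
          suffix = v4 & ((1 << KEPT_BITS) - 1)            # drop the common /8 part
          plen = SIXRD_PREFIX.prefixlen + KEPT_BITS        # 32 + 24 = 56
          v6 = int(SIXRD_PREFIX.network_address) | (suffix << (128 - plen))
          return ipaddress.IPv6Network((v6, plen))


      def tunnel_destination(ipv6_dst: str) -> ipaddress.IPv4Address:
          """Recover the IPv4 endpoint embedded in a 6RD-domain address ("destination auto").
          Raises ValueError for addresses outside the 6RD domain."""
          dst = ipaddress.IPv6Address(ipv6_dst)
          if dst not in SIXRD_PREFIX:
              raise ValueError(f"{ipv6_dst} is outside the 6RD domain {SIXRD_PREFIX}")
          shift = 128 - SIXRD_PREFIX.prefixlen - KEPT_BITS
          suffix = (int(dst) >> shift) & ((1 << KEPT_BITS) - 1)
          return ipaddress.IPv4Address(int(IPV4_COMMON) | suffix)


      def ipv4_endpoint(ipv6_dst: str) -> ipaddress.IPv4Address:
          """Where the CPE encapsulates a packet: an in-domain peer directly,
          anything else (such as 3000::/64) to the border relay."""
          try:
              return tunnel_destination(ipv6_dst)
          except ValueError:
              return BORDER_RELAY


      if __name__ == "__main__":
          for src in ("10.1.1.1", "10.1.2.1"):
              print(src, "->", delegated_prefix(src))
          # The CPE's route for 3000::/64 points at the CGN tunnel address, which maps back to 10.1.2.1.
          print("22:0:102:100::1 ->", tunnel_destination("22:0:102:100::1"))
      ```

      Checking the computed prefix against the display output is a cheap way to catch a wrong ipv4-prefix length or tunnel source before traffic is tunneled.
      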

    5. Configure routes.

      # Configure the static IPv4 route to the MAN interface of the CPE. Assume that the next hop address of the CGN to the MAN is 10.1.2.2.

      [CGN] ip route-static 10.1.1.0 255.255.255.0 10.1.2.2

      # Configure the static IPv4 route to the FTP Server on the Internet. Assume that the next hop address of the CGN to the WAN is 1.1.1.2.

      [CGN] ip route-static 1.1.3.1 255.255.255.255 1.1.1.2

      # Configure the route to the 6RD tunnel interface and 6RD domain of the CPE.

      [CGN] ipv6 route-static 22:: 32 Tunnel 1

  • Configure the FTP Server.

    Normally, the ISP is responsible for configuring the FTP servers. This topic describes only the key points of the FTP Server configuration.

    • Set the IP address of the FTP Server to 1.1.3.1/32.
    • The route to the addresses in the address pool of the CGN must be configured for the FTP Server.

  • Configure PC1, PC2, and PC3.

    You must specify a gateway for each PC. How PC addresses and routes are configured depends on the operating system of each PC and is not described here.

Updated: 2019-01-26

Document ID: EDOC1100062972