HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Verification

  • Verify the IPv4 services.

    1. After the configuration is complete, PC1 on the private IPv4 network can access the FTP service provided by the server on the Internet (1.1.3.1).

      C:\Documents and Settings\Administrator>ftp 1.1.3.1
      Connected to 1.1.3.1.
      220 FTP service ready.
      User (1.1.3.1:(none)): admin
      331 Password required for admin.
      Password:
      230 User logged in.
      ftp>
    2. Run the display firewall session table verbose command on the CPE to check the address translation.

      [CPE] display firewall session table verbose
       Current Total Sessions : 2                                                     
        ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122                 
        Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:59                         
        Interface: GigabitEthernet1/0/2  NextHop: 10.1.1.2  MAC: 0018-8239-1e5c    
        <--packets:20 bytes:1168   -->packets:26 bytes:1150                           
        192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21    PolicyName:policy_sec_1     
                                                                                      
        ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159            
        Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:07                         
        Interface: GigabitEthernet1/0/0  NextHop: 192.168.0.2  MAC: 0018-826f-b3f4 
        <--packets:3 bytes:124   -->packets:5 bytes:370                               
        1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034]  PolicyName:policy_nat_1     

      The entries 192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21 and 1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034] show that the user's private IPv4 address 192.168.0.2 is translated to the carrier's private address 10.1.1.1; in this output the bracketed address and port are the ones after translation. The first entry is the FTP control channel (trust to untrust, client port 1031 to server port 21). The second is the active-mode data channel: the server opens it from port 20 towards the translated address and port, and the CPE maps it back to 192.168.0.2:1034. Both channels are established.

    3. Run the display firewall session table verbose command on the CGN to check the address translation.

      [CGN] display firewall session table verbose
       Current total sessions: 2                                                      
       ftp VPN: public --> public  ID: a38f36333beb0f5654453374                
       Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56            
       Interface: GigabitEthernet1/0/0 Nexthop: 1.1.1.2                             
       <--packets: 0 bytes: 0 -->packets: 17 bytes: 764                               
       10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21   PolicyName:policy_nat_1 
                                                                                      
       ftp-data VPN: public --> public  ID: a48f3636f5030144b54453ad0                 
       Zone: untrust --> trust Slot: 6 CPU: 2 TTL: 00:00:10 Left: 00:00:07            
       Interface: GigabitEthernet1/0/2 Nexthop: 10.1.2.2                              
       <--packets: 3 bytes: 124 -->packets: 5 bytes: 370                              
       1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362]  PolicyName:policy_nat_1 
      

      The entries 10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21 and 1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362] show that the carrier's private address 10.1.1.1 is translated to 1.1.2.4, an address from the CGN's public address pool. As on the CPE, both the control channel and the server-initiated data channel are present, and the data channel is delivered back to the CPE address 10.1.1.1.

    4. Run the display cpe-user information cpe-ipv4 10.1.1.1 command in any view of the CGN to check the details about the CPE user at 10.1.1.1.

      [CGN] display cpe-user information cpe-ipv4 10.1.1.1 slot 6 cpu 2
       This operation will take a few minutes. Press 'Ctrl+C' to break ...
       UserTbl item(s) on slot 6 cpu 2                                    
       --------------------------------------------------------------------
       Scene: NAT444  DstZone: untrust CPEIP: 10.1.1.1                 
       TTL: 40   LeftTime: 34 Increase Count: 0  VPN: public                
       PoolID: addressgroup1  SectionID: 1  PublicIP: 1.1.2.4  StartPort: 2048
       PortNumber: 256  PortTotal: 256  Used Port Number: 1         
      

      As shown in the preceding command output, the source addresses of service flows sent by the CPE at 10.1.1.1 are translated into 1.1.2.4 from pool addressgroup1, and the CPE has been allocated one port block of 256 ports starting at port 2048, that is, ports 2048 to 2303 (Increase Count: 0 means no additional block has been allocated). Note that the public ports in the CGN session table above (10550 and 61578) fall outside this block, so that table and this user entry were evidently taken at different times. When verifying port-block allocation, capture both outputs together and confirm that every public port of the user's sessions lies inside the reported block.
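      The following Python script is an added example and is not part of this Huawei document. It parses session-table output in the format shown above (the CGN entries are embedded as a constructed sample, and the CPE layout with no spaces around the arrow is handled as well), derives the inside-to-outside address mapping from both the forward entry and the server-initiated ftp-data entry, and checks every public-side port against the port block that display cpe-user reports. The only layout assumption is the one visible in the outputs: a bracketed ip:port is the address on that side after translation. Run on the outputs above, it reports ports 10550 and 61578 as outside the 2048-2303 block.

```python
import re
from typing import Any, Dict, List, Set, Tuple

# Constructed samples, copied from the CGN and CPE outputs above (the parser
# only needs the entry header, the Zone line and the flow line of each entry).
SAMPLE_CGN_SESSIONS = """\
 Current total sessions: 2
 ftp VPN: public --> public  ID: a38f36333beb0f5654453374
 Zone: trust --> untrust Slot: 6 CPU: 2 TTL: 00:10:00 Left: 00:09:56
 Interface: GigabitEthernet1/0/0 Nexthop: 1.1.1.2
 <--packets: 0 bytes: 0 -->packets: 17 bytes: 764
 10.1.1.1:2054[1.1.2.4:10550] +-> 1.1.3.1:21   PolicyName:policy_nat_1

 ftp-data VPN: public --> public  ID: a48f3636f5030144b54453ad0
 Zone: untrust --> trust Slot: 6 CPU: 2 TTL: 00:00:10 Left: 00:00:07
 Interface: GigabitEthernet1/0/2 Nexthop: 10.1.2.2
 <--packets: 3 bytes: 124 -->packets: 5 bytes: 370
 1.1.3.1:20 --> 1.1.2.4:61578[10.1.1.1:15362]  PolicyName:policy_nat_1
"""

SAMPLE_CPE_SESSIONS = """\
 Current Total Sessions : 2
  ftp  VPN:public --> public  ID: ab016391fa4c03558d54c16fac122
  Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:59
  192.168.0.2:1031[10.1.1.1:2054]+->1.1.3.1:21    PolicyName:policy_sec_1
  ftp-data  VPN:public --> public  ID: ab016391fa4c03558d54c16acd159
  Zone: untrust--> trust  TTL: 00:00:10  Left: 00:00:07
  1.1.3.1:20-->10.1.1.1:15363[192.168.0.2:1034]  PolicyName:policy_nat_1
"""

# "<proto> VPN:<src-vpn> --> <dst-vpn> ..." opens an entry.  The CPE prints
# no space after "VPN:" and none around "-->", so whitespace is optional.
_HEAD = re.compile(r"^\s*(?P<proto>[\w-]+)\s+VPN:\s*(?P<svpn>\S+?)\s*-->\s*(?P<dvpn>\S+)")
_ZONE = re.compile(r"^\s*Zone:\s*(?P<szone>\S+?)\s*-->\s*(?P<dzone>\S+)")
# Flow line: "src:port[nat:port] +-> dst:port[nat:port]  PolicyName:<name>".
# A bracketed ip:port is that side's address after translation.
_END = r"(?P<{p}ip>[0-9.]+):(?P<{p}port>\d+)(?:\[(?P<{p}nip>[0-9.]+):(?P<{p}nport>\d+)\])?"
_FLOW = re.compile(r"^\s*" + _END.format(p="s") + r"\s*(?:\+->|-->)\s*"
                   + _END.format(p="d") + r"\s+PolicyName:(?P<policy>\S+)")


def parse_session_table(text: str) -> List[Dict[str, Any]]:
    """Parse 'display firewall session table verbose' output into one dict per session."""
    sessions: List[Dict[str, Any]] = []
    cur: Dict[str, Any] = {}
    for line in text.splitlines():
        if m := _HEAD.match(line):
            cur = {"proto": m["proto"], "src_vpn": m["svpn"], "dst_vpn": m["dvpn"]}
            sessions.append(cur)
        elif (m := _ZONE.match(line)) and cur:
            cur["src_zone"], cur["dst_zone"] = m["szone"], m["dzone"]
        elif (m := _FLOW.match(line)) and cur:
            cur.update(
                src=m["sip"], src_port=int(m["sport"]),
                src_nat=m["snip"], src_nat_port=int(m["snport"]) if m["snport"] else None,
                dst=m["dip"], dst_port=int(m["dport"]),
                dst_nat=m["dnip"], dst_nat_port=int(m["dnport"]) if m["dnport"] else None,
                policy=m["policy"],
            )
    return sessions


def nat_mappings(sessions: List[Dict[str, Any]]) -> Set[Tuple[str, str]]:
    """Inside-to-outside address pairs proven by the table.

    A forward (inside-initiated) entry carries the translation on the source
    side.  A return entry such as active-mode ftp-data, which the server opens
    from port 20, carries it on the destination side: the packet arrives for the
    outside address and is delivered to the bracketed inside address.
    """
    pairs: Set[Tuple[str, str]] = set()
    for s in sessions:
        if s.get("src_nat"):
            pairs.add((s["src"], s["src_nat"]))
        if s.get("dst_nat"):
            pairs.add((s["dst_nat"], s["dst"]))
    return pairs


def public_ports_outside_block(sessions: List[Dict[str, Any]], public_ip: str,
                               start_port: int, port_number: int) -> List[Tuple[str, int]]:
    """(proto, port) for each public-side port of public_ip that is not inside
    the block [start_port, start_port + port_number) reported by display cpe-user."""
    end = start_port + port_number
    outside: List[Tuple[str, int]] = []
    for s in sessions:
        candidates = []
        if s.get("src_nat"):
            candidates.append((s["src_nat"], s["src_nat_port"]))
        if s.get("dst_nat"):
            candidates.append((s["dst"], s["dst_port"]))
        for ip, port in candidates:
            if ip == public_ip and not start_port <= port < end:
                outside.append((s["proto"], port))
    return outside


if __name__ == "__main__":
    cgn = parse_session_table(SAMPLE_CGN_SESSIONS)
    print("CGN mappings:", nat_mappings(cgn))
    print("CPE mappings:", nat_mappings(parse_session_table(SAMPLE_CPE_SESSIONS)))
    # Port block from the display cpe-user output above: StartPort 2048, PortNumber 256.
    print("outside 2048-2303:", public_ports_outside_block(cgn, "1.1.2.4", 2048, 256))
```

      The block check is only meaningful on the CGN, whose public ports come from the allocated block; the CPE's own translation to 10.1.1.1 is not bound by it.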

  • Verify the IPv6 services.

    1. From the CPE, ping the address of the CGN interface that connects to the IPv6 network, that is, GigabitEthernet 1/0/3 at 4000::1.

      <CPE> ping ipv6 4000::1
        PING 4000::1 : 56  data bytes, press CTRL_C to break                  
          Reply from 4000::1                                                  
          bytes=56 Sequence=1 hop limit=64  time = 90 ms                      
          Reply from 4000::1                                                  
          bytes=56 Sequence=2 hop limit=64  time = 100 ms                     
          Reply from 4000::1                                                  
          bytes=56 Sequence=3 hop limit=64  time = 40 ms                      
          Reply from 4000::1                                                  
          bytes=56 Sequence=4 hop limit=64  time = 60 ms                      
          Reply from 4000::1                                                  
          bytes=56 Sequence=5 hop limit=64  time = 40 ms                      
                                                                              
        --- 4000::1 ping statistics ---                                       
          5 packet(s) transmitted                                             
          5 packet(s) received                                                
          0.00% packet loss                                                   
          round-trip min/avg/max = 40/66/100 ms

      The ping succeeds, so IPv6 reachability between the CPE and the CGN is in place. To check the routes behind it, run the display ospfv3 routing command on the CPE and on the CGN and view their OSPFv3 routing tables.

      [CPE] display ospfv3 routing
      OSPFv3 Process (1)                                                              
         Destination                                            Metric                
           Next-hop                                                                   
           2000::/64                                            1                     
           directly connected, GigabitEthernet1/0/1                                   
           3000::/64                                            1                     
           directly connected, GigabitEthernet1/0/3                                   
        IA 4000::/64                                           2                 
            via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/3                        
        IA 5000::/64                                           3                     
            via FE80::218:82FF:FE39:1E5C, GigabitEthernet1/0/3                        

      The CPE's OSPFv3 routing table contains the inter-area (IA) routes 4000::/64 and 5000::/64, learned from the CGN through its link-local next hop on GigabitEthernet1/0/3. These are the CPE's routes to the IPv6 MAN and the IPv6 Internet.

      [CGN] display ospfv3 routing
      OSPFv3 Process (1)                                                              
         Destination                                                 Metric           
           Next-hop                                                                   
        IA 2000::/64                                                     3        
             via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/3                         
        IA 3000::/64                                                     2        
             via FE80::222:A1FF:FE30:22, GigabitEthernet1/0/3                         
           4000::/64                                                     1            
            directly connected, GigabitEthernet1/0/3                                  
           5000::/64                                                     1            
            directly connected, GigabitEthernet1/0/1                                  

      The CGN's OSPFv3 routing table contains the inter-area (IA) routes 2000::/64 and 3000::/64, learned from the CPE through its link-local next hop on GigabitEthernet1/0/3. These are the CGN's routes towards the IPv6 MAN and the IPv6 users behind the CPE.

    2. On PC2, ping PC3.

      C:\> ping6 5000::2
      from 2000::2 with 32 bytes of data:
      Reply from 5000::2: time<1ms
      Reply from 5000::2: time<1ms
      Reply from 5000::2: time<1ms
      Reply from 5000::2: time<1ms
      Ping statistics for 5000::2:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 0ms, Maximum = 0ms, Average = 0ms

      PC3 (5000::2) is reachable from PC2 (2000::2), so the IPv6 routes across the entire network are correct.

  • Verify that an IPv6 user can access the IPv4 Internet through NAT64.

    1. Ping domain name www.example.com on PC2.

      Pinging 6000::0101:301 with 32 bytes of data:
      
      Reply from 6000::0101:301: time=23ms
      Reply from 6000::0101:301: time=6ms
      Reply from 6000::0101:301: time=12ms
      Reply from 6000::0101:301: time=33ms
      
      Ping statistics for 6000::0101:301:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 6ms, Maximum = 33ms, Average = 18ms

      The domain name resolves to 6000::0101:301, an IPv6 address whose low 32 bits (0101:0301) encode the server's IPv4 address 1.1.3.1. PC2 receives replies from it, so the IPv4 server is reachable from the IPv6 PC through the NAT64 translation on the CGN.

    2. In any view of the CGN, run the display firewall ipv6 session table command to check the NAT64 session table.

      <CGN> display firewall ipv6 session table
       Slot: 6 CPU: 1                                                                 
      NAT64: icmp6 VPN: public --> public  2000::2.44152[1.1.2.14:10296] --> 6000::0101:301.2048[1.1.3.1:2048]

      The NAT64 session entry shows the mapping in both directions: the IPv6 source 2000::2 is translated to the IPv4 pool address 1.1.2.14, and the IPv6 destination 6000::0101:301 is translated to the IPv4 server 1.1.3.1. The number after each address is the port, or the echo identifier for icmp6 (44152 becomes 10296 on the translated side), and the bracketed ip:port is the IPv4 side of the translation.
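      The following Python script is an added example and is not part of this Huawei document. It computes the IPv4-embedded IPv6 address for a /96 NAT64 prefix in both directions and checks a NAT64 session entry (the one above, embedded as a constructed sample) for consistency: the IPv6 destination must decode to the bracketed IPv4 server, and the IPv6 source must be a native address outside the prefix. The prefix 6000::/96 is assumed from the output, since the page does not show the NAT64 configuration; the /96 embedding (IPv4 in the low 32 bits) is the format seen in the output and is the one defined for that prefix length in RFC 6052.

```python
import ipaddress
import re
from typing import Any, Dict

# Constructed sample: the NAT64 session entry from the CGN output above.
SAMPLE_NAT64_LINE = ("NAT64: icmp6 VPN: public --> public  "
                     "2000::2.44152[1.1.2.14:10296] --> 6000::0101:301.2048[1.1.3.1:2048]")

# Assumed from the output, not taken from the configuration: a /96 prefix, so the
# IPv4 address occupies the low 32 bits of the synthesized IPv6 address.
NAT64_PREFIX = "6000::/96"


def nat64_synthesize(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """IPv6 address that represents ipv4 inside a /96 NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only the /96 embedding format is handled here")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(prefix: str, addr: str) -> ipaddress.IPv4Address:
    """IPv4 address embedded in a /96-prefixed NAT64 address (inverse of synthesize)."""
    net = ipaddress.IPv6Network(prefix)
    a = ipaddress.IPv6Address(addr)
    if net.prefixlen != 96 or a not in net:
        raise ValueError(f"{addr} is not inside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


# "NAT64: <proto> VPN: a --> b  src6.port[src4:port] --> dst6.port[dst4:port]"
# The number after an address is the port (the echo identifier for icmp6);
# the bracketed ip:port is the IPv4 side of the translation.
_NAT64 = re.compile(
    r"NAT64:\s*(?P<proto>\S+)\s+VPN:\s*(?P<svpn>\S+)\s*-->\s*(?P<dvpn>\S+)\s+"
    r"(?P<src6>[0-9A-Fa-f:]+)\.(?P<sport>\d+)\[(?P<src4>[0-9.]+):(?P<snport>\d+)\]"
    r"\s*-->\s*"
    r"(?P<dst6>[0-9A-Fa-f:]+)\.(?P<dport>\d+)\[(?P<dst4>[0-9.]+):(?P<dnport>\d+)\]"
)


def parse_nat64_session(line: str) -> Dict[str, Any]:
    """Split one 'display firewall ipv6 session table' NAT64 entry into its fields."""
    m = _NAT64.search(line)
    if not m:
        raise ValueError("not a NAT64 session line")
    s: Dict[str, Any] = {k: m[k] for k in ("proto", "src6", "src4", "dst6", "dst4")}
    s.update(src6_port=int(m["sport"]), src4_port=int(m["snport"]),
             dst6_port=int(m["dport"]), dst4_port=int(m["dnport"]))
    return s


def nat64_session_consistent(s: Dict[str, Any], prefix: str) -> bool:
    """True when the entry matches a /96 NAT64 with the given prefix: the IPv6
    destination decodes to the bracketed IPv4 server and the IPv6 source is a
    native address outside the prefix."""
    try:
        decoded = nat64_extract(prefix, s["dst6"])
    except ValueError:
        return False
    native_source = ipaddress.IPv6Address(s["src6"]) not in ipaddress.IPv6Network(prefix)
    return decoded == ipaddress.IPv4Address(s["dst4"]) and native_source


if __name__ == "__main__":
    print(nat64_synthesize(NAT64_PREFIX, "1.1.3.1"))   # the address PC2 pinged
    print(nat64_extract(NAT64_PREFIX, "6000::0101:301"))
    s = parse_nat64_session(SAMPLE_NAT64_LINE)
    print(s["src6"], "->", s["src4"], s["src4_port"],
          "| consistent:", nat64_session_consistent(s, NAT64_PREFIX))
```

      If the consistency check fails on a live entry, the prefix assumed here is not the one configured on the CGN, or the destination address came from a resolver that is not synthesizing with that prefix.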

Updated: 2019-01-26

Document ID: EDOC1100062972