HUAWEI Firewall Comprehensive Configuration Examples

This document describes the application scenarios and configuration methods in typical projects of the firewall.
Configuring Source NAT

Procedure

  1. Configure NAT address pool pool_isp1_1 and set the address pool type to NAPT (mode pat).

    HRP_M[FW_A] nat address-group pool_isp1_1
    HRP_M[FW_A-address-group-pool_isp1_1] mode pat
    HRP_M[FW_A-address-group-pool_isp1_1] section 1.1.1.10 1.1.1.12
    HRP_M[FW_A-address-group-pool_isp1_1] route enable
    HRP_M[FW_A-address-group-pool_isp1_1] quit
    
    NOTE:

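    Run the route enable command to generate a UNR (user network route) for the addresses in the NAT address pool. The UNR works like a black-hole route: packets sent to a pool address that match no session are dropped instead of being forwarded back out, which prevents a routing loop.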

  2. Configure the NAT policy between the Trust and isp1_1 zones to translate source addresses of packets from the Trust zone to addresses in pool_isp1_1.

    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat1
    HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone isp1_1
    HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group pool_isp1_1
    HRP_M[FW_A-policy-nat-rule-policy_nat1] quit
    HRP_M[FW_A-policy-nat] quit

  3. Configure NAT address pool pool_isp1_2 and set the address pool type to NAPT (mode pat).

    HRP_M[FW_A] nat address-group pool_isp1_2
    HRP_M[FW_A-address-group-pool_isp1_2] mode pat
    HRP_M[FW_A-address-group-pool_isp1_2] section 1.1.2.10 1.1.2.12
    HRP_M[FW_A-address-group-pool_isp1_2] route enable
    HRP_M[FW_A-address-group-pool_isp1_2] quit
    

  4. Configure the NAT policy between the Trust and isp1_2 zones to translate source addresses of packets from the Trust zone to addresses in pool_isp1_2.

    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat2
    HRP_M[FW_A-policy-nat-rule-policy_nat2] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat2] destination-zone isp1_2
    HRP_M[FW_A-policy-nat-rule-policy_nat2] action source-nat address-group pool_isp1_2
    HRP_M[FW_A-policy-nat-rule-policy_nat2] quit
    HRP_M[FW_A-policy-nat] quit

  5. Configure NAT address pool pool_isp2_1 and set the address pool type to NAPT (mode pat).

    HRP_M[FW_A] nat address-group pool_isp2_1
    HRP_M[FW_A-address-group-pool_isp2_1] mode pat
    HRP_M[FW_A-address-group-pool_isp2_1] section 2.2.2.10 2.2.2.12
    HRP_M[FW_A-address-group-pool_isp2_1] route enable
    HRP_M[FW_A-address-group-pool_isp2_1] quit
    

  6. Configure the NAT policy between the Trust and isp2_1 zones to translate source addresses of packets from the Trust zone to addresses in pool_isp2_1.

    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat3
    HRP_M[FW_A-policy-nat-rule-policy_nat3] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat3] destination-zone isp2_1
    HRP_M[FW_A-policy-nat-rule-policy_nat3] action source-nat address-group pool_isp2_1
    HRP_M[FW_A-policy-nat-rule-policy_nat3] quit
    HRP_M[FW_A-policy-nat] quit

  7. Configure NAT address pool pool_isp2_2 and set the address pool type to NAPT (mode pat).

    HRP_M[FW_A] nat address-group pool_isp2_2
    HRP_M[FW_A-address-group-pool_isp2_2] mode pat
    HRP_M[FW_A-address-group-pool_isp2_2] section 2.2.3.10 2.2.3.12
    HRP_M[FW_A-address-group-pool_isp2_2] route enable
    HRP_M[FW_A-address-group-pool_isp2_2] quit
    

  8. Configure the NAT policy between the Trust and isp2_2 zones to translate source addresses of packets from the Trust zone to addresses in pool_isp2_2.

    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat4
    HRP_M[FW_A-policy-nat-rule-policy_nat4] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat4] destination-zone isp2_2
    HRP_M[FW_A-policy-nat-rule-policy_nat4] action source-nat address-group pool_isp2_2
    HRP_M[FW_A-policy-nat-rule-policy_nat4] quit
    HRP_M[FW_A-policy-nat] quit

  9. Configure NAT ALG.
    1. Configure NAT ALG between the Trust zone and the isp1 zones (isp1_1, isp1_2), between the Trust zone and the isp2 zones (isp2_1, isp2_2), and between the Trust and DMZ zones.

      HRP_M[FW_A] firewall interzone trust isp1_1
      HRP_M[FW_A-interzone-trust-isp1_1] detect ftp
      HRP_M[FW_A-interzone-trust-isp1_1] detect sip
      HRP_M[FW_A-interzone-trust-isp1_1] detect h323
      HRP_M[FW_A-interzone-trust-isp1_1] detect rtsp
      HRP_M[FW_A-interzone-trust-isp1_1] detect qq
      HRP_M[FW_A-interzone-trust-isp1_1] quit
      HRP_M[FW_A] firewall interzone trust isp1_2
      HRP_M[FW_A-interzone-trust-isp1_2] detect ftp
      HRP_M[FW_A-interzone-trust-isp1_2] detect sip
      HRP_M[FW_A-interzone-trust-isp1_2] detect h323
      HRP_M[FW_A-interzone-trust-isp1_2] detect rtsp
      HRP_M[FW_A-interzone-trust-isp1_2] detect qq
      HRP_M[FW_A-interzone-trust-isp1_2] quit
      HRP_M[FW_A] firewall interzone trust isp2_1
      HRP_M[FW_A-interzone-trust-isp2_1] detect ftp
      HRP_M[FW_A-interzone-trust-isp2_1] detect sip
      HRP_M[FW_A-interzone-trust-isp2_1] detect h323
      HRP_M[FW_A-interzone-trust-isp2_1] detect rtsp
      HRP_M[FW_A-interzone-trust-isp2_1] detect qq
      HRP_M[FW_A-interzone-trust-isp2_1] quit
      HRP_M[FW_A] firewall interzone trust isp2_2
      HRP_M[FW_A-interzone-trust-isp2_2] detect ftp
      HRP_M[FW_A-interzone-trust-isp2_2] detect sip
      HRP_M[FW_A-interzone-trust-isp2_2] detect h323
      HRP_M[FW_A-interzone-trust-isp2_2] detect rtsp
      HRP_M[FW_A-interzone-trust-isp2_2] detect qq
      HRP_M[FW_A-interzone-trust-isp2_2] quit
      HRP_M[FW_A] firewall interzone trust dmz
      HRP_M[FW_A-interzone-trust-dmz] detect ftp
      HRP_M[FW_A-interzone-trust-dmz] detect sip
      HRP_M[FW_A-interzone-trust-dmz] detect h323
      HRP_M[FW_A-interzone-trust-dmz] detect rtsp
      HRP_M[FW_A-interzone-trust-dmz] detect qq
      HRP_M[FW_A-interzone-trust-dmz] quit
      

    2. Configure NAT ALG between the DMZ zone and the isp1 zones (isp1_1, isp1_2) and between the DMZ zone and the isp2 zones (isp2_1, isp2_2).

      HRP_M[FW_A] firewall interzone dmz isp1_1
      HRP_M[FW_A-interzone-dmz-isp1_1] detect ftp
      HRP_M[FW_A-interzone-dmz-isp1_1] detect sip
      HRP_M[FW_A-interzone-dmz-isp1_1] detect h323
      HRP_M[FW_A-interzone-dmz-isp1_1] detect rtsp
      HRP_M[FW_A-interzone-dmz-isp1_1] detect qq
      HRP_M[FW_A-interzone-dmz-isp1_1] quit
      HRP_M[FW_A] firewall interzone dmz isp1_2
      HRP_M[FW_A-interzone-dmz-isp1_2] detect ftp
      HRP_M[FW_A-interzone-dmz-isp1_2] detect sip
      HRP_M[FW_A-interzone-dmz-isp1_2] detect h323
      HRP_M[FW_A-interzone-dmz-isp1_2] detect rtsp
      HRP_M[FW_A-interzone-dmz-isp1_2] detect qq
      HRP_M[FW_A-interzone-dmz-isp1_2] quit
      HRP_M[FW_A] firewall interzone dmz isp2_1
      HRP_M[FW_A-interzone-dmz-isp2_1] detect ftp
      HRP_M[FW_A-interzone-dmz-isp2_1] detect sip
      HRP_M[FW_A-interzone-dmz-isp2_1] detect h323
      HRP_M[FW_A-interzone-dmz-isp2_1] detect rtsp
      HRP_M[FW_A-interzone-dmz-isp2_1] detect qq
      HRP_M[FW_A-interzone-dmz-isp2_1] quit
      HRP_M[FW_A] firewall interzone dmz isp2_2
      HRP_M[FW_A-interzone-dmz-isp2_2] detect ftp
      HRP_M[FW_A-interzone-dmz-isp2_2] detect sip
      HRP_M[FW_A-interzone-dmz-isp2_2] detect h323
      HRP_M[FW_A-interzone-dmz-isp2_2] detect rtsp
      HRP_M[FW_A-interzone-dmz-isp2_2] detect qq
      HRP_M[FW_A-interzone-dmz-isp2_2] quit
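
A consistency check for the procedure above, as an added example that is not part of the original document or of Huawei's tooling: it reads a CLI transcript and reports pools without `mode pat` or `route enable`, NAT rules whose `source-nat` pool was never defined, and zone pairs missing one of the five ALG protocols from step 9. The function names, the handling of an `HRP_S` standby prompt and the sample transcript are assumptions made for this example.

```python
import re

PROMPT = re.compile(r"^\s*(?:HRP_[MS])?\[[^\]]*\]\s*")  # "HRP_M[FW_A-policy-nat] "
ALG = {"ftp", "sip", "h323", "rtsp", "qq"}  # protocols step 9 enables per zone pair
POOL_ACTION = "action source-nat address-group "

def parse(transcript):
    """Group commands by the pool, NAT rule or zone pair they were entered under."""
    pools, rules, alg, ctx = {}, {}, {}, None
    for line in transcript.splitlines():
        w = PROMPT.sub("", line).split()
        if w[:2] == ["nat", "address-group"] and len(w) > 2:
            ctx = pools.setdefault(w[2], set())
        elif w[:2] == ["rule", "name"] and len(w) > 2:
            ctx = rules.setdefault(w[2], set())
        elif w[:2] == ["firewall", "interzone"] and len(w) > 3:
            ctx = alg.setdefault("-".join(sorted(w[2:4])), set())
        elif w[:1] == ["quit"]:
            ctx = None
        elif w and ctx is not None:
            ctx.add(" ".join(w))
    return pools, rules, alg

def audit(transcript):
    """Return deviations from the procedure as human-readable findings."""
    pools, rules, alg = parse(transcript)
    out = [f"{n}: missing '{need}'" for n, c in pools.items()
           for need in ("mode pat", "route enable") if need not in c]
    for name, cmds in rules.items():
        used = [c.split()[3] for c in cmds if c.startswith(POOL_ACTION)]
        out += [f"{name}: pool {p} is not defined" for p in used if p not in pools]
    for pair, cmds in alg.items():
        missing = ALG - {c.split()[1] for c in cmds if c.startswith("detect ")}
        if missing:
            out.append(f"{pair}: ALG not enabled for {', '.join(sorted(missing))}")
    return out

# Constructed transcript with three deliberate gaps (not taken from the page).
SAMPLE = """\
HRP_M[FW_A] nat address-group pool_isp1_1
HRP_M[FW_A-address-group-pool_isp1_1] mode pat
HRP_M[FW_A-address-group-pool_isp1_1] quit
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group pool_isp1_2
HRP_M[FW_A-policy-nat-rule-policy_nat1] quit
HRP_M[FW_A] firewall interzone trust isp1_1
HRP_M[FW_A-interzone-trust-isp1_1] detect ftp
"""
print("\n".join(audit(SAMPLE)))
```

An empty result means every pool, rule and zone pair in the transcript matches the steps above; the check compares against this procedure only and says nothing about whether each ALG is needed in a given deployment.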
      

Updated: 2019-01-26

Document ID: EDOC1100062972
