HUAWEI USG6000, USG6000E, USG9500, and NGFW Module Quick Configuration Guide (with New Web UI)

Published On: 2021-05-13
Document ID: EDOC1100109033
Quick Configuration Guide
HUAWEI USG6000, USG6000E, USG9500, and NGFW Module
(with New Web UI)



Issue: 04 (2021-05-07)
Contents

Logging In to the Web Configuration Page
Example 1: Accessing the Internet Using a Static IP Address
Example 2: Accessing the Internet Using PPPoE
Example 3: Accessing the Internet Through Multiple ISP Networks
Example 4: NAPT for Intranet Users to Access the Internet
Example 5: NAT Server for Internet Users to Access Intranet Servers
Example 6: Both Intranet and Internet Users Accessing an Intranet Server
Example 7: Site-to-Site IPSec Tunnel
Example 8: Site-to-Multisite IPSec Tunnel (Policy Template)
Example 9.1: L2TP over IPSec Access from Clients (SecoClient)
Example 9.2: L2TP over IPSec Access from Clients (Windows XP)
Example 9.3: L2TP over IPSec Access from Clients (Windows 7)
Example 9.4: L2TP over IPSec Access from Clients (Windows 10)
Example 9.5: L2TP over IPSec Access from Clients (Mac OS X)
Example 9.6: L2TP over IPSec Access from Clients (Android)
Example 9.7: L2TP over IPSec Access from Clients (iOS)
Example 10.1: SSL VPN Tunnel Access (Local Authentication)
Example 10.2: SSL VPN Tunnel Access (Certificate Challenge)
Example 11: Firewall Transparent Access for Load Balancing
Example 12: Active/Standby Firewalls Attached to Layer-3 Devices
Example 13: Load Balancing Firewalls Attached to Layer-3 Devices
Example 14: Active/Standby Backup in In-path Deployment
Example 15: Load Balancing in In-path Deployment
Example 16: Configuring Source Address-based PBR
Example 17: User-specific Bandwidth Management
Example 18: Application Control (Limiting P2P Traffic and Disabling QQ)

Note:
• This document is written based on USG6000E V600R007C00 and can be used as a reference for USG6000E V600R007C00, USG6000/USG9500/NGFW Module V500R005C20, and later versions. The web UI may vary according to the version. You can refer to the configuration procedure in this case, but the actual web UI prevails.
• This document describes only the web UI configuration in typical firewall scenarios. For details about feature principles, CLI configuration methods, and more configuration cases, log in to the Huawei enterprise technical support website and download the corresponding product documentation. If you want to learn how to locate and rectify common firewall faults, log in to the Huawei enterprise technical support website and download the maintenance guide of the corresponding product.



Logging In to the Web Configuration Page

Networking diagram: the administrator PC (192.168.0.*) connects to the firewall's management interface GE0/0/0 (192.168.0.1/24).

Default Settings
Management interface: GE0/0/0
IP address: 192.168.0.1/24
User name/password: The default username and password are available in HUAWEI Security Products Default Usernames and Passwords. If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

Supported Browser Versions (browser names appear only as icons in the original): 10.0-11.0; 62.0 (or later versions); 64.0 (or later versions)

Note: For USG6000E V600R007C20 and later versions, there is no administrator by default. If you log in to the web interface for the first time, you must register an administrator account and password. Administrators created in this mode have the system administrator role and web service type, but cannot be the virtual system administrator "manager-user@@vsys-name".



Logging In to the Web Configuration Page

Login Procedure (Internet Explorer for Example)

1. Set the IP address of the administrator PC within the range 192.168.0.2 to 192.168.0.254.
2. Open the browser on the administrator PC. In the address box, enter the default IP address of the management interface (https://192.168.0.1:8443).
3. The browser displays an insecure certificate warning. Select Continue to this website (not recommended).

On the login page, you can click Download CA certificate to download the certificate issued by the device and import the certificate to the browser on the administrator PC. Then, the insecure certificate warning will not be displayed upon the next login.



Logging In to the Web Configuration Page

4. Enter the user name and password.
5. Log in to the web configuration page.

Web UI functional areas (screenshot): Buttons, Tabs, Navigation Tree, Operation Area, CLI Console.



Example 1: Accessing the Internet Using a Static IP Address - Networking Diagram

Networking diagram: intranet PCs (Trust zone) connect to firewall interface GE0/0/2 (10.3.0.1/24); firewall interface GE0/0/1 (1.1.1.1/24, Untrust zone) connects to the carrier router 1.1.1.254.

All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The static IP address that the enterprise obtains from the carrier is 1.1.1.1, with a 24-bit subnet mask. The enterprise accesses the Internet through the firewall.

Item / Data / Description:
DNS server: 1.2.2.2/24 (obtained from the carrier)
Gateway IP address: 1.1.1.254/24 (obtained from the carrier)



Example 1: Accessing the Internet Using a Static IP Address - Step 1: Configure Interfaces

Screenshots: set WAN interface parameters; set LAN interface parameters.



Example 1: Accessing the Internet Using a Static IP Address - Step 2: Configure the DHCP Service

Screenshots: configure the DHCP service for LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.



Example 1: Accessing the Internet Using a Static IP Address - Step 3: Configure Security Policy

Screenshots: permit intranet IP addresses to access the Internet.



Example 1: Accessing the Internet Using a Static IP Address - Step 4: Configure Source NAT

Screenshots: add a source NAT policy for intranet users to access the Internet using a public IP address.



Example 1: Accessing the Internet Using a Static IP Address - Step 5: Verify the Configurations

1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
2. Run the ipconfig /all command on the PC; the PC has obtained the correct IP address and DNS server address.
3. The PC on the LAN can use domain names to access the Internet.



Example 2: Accessing the Internet Using PPPoE - Networking Diagram

Networking diagram: intranet PCs (10.3.0.0/24, Trust zone) connect to firewall interface GE0/0/2 (10.3.0.1/24); firewall interface GE0/0/1 (Untrust zone) acts as the PPPoE client toward the carrier's PPPoE server.

All PCs on the LAN are deployed on subnet 10.3.0.0/24. They dynamically obtain IP addresses through DHCP.
The firewall, acting as a client, obtains an IP address by dialing up to the carrier's server through PPPoE for Internet access.

Item / Data / Description:
GigabitEthernet 0/0/1: Security zone: Untrust; dial-up user name: user; dial-up password: Password@ (obtains an IP address and a DNS address from the PPPoE server, deployed by the carrier, through dial-up)
GigabitEthernet 0/0/2: IP address: 10.3.0.1/24; security zone: Trust (uses DHCP to dynamically assign IP addresses to PCs on the LAN)
DNS server: 1.2.2.2/24 (obtains the address from the carrier)



Example 2: Accessing the Internet Using PPPoE - Step 1: Configure Interfaces

Screenshots: set WAN interface parameters; set LAN interface parameters.



Example 2: Accessing the Internet Using PPPoE - Step 2: Configure the DHCP Service

Screenshots: configure the DHCP service for LAN interface GE0/0/2 to assign IP addresses to PCs on the LAN.



Example 2: Accessing the Internet Using PPPoE - Step 3: Configure Security Policy

Screenshots: permit intranet IP addresses to access the Internet.



Example 2: Accessing the Internet Using PPPoE - Step 4: Configure Source NAT

Screenshots: add a source NAT policy for intranet users to access the Internet using a public IP address.



Example 2: Accessing the Internet Using PPPoE - Step 5: Configure Default Route

Screenshots: configure a default route to ensure that intranet users are routable to the Internet.



Example 2: Accessing the Internet Using PPPoE - Step 6: Verify the Configurations

1. Both the physical and IPv4 states of interface GigabitEthernet 0/0/1 are Up.
2. Run the ipconfig /all command on the PC; the PC has obtained the correct IP address and DNS server address.
3. The PC on the LAN can use domain names to access the Internet.



Example 3: Accessing the Internet Through Multiple ISP Networks - Networking Diagram

Networking diagram: PCs on the student network connect to FW interface GE0/0/3 (10.3.0.1/24) and PCs on the teacher network to GE0/0/4 (10.3.1.1/24), both in the Trust zone; the education network is reached through the Untrust zone and the ISP network through the Untrust1 zone.

A college deploys a firewall as a security gateway on the campus network. PCs on the student network can access the Internet only through the education network, and PCs on the teacher network can access the Internet only through the ISP network.

Item                 policy_route_1       policy_route_2
Type                 Inbound Interface    Inbound Interface
Inbound Interface    GE0/0/3              GE0/0/4
Source Address       10.3.0.0/24          10.3.1.0/24
Action               Forward              Forward
Egress Type          Single               Single
Outbound Interface   GE0/0/2              GE0/0/1
Next Hop             2.2.2.254            1.1.1.254



Example 3: Accessing the Internet Through Multiple ISP Networks - Step 1: Configure Security Zones

Screenshots: create security zone untrust1.



Example 3: Accessing the Internet Through Multiple ISP Networks - Step 2: Configure the Interfaces

Screenshots: set parameters for the two WAN interfaces; set parameters for the two LAN interfaces.



Example 3: Accessing the Internet Through Multiple ISP Networks - Step 3: Configure Security Policies

Screenshots: allow PCs on the student network to access the Internet; allow PCs on the teacher network to access the Internet.


Example 3: Accessing the Internet Through Multiple ISP Networks - Step 4: Configure Source NAT Address Pools

Screenshots: create NAT address pool addres_1; create NAT address pool addres_2.



Example 3: Accessing the Internet Through Multiple ISP Networks - Step 5: Configure Source NAT Policies

Screenshots: perform address translation when PCs on the student network access the Internet; perform address translation when PCs on the teacher network access the Internet.



Example 3: Accessing the Internet Through Multiple ISP Networks - Step 6: Configure PBR Routes

Screenshots: PCs on the student network access the Internet through GigabitEthernet 0/0/2 over the education network; PCs on the teacher network access the Internet through GigabitEthernet 0/0/1.



Example 3: Accessing the Internet Through Multiple ISP Networks - Step 7: Verify the Configurations

PCs on the student network access the Internet through GigabitEthernet 0/0/2 over the education network.
PCs on the teacher network access the Internet through GigabitEthernet 0/0/1 over the ISP network.

Screenshot: session table information when the PC 10.3.0.2 of a student and the PC 10.3.1.2 of a teacher access extranet host 10.30.1.1 respectively.
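The policy-based routing of Example 3, modelled as an added example (not code from the Huawei guide): the two rules of the policy_route_1/policy_route_2 table are matched on inbound interface AND source address before the routing table is consulted, and a consistency check flags a rule whose source prefix does not belong to its inbound interface. The default route toward 1.1.1.254 and the extranet host 10.30.1.1 flows are constructed for the demonstration.

```python
import ipaddress

# Added example, not from the Huawei guide: the two policy-based routes of
# Example 3 (policy_route_1 / policy_route_2) and the LAN interfaces they
# are bound to.
INTERFACES = {"GE0/0/3": "10.3.0.1/24", "GE0/0/4": "10.3.1.1/24"}

POLICY_ROUTES = [
    {"name": "policy_route_1", "inbound": "GE0/0/3",
     "source": ipaddress.ip_network("10.3.0.0/24"),
     "outbound": "GE0/0/2", "next_hop": "2.2.2.254"},   # education network
    {"name": "policy_route_2", "inbound": "GE0/0/4",
     "source": ipaddress.ip_network("10.3.1.0/24"),
     "outbound": "GE0/0/1", "next_hop": "1.1.1.254"},   # ISP network
]

# Constructed fallback: the guide does not show the ordinary routing table
# for Example 3, so a default route toward the ISP next hop is assumed.
ROUTING_TABLE_DEFAULT = {"outbound": "GE0/0/1", "next_hop": "1.1.1.254",
                         "via": "routing-table"}


def select_egress(inbound_if, src_ip):
    """Egress decision for one packet.  PBR is consulted before the routing
    table; a rule matches only when BOTH its inbound interface and its source
    address condition hold, and the first matching rule wins."""
    src = ipaddress.ip_address(src_ip)
    for rule in POLICY_ROUTES:
        if rule["inbound"] == inbound_if and src in rule["source"]:
            return {"outbound": rule["outbound"], "next_hop": rule["next_hop"],
                    "via": rule["name"]}
    return dict(ROUTING_TABLE_DEFAULT)


def audit_policy_routes(routes=POLICY_ROUTES, interfaces=INTERFACES):
    """List rules whose source prefix is not the subnet connected to their
    inbound interface.  Such a rule can never match, so its traffic silently
    falls back to the routing table; an empty list means every rule is
    consistent with the interface it is bound to."""
    problems = []
    for rule in routes:
        connected = ipaddress.ip_interface(interfaces[rule["inbound"]]).network
        if rule["source"] != connected:
            problems.append(f"{rule['name']}: source {rule['source']} is not the "
                            f"connected subnet {connected} of {rule['inbound']}")
    return problems


def session_view(flows):
    """Mimic the Step 7 session-table check: for each (inbound interface,
    source IP, destination IP) report which path the session takes."""
    rows = []
    for inbound_if, src_ip, dst_ip in flows:
        decision = select_egress(inbound_if, src_ip)
        rows.append((src_ip, dst_ip, decision["outbound"], decision["via"]))
    return rows


if __name__ == "__main__":
    # Constructed flows: the student PC 10.3.0.2 and the teacher PC 10.3.1.2
    # from Step 7, plus a student address arriving on the teacher interface,
    # which matches neither rule and therefore takes the default route.
    for row in session_view([("GE0/0/3", "10.3.0.2", "10.30.1.1"),
                             ("GE0/0/4", "10.3.1.2", "10.30.1.1"),
                             ("GE0/0/4", "10.3.0.2", "10.30.1.1")]):
        print(row)
    print("audit:", audit_policy_routes() or "ok")
```

The third flow is the case to watch when verifying: a source address that appears on the wrong interface bypasses both PBR rules and is forwarded by the routing table, so the session table, not the PBR rule counters, shows where it really went.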



Example 4: NAPT for Intranet Users to Access the Internet - Networking Diagram

Networking diagram: PC_A and PC_B on intranet 10.1.1.0/24 (VLAN100) connect through the aggregation switch (10.1.2.1/24) to FW interface GE0/0/1 (trust zone); FW interface GE0/0/3 (untrust zone) connects to the egress gateway (10.1.2.2/24, VLAN100), whose ISP-facing address is 1.1.1.1/24. The source NAT policy is applied on FW.

The firewall is deployed at the border of a network in transparent mode. Its uplink and downlink service interfaces work in Layer 2 mode.
A source NAT policy is configured on the firewall to allow users in network segment 10.1.1.0/24 to access the Internet.

Item / Data / Description:
Intranet segment that is allowed to access the Internet: 10.1.1.0/24
Public addresses mapped to private addresses: 1.1.1.10 to 1.1.1.15 (As private addresses far outnumber public addresses, one-to-one mapping cannot be implemented. To translate all private addresses into public addresses, enable port translation.)
Black-hole routes on the aggregation switch: destination address 1.1.1.10 to 1.1.1.15, next hop NULL 0 (The black-hole routes prevent routing loops between the aggregation switch and the egress gateway when Internet users access the post-NAT public addresses.)
Static routes on the egress gateway: destination address 1.1.1.10 to 1.1.1.15, next hop 10.1.2.1 (Configure a static route with a 32-bit destination address.)
Static routes on the ISP router: destination address 1.1.1.10 to 1.1.1.15, next hop address 1.1.1.1 (As the post-NAT public addresses do not correspond to ports, routing protocols cannot discover such routes. Therefore, you must configure static routes to the public addresses on the ISP router.)



Example 4: NAPT for Intranet Users to Access the Internet - Step 1: Configure the Interfaces on FW

Screenshots: set LAN interface parameters; set WAN interface parameters.



Example 4: NAPT for Intranet Users to Access the Internet - Step 2: Configure Security Policies on FW

Screenshots: allow intranet users to access the Internet.



Example 4: NAPT for Intranet Users to Access the Internet - Step 3: Configure a NAT Address Pool on FW

Screenshots: configure a NAT address pool to provide public addresses for intranet users.



Example 4: NAPT for Intranet Users to Access the Internet - Step 4: Configure NAT Policies on FW

Screenshots: configure a NAT policy for access from the intranet to the Internet.



Example 4: NAPT for Intranet Users to Access the Internet - Step 5: Verify the Configurations

1. Intranet hosts can access the Internet.
2. The source NAT policy table shows that the source NAT policy has been matched.



Example 5: NAT Server for Internet Users to Access Intranet Servers - Networking Diagram

Networking diagram: the FTP server 10.2.0.8/24 (subnet 10.2.0.0/24, trust zone) connects to FW interface GE0/0/2 (10.2.0.1/24); FW reaches ISP1 through zone untrust1 and ISP2 through zone untrust2.

A firewall is deployed at the network border as a security gateway. It accesses the Internet through two ISP networks.
In this example, NAT Server is configured on the firewall to provide different service addresses of intranet servers for users on the ISP networks.

Item / Data / Description:
NAT Server1: public IP address 1.1.1.10; private IP address 10.2.0.8; public port 21; private port 21; zone untrust1 (When Internet users send traffic to 1.1.1.10, the FW can forward the traffic to the FTP server based on this mapping entry.)
NAT Server2: public IP address 2.2.2.20; private IP address 10.2.0.8; public port 21; private port 21; zone untrust2 (When Internet users send traffic to 2.2.2.10, the FW can forward the traffic to the FTP server based on this mapping entry.)
Static routes on the ISP1 router: destination address 1.1.1.10; next hop address 1.1.1.1
Static routes on the ISP2 router: destination address 2.2.2.10; next hop address 2.2.2.2



Example 5: NAT Server for Internet Users to Access Intranet Servers - Step 1: Create Security Zones on FW

Screenshots: create security zones untrust1 and untrust2.



Example 5: NAT Server for Internet Users to Access Intranet Servers - Step 2: Configure the Interfaces on FW

Screenshots: set parameters for the interface connecting to the ISP1 network; set parameters for the interface connecting to the ISP2 network; set LAN interface parameters.



Example 5: NAT Server for Internet Users to Access Intranet Servers - Step 3: Configure Security Policies on FW

Screenshots: allow Internet users to access intranet servers.



Example 5: NAT Server for Internet Users to Access Intranet Servers - Step 4: Configure NAT Server on FW

Screenshots: configure server mappings policy_ftp1 and policy_ftp2.



Example 5: NAT Server for Internet Users to Access Intranet Servers - Step 5: Enable NAT ALG for FTP

Screenshots: enable the NAT ALG for FTP.



Example 5: NAT Server for Internet Users to Access Intranet Servers - Step 6: Verify the Configurations

1. Internet users can access intranet servers through different ISP networks.
2. Click Diagnose to view the server mapping status. If the current state is Connected, the intranet server is reachable.



Example 6: Both Intranet and Internet Users Accessing an Intranet Server - Networking Diagram

Networking diagram: the PC (10.3.0.31/24) and the FTP server (10.3.0.30/24) share subnet 10.3.0.0/24 in the Trust zone behind firewall interface GE0/0/2 (10.3.0.1/24); firewall interface GE0/0/1 (1.1.1.1/24, Untrust zone) connects to the router 1.1.1.254/24.

Both intranet users and the FTP server for Internet users reside on subnet 10.3.0.0/24 in the Trust zone.
The enterprise uses a fixed IP address provided by the ISP to access the Internet.
Both intranet and Internet users use the public IP address 1.1.1.2 and port 2121 to access the FTP server, and intranet users use public IP address 1.1.1.1 to access the Internet.

Item / Data / Description:
GigabitEthernet 0/0/2: security zone: Trust; IP address: 10.3.0.1/24 (The FTP server uses 10.3.0.1 as the default gateway address.)
GigabitEthernet 0/0/1: security zone: Untrust; IP address: 1.1.1.1/24 (1.1.1.1/24 is a public address provided by the ISP.)
FTP server: public IP address: 1.1.1.2; public port: 2121
DNS server: 1.2.2.2/24 (obtained from the ISP)
Gateway IP address: 1.1.1.254/24 (obtained from the ISP)



Example 6: Both Intranet and Internet Users Accessing an Intranet Server - Step 1: Configure Interfaces

Screenshots: set WAN interface parameters; set LAN interface parameters.



Example 6: Both Intranet and Internet Users Accessing an Intranet Server - Step 2: Configure Security Policy

Screenshots: permit intranet users to access the Internet; permit Internet users to access the intranet FTP server.



Example 6: Both Intranet and Internet Users Accessing an Intranet Server - Step 3: Create NAT Address Pool

Screenshots: configure the public IP address 1.1.1.1 in a NAT address pool.



Example 6: Both Intranet and Internet Users Accessing an Intranet Server - Step 4: Configure Source NAT

Screenshots: add a source NAT policy for intranet users to access the Internet using a public IP address; add a source NAT policy for intranet users to access the public IP address of the FTP server.



Example 6: Both Intranet and Internet Users Accessing an Intranet Server - Step 5: Configure Server Mapping

Screenshots: map the private IP address of the FTP server to public IP address 1.1.1.2.



Example 6: Both Intranet and Internet Users Accessing an Intranet Server - Step 6: Configure NAT ALG

Screenshots: NAT ALG settings. By default, the NAT ALG is enabled for FTP.



Example 6: Both Intranet and Internet Users Accessing an Intranet Server - Step 7: Verify the Configurations

1. The PC on the LAN can access the Internet.
2. Internet users can access public IP address 1.1.1.2 and port 2121 of the FTP server. Intranet users can access public IP address 1.1.1.2 and port 2121 of the FTP server.
3. Choose Policy > NAT Policy > NAT Policy on the firewall to view the number of packets that match the configured source NAT policy.
4. Choose Monitor > Session Table on the firewall to view NAT information. Check for the entries in which the destination address is 1.1.1.2. To view the port translation information, click the icon next to the corresponding entry.
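The NAT behaviour of Example 4 (NAPT through the pool 1.1.1.10 to 1.1.1.15) and Example 6 (server mapping 1.1.1.2:2121 plus the second source NAT policy for intranet users), as one added model that is not code from the Huawei guide. Assumptions: NAT Server is applied before the source NAT policies are matched, source NAT policies are selected by source address and destination zone, the FTP server's private port is 21 (the guide states only the public port), the translated source ports start at 10240, and the Internet host 203.0.113.5 is a constructed TEST-NET address.

```python
import ipaddress
from itertools import count


class NatEngine:
    """Toy model of the firewall NAT path in Examples 4 and 6 (added example,
    not Huawei code).  Model assumptions: NAT Server is applied before source
    NAT policies are matched, policies select on source address and destination
    zone, and every source-NAT flow gets its own (public address, port) pair."""

    def __init__(self, pool_first, pool_last, trust_subnets=(), first_port=10240):
        lo, hi = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
        self.pool = [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
        self.trust = [ipaddress.ip_network(n) for n in trust_subnets]
        self.server_maps = {}   # (public ip, public port) -> (private ip, private port)
        self.snat_rules = []    # (source network, destination zone); first match wins
        self.sessions = {}      # (public ip, public port) -> (original src ip, src port)
        self._ports = count(first_port)   # constructed port range for translated sources

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return "trust" if any(addr in net for net in self.trust) else "untrust"

    def add_server_mapping(self, pub_ip, pub_port, priv_ip, priv_port):
        self.server_maps[(pub_ip, pub_port)] = (priv_ip, priv_port)

    def add_snat_rule(self, src_net, dst_zone="untrust"):
        self.snat_rules.append((ipaddress.ip_network(src_net), dst_zone))

    def forward(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet entering from the client side; returns the packet
        as it leaves the firewall and the list of translations applied."""
        applied = []
        if (dst_ip, dst_port) in self.server_maps:            # NAT Server first
            dst_ip, dst_port = self.server_maps[(dst_ip, dst_port)]
            applied.append("nat-server")
        for src_net, dst_zone in self.snat_rules:             # then source NAT
            if ipaddress.ip_address(src_ip) in src_net and self.zone_of(dst_ip) == dst_zone:
                pub_ip = self.pool[len(self.sessions) % len(self.pool)]   # round-robin
                pub_port = next(self._ports)
                self.sessions[(pub_ip, pub_port)] = (src_ip, src_port)
                src_ip, src_port = pub_ip, pub_port
                applied.append("source-nat")
                break
        return (src_ip, src_port, dst_ip, dst_port), applied

    def reverse(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a reply from the server side: undo source NAT through the
        session table, then restore the public server address.  A reply with
        no session entry is dropped (None)."""
        original = self.sessions.get((dst_ip, dst_port))
        if original is None:
            return None
        dst_ip, dst_port = original
        for (pub_ip, pub_port), private in self.server_maps.items():
            if private == (src_ip, src_port):
                src_ip, src_port = pub_ip, pub_port
                break
        return (src_ip, src_port, dst_ip, dst_port)


def reply_reaches_firewall(packet_seen_by_server, server_subnet="10.3.0.0/24"):
    """True when the server must send its reply via its default gateway (in
    Example 6 that gateway is the firewall, 10.3.0.1), i.e. the client address
    it saw lies outside its own subnet."""
    client = ipaddress.ip_address(packet_seen_by_server[0])
    return client not in ipaddress.ip_network(server_subnet)


def example4_napt(hosts=12):
    """Example 4: 10.1.1.0/24 leaves through pool 1.1.1.10-1.1.1.15 with port
    translation.  Constructed traffic: `hosts` clients all reach the same
    Internet server 203.0.113.5:443; every flow must still get a distinct
    (public ip, port) pair although only six public addresses exist."""
    fw = NatEngine("1.1.1.10", "1.1.1.15", trust_subnets=["10.1.1.0/24"])
    fw.add_snat_rule("10.1.1.0/24", "untrust")
    return [fw.forward(f"10.1.1.{h}", 40000 + h, "203.0.113.5", 443)[0]
            for h in range(1, hosts + 1)]


def example6_hairpin(with_hairpin_rule=True):
    """Example 6: intranet PC 10.3.0.31 opens the FTP server through its public
    address 1.1.1.2:2121 (private port 21 is an assumption).  Returns the packet
    the server sees, the translations applied, and the reply as delivered to
    the PC (None if the reply never returns through the firewall)."""
    fw = NatEngine("1.1.1.1", "1.1.1.1", trust_subnets=["10.3.0.0/24"])
    fw.add_server_mapping("1.1.1.2", 2121, "10.3.0.30", 21)
    if with_hairpin_rule:
        # Second source NAT policy of Step 4: intranet users reaching the FTP
        # server; after NAT Server the destination is back in the trust zone.
        fw.add_snat_rule("10.3.0.0/24", "trust")
    fw.add_snat_rule("10.3.0.0/24", "untrust")     # first policy: intranet -> Internet
    to_server, applied = fw.forward("10.3.0.31", 50001, "1.1.1.2", 2121)
    if not reply_reaches_firewall(to_server):
        # Server and PC share a subnet: the reply goes straight to the PC with
        # source 10.3.0.30:21, which the PC never connected to, so the session fails.
        return to_server, applied, None
    reply = fw.reverse(to_server[2], to_server[3], to_server[0], to_server[1])
    return to_server, applied, reply
```

Calling example6_hairpin(with_hairpin_rule=False) shows why the second source NAT policy exists: without it the server sees the PC's own address, answers directly on the LAN, and the firewall never gets to restore the public address 1.1.1.2 the PC is expecting.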



Example 7: Site-to-Site IPSec Tunnel - Networking Diagram

Networking diagram: Firewall_A (Network A: GE0/0/3 10.1.1.1/24 in Trust, GE0/0/1 1.1.3.1/24 in Untrust) and Firewall_B (Network B: GE0/0/1 1.1.5.1/24 in Untrust, GE0/0/3 10.1.2.1/24 in Trust) are connected by an IPSec tunnel over the Internet.

Firewall_A and Firewall_B are egress gateways of Network A and Network B respectively, using fixed IP addresses to access the Internet.
Firewall_A and Firewall_B are reachable to each other.
Firewall_A and Firewall_B establish site-to-site IPSec tunnels in IKE negotiation mode so that the devices on both Network A and Network B can proactively initiate connections to the peer network.

Item                  Firewall_A        Firewall_B
Scenario              Site-to-Site      Site-to-Site
Peer IP Address       1.1.5.1           1.1.3.1
Authentication Type   Pre-Shared Key    Pre-Shared Key
Pre-Shared Key        Admin@123         Admin@123
Local ID              IP Address        IP Address
Peer ID               IP Address        IP Address



Example 7: Site-to-Site IPSec Tunnel - Step 1: Configure the Interfaces on Firewall_A

Screenshots: set WAN interface parameters; set LAN interface parameters.



Example 7: Site-to-Site IPSec Tunnel - Step 2: Configure Security Policies on Firewall_A

Screenshots: four security policies:
• Permit private IP addresses on Network A to connect to the private IP addresses on Network B.
• Permit private IP addresses on Network B to connect to the private IP addresses on Network A.
• Permit Firewall_A to connect to the public IP address of Firewall_B.
• Permit Firewall_B to use its public IP address to connect to Firewall_A.



Example 7: Site-to-Site IPSec Tunnel - Step 3: Configure Routes on Firewall_A

Screenshots: configure a route to private IP addresses on Network B. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.



Example 7: Site-to-Site IPSec Tunnel - Step 4: Configure IPSec on Firewall_A

Screenshots: select a scenario and complete basic settings; the pre-shared key is Admin@123; add a data flow to be encrypted; configure an IKE/IPSec proposal.

In the example, all IPSec proposal parameters use the default values. If you have specific requirements on these parameters, change them, but ensure that they are consistent with those on Firewall_B.



Example 7: Site-to-Site IPSec Tunnel - Step 5: Configure the Interfaces on Firewall_B

Screenshots: set WAN interface parameters; set LAN interface parameters.



Example 7: Site-to-Site IPSec Tunnel - Step 6: Configure Security Policies on Firewall_B

Screenshots: four security policies:
• Permit private IP addresses on Network B to connect to the private IP addresses on Network A.
• Permit private IP addresses on Network A to connect to the private IP addresses on Network B.
• Permit Firewall_B to connect to the public IP address of Firewall_A.
• Permit Firewall_A to use its public IP address to connect to Firewall_B.



Example 7: Site-to-Site IPSec Tunnel - Step 7: Configure Routes on Firewall_B

Screenshots: configure a route to private IP addresses on Network A. In the example, the next-hop IP address from Firewall_B to the Internet is 1.1.5.2.



Example 7: Site-to-Site IPSec Tunnel - Step 8: Configure IPSec on Firewall_B

Screenshots: select a scenario and complete basic settings; the pre-shared key is Admin@123; add a data flow to be encrypted; configure an IKE/IPSec proposal.

In the example, all IPSec proposal parameters use the default values. If you have specific requirements on these parameters, change them, but ensure that they are consistent with those on Firewall_A.



Example 7: Site-to-Site IPSec Tunnel - Step 9: Verify the Configurations

After the configuration is complete, view the IPSec policy list and IPSec tunnel monitoring information. You can view the established IPSec tunnel. Use a host on Network A to access a host or server on Network B. The access succeeds. Use a host on Network B to access a host or server on Network A. The access also succeeds.

Screenshots: IPSec policy list and IPSec tunnel monitoring information on Firewall_A, and the same on Firewall_B.

After the configuration is complete, if no IPSec tunnel is established, click Diagnose to check for the cause and solution.
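The four security policies of Step 2 on Firewall_A, as an added example (not code from the Huawei guide) of how a zone-based policy set decides what the tunnel needs: one pair of rules for the private networks and one pair for the firewalls' own public addresses, with every other flow denied by default. Assumptions: the firewall's own addresses belong to a zone called Local, the zone of a non-local address is that of the interface it is routed through, and a default route toward 1.1.3.2 out of GE0/0/1 is constructed.

```python
import ipaddress

# Firewall_A interfaces from the Example 7 diagram: (security zone, address).
INTERFACES = {
    "GE0/0/3": ("Trust", "10.1.1.1/24"),
    "GE0/0/1": ("Untrust", "1.1.3.1/24"),
}
LOCAL_ZONE = "Local"   # assumption: the zone holding the firewall's own addresses

# Route from Step 3 plus a constructed default route via the Internet next hop 1.1.3.2.
ROUTES = [("10.1.2.0/24", "GE0/0/1"), ("0.0.0.0/0", "GE0/0/1")]

# The four permit rules of Step 2 (callouts 4 to 7); everything else is denied.
RULES = [
    {"name": "A-private-to-B-private", "src_zone": "Trust",    "dst_zone": "Untrust",
     "src": "10.1.1.0/24", "dst": "10.1.2.0/24"},
    {"name": "B-private-to-A-private", "src_zone": "Untrust",  "dst_zone": "Trust",
     "src": "10.1.2.0/24", "dst": "10.1.1.0/24"},
    {"name": "FW_A-to-FW_B-public",    "src_zone": LOCAL_ZONE, "dst_zone": "Untrust",
     "src": "1.1.3.1/32",  "dst": "1.1.5.1/32"},
    {"name": "FW_B-public-to-FW_A",    "src_zone": "Untrust",  "dst_zone": LOCAL_ZONE,
     "src": "1.1.5.1/32",  "dst": "1.1.3.1/32"},
]


def egress_interface(ip):
    """Longest-prefix lookup over the connected subnets and ROUTES."""
    addr = ipaddress.ip_address(ip)
    candidates = [(ipaddress.ip_interface(a).network, name)
                  for name, (_, a) in INTERFACES.items()]
    candidates += [(ipaddress.ip_network(n), iface) for n, iface in ROUTES]
    best, best_len = None, -1
    for net, iface in candidates:
        if addr in net and net.prefixlen > best_len:
            best, best_len = iface, net.prefixlen
    return best


def zone_of(ip):
    """Local for the firewall's own interface addresses, otherwise the zone of
    the interface through which the address is reached (model simplification)."""
    addr = ipaddress.ip_address(ip)
    for zone, a in INTERFACES.values():
        if addr == ipaddress.ip_interface(a).ip:
            return LOCAL_ZONE
    return INTERFACES[egress_interface(ip)][0]


def evaluate(src_ip, dst_ip):
    """First matching rule wins; no match means the default action, deny.
    Returns (action, rule name or the zone pair that fell through)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if (rule["src_zone"], rule["dst_zone"]) != (src_zone, dst_zone):
            continue
        if src in ipaddress.ip_network(rule["src"]) and dst in ipaddress.ip_network(rule["dst"]):
            return "permit", rule["name"]
    return "deny", f"default ({src_zone} -> {dst_zone})"


if __name__ == "__main__":
    # Constructed flows: the two private-to-private directions, the IKE/ESP
    # exchange between the public addresses, and two flows the policy must
    # not let through: the peer's public address aimed straight at a private
    # host, and an unrelated Internet host (TEST-NET) aimed at Firewall_A.
    for flow in [("10.1.1.5", "10.1.2.7"), ("10.1.2.7", "10.1.1.5"),
                 ("1.1.3.1", "1.1.5.1"), ("1.1.5.1", "1.1.3.1"),
                 ("1.1.5.1", "10.1.1.5"), ("203.0.113.9", "1.1.3.1")]:
        print(flow, "->", evaluate(*flow))
```

The two denied flows are the ones worth keeping denied: the Local-zone rules admit only the configured peer, so an arbitrary Internet host cannot reach the IKE listener, and the peer's public address is accepted only for the tunnel itself, never as a source for cleartext traffic into Network A.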



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Networking Diagram

Networking diagram: Headquarters: FW_A with GE0/0/3 10.1.1.1/24 (Trust) and GE0/0/1 1.1.3.1/24 (Untrust), PC1 10.1.1.2/24. Branch 1: FW_B with GE0/0/1 (Untrust) and GE0/0/3 10.1.2.1/24 (Trust), PC2 10.1.2.2/24, connected to FW_A by IPSec Tunnel 1. Branch 2: FW_C with GE0/0/1 (Untrust) and GE0/0/3 10.1.3.1/24 (Trust), PC3 10.1.3.2/24, connected to FW_A by IPSec Tunnel 2.

Firewall_A is the egress gateway of the headquarters. Firewall_B and Firewall_C are egress gateways of branches 1 and 2, respectively. Firewall_A uses a fixed IP address to access the Internet. Firewall_B and Firewall_C use dynamically obtained IP addresses to access the Internet.
IPSec tunnels are established between Firewall_A and Firewall_B and between Firewall_A and Firewall_C, so that PCs in branches 1 and 2 can initiate connections to the headquarters (the headquarters is not allowed to initiate connections to branches).

Item                  Firewall_A (Headquarters)   Firewall_B (Branch 1)   Firewall_C (Branch 2)
Scenario              Site-to-Multisite           Site-to-Site            Site-to-Site
Peer IP Address       -                           1.1.3.1                 1.1.3.1
Authentication Type   Pre-Shared Key              Pre-Shared Key          Pre-Shared Key
Pre-Shared Key        Admin@123                   Admin@123               Admin@123
Local ID              IP Address                  IP Address              IP Address
Peer ID               any                         IP Address              IP Address



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 1: Configure the Interfaces on Firewall_A

Screenshots: set WAN interface parameters; set LAN interface parameters.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 2: Configure Security Policies on Firewall_A

Screenshots: four security policies:
• Allow the private IP address of the headquarters to access the private IP addresses of branches 1 and 2.
• Allow the private IP addresses of branches 1 and 2 to access the private IP address of the headquarters.
• Allow the public IP addresses of branches 1 and 2 to access Firewall_A.
• Allow Firewall_A to access the public IP addresses of branches 1 and 2.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 3: Configure Routes on Firewall_A

Screenshots: configure a route to the private IP addresses of branch 1 and a route to the private IP addresses of branch 2. In the example, the next-hop IP address from Firewall_A to the Internet is 1.1.3.2.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 4: Configure IPSec on Firewall_A

Screenshots: configure an IPSec policy; add the data flow (from the headquarters to branch 1) to be encrypted; add the data flow (from the headquarters to branch 2) to be encrypted.

If the static routes to branches are not configured based on step 3, select Reverse Route Injection in the Data Flow to Be Encrypted area, so that the private routes from the headquarters to branches are automatically generated.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 5: Configure the Interfaces on Firewall_B

Screenshots: configure the interface connecting to the Internet (in this example, the connection type is DHCP); set LAN interface parameters.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 6: Configure Security Policies on Firewall_B

Screenshots: four security policies:
• Allow the private IP address of branch 1 to access the private IP address of the headquarters.
• Allow the private IP address of the headquarters to access the private IP address of branch 1.
• Allow the public IP address of the headquarters to access Firewall_B.
• Allow Firewall_B to access the public IP address of the headquarters.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 7: Configure Routes on Firewall_B

Screenshots: configure a route to the private address of the headquarters.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 8: Configure IPSec on Firewall_B

This example uses the default values of proposal parameters. You can change the values as required.

Screenshots: select a scenario and complete basic settings; configure an IKE/IPSec proposal; add the data flow (from branch 1 to the headquarters) to be encrypted.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 9: Configure the Interfaces on Firewall_C

Screenshots: configure the interface connecting to the Internet (in this example, the connection type is DHCP); set LAN interface parameters.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 10: Configure Security Policies on Firewall_C

Screenshots: four security policies:
• Allow the private IP address of branch 2 to access the private IP address of the headquarters.
• Allow the private IP address of the headquarters to access the private IP address of branch 2.
• Allow the public IP address of the headquarters to access Firewall_C.
• Allow Firewall_C to access the public IP address of the headquarters.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 11: Configure Routes on Firewall_C

Screenshots: configure a route to the private address of the headquarters.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 12: Configure IPSec on Firewall_C

This example uses the default values of proposal parameters. You can change the values as required.

Screenshots: select a scenario and complete basic settings; configure an IKE/IPSec proposal; add the data flow (from branch 2 to the headquarters) to be encrypted.



Example 8: Site-to-Multisite IPSec Tunnel (Policy Template) - Step 13: Verify the Configuration

After the configuration is complete, query the IPSec policy list and IPSec monitoring list. The established IPSec tunnels are displayed. Use a PC in a branch to access a PC or server at the headquarters. The access succeeds.
If the IPSec tunnels are not successfully established, click Diagnose to query the cause and solution.

Screenshots: the IPSec policy list and IPSec monitoring list on Firewall_A, on Firewall_B, and on Firewall_C.



Example 9.1: L2TP over IPSec Access from Clients (SecoClient) - Networking Diagram

Networking diagram: the mobile user running SecoClient (LAC) connects over the Internet (Untrust zone) through an L2TP over IPSec VPN tunnel to the headquarters firewall (LNS), whose GE0/0/1 is 1.1.1.1/24 (Untrust) and GE0/0/2 is 10.1.1.1/24 (Trust); the server 10.1.2.1/24 sits behind the firewall.

The LAC client connects to the LNS at the headquarters over the Internet. The LAC client is required to initiate a connection request directly to the LNS, and the communication data with the LNS is transmitted through a tunnel. First, L2TP is used to encapsulate the Layer-2 data for identity authentication, and then IPSec is used to encrypt the data.

Item / Data:
LNS, L2TP settings: group name: default; user name: user0001; password: Password@123; address pool: pool, 172.16.1.1 to 172.16.1.100; tunnel password authentication: Hello@123
LNS, IPSec settings: pre-shared key: Admin@123; local ID: IP address; peer ID: any peer ID
LAC, L2TP settings: user authentication name: user0001; password: Password@123; tunnel password authentication: Hello@123
LAC, IPSec settings: pre-shared key: Admin@123; peer address: 1.1.1.1/24



Example 9.1: L2TP over IPSec Access from Clients (SecoClient) - Step 1: Configure Interfaces

Screenshots: set WAN interface parameters; set LAN interface parameters.



Example 9.1: L2TP over IPSec Access from Clients (SecoClient) - Step 2: Configure Security Policies

Screenshots: four security policies:
• Permit LAC clients to communicate with the firewall.
• Permit the firewall to communicate with LAC clients.
• Permit LAC clients to access the servers in the headquarters.
• Permit servers at the headquarters to access the Internet.



Example 9.1: L2TP over IPSec Access from Clients (SecoClient) - Step 3: Configure Routes

Screenshots: configure a route to the Internet. In the example, the next-hop IP address from the firewall to the Internet is 1.1.1.2.



Example 9.1: L2TP over IPSec Access from Clients (SecoClient) - Step 4: Configure L2TP Users

Screenshots: select L2TP/L2TP over IPSec for Scenario and Local for User Location. In the example, the user name is user0001, and the password is Password@123. Add an L2TP user.



Example 9.1: L2TP over IPSec Access from Clients (SecoClient) - Step 5: Add an IP Pool

Screenshots: add an IP address pool named pool; the pool range is 172.16.1.1 to 172.16.1.100.



Example 9.1: L2TP over IPSec Access from Clients (SecoClient) - Step 6: Configure L2TP over IPSec

Screenshots: set Scenario and Peer Type, then complete the basic configuration. In the example, the pre-shared key is Admin@123. Add the IP pool. Add and set the following parameters to configure a data flow rule.



Example 9.1: L2TP over IPSec Access from Clients (SecoClient) - Step 7: Configure L2TP Group

Screenshots: enable L2TP. In the example, the tunnel password is Hello@123. Create an L2TP group.



Example 9.1: L2TP over IPSec Access from Clients (SecoClient) - Step 8: Configure SecoClient

The SecoClient is VPN remote access client software provided by Huawei. It provides secure and convenient access services for mobile office users to remotely access resources in an enterprise network. Currently, you can search for and download the SecoClient on the Huawei enterprise support website http://support.huawei.com/enterprise.

L2TP connection (1):
1. Open the SecoClient.
2. Create a new connection.
3. Set L2TP connection parameters.
4. Enable tunnel authentication; the authentication password is Hello@123.

IPSec configuration (2):
1. Select Enable IPSec Protocol.
2. Complete the IPSec Configuration.
3. Select Pre-shared Key; the pre-shared key is Admin@123. Complete the IKE Basic Configuration.