H3C F1050: packet-filter based firewall policy and dynamic NAT configuration

Switch
interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route---switches the port to a Layer-3 routed interface
combo enable fiber
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode bridge---default Layer-2 interface; on Huawei the default is a hybrid port, and it must be changed to an access port before it can join a VLAN
port access vlan 10
combo enable fiber
#
ip route-static 0.0.0.0 0 192.168.1.1---default route pointing upstream to the gateway interface on the F1060
#
Firewall
nat address-group 1---public address pool used for NAT translation, .3 to .6
address 211.1.1.3 211.1.1.6
#
interface GigabitEthernet1/0/1---management interface, present and configured by default
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2---interface facing the public network
port link-mode route
combo enable copper
ip address 211.1.1.2 255.255.255.0---this address is not used for NAT; traffic from downstream is translated to addresses from the public pool
nat outbound 2000 address-group 1---not Easy IP NAT: packets matching ACL 2000 are translated to .3 to .6 from the public pool
#
interface GigabitEthernet1/0/10---internal network interface
port link-mode route
combo enable copper
ip address 192.168.1.1 255.255.255.0
#
security-zone name Local---firewall security-zone configuration
#
security-zone name Trust
import interface GigabitEthernet1/0/10
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
security-zone name Management
#
zone-pair security source Trust destination Local---security policy instance (applied here, where it takes effect)
packet-filter 2000
#
zone-pair security source Trust destination Untrust
packet-filter 2000
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme---AAA mode with username and password
user-role network-admin
#
line vty 5 63
user-role network-operator
#
ip route-static 192.168.0.0 16 192.168.1.2---static route pointing downstream to the internal network
There is no default route pointing upstream to the public network, so why does traffic still get through?
#
acl number 2000---ACL that matches the data packets
rule 0 permit
rule 5 permit source 192.168.0.0 0.0.255.255
#
local-user admin class manage---account and password used for console and telnet
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type telnet terminal http
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ip http enable---allows management over HTTP/HTTPS
ip https enable
#
return
<fw>
Router simulating the external network: interface GigabitEthernet0/0
interface g0/0---only this one interface IP is configured, to simulate the Internet
port link-mode route
combo enable copper
ip address 211.1.1.1 255.255.255.0
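The following Python script is an added example; it is not part of the original post and not an H3C tool. It models the firewall configuration above (zones, zone-pair packet-filters, ACL 2000, NAT address-group 1 and the routing table) so that the handling of a packet can be traced on a workstation: zone lookup, packet-filter verdict, and whether outbound NAT on GE1/0/2 applies. It assumes that the ingress zone is the zone of the interface the route back to the source points at, and that a missing zone-pair means deny; the packet addresses are constructed test values. The `shadowed_rules` helper is an audit check showing that `rule 0 permit` in ACL 2000 matches any source first, so `rule 5` is never reached and both zone-pairs permit every source.

```python
import ipaddress

# Firewall state transcribed from the configuration above (constructed model, not device output).
FW_ADDRESSES = {"192.168.0.1", "211.1.1.2", "192.168.1.1"}        # the firewall's own IPs -> zone Local
ZONE_OF_IFACE = {"GigabitEthernet1/0/10": "Trust", "GigabitEthernet1/0/2": "Untrust"}
ZONE_PAIRS = {("Trust", "Local"): 2000, ("Trust", "Untrust"): 2000}  # zone-pair -> packet-filter ACL
# Basic ACL rules: (rule id, action, (source, wildcard)); None means any source
ACLS = {2000: [(0, "permit", None), (5, "permit", ("192.168.0.0", "0.0.255.255"))]}
NAT_POOLS = {1: ("211.1.1.3", "211.1.1.6")}                       # nat address-group 1
NAT_OUTBOUND = {"GigabitEthernet1/0/2": (2000, 1)}                 # iface -> (acl, address-group)
# Routing table: connected routes plus "ip route-static 192.168.0.0 16 192.168.1.2"
ROUTES = [
    ("192.168.0.0/24", "connected", "GigabitEthernet1/0/1"),
    ("211.1.1.0/24", "connected", "GigabitEthernet1/0/2"),
    ("192.168.1.0/24", "connected", "GigabitEthernet1/0/10"),
    ("192.168.0.0/16", "192.168.1.2", "GigabitEthernet1/0/10"),
]


def wildcard_match(ip, network, wildcard):
    """Comware wildcard mask: 1 bits are 'don't care', 0 bits must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(network)) & care


def acl_lookup(acl_id, src_ip):
    """First matching rule wins (rules checked in ascending id order). None = no rule matched."""
    for rule_id, action, match in sorted(ACLS[acl_id], key=lambda r: r[0]):
        if match is None or wildcard_match(src_ip, *match):
            return action, rule_id
    return None


def route_lookup(dst_ip):
    """Longest-prefix match over ROUTES; returns (nexthop, iface) or None."""
    addr, best = ipaddress.IPv4Address(dst_ip), None
    for prefix, nexthop, iface in ROUTES:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop, iface)
    return None if best is None else best[1:]


def nat_outbound(src_ip, egress_iface):
    """Return the list of pool addresses a translated flow may use, or None if untranslated."""
    binding = NAT_OUTBOUND.get(egress_iface)
    if binding is None:
        return None
    acl_id, pool_id = binding
    verdict = acl_lookup(acl_id, src_ip)
    if verdict is None or verdict[0] != "permit":
        return None
    first, last = (int(ipaddress.IPv4Address(a)) for a in NAT_POOLS[pool_id])
    return [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)]


def evaluate(src_ip, dst_ip):
    """Zone-pair packet-filter followed by outbound NAT, for the first packet of a new flow."""
    in_route = route_lookup(src_ip)  # assumption: ingress iface = reverse-path iface
    if in_route is None:
        return "drop: no route back to source"
    src_zone = ZONE_OF_IFACE.get(in_route[1], "unzoned")
    if dst_ip in FW_ADDRESSES:
        dst_zone, egress = "Local", None
    else:
        out_route = route_lookup(dst_ip)
        if out_route is None:
            return "drop: no route to destination"
        dst_zone, egress = ZONE_OF_IFACE.get(out_route[1], "unzoned"), out_route[1]
    acl_id = ZONE_PAIRS.get((src_zone, dst_zone))
    if acl_id is None:
        return f"deny: no zone-pair {src_zone}->{dst_zone} (assumed default deny)"
    verdict = acl_lookup(acl_id, src_ip)
    if verdict is None or verdict[0] != "permit":
        return f"deny: acl {acl_id} {src_zone}->{dst_zone}"
    result = f"permit: acl {acl_id} rule {verdict[1]} {src_zone}->{dst_zone}"
    pool = nat_outbound(src_ip, egress) if egress else None
    return result + (f", NAT to one of {pool[0]}-{pool[-1]}" if pool else "")


def shadowed_rules(acl_id):
    """Audit: rule ids that can never match because an earlier rule already matches any source."""
    shadowed, any_seen = [], False
    for rule_id, _action, match in sorted(ACLS[acl_id], key=lambda r: r[0]):
        if any_seen:
            shadowed.append(rule_id)
        elif match is None:
            any_seen = True
    return shadowed


if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "211.1.1.1"), ("192.168.10.5", "192.168.1.1"),
                     ("211.1.1.1", "192.168.10.5"), ("192.168.10.5", "8.8.8.8")]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
    print("ACL 2000 rules shadowed by an earlier permit-any:", shadowed_rules(2000))
```

Running the script traces a host in VLAN 10 (192.168.10.5) to the simulated Internet router 211.1.1.1: the source is reached through the static route on GE1/0/10 (Trust), the destination through the connected 211.1.1.0/24 on GE1/0/2 (Untrust), the Trust-to-Untrust zone-pair permits it on rule 0, and the outbound NAT binding on GE1/0/2 translates it to an address from 211.1.1.3 to 211.1.1.6. A packet initiated from the Untrust side has no matching zone-pair and is denied, and a destination outside the routing table is dropped before any policy is consulted.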
