H3C firewall configuration example: Layer 2 and Layer 3 deployment


The goal is to secure the data zone: as in most environments, the data-zone firewall works in Layer 2 (transparent) mode and applies policy restrictions to protect the data zone, while the egress firewall performs NAT.

Both firewalls are managed from the host machine through its virtual NIC:
So that the host's real Internet access is not affected, two static routes are added that point to the two firewalls; this is shown in the topology.

Core switch configuration:

dis current-configuration

version 7.1.075, Alpha 7571

dhcp enable

lldp global enable

vlan 1

vlan 2

vlan 10
description to_data

vlan 30

vlan 99 to 100

interface NULL0

interface Vlan-interface1
ip address 192.168.99.1 255.255.255.0

interface Vlan-interface2
ip address 192.168.20.1 255.255.255.0

interface Vlan-interface10
ip address 192.168.10.1 255.255.255.0

interface Vlan-interface30
ip address 192.168.30.1 255.255.255.0

interface Vlan-interface99

interface Vlan-interface100
ip address 10.0.0.2 255.255.255.0

interface FortyGigE1/0/53
port link-mode bridge

interface FortyGigE1/0/54
port link-mode bridge

interface GigabitEthernet1/0/1
port link-mode bridge
combo enable copper

interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 100
combo enable copper

interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 2
combo enable copper

interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 2
combo enable copper

interface GigabitEthernet1/0/9
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 to 99
combo enable copper

interface M-GigabitEthernet0/0/0


line class console
user-role network-admin

line class tty
user-role network-operator

line class vty
user-role network-operator

line aux 0
user-role network-operator

line con 0
user-role network-admin

line vty 0 63
user-role network-operator

ip route-static 0.0.0.0 0 10.0.0.1

radius scheme system
user-name-format without-domain

domain system

domain default enable system

role name level-0
description Predefined level-0 role

user-group system

return

Data-zone firewall:

First, the configuration as shown in the web UI:

The full command-line configuration follows:

dis current-configuration

version 7.1.064, Alpha 7164

sysname H3C

context Admin id 1

telnet server enable

irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1

xbar load-single
password-recovery enable
lpu-type f-series

vlan 1

vlan 10

vlan 30

vlan 99
description manage

object-group ip address "vlan 20"
description vlan 20
0 network subnet 192.168.20.0 255.255.255.0

object-group ip address "vlan 99"
description vlan 99
0 network subnet 192.168.99.0 255.255.255.0

object-group ip address vlan10
0 network subnet 192.168.10.0 255.255.255.0

interface NULL0

interface Vlan-interface1
ip address 192.168.99.2 255.255.255.0

interface Vlan-interface99

interface GigabitEthernet1/0/0
port link-mode route
combo enable copper

interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.100.11 255.255.255.0

interface GigabitEthernet1/0/4
port link-mode route
combo enable copper

interface GigabitEthernet1/0/5
port link-mode route
combo enable copper

interface GigabitEthernet1/0/6
port link-mode route
combo enable copper

interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 30 99
combo enable copper

interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 30 99
combo enable copper

object-policy ip Local-Untrust
rule 0 pass logging counting

object-policy ip Trust-Untrust
rule 1 drop source-ip vlan10 destination-ip "vlan 20" logging counting
rule 0 pass logging counting

object-policy ip Untrust-Local
rule 0 pass source-ip "vlan 20" logging counting

object-policy ip Untrust-Trust
rule 0 pass source-ip "vlan 20" destination-ip vlan10 logging counting

object-policy ip manage
rule 0 pass

security-zone name Local

security-zone name Trust
import interface GigabitEthernet1/0/1
import interface Vlan-interface1
import interface GigabitEthernet1/0/2 vlan 1 10 30 99

security-zone name DMZ

security-zone name Untrust
import interface GigabitEthernet1/0/3 vlan 1 10 30 99

security-zone name Management

zone-pair security source Local destination Untrust
object-policy apply ip Local-Untrust

zone-pair security source Trust destination Local
object-policy apply ip manage

zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust

zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local

zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust

scheduler logfile size 16

line class aux
user-role network-operator

line class console
user-role network-admin

line class tty
user-role network-operator

line class vty
user-role network-operator

line aux 0
user-role network-admin

line con 0
authentication-mode scheme
user-role network-admin

line vty 0 4
authentication-mode scheme
user-role network-admin

line vty 5 63
user-role network-operator

ip route-static 0.0.0.0 0 192.168.99.1

domain system

aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system

role name level-0
description Predefined level-0 role

role name level-1
description Predefined level-1 role

role name level-2
description Predefined level-2 role

role name level-3
description Predefined level-3 role

role name level-4
description Predefined level-4 role

role name level-5
description Predefined level-5 role

role name level-6
description Predefined level-6 role

role name level-7
description Predefined level-7 role

role name level-8
description Predefined level-8 role

role name level-9
description Predefined level-9 role

role name level-10
description Predefined level-10 role

role name level-11
description Predefined level-11 role

role name level-12
description Predefined level-12 role

role name level-13
description Predefined level-13 role

role name level-14
description Predefined level-14 role

user-group system

local-user admin class manage
password hash $h 6 6 6tRsadGZK2d2hmyfJ$9zcpTloIC4X/vBhOTT3rVVk3tfplAZ8Ogu7vRiblO5eUqkQ6MafIqaXdZ/+d7bSEPrDrox/vEs2ICdwzOtYypA==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator

ip http enable
ip https enable

inspect logging parameter-profile ips_logging_default_parameter

inspect logging parameter-profile url_logging_default_parameter

return
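The Trust-Untrust object policy above lists the `drop` rule for vlan10 -> "vlan 20" before the catch-all `pass` rule, so the restriction only works because Comware evaluates object-policy rules in their displayed order (the `move rule` command changes that order). The following added example, not part of the original post, parses that policy fragment with a small first-match evaluator so the intended result can be checked for sample flows; the parser, the embedded configuration excerpt and the assumption that a flow matching no rule is dropped are mine.

```python
import ipaddress
import shlex

# Constructed sample input: the object groups and the Trust->Untrust object
# policy of the data-zone firewall, copied from the configuration above.
CONFIG = """
object-group ip address "vlan 20"
 0 network subnet 192.168.20.0 255.255.255.0
object-group ip address vlan10
 0 network subnet 192.168.10.0 255.255.255.0
object-policy ip Trust-Untrust
 rule 1 drop source-ip vlan10 destination-ip "vlan 20" logging counting
 rule 0 pass logging counting
"""

def parse(config):
    """Return (groups, policies); rules are kept in display order, which is the
    order Comware evaluates them (the 'move rule' command reorders them)."""
    groups, policies, cur = {}, {}, None
    for tok in filter(None, map(shlex.split, config.splitlines())):
        if tok[:3] == ["object-group", "ip", "address"]:
            cur = groups.setdefault(tok[3], [])
        elif tok[:2] == ["object-policy", "ip"]:
            cur = policies.setdefault(tok[2], [])
        elif tok[1:3] == ["network", "subnet"]:
            cur.append(ipaddress.ip_network(f"{tok[3]}/{tok[4]}"))
        elif tok[0] == "rule":
            rule = {"action": tok[2]}
            for key in ("source-ip", "destination-ip"):
                if key in tok:
                    rule[key] = tok[tok.index(key) + 1]
            cur.append(rule)
    return groups, policies

def evaluate(groups, rules, src, dst):
    """First-match evaluation of one flow; a missing source-ip or
    destination-ip condition matches any address on that side."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        s_ok = "source-ip" not in r or any(src in n for n in groups[r["source-ip"]])
        d_ok = "destination-ip" not in r or any(dst in n for n in groups[r["destination-ip"]])
        if s_ok and d_ok:
            return r["action"]
    return "drop"  # assumption: a flow matching no rule is dropped

def check(policy, src, dst, config=CONFIG):
    """Action the named policy takes for a src->dst flow."""
    groups, policies = parse(config)
    return evaluate(groups, policies[policy], src, dst)
```

Reversing the two rules makes the broad `pass` shadow the `drop`, which is the mistake this check is meant to catch.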

Egress firewall configuration:

First, the configuration as shown in the web UI:

The full command-line configuration follows:
dis current-configuration

version 7.1.064, Alpha 7164

sysname H3C

context Admin id 1

telnet server enable

irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1

nat address-group 1
address 1.1.1.2 1.1.1.2

nat log enable acl 2001
nat log flow-active 120
nat log flow-begin
nat log flow-end
nat alg h323
nat alg ils
nat alg mgcp
nat alg nbt
nat alg rsh
nat alg sccp
nat alg sip
nat alg sqlnet
nat alg tftp
nat alg xdmcp

xbar load-single
password-recovery enable
lpu-type f-series

vlan 1

object-group ip address 4
0 network subnet 192.168.20.0 255.255.255.0

object-group ip address dmz-ip
description dmz-ip
0 network host address 172.16.0.2

object-group ip address isp-add
0 network subnet 0.0.0.0 0.0.0.0

object-group ip address jyw
0 network subnet 10.0.0.0 255.255.255.0

interface NULL0

interface GigabitEthernet1/0/0
port link-mode route
combo enable copper

interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.100.1 255.255.255.0

interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.0.0.1 255.255.255.0

interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 1.1.1.2 255.255.255.0
nat outbound 2001 address-group 1
nat server protocol icmp global 1.1.1.2 inside 172.16.0.2

interface GigabitEthernet1/0/4
port link-mode route
combo enable copper
ip address 172.16.0.1 255.255.255.0
nat hairpin enable

object-policy ip Local-Trust
rule 0 pass

object-policy ip Trust-DMZ
rule 0 pass source-ip 4 logging counting

object-policy ip Trust-Untrust
rule 0 pass source-ip 4 logging counting

object-policy ip Untrust-DMZ
rule 0 pass destination-ip dmz-ip logging counting

object-policy ip manage
rule 0 pass source-ip 4 logging counting

security-zone name Local

security-zone name Trust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2

security-zone name DMZ
import interface GigabitEthernet1/0/4

security-zone name Untrust
import interface GigabitEthernet1/0/3

security-zone name Management

zone-pair security source Local destination Trust
object-policy apply ip Local-Trust

zone-pair security source Trust destination DMZ
object-policy apply ip Trust-DMZ

zone-pair security source Trust destination Local
object-policy apply ip manage

zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust

zone-pair security source Untrust destination DMZ
object-policy apply ip Untrust-DMZ

scheduler logfile size 16

line class aux
user-role network-operator

line class console
user-role network-admin

line class tty
user-role network-operator

line class vty
user-role network-operator

line aux 0
user-role network-admin

line con 0
authentication-mode scheme
user-role network-admin

line vty 0 4
authentication-mode scheme
user-role network-admin

line vty 5 63
user-role network-operator

ip route-static 0.0.0.0 0 1.1.1.1
ip route-static 192.168.20.0 24 10.0.0.2 description to-pc

acl basic 2000
rule 0 permit source 192.168.20.0 0.0.0.255 logging counting

acl basic 2001
rule 0 permit source 192.168.20.0 0.0.0.255

domain system

aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system

role name level-0
description Predefined level-0 role

role name level-1
description Predefined level-1 role

role name level-2
description Predefined level-2 role

role name level-3
description Predefined level-3 role

role name level-4
description Predefined level-4 role

role name level-5
description Predefined level-5 role

role name level-6
description Predefined level-6 role

role name level-7
description Predefined level-7 role

role name level-8
description Predefined level-8 role

role name level-9
description Predefined level-9 role

role name level-10
description Predefined level-10 role

role name level-11
description Predefined level-11 role

role name level-12
description Predefined level-12 role

role name level-13
description Predefined level-13 role

role name level-14
description Predefined level-14 role

user-group system

local-user admin class manage
password hash $h 6 6 6SM1EKyfAmPK8yywg$J7p6VViBFehLqEFuEeYKbGj+ieM+YJlb9xctxRKr+PkAtNve6XXkSHdecq4iuKq9T2Qu3kZe5KVy7KrXS5SbSg==
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator

ip http enable
ip https enable


Reposted from blog.csdn.net/ydaxia110/article/details/123467685