H3C Technologies H3C SecPath F5000-S Firewall User Manual
Page 3
(1) Step: Enter system view.
    Command: system-view
    Remarks: Available in user view.

(2) Step: Set the device name.
    Command: sysname sysname
    Remarks: By default, the device name is H3C.

(3) Step: Enable the Telnet server.
    Command: telnet server enable
    Remarks: By default, the Telnet server is disabled.

(4) Step: Enter Ethernet interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

(5) Step: Assign an IP address to the interface.
    Command: ip address ip-address { mask-length | mask } [ sub ]
    Remarks: By default, GigabitEthernet 0/0 has an IP address 192.168.0.1/24.

(6) Step: Configure dynamic NAT.
    a. Configure an address pool:
       Command: nat address-group group-number start-address end-address [ level level ]
       Remarks: Available in system view.
    b. Configure No-PAT by associating an ACL with an IP address pool on the outbound interface for translating only IP addresses:
       Command: nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ]
       Remarks: Available in interface view.

(7) Step: Configure a security zone on the default virtual device (VD).
    a. Enter security zone view:
       Command: zone name zone-name [ id zone-id ]
       Remarks: Available in system view. By default, the default VD has five security zones: Management (ID = 0), Local (ID = 1), Trust (ID = 2), DMZ (ID = 3), and Untrust (ID = 4).
    b. Add an interface to the security zone:
       Command: import interface interface-type interface-number [ vlan vlan-list ]
       Remarks: Available in security zone view. By default, only GigabitEthernet 0/0 is added to the security zone Management.

(8) Step: Save the running configuration to the configuration file.
    Command: save [ safely ]
    Remarks: Available in any view. You can specify the file as the configuration file for the next startup.

(9) Step: Display the running configuration.
    Command: display current-configuration
    Remarks: Available in any view.
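
Operation: Enter system view.
    Command: system-view
    Remarks: This command is executed in user view.

Operation: Set the firewall name.
    Command: sysname sysname
    Remarks: This command is executed in system view. The device name can be changed as needed. By default, the device name is H3C.

Operation: Enable the Telnet service on the firewall.
    Command: telnet server enable
    Remarks: This command is executed in system view. By default, the Telnet server is disabled.

Operation: Enter Ethernet interface view.
    Command: interface interface-type interface-number
    Remarks: This command is executed in system view.

Operation: Configure the IP address of the interface.
    Command: ip address ip-address { mask-length | mask } [ sub ]
    Remarks: This command is executed in interface view. By default, the IP address of GigabitEthernet 0/0 is 192.168.0.1/24, and other interfaces have no IP address configured.

Operation: Configure dynamic NAT.
    a. Define an address pool:
       Command: nat address-group group-number start-address end-address [ level level ]
       Remarks: This command is executed in system view.
    b. Associate an ACL with an address pool on the outbound interface (NO-PAT):
       Command: nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ]
       Remarks: This command is executed in interface view.

Operation: Configure the security zones of the default virtual device.
    a. Enter security zone view:
       Command: zone name zone-name [ id zone-id ]
       Remarks: This command is executed in system view. By default, the VD has 5 default security zones: Management (0), Local (1), Trust (2), DMZ (3), and Untrust (4).
    b. Add an interface to the security zone:
       Command: import interface interface-type interface-number [ vlan vlan-list ]
       Remarks: This command is executed in security zone view. By default, GigabitEthernet 0/0 has been added to the Management security zone, and other interfaces are not added to any security zone.

Operation: Save the current configuration.
    Command: save [ safely ]
    Remarks: This command can be executed in any view. The configuration file for the next startup can be set at the same time.

Operation: Display the current configuration.
    Command: display current-configuration
    Remarks: This command can be executed in any view.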
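
A check of saved `display current-configuration` output against the defaults and steps listed above, as an added example that is not part of the H3C manual. The output layout, the sample addresses, ACL 2000 and the finding names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample, not from the manual. Assumes the running configuration
# echoes the commands from the steps above, with '#' lines separating views.
SAMPLE_CONFIG = """\
 sysname H3C
 telnet server enable
 nat address-group 1 203.0.113.10 203.0.113.20
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 203.0.113.2 24
 nat outbound 2000 address-group 2 no-pat
#
zone name Management id 0
 import interface GigabitEthernet0/0
"""

def ifname(tokens):  # 'GigabitEthernet 0/0 vlan 10' -> 'GigabitEthernet0/0'
    return "".join(tokens[:tokens.index("vlan")] if "vlan" in tokens else tokens)

def audit(config):  # findings for defaults and gaps left over from steps (2)-(7)
    findings, addressed, zoned, pools, used = [], {}, set(), set(), set()
    current = None  # interface view the parser is currently inside
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "#":
            current = None
        elif t[0] == "interface":
            current = ifname(t[1:])
        elif t[:2] == ["ip", "address"] and current:  # keep primary, ignore 'sub'
            addressed.setdefault(current, ipaddress.ip_interface(f"{t[2]}/{t[3]}"))
        elif t[:2] == ["import", "interface"]:
            zoned.add(ifname(t[2:]))
        elif t[:2] == ["nat", "address-group"]:
            pools.add(t[2])
        elif t[:2] == ["nat", "outbound"] and "address-group" in t:
            used.add(t[t.index("address-group") + 1])
        elif t == ["sysname", "H3C"]:
            findings.append("default-sysname")
        elif t == ["telnet", "server", "enable"]:
            findings.append("telnet-enabled")  # Telnet sends credentials in cleartext
    if addressed.get("GigabitEthernet0/0") == ipaddress.ip_interface("192.168.0.1/24"):
        findings.append("default-gi0/0-address")
    findings += [f"no-zone:{i}" for i in sorted(addressed) if i not in zoned]
    findings += [f"undefined-pool:{g}" for g in sorted(used - pools)]
    return findings

print(audit(SAMPLE_CONFIG))
```

Both mask forms from step (5) are accepted, and interface names are matched with or without the space between type and number.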