H3C Technologies H3C SecPath F1030 User Manual
Page 4
For further configuration tasks, see the firewall configuration guides and command references.
Network requirements
As shown in the figure, the private network address and the public IP address for
the hosts of the LAN are 10.110.10.0/24 and 202.38.1.1/24, respectively. The LAN
users can access the Web server and the Internet. Users from external networks
can access the Web server in the LAN through port 80.
Configuration procedures
The firewall features vary depending on the software version.
# Assign an IP address to each interface as shown in the figure. (Details not
shown.)
# Add GigabitEthernet 1/0/3 to security zone DMZ.
[Firewall] security-zone name dmz
[Firewall-security-zone-dmz] import interface gigabitethernet 1/0/3
[Firewall-security-zone-dmz] quit
# Add GigabitEthernet 1/0/2 and GigabitEthernet 1/0/4 to security zones
Untrust and Trust, respectively. (Details not shown.)
# Create an IP address object group named internal_user with the network
address 10.110.10.0/24.
[Firewall] object-group ip address internal_user
[Firewall-obj-grp-ip-internal_user] network subnet 10.110.10.0 24
[Firewall-obj-grp-ip-internal_user] quit
# Create an IP address object group named webserver with the host address
10.110.10.1.
[Firewall] object-group ip address webserver
[Firewall-obj-grp-ip-webserver] network host address 10.110.10.1
[Firewall-obj-grp-ip-webserver] quit
# Create a service object group named web for HTTP (TCP destination port 80).
[Firewall] object-group service web
[Firewall-obj-grp-service-web] service tcp destination eq 80
[Firewall-obj-grp-service-web] quit
# Configure an object policy so that any hosts can access the Web server.
[Firewall] object-policy ip access-server
[Firewall-object-policy-ip-access-server] rule pass source-ip any destination-ip webserver service web
[Firewall-object-policy-ip-access-server] quit
# Configure an object policy to allow any packets from the LAN to pass
through.
[Firewall] object-policy ip access-internet
[Firewall-object-policy-ip-access-internet] rule pass source-ip internal_user
[Firewall-object-policy-ip-access-internet] quit
# Create a zone pair with source zone Trust and destination zone DMZ.
Apply the object policy so that LAN users can access the Web server.
[Firewall] zone-pair security source trust destination dmz
[Firewall-zone-pair-security-trust-dmz] object-policy apply ip access-server
[Firewall-zone-pair-security-trust-dmz] quit
# Create a zone pair with source zone Untrust and destination zone DMZ.
Apply the object policy so that external network users can access the Web
server.
[Firewall] zone-pair security source untrust destination dmz
[Firewall-zone-pair-security-untrust-dmz] object-policy apply ip access-server
[Firewall-zone-pair-security-untrust-dmz] quit
# Create a zone pair with source zone Trust and destination zone Untrust.
Apply the object policy so that LAN users can access the external networks.
[Firewall] zone-pair security source trust destination untrust
[Firewall-zone-pair-security-trust-untrust] object-policy apply ip access-internet
[Firewall-zone-pair-security-trust-untrust] quit
# Allow external users to access the internal Web server at 10.110.10.1 on
the LAN through http://202.38.1.1:80.
[Firewall] interface gigabitethernet 1/0/2
[Firewall-GigabitEthernet1/0/2] nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 http
[Firewall-GigabitEthernet1/0/2] quit
# Configure ACL 2000, and create a rule to permit packets only from
segment 10.110.0.0 0.0.0.255 to pass through.
[Firewall] acl number 2000
[Firewall-acl-basic-2000] rule permit source 10.110.0.0 0.0.0.255
[Firewall-acl-basic-2000] rule deny source any
# Configure an outbound dynamic PAT rule on interface GigabitEthernet
1/0/2 to use the IP address of GigabitEthernet 1/0/2 as the NAT
address.
[Firewall-acl-basic-2000] quit
[Firewall] interface gigabitethernet 1/0/2
[Firewall-GigabitEthernet1/0/2] nat outbound 2000
[Firewall-GigabitEthernet1/0/2] quit
[Firewall] save
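As an added example (illustrative Python, not H3C code or text from this manual), a small model of the zone pairs, object policies and ACL configured above that answers which flows the procedure permits. It assumes first-match rule evaluation, the default interzone drop, and that the destination address has already been translated by nat server before the zone-pair policy is evaluated; run against the page's ACL 2000 it also shows that 10.110.0.0 0.0.0.255 does not cover the 10.110.10.0/24 LAN.

```python
import ipaddress

# Constructed model of this page's object groups, object policies and zone pairs.
# Illustrative Python, not H3C code; assumes first-match rules and default drop.
ADDR_GROUPS = {"internal_user": ["10.110.10.0/24"], "webserver": ["10.110.10.1/32"]}
SERVICES = {"web": ("tcp", 80)}
POLICIES = {  # object-policy name -> ordered (action, source group, destination group, service)
    "access-server": [("pass", "any", "webserver", "web")],
    "access-internet": [("pass", "internal_user", "any", "any")],
}
ZONE_PAIRS = {("trust", "dmz"): "access-server", ("untrust", "dmz"): "access-server",
              ("trust", "untrust"): "access-internet"}

def in_group(ip, name):
    if name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ADDR_GROUPS[name])

def decide(src_zone, dst_zone, src_ip, dst_ip, proto, dport):
    """'pass' or 'drop' for a flow between two zones. The destination is the
    address after nat server translation, i.e. the private server address."""
    policy = ZONE_PAIRS.get((src_zone, dst_zone))
    if policy is None:  # no zone pair configured: interzone default deny
        return "drop"
    for action, sg, dg, svc in POLICIES[policy]:
        svc_ok = svc == "any" or SERVICES[svc] == (proto, dport)
        if in_group(src_ip, sg) and in_group(dst_ip, dg) and svc_ok:
            return action
    return "drop"  # no rule matched: drop

def acl_permits(ip, rules):
    """Comware basic ACL as (action, base, wildcard) tuples: wildcard 1-bits are
    don't-care, first match wins, and an unmatched packet is denied."""
    a = int(ipaddress.ip_address(ip))
    for action, base, wildcard in rules:
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if (a & mask) == (int(ipaddress.ip_address(base)) & mask):
            return action == "permit"
    return False

# ACL 2000 exactly as the page gives it: the fixed third octet (0) does not cover
# the 10.110.10.0/24 LAN, so LAN hosts hit the deny rule and nat outbound 2000
# does not translate them; 10.110.10.0 0.0.0.255 would.
ACL_2000 = [("permit", "10.110.0.0", "0.0.0.255"), ("deny", "0.0.0.0", "255.255.255.255")]

if __name__ == "__main__":
    print(decide("untrust", "dmz", "198.51.100.7", "10.110.10.1", "tcp", 80))  # pass
    print(decide("untrust", "trust", "198.51.100.7", "10.110.10.10", "tcp", 80))  # drop
    print(acl_permits("10.110.10.10", ACL_2000))  # False
```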
Step: Enter system view.
Command: system-view
Remarks: Available in user view.

Step: Configure a name for the firewall.
Command: sysname sysname
Remarks: By default, the firewall name is H3C.

Step: Enable the Telnet server function.
Command: telnet server enable
Remarks: By default, the Telnet server function is disabled.

Step: Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: Assign an IP address to the interface.
Command: ip address ip-address { mask-length | mask } [ sub ]
Remarks: By default, the IP address of GE1/0/0 is 192.168.0.1.

Step: Configure a security zone and enter its view.
Command: security-zone name zone-name
Remarks: When the first command for creating a security zone, creating a security policy, or entering the view of a default security zone is executed, the system automatically creates four default security zones: Local, Trust, DMZ, and Untrust.

Step: Add an interface to the security zone.
Command:
  Add a Layer 3 interface: import interface layer3-interface-type layer3-interface-number
  Add a Layer 2 interface: import interface layer2-interface-type layer2-interface-number vlan vlan-list
Remarks: By default, a security zone does not have any interfaces. To add multiple interfaces, perform this step multiple times.

Step: Create a zone pair and enter zone pair view.
Command: zone-pair security source { source-zone-name | any } destination { destination-zone-name | any }
Remarks: Available in system view. By default, no zone pair exists.

Step: Specify the default action for packets exchanged between interfaces in the same security zone.
Command:
  Set the default action to permit: security-zone intra-zone default permit
  Set the default action to deny: undo security-zone intra-zone default permit
Remarks: Available in system view. By default, the default action for packets exchanged between interfaces in the same security zone and between interfaces from a security zone and a non-security zone is deny.

Step: Save the running configuration.
Command: save [ safely ]
Remarks: Available in any view. This command also specifies the next startup configuration file.

Step: Display the running configuration.
Command: display current-configuration
Remarks: Available in any view.
Figure (network diagram; labels only): security zones DMZ, Untrust, and Trust on the Firewall; GE1/0/4; GE1/0/3; 10.110.10.10/24; GE1/0/2 202.38.1.1/24; Internet; Web server 10.110.10.1/24.
When the first command for creating a security zone, creating a security policy, or
entering the view of a default security zone is executed, the system automatically
creates four default security zones: Local, Trust, DMZ, and Untrust, which cannot be
deleted. By default, a security zone does not have any interface.