H3C SecPath F100-C-AC2防火墙配置实例

近期从仓库里翻出来一个老的华三防火墙，没事折腾折腾配置个备用网络练习练习。把配置完成的数据备份下，方便以后查阅。

一、配置防火墙缺省允许报文通过。

<H3C>system-view  //进入系统视图

[H3C]firewall packet-filter enable

[H3C]firewall packet-filter default permit

二、信任区域配置

[H3C]firewall zone trust

[H3C-zone-trust]add interface Ethernet 0/0

[H3C-zone-trust]quit

[H3C]firewall zone untrust

[H3C-zone-untrust]add interface Ethernet 0/4

[H3C-zone-untrust]quit

三、接口配置

[H3C]interface Ethernet0/4

[H3C-Ethernet0/4]ip address 10.0.0.1 255.255.255.0

[H3C-Ethernet0/4]duplex full

[H3C-Ethernet0/4]speed 100

[H3C-Ethernet0/4]quit

[H3C]interface Ethernet0/0

[H3C-Ethernet0/0]ip address 172.20.0.1 255.255.0.0

[H3C-Ethernet0/0]duplex full

[H3C-Ethernet0/0]speed 100

[H3C-Ethernet0/0]quit

四、允许网页配置

[H3C]undo ip http shutdown
HttpTask is alive.

五、配置用户登陆

[H3C]local-user admin
New local user added.

[H3C-luser-admin]password cipher admin

[H3C-luser-admin]service-type telnet

[H3C-luser-admin]quit

六、配置telnet远程登录

[H3C]user-interface vty 0 4

[H3C-ui-vty0-4]authentication-mode scheme

[H3C-ui-vty0-4]user privilege level 3

[H3C-ui-vty0-4]quit

七、开启防范功能

[H3C]firewall defend all

[H3C]save
The configuration will be written to the device.
Are you sure?[Y/N]Y

Now saving current configuration to the device.
Saving configuration flash:/config.cfg. Please wait…

八、配置开启dhcp

[H3C]dhcp enable
DHCP task has already been started!

[H3C]dhcp server ip-pool 0

[H3C-dhcp-pool-0]network 172.20.0.2 mask 255.255.0.0

[H3C-dhcp-pool-0]gateway-list 172.20.0.1

[H3C-dhcp-pool-0]dns-list 172.20.0.1 10.0.0.254

[H3C-dhcp-pool-0]quit

九、配置nat

[H3C]nat static 172.20.0.2 10.0.0.2

[H3C]nat address-group 0 10.0.0.3 10.0.0.100

[H3C]acl number 2000

[H3C-acl-basic-2000]rule permit source 172.20.0.0 0.0.255.255

[H3C-acl-basic-2000]quit

[H3C]inter Ethernet0/4

[H3C-Ethernet0/4]nat outbound static //一对一

[H3C-Ethernet0/4]nat outbound 2000// 多对一 外网ip即wan接口地址 easy nat

[H3C-Ethernet0/4]nat outbound 2000 address-group 0 //多对多 nopat

[H3C-Ethernet0/4]nat server protocal tcp global 10.0.0.111 www inside 172.20.0.2 www

十、配置静态路由

[H3C]ip route-static 172.20.0.1 0 10.0.0.254