Preview Lab Huawei USG600V Firewall eNSP NAT Policies

This document contains configuration files for several network devices including firewalls, switches and servers to implement a network topology. The configurations show VLAN, interface, routing and security policies configuration. Tests are also performed including ping and FTP tests between devices to validate connectivity and policies.

FW1 configuration
<FW1>dis cu
!Software Version V500R001C10
#
sysname FW1
#
#
vlan batch 10 20 50 99
#
#
ip service-set serverweb type object
service 0 protocol tcp destination-port 80
#
ip service-set serverftp type object
service 0 protocol tcp destination-port 21
#
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.252
#
interface Vlanif50
ip address 10.10.50.1 255.255.255.248
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface Eth-Trunk1
portswitch
port link-type trunk
port trunk allow-pass vlan 10 20 50 99
#
#
interface GigabitEthernet1/0/0
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/1
undo shutdown
eth-trunk 1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 201.186.167.158 255.255.255.248
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Vlanif10
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface Vlanif50
#
firewall interzone dmz untrust
detect ftp
#
#
ip route-static 0.0.0.0 0.0.0.0 201.186.167.157
ip route-static 10.10.100.0 255.255.255.0 10.10.10.1
ip route-static 10.10.110.0 255.255.255.0 10.10.10.1
ip route-static 201.186.167.158 255.255.255.255 NULL0
ip route-static 201.186.167.159 255.255.255.255 NULL0
#
#
nat server mapeo-web1 0 protocol tcp global 201.186.167.155 www inside 10.10.50.2 www no-reverse
nat server mapeo-ftp1 1 protocol tcp global 201.186.167.155 3422 inside 10.10.50.2 ftp no-reverse
nat server mapeo-web2 2 protocol tcp global 201.186.167.156 www inside 10.10.50.3 www no-reverse
nat server mapeo-ftp2 3 protocol tcp global 201.186.167.156 3422 inside 10.10.50.3 ftp no-reverse
#
#
nat address-group poolnat 0
mode pat
section 0 201.186.167.153 201.186.167.154
#
nat address-group natdmz 1
mode pat
section 0 10.10.50.6 10.10.50.6
#
#
security-policy
rule name vlan100serverweb1
source-zone trust
destination-zone dmz
source-address 10.10.100.0 24
destination-address 10.10.50.2 32
service serverweb
action permit
rule name vlan100serverftp1
source-zone trust
destination-zone dmz
source-address 10.10.100.0 24
destination-address 10.10.50.2 32
service serverftp
action permit
rule name SalidaInternet
source-zone trust
destination-zone untrust
source-address 10.10.100.0 24
source-address 10.10.110.0 24
action permit
rule name InternetDMZ
source-zone untrust
destination-zone dmz
destination-address 10.10.50.0 29
action permit
rule name vlan110serverweb2
source-zone trust
destination-zone dmz
source-address 10.10.110.0 24
destination-address 10.10.50.3 32
service serverweb
action permit
rule name vlan110serverftp2
source-zone trust
destination-zone dmz
source-address 10.10.110.0 24
destination-address 10.10.50.3 32
service serverftp
action permit
#
#
nat-policy
rule name NatLANInternet
source-zone trust
destination-zone untrust
source-address 10.10.100.0 24
source-address 10.10.110.0 24
action nat address-group poolnat
rule name NatLanDMZ
source-zone trust
egress-interface Vlanif50
source-address 10.10.100.0 24
source-address 10.10.110.0 24
action nat address-group natdmz
#
#
return
<FW1>
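To make explicit what the tests later on this page check (client1 reaches server1 but not server2, both LANs reach the Internet, the Internet reaches the DMZ through the nat server mappings), here is an added example written for this page; it is not part of the lab and not Huawei software. It is a small Python model of the FW1 security policy above, assuming the USG's documented processing order: destination translation from `nat server` before the security-policy lookup, zones derived from the routing decision, and a final default deny. The route-to-interface table (static routes plus the connected Vlanif10/Vlanif50 subnets) is my reading of the config, the source zone is approximated by a route lookup on the source address, and the source-NAT rules under `nat-policy` are not modelled.

```python
"""Miniature model of the FW1 zone policy shown above (added example, not Huawei
code). It reproduces only what the lab exercises: `nat server` destination
translation applied before the policy lookup, the zone of each address found by
longest-prefix route lookup, and rules matched top-down with a final deny."""
import ipaddress

# Constructed from FW1 'dis cu'. Prefix -> egress interface; the connected
# Vlanif10/Vlanif50 subnets are listed next to the static routes (assumption).
ROUTES = {"0.0.0.0/0": "GigabitEthernet1/0/2", "10.10.10.0/30": "Vlanif10",
          "10.10.100.0/24": "Vlanif10", "10.10.110.0/24": "Vlanif10",
          "10.10.50.0/29": "Vlanif50"}
ZONES = {"Vlanif10": "trust", "Vlanif50": "dmz", "GigabitEthernet1/0/2": "untrust"}
SERVICE_SETS = {"serverweb": ("tcp", 80), "serverftp": ("tcp", 21)}
# nat server entries from the config: (global ip, global port) -> (inside ip, inside port)
NAT_SERVER = {("201.186.167.155", 80): ("10.10.50.2", 80),
              ("201.186.167.155", 3422): ("10.10.50.2", 21),
              ("201.186.167.156", 80): ("10.10.50.3", 80),
              ("201.186.167.156", 3422): ("10.10.50.3", 21)}
SECURITY_POLICY = """\
rule name vlan100serverweb1
 source-zone trust
 destination-zone dmz
 source-address 10.10.100.0 24
 destination-address 10.10.50.2 32
 service serverweb
 action permit
rule name vlan100serverftp1
 source-zone trust
 destination-zone dmz
 source-address 10.10.100.0 24
 destination-address 10.10.50.2 32
 service serverftp
 action permit
rule name SalidaInternet
 source-zone trust
 destination-zone untrust
 source-address 10.10.100.0 24
 source-address 10.10.110.0 24
 action permit
rule name InternetDMZ
 source-zone untrust
 destination-zone dmz
 destination-address 10.10.50.0 29
 action permit
rule name vlan110serverweb2
 source-zone trust
 destination-zone dmz
 source-address 10.10.110.0 24
 destination-address 10.10.50.3 32
 service serverweb
 action permit
rule name vlan110serverftp2
 source-zone trust
 destination-zone dmz
 source-address 10.10.110.0 24
 destination-address 10.10.50.3 32
 service serverftp
 action permit
"""

def parse_policy(text):
    """Turn the 'security-policy' stanza into an ordered list of rule dicts."""
    rules = []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        key, _, value = line.partition(" ")
        if key == "rule":                      # 'rule name <name>' opens a rule
            rules.append({"name": value.split()[1], "source-zone": [], "destination-zone": [],
                          "source-address": [], "destination-address": [], "service": []})
        elif key == "action":
            rules[-1]["action"] = value
        elif key.endswith("-address"):         # '<ip> <prefixlen>' -> network object
            rules[-1][key].append(ipaddress.ip_network(value.replace(" ", "/")))
        else:                                  # zone names and service-set names
            rules[-1][key].append(value)
    return rules

def zone_of(ip):
    """Zone of an address = zone of the interface picked by longest-prefix match."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in map(ipaddress.ip_network, ROUTES) if addr in n), key=lambda n: n.prefixlen)
    return ZONES[ROUTES[str(best)]]

def evaluate(rules, src_ip, dst_ip, proto, dport=None):
    """Return (action, rule name) for a flow. A destination that is a nat server
    global address is translated first, since the USG applies it before the policy."""
    dst_ip, dport = NAT_SERVER.get((dst_ip, dport), (dst_ip, dport))
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    szone, dzone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:                            # first match wins, top-down
        ok = ((not r["source-zone"] or szone in r["source-zone"])
              and (not r["destination-zone"] or dzone in r["destination-zone"])
              and (not r["source-address"] or any(src in n for n in r["source-address"]))
              and (not r["destination-address"] or any(dst in n for n in r["destination-address"]))
              and (not r["service"] or (proto, dport) in [SERVICE_SETS[s] for s in r["service"]]))
        if ok:
            return r["action"], r["name"]
    return "deny", "default"                   # nothing matched: USG default action
```

Calling `evaluate(parse_policy(SECURITY_POLICY), "10.10.100.3", "10.10.50.3", "tcp", 80)` returns `("deny", "default")`, which is the "must be denied" case in the client1-to-server2 test below: the only trust-to-dmz rules for 10.10.100.0/24 name 10.10.50.2/32 as destination, so a flow to 10.10.50.3 falls through to the default action. An inbound flow to 201.186.167.155:3422 is rewritten to 10.10.50.2:21 before matching, which is why the InternetDMZ rule has to name the inside addresses (10.10.50.0/29) rather than the public ones.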

CORE configuration

<CORE>dis cu
#
sysname CORE
#
vlan batch 10 20 50 99 to 100 110
#
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.252
#
interface Vlanif100
ip address 10.10.100.1 255.255.255.0
#
interface Vlanif110
ip address 10.10.110.1 255.255.255.0
#
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20 50 99
#
interface GigabitEthernet0/0/1
stp disable
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 50
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 50
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100 110
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 100 110
#
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.2
ip route-static 10.10.50.0 255.255.255.248 10.10.10.2
#
#
return
<CORE>

ACC1 configuration

<ACC1>dis cu
#
sysname ACC1
#
vlan batch 99 to 100 110
#
#
interface Ethernet0/0/1
port link-type access
port default vlan 100
#
interface Ethernet0/0/2
port link-type access
port default vlan 100
#
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 99 to 100 110
#
#
return
<ACC1>

ACC2 configuration

<ACC2>dis cu
#
sysname ACC2
#
vlan batch 99 to 100 110
#
#
interface Ethernet0/0/1
port link-type access
port default vlan 110
#
interface Ethernet0/0/2
port link-type access
port default vlan 110
#
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 99 to 100 110
#
#
return
<ACC2>
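The CORE, ACC1 and ACC2 configurations above all carry VLANs across trunks, and a trunk only carries a VLAN that both ends allow and that both switches have created. The following is an added example written for this page, not part of the lab: it parses the `vlan batch` and `port trunk allow-pass vlan` lines (including Huawei's `a to b` range form) from excerpts of the configurations above and compares the two ends of each link. Which port faces which is an assumption taken from the capture notes later on the page (ACC1 g0/0/1 facing CORE g0/0/6, ACC2 g0/0/1 facing CORE g0/0/7, and the two Eth-Trunk1 bundles between FW1 and CORE).

```python
"""Added example (not from the lab): check that both ends of each trunk in the
topology above allow the same VLANs and that every VLAN a trunk allows is also
created on that switch. It parses the Huawei 'vlan batch' and 'port trunk
allow-pass vlan' lines, including the 'a to b' range form."""

# Trunk-relevant excerpts constructed from the 'dis cu' outputs above.
CONFIGS = {
    "FW1": """
vlan batch 10 20 50 99
#
interface Eth-Trunk1
 portswitch
 port link-type trunk
 port trunk allow-pass vlan 10 20 50 99
#
""",
    "CORE": """
vlan batch 10 20 50 99 to 100 110
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10 20 50 99
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 100 110
#
interface GigabitEthernet0/0/7
 port link-type trunk
 port trunk allow-pass vlan 100 110
#
""",
    "ACC1": """
vlan batch 99 to 100 110
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 99 to 100 110
#
""",
    "ACC2": """
vlan batch 99 to 100 110
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 99 to 100 110
#
""",
}
# Which port faces which is an assumption taken from the capture notes on the page.
LINKS = [(("FW1", "Eth-Trunk1"), ("CORE", "Eth-Trunk1")),
         (("CORE", "GigabitEthernet0/0/6"), ("ACC1", "GigabitEthernet0/0/1")),
         (("CORE", "GigabitEthernet0/0/7"), ("ACC2", "GigabitEthernet0/0/1"))]

def parse_vlan_list(spec):
    """'10 20 50 99 to 100 110' -> {10, 20, 50, 99, 100, 110}."""
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_device(text):
    """Collect the VLANs created on a device and the allow-pass set of each trunk port."""
    device, current = {"vlans": set(), "trunks": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("vlan batch "):
            device["vlans"] = parse_vlan_list(line[len("vlan batch "):])
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]          # an interface stanza starts
        elif line == "#":
            current = None                            # the stanza ends
        elif line.startswith("port trunk allow-pass vlan ") and current:
            device["trunks"][current] = parse_vlan_list(line[len("port trunk allow-pass vlan "):])
    return device

def check_links(configs=CONFIGS, links=LINKS):
    """One finding per link: VLANs allowed on only one end, and VLANs a trunk
    allows that its switch never created. Both drop traffic without any error."""
    devices = {name: parse_device(text) for name, text in configs.items()}
    findings = []
    for (dev_a, if_a), (dev_b, if_b) in links:
        a, b = devices[dev_a]["trunks"][if_a], devices[dev_b]["trunks"][if_b]
        findings.append({"link": f"{dev_a}:{if_a} <-> {dev_b}:{if_b}",
                         "only_on_a": sorted(a - b), "only_on_b": sorted(b - a),
                         "undefined_on_a": sorted(a - devices[dev_a]["vlans"]),
                         "undefined_on_b": sorted(b - devices[dev_b]["vlans"])})
    return findings
```

Run against the page's own configurations, `check_links()` reports the FW1/CORE Eth-Trunk ends as consistent, while on both access links it lists VLAN 99 under `only_on_b`: the CORE ports toward ACC1 and ACC2 allow only 100 and 110, whereas the access-switch trunks also allow 99, so VLAN 99 never crosses those links. Nothing on the page uses VLAN 99 for traffic, so the lab's tests are unaffected, but this is exactly the kind of silent mismatch the check is meant to surface.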

ISP configuration

<ISP>dis cu
#
sysname ISP
#
vlan batch 20 30
#
#
interface Vlanif20
ip address 201.186.167.157 255.255.255.248
#
interface Vlanif30
ip address 199.250.113.45 255.255.255.252
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 201.186.167.158
#
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
stp disable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 30
stp disable
#
#
return
<ISP>

Server 1 configuration
Server 2 configuration
PC-1 configuration

PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe97:7526


IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 10.10.100.2
Subnet mask.......................: 255.255.255.0
Gateway...........................: 10.10.100.1
Physical address..................: 54-89-98-97-75-26
DNS server........................:

PC>
Client1 configuration
Client2 configuration
PC2 configuration
Client3 configuration
Ping from PC1 to Client1

PC>ping 10.10.100.3

Ping 10.10.100.3: 32 data bytes, Press Ctrl_C to break


From 10.10.100.3: bytes=32 seq=1 ttl=255 time=31 ms
From 10.10.100.3: bytes=32 seq=2 ttl=255 time=16 ms
From 10.10.100.3: bytes=32 seq=3 ttl=255 time=16 ms
From 10.10.100.3: bytes=32 seq=4 ttl=255 time=32 ms
From 10.10.100.3: bytes=32 seq=5 ttl=255 time=31 ms

--- 10.10.100.3 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/25/32 ms

PC>

Ping from PC2 to Client2

PC>ping 10.10.110.2

Ping 10.10.110.2: 32 data bytes, Press Ctrl_C to break


From 10.10.110.2: bytes=32 seq=1 ttl=255 time=47 ms
From 10.10.110.2: bytes=32 seq=2 ttl=255 time=31 ms
From 10.10.110.2: bytes=32 seq=3 ttl=255 time=47 ms
From 10.10.110.2: bytes=32 seq=4 ttl=255 time=47 ms
From 10.10.110.2: bytes=32 seq=5 ttl=255 time=31 ms
--- 10.10.110.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/40/47 ms

PC>

Ping from server1 to server2

Ping from Client3 to 1.1.1.1

Connection from client3 to server1
Capture on gig 1/0/2 of FW1

Capture on gig 0/0/4 of CORE

Capture on gig 0/0/2 of CORE, only traffic from CORE to FW1 on the Eth-Trunk
Capture on gig 0/0/3 of CORE, only traffic from FW1 to CORE on the Eth-Trunk

Capture on gig 0/0/2 of ISP

CONNECTION FROM CLIENT1 TO SERVER1

Capture on gig 0/0/4 of CORE, the IP presented by FW1 and the IP of server1 are visible

Capture on gig 0/0/1 of ACC1, the IPs of Client1 and server1 are visible

CONNECTION FROM CLIENT1 TO SERVER2 (must be denied)

Capture on gig 0/0/6 of CORE

Capture on gig 0/0/2 of CORE (server2 does not answer); the other gig has no traffic
Test from PC1 to Internet IP 1.1.1.1
Capture on gig 1/0/0 of FW1, only traffic from PC1 to the Internet is seen

Capture on gig 1/0/1 of FW1, only traffic from the Internet to PC1 is seen

Capture on gig 1/0/2 of FW1, public IP in use

Connection from client2 to server2 OK.

Capture on gig 0/0/7 of CORE

Capture on gig 0/0/3 of CORE, IP 10.10.50.6 is used toward FW1; THE OTHER GIG HAS NO TRAFFIC
Client2 to server2 FTP
