Huawei USG5500 Firewall Configuration Example
I. Basic Configuration
<Huawei> system-view
[Huawei] sysname USG5500-FW
[USG5500-FW] interface GigabitEthernet 0/0/1
[USG5500-FW-GigabitEthernet0/0/1] description WAN
[USG5500-FW-GigabitEthernet0/0/1] ip address 202.96.209.2 255.255.255.252
[USG5500-FW-GigabitEthernet0/0/1] undo shutdown
[USG5500-FW-GigabitEthernet0/0/1] quit
[USG5500-FW] interface GigabitEthernet 0/0/2
[USG5500-FW-GigabitEthernet0/0/2] description LAN
[USG5500-FW-GigabitEthernet0/0/2] ip address 192.168.1.1 255.255.255.0
[USG5500-FW-GigabitEthernet0/0/2] undo shutdown
[USG5500-FW-GigabitEthernet0/0/2] quit
II. Security Zone Configuration
<!-- Add interfaces to security zones (GigabitEthernet 0/0/3 serves the DMZ; its IP address is not shown in section I) -->
[USG5500-FW] firewall zone trust
[USG5500-FW-zone-trust] add interface GigabitEthernet 0/0/2
[USG5500-FW-zone-trust] quit
[USG5500-FW] firewall zone untrust
[USG5500-FW-zone-untrust] add interface GigabitEthernet 0/0/1
[USG5500-FW-zone-untrust] quit
[USG5500-FW] firewall zone dmz
[USG5500-FW-zone-dmz] add interface GigabitEthernet 0/0/3
[USG5500-FW-zone-dmz] quit
III. Security Policy Configuration
<!-- Allow the internal network to reach the Internet -->
[USG5500-FW] security-policy
[USG5500-FW-policy-security] rule name trust_to_untrust
[USG5500-FW-policy-security-rule-trust_to_untrust] source-zone trust
[USG5500-FW-policy-security-rule-trust_to_untrust] destination-zone untrust
[USG5500-FW-policy-security-rule-trust_to_untrust] source-address 192.168.1.0 255.255.255.0
[USG5500-FW-policy-security-rule-trust_to_untrust] action permit
[USG5500-FW-policy-security-rule-trust_to_untrust] quit
<!-- Allow the Internet to reach the DMZ server (HTTP/HTTPS) -->
[USG5500-FW-policy-security] rule name untrust_to_dmz
[USG5500-FW-policy-security-rule-untrust_to_dmz] source-zone untrust
[USG5500-FW-policy-security-rule-untrust_to_dmz] destination-zone dmz
[USG5500-FW-policy-security-rule-untrust_to_dmz] destination-address 192.168.10.10 255.255.255.255
[USG5500-FW-policy-security-rule-untrust_to_dmz] service http
[USG5500-FW-policy-security-rule-untrust_to_dmz] service https
[USG5500-FW-policy-security-rule-untrust_to_dmz] action permit
[USG5500-FW-policy-security-rule-untrust_to_dmz] quit
<!-- Deny all other traffic -->
[USG5500-FW-policy-security] rule name deny_all
[USG5500-FW-policy-security-rule-deny_all] source-zone any
[USG5500-FW-policy-security-rule-deny_all] destination-zone any
[USG5500-FW-policy-security-rule-deny_all] action deny
[USG5500-FW-policy-security-rule-deny_all] quit
[USG5500-FW-policy-security] quit
IV. NAT Configuration
<!-- Source NAT (internal network to Internet) -->
[USG5500-FW] nat-policy
[USG5500-FW-policy-nat] rule name trust_to_untrust_nat
[USG5500-FW-policy-nat-rule-trust_to_untrust_nat] source-zone trust
[USG5500-FW-policy-nat-rule-trust_to_untrust_nat] destination-zone untrust
[USG5500-FW-policy-nat-rule-trust_to_untrust_nat] source-address 192.168.1.0 255.255.255.0
[USG5500-FW-policy-nat-rule-trust_to_untrust_nat] action source-nat easy-ip
[USG5500-FW-policy-nat-rule-trust_to_untrust_nat] quit
[USG5500-FW-policy-nat] quit
<!-- Destination NAT (publishing an internal server) -->
[USG5500-FW] nat-policy
[USG5500-FW-policy-nat] rule name publish_web
[USG5500-FW-policy-nat-rule-publish_web] source-zone untrust
[USG5500-FW-policy-nat-rule-publish_web] destination-zone dmz
[USG5500-FW-policy-nat-rule-publish_web] destination-address 202.96.209.2 255.255.255.255
[USG5500-FW-policy-nat-rule-publish_web] action destination-nat static portnat inbound-interface GigabitEthernet 0/0/1 protocol tcp http
[USG5500-FW-policy-nat-rule-publish_web] quit
[USG5500-FW-policy-nat] quit
V. VPN Configuration (IPSec)
<!-- ACL matching the interesting traffic -->
[USG5500-FW] acl 3000
[USG5500-FW-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[USG5500-FW-acl-adv-3000] quit
<!-- IKE proposal -->
[USG5500-FW] ike proposal 1
[USG5500-FW-ike-proposal-1] authentication-algorithm sha2-256
[USG5500-FW-ike-proposal-1] encryption-algorithm aes-256
[USG5500-FW-ike-proposal-1] dh group14
[USG5500-FW-ike-proposal-1] quit
<!-- IKE peer -->
[USG5500-FW] ike peer to_branch
[USG5500-FW-ike-peer-to_branch] ike-proposal 1
[USG5500-FW-ike-peer-to_branch] remote-address 202.96.209.10
[USG5500-FW-ike-peer-to_branch] pre-shared-key Huawei@123
[USG5500-FW-ike-peer-to_branch] quit
<!-- IPSec proposal -->
[USG5500-FW] ipsec proposal tran1
[USG5500-FW-ipsec-proposal-tran1] encapsulation-mode tunnel
[USG5500-FW-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[USG5500-FW-ipsec-proposal-tran1] esp encryption-algorithm aes-256
[USG5500-FW-ipsec-proposal-tran1] quit
<!-- IPSec policy -->
[USG5500-FW] ipsec policy P1 1 isakmp
[USG5500-FW-ipsec-policy-P1-1] security acl 3000
[USG5500-FW-ipsec-policy-P1-1] ike-peer to_branch
[USG5500-FW-ipsec-policy-P1-1] proposal tran1
[USG5500-FW-ipsec-policy-P1-1] quit
<!-- Apply the IPSec policy to the WAN interface -->
[USG5500-FW] interface GigabitEthernet 0/0/1
[USG5500-FW-GigabitEthernet0/0/1] ipsec policy P1
[USG5500-FW-GigabitEthernet0/0/1] quit
VI. Saving the Configuration
[USG5500-FW] return
<USG5500-FW> save
The configuration will be exported to the device.cfg for the current session?
Are you sure to continue?[Y/N]Y
Key Configuration Points
- Security zones: divide zones by trust level; by default, traffic between zones is denied
- Security policy: least privilege, permit rules first and then deny
- NAT: source NAT provides Internet access, destination NAT publishes internal services
- IPSec VPN: IKEv2 is recommended, with AES-256 + SHA2-256
- Log auditing: enable security-policy logging for after-the-fact analysis
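The policy-ordering, least-privilege and algorithm points above can be checked mechanically before a configuration is pushed. The following Python script is an added example, not part of the original page and not a Huawei tool: it parses a USG-style CLI transcript (the embedded SAMPLE is constructed to mirror the security-policy rules of section III and the IKE proposal and peer of section V; comment lines and the `[view]` prompts are stripped) into security-policy rules, IKE/IPSec proposals and IKE peers, then reports permit rules shadowed by an earlier any/any deny, permit rules with no address or service filter, a missing final deny-all, weak algorithms, and short pre-shared keys. The weak-algorithm list and the 16-character key threshold are assumptions of this example, not device defaults. Run against the page's own configuration it reports only that the example key `Huawei@123` is shorter than the threshold.

```python
import re
# Strip the "<name>" or "[name-view]" prompt that precedes each command in a transcript.
PROMPT = re.compile(r"^(?:<[^>]*>|\[[^\]]*\])\s*")
WEAK_ALGS = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}  # assumption: local policy list
MIN_PSK_LEN = 16  # assumption: local policy threshold, not a device default

# Constructed sample mirroring the section III rules and the section V IKE proposal and peer of this page.
SAMPLE = """\
[USG5500-FW] security-policy
[USG5500-FW-policy-security] rule name trust_to_untrust
[USG5500-FW-policy-security-rule-trust_to_untrust] source-zone trust
[USG5500-FW-policy-security-rule-trust_to_untrust] destination-zone untrust
[USG5500-FW-policy-security-rule-trust_to_untrust] source-address 192.168.1.0 255.255.255.0
[USG5500-FW-policy-security-rule-trust_to_untrust] action permit
[USG5500-FW-policy-security-rule-trust_to_untrust] quit
[USG5500-FW-policy-security] rule name untrust_to_dmz
[USG5500-FW-policy-security-rule-untrust_to_dmz] source-zone untrust
[USG5500-FW-policy-security-rule-untrust_to_dmz] destination-zone dmz
[USG5500-FW-policy-security-rule-untrust_to_dmz] destination-address 192.168.10.10 255.255.255.255
[USG5500-FW-policy-security-rule-untrust_to_dmz] service http
[USG5500-FW-policy-security-rule-untrust_to_dmz] action permit
[USG5500-FW-policy-security-rule-untrust_to_dmz] quit
[USG5500-FW-policy-security] rule name deny_all
[USG5500-FW-policy-security-rule-deny_all] source-zone any
[USG5500-FW-policy-security-rule-deny_all] destination-zone any
[USG5500-FW-policy-security-rule-deny_all] action deny
[USG5500-FW-policy-security-rule-deny_all] quit
[USG5500-FW-policy-security] quit
[USG5500-FW] ike proposal 1
[USG5500-FW-ike-proposal-1] authentication-algorithm sha2-256
[USG5500-FW-ike-proposal-1] encryption-algorithm aes-256
[USG5500-FW-ike-proposal-1] dh group14
[USG5500-FW-ike-proposal-1] quit
[USG5500-FW] ike peer to_branch
[USG5500-FW-ike-peer-to_branch] pre-shared-key Huawei@123
[USG5500-FW-ike-peer-to_branch] quit
"""

def parse(transcript):
    """Walk the transcript as a small state machine keyed on the commands that enter a view."""
    cfg = {"rules": [], "ike_proposals": {}, "ipsec_proposals": {}, "ike_peers": {}}
    cur, section = {}, None  # cur: rule/proposal/peer being filled; section: security- or nat-policy
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("<!--"):
            continue
        w = line.split()
        if w[0] == "quit":
            section, cur = (section if cur else None), {}  # quit at policy level leaves that view
        elif w[0] in ("security-policy", "nat-policy"):
            section = w[0]
        elif w[:2] == ["rule", "name"]:
            cur = {"name": w[2], "action": None, "zones": {}, "filters": set()}
            if section == "security-policy":  # nat-policy rules are parsed but not linted here
                cfg["rules"].append(cur)
        elif w[:2] in (["ike", "proposal"], ["ipsec", "proposal"]):
            cur = cfg[w[0] + "_proposals"].setdefault(w[2], {"algs": []})
        elif w[:2] == ["ike", "peer"]:
            cur = cfg["ike_peers"].setdefault(w[2], {"psk": None})
        elif w[0] in ("source-zone", "destination-zone") and "zones" in cur:
            cur["zones"][w[0]] = w[1]
        elif w[0] in ("source-address", "destination-address", "service") and "filters" in cur:
            cur["filters"].add(w[0])
        elif w[0] == "action" and "action" in cur:
            cur["action"] = w[1]
        elif w[0] in ("authentication-algorithm", "encryption-algorithm", "dh", "esp") and "algs" in cur:
            cur["algs"].append(w[-1])  # "esp encryption-algorithm aes-256" -> "aes-256"
        elif w[0] == "pre-shared-key" and "psk" in cur:
            cur["psk"] = w[1]
    return cfg

def check_policy(rules):
    """Ordering and least-privilege checks: permit the necessary traffic first, deny everything else last."""
    findings, blocked, final_deny = [], False, False
    for r in rules:
        catch_all = r["zones"].get("source-zone") == "any" and r["zones"].get("destination-zone") == "any"
        if r["action"] == "permit" and blocked:
            findings.append(f"rule {r['name']} is shadowed by an earlier any/any deny and never matches")
        if r["action"] == "permit" and not r["filters"]:
            findings.append(f"rule {r['name']} permits a whole zone pair with no address or service filter")
        final_deny = r["action"] == "deny" and catch_all
        blocked = blocked or final_deny
    if not final_deny:
        findings.append("no final any/any deny rule: unmatched traffic relies on the default action")
    return findings

def check_crypto(cfg):
    findings = [f"{kind[:-1].replace('_', ' ')} {name} uses weak algorithm {alg}"
                for kind in ("ike_proposals", "ipsec_proposals")
                for name, prop in cfg[kind].items() for alg in prop["algs"] if alg.lower() in WEAK_ALGS]
    for name, peer in cfg["ike_peers"].items():
        if peer["psk"] is not None and len(peer["psk"]) < MIN_PSK_LEN:
            findings.append(f"ike peer {name} pre-shared key is only {len(peer['psk'])} characters (below {MIN_PSK_LEN})")
    return findings

def lint(transcript):
    cfg = parse(transcript)
    return check_policy(cfg["rules"]) + check_crypto(cfg)
```

`lint(SAMPLE)` returns the list of findings, so it can be run on a saved transcript in a pre-change review step; an empty list means every check passed. The parser keys on the view-entering commands rather than on the prompt text, so it also works on transcripts captured under a different sysname.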
VII. Command Reference
1. Security zone commands
| Command | Explanation |
| --- | --- |
| firewall zone trust | Enter the trust zone configuration view |
| add interface GigabitEthernet 0/0/2 | Add the interface to the trust zone |
| firewall zone untrust | Enter the untrust (Internet-facing) zone configuration view |
| firewall zone dmz | Enter the DMZ zone configuration view |
2. Security policy commands
| Command | Explanation |
| --- | --- |
| security-policy | Enter the security policy configuration view |
| rule name trust_to_untrust | Create a policy rule named trust_to_untrust |
| source-zone trust | Set the source zone to trust |
| destination-zone untrust | Set the destination zone to untrust |
| action permit | Permit traffic that matches the rule |
3. VPN commands
| Command | Explanation |
| --- | --- |
| ike proposal 1 | Create IKE proposal 1 |
| authentication-algorithm sha2-256 | Set the authentication algorithm to SHA2-256 |
| ike peer to_branch | Create the IKE peer |
| pre-shared-key Huawei@123 | Configure the pre-shared key (the value here is only an example) |
4. Configuration Summary
Recommended configuration order:
- Configure interface IP addresses
- Define security zones and add interfaces to them
- Configure the security policy (permit the required traffic first, then deny all)
- Configure NAT (source NAT and destination NAT)
- Configure IPSec if a VPN is required
- Save the configuration