本文仅供学习交流,所涉及的知识技术产权归属华为技术有限公司所有!!!
本文仅供学习交流,所涉及的知识技术产权归属华为技术有限公司所有!!!
本文仅供学习交流,所涉及的知识技术产权归属华为技术有限公司所有!!!
127.0.0.0~127.255.255.255可测试本机的网卡是否连通
0.0.0.0最小网址,任意地址
ipconfid查看本地 IPv4 地址
出去时私网转公网,回来时公网转私网
AR1
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]INT GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
AR2
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R2
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.1.2 24
AR3
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R3
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 192.168.1.254 24
[R3-GigabitEthernet0/0/0]q
[R3]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 2
The number of interface that is DOWN in Protocol is 2Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 192.168.1.254/24 up up
GigabitEthernet0/0/1 unassigned down down
GigabitEthernet0/0/2 unassigned down down
NULL0 unassigned up up(s)
<USG6000V1>sys
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sysname FW1
[FW1]interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0]ip address 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]q
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 1.1.1.1 24
AR4
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R4
[R4]int GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]ip address 1.1.1.2 24
[R4-GigabitEthernet0/0/0]q
[R4]interface LoopBack 0
[R4-LoopBack0]ip address 4.4.4.4 32
[R4-LoopBack0]q
[R4]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 2Interface IP Address/Mask Physical Protocol
GigabitEthernet0/0/0 1.1.1.2/24 up up
GigabitEthernet0/0/1 unassigned down down
GigabitEthernet0/0/2 unassigned down down
LoopBack0 4.4.4.4/32 up up(s)
NULL0 unassigned up up(s)
配ip地址
[FW1]user-interface console 0
[FW1-ui-console0]idle-timeout 0 0
Warning: Idle time-out is configured as 0, so session will never be disconnected
because of timeout.
[FW1-ui-console0]q
[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]q
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]service-manage ping permit
加安全区域
[FW1-GigabitEthernet1/0/1]q
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/0
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]q
<R1>ping 192.168.1.254
PING 192.168.1.254: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=255 time=160 ms
Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=60 ms
Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=40 ms--- 192.168.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/70/160 ms
<R4>ping 1.1.1.1
PING 1.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time=30 ms
Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time=10 ms
Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms--- 1.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/14/30 ms
[FW1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 4 Routes : 4Destination/Mask Proto Pre Cost Flags NextHop Interface
1.1.1.0/24 Direct 0 0 D 1.1.1.1 GigabitEthernet
1/0/1
1.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
1/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[FW1]ip route-static 4.4.4.4 32 1.1.1.2配置静态路由
[FW1]display ip routing-table 4.4.4.4
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface4.4.4.4/32 Static 60 0 RD 1.1.1.2 GigabitEthernet
1/0/1
<R4>sys
Enter system view, return user view with Ctrl+Z.
[R4]ip route-static 201.1.1.0 29 1.1.1.1回由
[FW1]nat address-group test
[FW1-address-group-test]mode no-pat global
[FW1-address-group-test]section 201.1.1.1 201.1.1.6
[FW1-address-group-test]dis th
#
nat address-group test 0
mode no-pat global
section 0 201.1.1.1 201.1.1.6
#
return
[FW1-address-group-test]q
[FW1-policy-nat]rule name test
[FW1-policy-nat-rule-test]source-zone trust
[FW1-policy-nat-rule-test]destination-zone untrust
[FW1-policy-nat-rule-test]source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-nat-rule-test]dis th
#
rule name test
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
(not configure the action)
#
return
[FW1-policy-nat-rule-test]destination-address 4.4.4.4 mask 255.255.255.255
[FW1-policy-nat-rule-test]dis th
#
rule name test
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
destination-address 4.4.4.4 32
(not configure the action)
#
return
[FW1-policy-nat-rule-test]action nat address-group test
安全策略
[FW1-policy-nat-rule-test]q
[FW1-policy-nat]q
[FW1]security-policy
[FW1-policy-security]rule name test
[FW1-policy-security-rule-test]source-zone trust
[FW1-policy-security-rule-test]destination-zone untrust
[FW1-policy-security-rule-test]source-address 192.168.1.0 mask 255.255.255.0
[FW1-policy-security-rule-test]destination-address 4.4.4.4 mask 255.255.255.255
[FW1-policy-security-rule-test]service icmp
[FW1-policy-security-rule-test]action permit
[FW1-policy-security-rule-test]dis th
#
rule name test
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
destination-address 4.4.4.4 32
service icmp
action permit
#
return
<R1>ping 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out--- 4.4.4.4 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[R1]ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
[R1]ping 4.4.4.4
PING 4.4.4.4: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out--- 4.4.4.4 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
......无语了,不知哪一步错了,[R1]ping 4.4.4.4不通
