华为USG2200系列防火墙配置案例

display cur
12:06:25 2012/06/06
#
sysname xagl_USG2200
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local untrust1 direction inbound
firewall packet-filter default permit interzone local untrust1 direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust untrust1 direction inbound
firewall packet-filter default permit interzone trust untrust1 direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
nat address-group 0 124.114.156.211 124.114.156.212
nat address-group 1 113.200.77.235 113.200.77.236
#
firewall ipv6 session link-state check
#
firewall session link-state check
#
firewall defend ip-sweep enable
firewall defend large-icmp enable
firewall defend syn-flood enable
firewall defend land enable
firewall defend ip-sweep max-rate 1000
firewall defend ip-sweep blacklist-timeout 30
firewall defend large-icmp max-length 3600
firewall defend syn-flood interface Ethernet3/0/0 alert-rate 1000 max-rate 500000
firewall defend syn-flood interface GigabitEthernet0/0/0 alert-rate 1000 max-rate 500000
#
web-manager enable
#
acl number 2001
rule 1 permit source 192.168.2.100 0
#
interface Cellular0/1/0
link-protocol ppp
#
interface Ethernet3/0/0
description tu liantong
ip address 113.200.77.234 255.255.255.248
#
interface GigabitEthernet0/0/0
description to dianxin
ip address 124.114.156.210 255.255.255.248
#
interface GigabitEthernet0/0/1
description to wangkang's WAN
ip address 192.168.1.3 255.255.255.0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
firewall zone name untrust1
set priority 6
add interface Ethernet3/0/0
#
aaa
local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
local-user admin service-type web terminal
local-user admin level 3
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1

#
ip route-static 0.0.0.0 0.0.0.0 124.114.156.209
ip route-static 0.0.0.0 0.0.0.0 113.200.77.233 preference 70

#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100006E55
snmp-agent community read Usg2200 acl 2001
snmp-agent sys-info version all
#
banner enable
#
user-interface con 0
authentication-mode local user admin password simple mimashi1983#^^#
user-interface tty 2
authentication-mode none
modem both
user-interface vty 0 4
user privilege level 3
set authentication password cipher I$'4!VBZ8B;^2/\%98C4@A!!
#
slb
#
cwmp
#
right-manager server-group
#
nat-policy interzone trust untrust outbound
policy 1
action source-nat
policy source 192.168.10.0 0.0.0.255
address-group 0
#
nat-policy interzone trust untrust1 outbound
policy 2
action source-nat
policy source 192.168.100.0 0.0.0.255
policy source 192.168.200.0 0.0.0.255
policy source 192.168.1.0 0.0.0.255
policy source 192.168.2.0 0.0.0.255
policy source 192.168.3.0 0.0.0.255
address-group 1
#
return
