I. Lab topology
[Figure 1: lab topology of the USG6000V configuration experiment]
II. Configuration procedure
1. Cloud1 configuration, so that the host PC can reach the USG6000V firewall through the web UI
a. In the VirtualBox installation on the host, add a virtual network adapter with the IP address 192.168.0.254/24, as in the screenshot (VirtualBox window: File -> Preferences):
[Figure 2: VirtualBox virtual adapter set to 192.168.0.254/24]
b. After the step above, the virtual adapter shows up among the host's network connections:
[Figure 3: the virtual adapter in the host's network connections]
c. Test whether the host can reach the USG6000V (ping 192.168.0.1 from the host):
[Figure 4: ping from the host to the USG6000V]
If the ping fails, check two things.
First, that interface G0/0/0 on the USG6000V is configured as follows:

interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
service-manage https permit   // allow HTTPS management access on this interface
service-manage ping permit    // allow ping to this interface

Second, that the web service is enabled on the firewall:
web-manager enable
d. Once connectivity is confirmed, open a browser and test the web UI (the USG6000V web manager listens on HTTPS port 8443 by default, so the URL is https://192.168.0.1:8443):
[Figure 5: USG6000V web login page in the browser]


2. Firewall FW1 interface configuration
#

interface Vlanif1
ip address 192.168.11.254 255.255.255.0
service-manage ping permit
#
interface Vlanif3
ip address 192.168.3.254 255.255.255.0
service-manage ping permit
#
interface Vlanif4
ip address 192.168.4.254 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.1 255.255.255.0
alias trust_内网
service-manage ping permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 202.1.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 172.16.1.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/3
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 3 to 4
#
interface GigabitEthernet1/0/4
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 3 to 4
#

3. Security zone configuration
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface Vlanif1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
firewall zone name vlan3zone id 4
set priority 3
add interface Vlanif3
#
firewall zone name vlan4zone id 5
set priority 4
add interface Vlanif4
#
firewall zone name portszone id 6
set priority 8
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
#
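The two blocks above are easy to get subtly wrong: an interface that lands in no zone passes no traffic, an interface may belong to only one zone, and zone priorities must be unique. The following script is an added example and not part of the original page; it cross-checks the interface names from section 2 against the zone definitions of section 3 (copied here without the # separators) and also reports the USG inbound/outbound direction for a zone pair, which is derived purely from the priorities. The extra interface name used in the test is a constructed input.

```python
# Added example, not from the original page: audits the section 3 zone block
# against the interfaces configured in section 2. ZONE_TEXT is section 3 copied
# without the '#' separators; INTERFACES lists the interface names of section 2.

INTERFACES = {"Vlanif1", "Vlanif3", "Vlanif4",
              "GigabitEthernet0/0/0", "GigabitEthernet1/0/0", "GigabitEthernet1/0/1",
              "GigabitEthernet1/0/2", "GigabitEthernet1/0/3", "GigabitEthernet1/0/4"}

ZONE_TEXT = """\
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface Vlanif1
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
firewall zone name vlan3zone id 4
set priority 3
add interface Vlanif3
firewall zone name vlan4zone id 5
set priority 4
add interface Vlanif4
firewall zone name portszone id 6
set priority 8
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
"""

def parse_zones(text):
    """Map zone name -> {'priority': int, 'interfaces': [...]} in definition order."""
    zones, current = {}, None
    for line in text.splitlines():
        p = line.split()
        if p[:2] == ["firewall", "zone"]:
            # built-in zones: 'firewall zone trust'; custom ones: 'firewall zone name X id N'
            current = p[3] if p[2] == "name" else p[2]
            zones[current] = {"priority": None, "interfaces": []}
        elif p[:2] == ["set", "priority"]:
            zones[current]["priority"] = int(p[2])
        elif p[:2] == ["add", "interface"]:
            zones[current]["interfaces"].append(p[2])
    return zones

def audit(zones, interfaces):
    """Findings a reviewer wants: interfaces in no zone, interfaces in several
    zones, and priority values shared by more than one zone."""
    membership = {}
    for name, zone in zones.items():
        for itf in zone["interfaces"]:
            membership.setdefault(itf, []).append(name)
    by_priority = {}
    for name, zone in zones.items():
        by_priority.setdefault(zone["priority"], []).append(name)
    return {
        "unassigned": sorted(interfaces - set(membership)),
        "multi_zone": {i: z for i, z in membership.items() if len(z) > 1},
        "duplicate_priority": {pr: z for pr, z in by_priority.items() if len(z) > 1},
    }

def direction(zones, src, dst):
    """USG wording: traffic from a higher- to a lower-priority zone is outbound,
    the reverse is inbound. vlan3zone (3) sits below untrust (5), so its
    Internet-bound traffic counts as inbound even though it heads for the ISP."""
    return "outbound" if zones[src]["priority"] > zones[dst]["priority"] else "inbound"

ZONES = parse_zones(ZONE_TEXT)

if __name__ == "__main__":
    print(audit(ZONES, INTERFACES))
    print("trust -> untrust is", direction(ZONES, "trust", "untrust"))
    print("vlan3zone -> untrust is", direction(ZONES, "vlan3zone", "untrust"))
```

For the configuration on this page the audit comes back clean; the direction check is worth running because the custom zones were given priorities below untrust, which changes how the USG labels their traffic in policy and NAT displays.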


4. Security policy configuration
#
security-policy
rule name local_any
source-zone local
action permit
rule name lan_wan
source-zone trust
source-zone vlan3zone
destination-zone untrust
action permit
rule name trust_dmz
source-zone trust
destination-zone dmz
action permit
rule name untrust_dmz
source-zone untrust
destination-zone dmz
destination-address 172.16.1.2 32
service http
action permit
rule name trust_vlan4zone
source-zone trust
source-zone vlan4zone
destination-zone trust
destination-zone vlan4zone
action permit
rule name any_managevlan1
destination-zone trust
destination-address 192.168.11.0 24
action permit
#


5. NAT configuration
#
nat-policy
rule name lan_to_isp
source-zone trust
source-zone vlan3zone
egress-interface GigabitEthernet1/0/1
source-address 192.168.1.0 24
source-address 192.168.3.0 24
action nat easy-ip
#
#
nat server mywebserver 0 protocol tcp global 202.1.1.1 www inside 172.16.1.2 www no-reverse
#
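Sections 4 and 5 interact: on the USG the nat server mapping rewrites the destination before the security policy is matched, which is why rule untrust_dmz names the inside address 172.16.1.2 and not the global address 202.1.1.1, and rules are matched top-down with the default policy denying everything else. The script below is an added example and not part of the original page; it parses the security-policy block and the nat server line exactly as they appear above, simulates an inbound packet to 202.1.1.1, and also lists permit rules that omit source-zone (any_managevlan1 does, so it matches traffic arriving from any zone, untrust included). The packets, the zone of each target (taken from section 3) and the service labels are constructed inputs; the simulator only models packets addressed to the firewall's public address.

```python
# Added example, not from the original page: first-match simulator for the
# section 4 security-policy block plus the section 5 nat server mapping.
# POLICY_TEXT and NAT_SERVER are copied from the page; packets and service
# labels are constructed inputs.
import ipaddress
POLICY_TEXT = """\
security-policy
rule name local_any
source-zone local
action permit
rule name lan_wan
source-zone trust
source-zone vlan3zone
destination-zone untrust
action permit
rule name trust_dmz
source-zone trust
destination-zone dmz
action permit
rule name untrust_dmz
source-zone untrust
destination-zone dmz
destination-address 172.16.1.2 32
service http
action permit
rule name trust_vlan4zone
source-zone trust
source-zone vlan4zone
destination-zone trust
destination-zone vlan4zone
action permit
rule name any_managevlan1
destination-zone trust
destination-address 192.168.11.0 24
action permit
"""
NAT_SERVER = "nat server mywebserver 0 protocol tcp global 202.1.1.1 www inside 172.16.1.2 www no-reverse"
PORT_KEYWORDS = {"www": 80}  # the CLI port keyword the page uses

def parse_policy(text):
    """Ordered rule list; a field a rule omits matches anything."""
    rules = []
    for line in text.splitlines():
        p = line.split()
        if p[:2] == ["rule", "name"]:
            rules.append({"name": p[2], "source-zone": [], "destination-zone": [],
                          "source-address": [], "destination-address": [],
                          "service": [], "action": "deny"})
        elif p and p[0] in ("source-zone", "destination-zone", "service"):
            rules[-1][p[0]].append(p[1])
        elif p and p[0] in ("source-address", "destination-address"):
            rules[-1][p[0]].append(ipaddress.ip_network(f"{p[1]}/{p[2]}"))
        elif p and p[0] == "action":
            rules[-1]["action"] = p[1]
    return rules

def parse_nat_server(line):
    """Static mapping (global ip, port) -> (inside ip, port) of a nat server line."""
    p = line.split()
    g, i = p.index("global"), p.index("inside")
    port = lambda w: int(PORT_KEYWORDS.get(w, w))
    return {"protocol": p[p.index("protocol") + 1],
            "global": (p[g + 1], port(p[g + 2])), "inside": (p[i + 1], port(p[i + 2]))}

def _hit(values, candidate, nets=False):
    if not values:
        return True
    if nets:
        return any(ipaddress.ip_address(candidate) in n for n in values)
    return candidate in values

def lookup(rules, src_zone, dst_zone, src_ip, dst_ip, service):
    """(rule name, action) of the first match; the USG default policy denies the rest."""
    for r in rules:
        if (_hit(r["source-zone"], src_zone) and _hit(r["destination-zone"], dst_zone)
                and _hit(r["source-address"], src_ip, True)
                and _hit(r["destination-address"], dst_ip, True)
                and _hit(r["service"], service)):
            return r["name"], r["action"]
    return "default", "deny"

def inbound(rules, nat, src_zone, src_ip, dst_port, proto="tcp"):
    """Packet from the ISP to the public address 202.1.1.1: destination NAT first,
    then the policy lookup on the translated packet. Zones per section 3: 172.16.1.2
    is behind GE1/0/2 (dmz); 202.1.1.1 itself is the firewall's GE1/0/1 (local)."""
    dst_ip, dst_zone = nat["global"][0], "local"
    if (proto, dst_port) == (nat["protocol"], nat["global"][1]):
        (dst_ip, dst_port), dst_zone = nat["inside"], "dmz"
    service = {("tcp", 80): "http"}.get((proto, dst_port), f"{proto}/{dst_port}")
    return (dst_ip, dst_port) + lookup(rules, src_zone, dst_zone, src_ip, dst_ip, service)

def rules_without_source_zone(rules):
    """Permit rules that omit source-zone and therefore also match traffic from untrust."""
    return [r["name"] for r in rules if r["action"] == "permit" and not r["source-zone"]]

RULES, NAT = parse_policy(POLICY_TEXT), parse_nat_server(NAT_SERVER)
if __name__ == "__main__":
    print(inbound(RULES, NAT, "untrust", "203.0.113.9", 80))
    print(inbound(RULES, NAT, "untrust", "203.0.113.9", 22))
    print(rules_without_source_zone(RULES))
```

A packet to 202.1.1.1:80 is rewritten to 172.16.1.2:80 and then permitted by untrust_dmz; a packet to port 22 has no nat server entry, stays addressed to the firewall itself and falls through to the default deny. If the any_managevlan1 rule is meant for management hosts only, add a source-zone (or source-address) to it, because as written its source side is unrestricted.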