Huawei Firewall: Simple Small-Business Command-Line Configuration

[Figure 1: diagram accompanying the configuration below]
Goals:
1. Internal network (trust) can reach the Internet (untrust)
2. Both the internal network and the Internet can reach the FTP server in the DMZ
3. Enable ASPF for FTP, so the FTP data channel is opened dynamically
4. Enable the black-hole function for the internal network (note: no black-hole route appears in the configuration listed below)

Firewall configuration (addressing as used below: GE1/0/0 = trust, 10.0.0.1/24, internal LAN 192.168.0.0/24 reached via 10.0.0.2; GE1/0/1 = dmz, 172.16.0.1/24, FTP server 172.16.0.10; GE1/0/2 = untrust, 100.0.0.1/24, upstream next hop 100.0.0.2):

interface GigabitEthernet1/0/0
undo shutdown
ip address 10.0.0.1 255.255.255.0
service-manage ping permit

interface GigabitEthernet1/0/1
undo shutdown
ip address 172.16.0.1 255.255.255.0
service-manage ping permit

interface GigabitEthernet1/0/2
undo shutdown
ip address 100.0.0.1 255.255.255.0

firewall zone local
set priority 100

firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0 // not configured in the listing above; on USG6000 GE0/0/0 is typically the management port
add interface GigabitEthernet1/0/0

firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2

firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1

firewall interzone trust dmz // FTP ASPF for internal-network access to the DMZ FTP server
detect ftp

firewall interzone dmz untrust // FTP ASPF for Internet access to the DMZ FTP server
detect ftp

ip route-static 0.0.0.0 0.0.0.0 100.0.0.2
ip route-static 192.168.0.0 255.255.255.0 10.0.0.2

firewall detect ftp // FTP ASPF in system view; the interzone "detect ftp" lines above already cover trust-dmz and dmz-untrust

nat server 0 protocol tcp global 100.0.0.1 ftp inside 172.16.0.10 ftp // static mapping: TCP/21 on the untrust interface address 100.0.0.1 -> 172.16.0.10:21

security-policy
rule name trust-dmz // internal network to the DMZ FTP server
source-zone trust
destination-zone dmz
source-address 192.168.0.0 mask 255.255.255.0
destination-address 172.16.0.10 mask 255.255.255.255
action permit

rule name to-internet // internal network to the Internet
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.255.0
action permit

rule name untrust-dmz // Internet to the DMZ FTP server; the destination is the real (post-NAT) address 172.16.0.10. As written this permits any source and any service; add "service ftp" to restrict it to TCP/21
source-zone untrust
destination-zone dmz
destination-address 172.16.0.10 mask 255.255.255.255
action permit

nat-policy // source NAT for internal Internet access
rule name nat
source-zone trust
destination-zone untrust
source-address 192.168.0.0 mask 255.255.255.0
action source-nat easy-ip // translate to the address of the outbound interface (GE1/0/2, 100.0.0.1)
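As an added example, not part of the original post, here is a tightened version of the untrust-dmz rule that permits only the FTP control connection, followed by the display commands used on a USG6000 to confirm the NAT mapping, the ASPF server-map entries and the translated sessions. The rule name is the one from the listing; the inline comments are explanatory and are not typed on the device.

```text
security-policy
 rule name untrust-dmz
  source-zone untrust
  destination-zone dmz
  destination-address 172.16.0.10 mask 255.255.255.255
  service ftp                              // predefined service, TCP port 21 only
  action permit

# Verification (user view), after an FTP client on the Internet has logged in:
display nat server                         // the static 100.0.0.1:21 -> 172.16.0.10:21 mapping
display firewall server-map                // static NAT-server entries plus the dynamic ASPF entries
                                           // created when the client sends PORT/PASV on the control channel
display firewall session table verbose     // control and data sessions with their NAT translation
```

With the service restricted to FTP, the data channel (a random port in passive mode, or a connection back to the client in active mode) still comes up only because the "detect ftp" lines create a server-map entry for it; if passive-mode transfers fail while logins succeed, the ASPF configuration is the first thing to check.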
