H3C防火墙配置实例

2、配置要求 
1）防火墙的E0/2接口为TRUST区域，ip地址是：192.168.254.1/29； 
2）防火墙的E1/2接口为UNTRUST区域，ip地址是：202.111.0.1/27； 
3）内网服务器对外网做一对一的地址映射，192.168.254.2、192.168.254.3分别映射为202.111.0.2、202.111.0.3； 
4）内网服务器访问外网不做限制，外网访问内网只放通公网地址211.101.5.49访问192.168.254.2的1433端口和192.168.254.3的80端口。 

3、防火墙的配置脚本如下 
<H3CF100A>dis cur 
# 
sysname H3CF100A 
# 
super password level 3 cipher 6aQ>Q57-$.I)0;4:\(I41!!! 
# 
firewall packet-filter enable 
firewall packet-filter default permit 
# 
insulate 
# 
nat static inside ip 192.168.254.2 global ip 202.111.0.2 
nat static inside ip 192.168.254.3 global ip 202.111.0.3 
# 
firewall statistic system enable 
# 
radius scheme system 
server-type extended 
# 
domain system 
# 
local-user net1980 
password cipher ###### 
service-type telnet 
level 2 
# 
aspf-policy 1 
detect h323 
detect sqlnet 
detect rtsp 
detect http 
detect smtp 
detect ftp 
detect tcp 
detect udp 
# 
object address 192.168.254.2/32 192.168.254.2 255.255.255.255 
object address 192.168.254.3/32 192.168.254.3 255.255.255.255 
# 
acl number 3001 
description out-inside 
rule 1 permit tcp source 211.101.5.49 0 destination 192.168.254.2 0 destination-port eq 1433 
rule 2 permit tcp source 211.101.5.49 0 destination 192.168.254.3 0 destination-port eq www 
rule 1000 deny ip 
acl number 3002 
description inside-to-outside 
rule 1 permit ip source 192.168.254.2 0 
rule 2 permit ip source 192.168.254.3 0 
rule 1000 deny ip 
# 
interface Aux0 
async mode flow 
# 
interface Ethernet0/0 
shutdown 
# 
interface Ethernet0/1 
shutdown 
# 
interface Ethernet0/2 
speed 100 
duplex full 
description to server 
ip address 192.168.254.1 255.255.255.248 
firewall packet-filter 3002 inbound 
firewall aspf 1 outbound 
# 
interface Ethernet0/3 
shutdown 
# 
interface Ethernet1/0 
shutdown 
# 
interface Ethernet1/1 
shutdown 
# 
interface Ethernet1/2 
speed 100 
duplex full 
description to internet 
ip address 202.111.0.1 255.255.255.224 
firewall packet-filter 3001 inbound 
firewall aspf 1 outbound 
nat outbound static 
# 
interface NULL0 
# 
firewall zone local 
set priority 100 
# 
firewall zone trust 
add interface Ethernet0/2 
set priority 85 
# 
firewall zone untrust 
add interface Ethernet1/2 
set priority 5 
# 
firewall zone DMZ 
add interface Ethernet0/3 
set priority 50 
# 
firewall interzone local trust 
# 
firewall interzone local untrust 
# 
firewall interzone local DMZ 
# 
firewall interzone trust untrust 
# 
firewall interzone trust DMZ 
# 
firewall interzone DMZ untrust 
# 
ip route-static 0.0.0.0 0.0.0.0 202.111.0.30 preference 60 
# 
user-interface con 0 
user-interface aux 0 
user-interface vty 0 4 
authentication-mode scheme 
#