Performing basic configurations at the cli, Configuration example – H3C Technologies H3C SecPath F5020 User Manual


Performing basic configurations at the CLI

1. Enter system view.
   Command: system-view
   Remarks: Available in user view.

2. Set a name for the firewall.
   Command: sysname sysname
   Remarks: By default, the firewall name is H3C.

3. Enable the Telnet server function.
   Command: telnet server enable
   Remarks: By default, the Telnet server function is disabled.

4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

5. Assign an IP address to the interface.
   Command: ip address ip-address { mask-length | mask } [ sub ]
   Remarks: By default, the IP address of GigabitEthernet 1/0/1 is 192.168.0.1/24. No IP addresses are assigned to other interfaces.

6. Configure outbound dynamic NAT.
   a. Create a NAT address group and enter its view:
      nat address-group group-number
      Remarks: Available in system view. By default, no NAT address group exists.
   b. Add a group member to the NAT address group:
      address start-address end-address
      Remarks: By default, no group member exists.
   c. Configure an outbound dynamic NAT rule.
      NO-PAT:
      nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ reversible ]
      PAT:
      nat outbound [ acl-number ] [ address-group group-number ] [ vpn-instance vpn-instance-name ] [ port-preserved ]
      Remarks: By default, no outbound dynamic NAT rule is configured.

7. Create a security zone and enter its view.
   Command: security-zone name zone-name
   Remarks: When the first command for creating a security zone, creating a security policy, or entering the view of a default security zone is executed, the system automatically creates four default security zones: Local, Trust, DMZ, and Untrust.

8. Add the interface to the security zone.
   Method 1: import interface interface-type interface-number [ vlan vlan-list ]
   Method 2: import { interface interface-type interface-number | vlan vlan-list }
   Remarks: By default, no interface or VLAN exists in a security zone.

9. Save the running configuration.
   Command: save [ safely ]
   Remarks: Available in any view. This command also specifies the next startup configuration file.

10. Display the running configuration.
   Command: display current-configuration
   Remarks: Available in any view.

For further configuration tasks, see the firewall configuration guides and command references.

The firewall features vary depending on the software version.

Configuration example

Network requirements

As shown in the figure, the private network address and public IP address for the hosts of the LAN are 10.110.10.0/24 and 202.38.1.1/24, respectively. The LAN users can access the Web server and the Internet. The users from the external networks can access the Web server in the LAN through port number 80.

Figure: network diagram (image not reproduced). The firewall connects GE1/0/11 (10.110.10.10/24, security zone DMZ) to the Web server at 10.110.10.1/24, GE1/0/12 (202.38.1.1/24, security zone Untrust) to the Internet, and GE1/0/13 (security zone Trust) to the LAN.

When you first create a security zone or an object policy, the system automatically creates the four default security zones: Local, Trust, DMZ, and Untrust, which cannot be deleted. By default, a security zone does not have any interface.

Configuration procedures

# Assign an IP address to each interface as shown in the figure. (Details not shown.)
# Add GigabitEthernet 1/0/11 to security zone DMZ.
[Firewall] security-zone name dmz
[Firewall-security-zone-dmz] import interface gigabitethernet 1/0/11
[Firewall-security-zone-dmz] quit
# Add GigabitEthernet 1/0/12 and GigabitEthernet 1/0/13 to security zones Untrust and Trust, respectively. (Details not shown.)
# Create an IP address object group named internal_user with the network address 10.110.10.0/24.
[Firewall] object-group ip address internal_user
[Firewall-obj-grp-ip-internal_user] network subnet 10.110.10.0 24
[Firewall-obj-grp-ip-internal_user] quit
# Create an IP address object group named webserver with the host address 10.110.10.1.
[Firewall] object-group ip address webserver
[Firewall-obj-grp-ip-webserver] network host address 10.110.10.1
[Firewall-obj-grp-ip-webserver] quit
# Create a service object group named web for protocol HTTP (TCP destination port 80).
[Firewall] object-group service web
[Firewall-obj-grp-service-web] service tcp destination eq 80
[Firewall-obj-grp-service-web] quit
# Configure an object policy so that any host can access the Web server.
[Firewall] object-policy ip access-server
[Firewall-object-policy-ip-access-server] rule pass source-ip any destination-ip webserver service web
[Firewall-object-policy-ip-access-server] quit
# Configure an object policy to allow any packets from the LAN to pass through.
[Firewall] object-policy ip access-internet
[Firewall-object-policy-ip-access-internet] rule pass source-ip internal_user
[Firewall-object-policy-ip-access-internet] quit
# Create an interzone instance with source zone Trust and destination zone DMZ. Apply the object policy so that LAN users can access the Web server.
[Firewall] zone-pair security source trust destination dmz
[Firewall-zone-pair-security-Trust-DMZ] object-policy apply ip access-server
[Firewall-zone-pair-security-Trust-DMZ] quit
# Create an interzone instance with source zone Untrust and destination zone DMZ. Apply the object policy so that external network users can access the Web server.
[Firewall] zone-pair security source untrust destination dmz
[Firewall-zone-pair-security-Untrust-DMZ] object-policy apply ip access-server
[Firewall-zone-pair-security-Untrust-DMZ] quit
# Create an interzone instance with source zone Trust and destination zone Untrust. Apply the object policy so that LAN users can access the external networks.
[Firewall] zone-pair security source trust destination untrust
[Firewall-zone-pair-security-Trust-Untrust] object-policy apply ip access-internet
[Firewall-zone-pair-security-Trust-Untrust] quit
# Allow external users to access the internal Web server at 10.110.10.1 on the LAN through http://202.38.1.1 on port 80.
[Firewall] interface gigabitethernet 1/0/12
[Firewall-GigabitEthernet1/0/12] nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 http
[Firewall-GigabitEthernet1/0/12] quit
# Configure ACL 2000, and create a rule to permit packets only from segment 10.110.0.0 0.0.0.255 to pass through.
[Firewall] acl number 2000
[Firewall-acl-basic-2000] rule permit source 10.110.0.0 0.0.0.255
[Firewall-acl-basic-2000] rule deny source any
# Configure an outbound dynamic PAT rule on interface GigabitEthernet 1/0/12 to use the IP address of GigabitEthernet 1/0/12 as the NAT address.
[Firewall-acl-basic-2000] interface gigabitethernet 1/0/12
[Firewall-GigabitEthernet1/0/12] nat outbound 2000
[Firewall-GigabitEthernet1/0/12] quit
[Firewall] save
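The following Python script is an added example for both the security-zone and object-policy steps of the basic procedure and the configuration example above; it is not H3C code and not part of the manual. It parses the object-group, object-policy, zone-pair and nat server command lines (prompts and quit lines stripped, in the form display current-configuration would show them) into lookup tables, then answers whether a given flow between two zones would be passed, which inside address a packet to the public address is mapped to, and whether any policy holds a pass rule that matches everything. Assumptions made here and marked in the code: a zone pair whose policy has no matching pass rule denies the flow, the "http" port keyword stands for TCP port 80, and only the command forms that appear on this page are understood.

```python
"""Offline check of the object-policy, zone-pair and NAT server commands above.

Added example, not H3C code: parses those command lines (prompts and quit lines
stripped, as in display current-configuration output) and answers whether a flow
would be passed. Assumptions: a zone pair with no matching pass rule denies the
flow, and the "http" port keyword stands for TCP port 80.
"""
import ipaddress
from collections import namedtuple

# Constructed input: the commands from the configuration example.
SAMPLE_CONFIG = """
object-group ip address internal_user
 network subnet 10.110.10.0 24
object-group ip address webserver
 network host address 10.110.10.1
object-group service web
 service tcp destination eq 80
object-policy ip access-server
 rule pass source-ip any destination-ip webserver service web
object-policy ip access-internet
 rule pass source-ip internal_user
zone-pair security source trust destination dmz
 object-policy apply ip access-server
zone-pair security source untrust destination dmz
 object-policy apply ip access-server
zone-pair security source trust destination untrust
 object-policy apply ip access-internet
interface gigabitethernet 1/0/12
 nat server protocol tcp global 202.38.1.1 80 inside 10.110.10.1 http
"""
PORT_NAMES = {"http": 80}  # assumed keyword-to-port mapping
Rule = namedtuple("Rule", "action src dst service")  # object group names or "any"

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]

def parse_config(text):
    """Parse only the command forms that appear on this page into lookup tables."""
    cfg = {"addr": {}, "svc": {}, "pol": {}, "zp": {}, "nat": {}}
    ctx = None  # (table, key) of the view the parser is currently inside
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "quit":  # leave the current view
            ctx = None
        elif t[:3] == ["object-group", "ip", "address"]:
            ctx = ("addr", t[3])
        elif t[:2] == ["object-group", "service"]:
            ctx = ("svc", t[2])
        elif t[:2] == ["object-policy", "ip"]:
            ctx = ("pol", t[2])
        elif t[:2] == ["zone-pair", "security"]:  # ... source S destination D
            ctx = ("zp", (t[3].lower(), t[5].lower()))
        elif t[0] == "interface":
            ctx = ("nat", " ".join(t[1:]))
        elif ctx is not None:
            table, key = ctx
            rows = cfg[table].setdefault(key, []) if table in ("addr", "svc", "pol") else None
            if table == "addr" and t[:2] == ["network", "subnet"]:
                rows.append(ipaddress.ip_network(f"{t[2]}/{t[3]}"))
            elif table == "addr" and t[:3] == ["network", "host", "address"]:
                rows.append(ipaddress.ip_network(f"{t[3]}/32"))
            elif table == "svc" and t[0] == "service" and t[2:4] == ["destination", "eq"]:
                rows.append((t[1], _port(t[4])))
            elif table == "pol" and t[0] == "rule":
                kv = dict(zip(t[2::2], t[3::2]))  # source-ip X destination-ip Y service Z
                rows.append(Rule(t[1], kv.get("source-ip", "any"),
                                 kv.get("destination-ip", "any"), kv.get("service", "any")))
            elif table == "zp" and t[:3] == ["object-policy", "apply", "ip"]:
                cfg["zp"][key] = t[3]
            elif table == "nat" and t[:2] == ["nat", "server"]:
                # nat server protocol P global G GPORT inside I IPORT
                cfg["nat"][(t[3], t[5], _port(t[6]))] = (t[8], _port(t[9]))
    return cfg

def _addr_ok(cfg, group, ip):
    return group == "any" or any(ipaddress.ip_address(ip) in n for n in cfg["addr"].get(group, []))

def flow_permitted(cfg, src_zone, dst_zone, src_ip, dst_ip, proto="tcp", dport=80):
    """First matching rule decides; no zone pair or no matching rule means deny (assumed)."""
    policy = cfg["zp"].get((src_zone.lower(), dst_zone.lower()))
    for r in cfg["pol"].get(policy, []):
        if (_addr_ok(cfg, r.src, src_ip) and _addr_ok(cfg, r.dst, dst_ip)
                and (r.service == "any" or (proto, dport) in cfg["svc"].get(r.service, []))):
            return r.action == "pass"
    return False

def translate_inbound(cfg, global_ip, dport, proto="tcp"):
    """Inside (ip, port) that traffic to the public address is sent to, or None."""
    return cfg["nat"].get((proto, global_ip, dport))

def audit_any_any(cfg):
    """Policies holding a pass rule that matches every source, destination and service."""
    return sorted(p for p, rules in cfg["pol"].items()
                  if any(r.action == "pass" and r[1:] == ("any", "any", "any") for r in rules))
```

Calling parse_config(SAMPLE_CONFIG) and then flow_permitted(cfg, "untrust", "dmz", "203.0.113.5", "10.110.10.1", "tcp", 80) confirms that an external host reaches the Web server only on TCP port 80 (port 22 or UDP is denied because the web service group lists only tcp/80), while translate_inbound(cfg, "202.38.1.1", 80) shows the inside address the nat server command maps the public address to. audit_any_any is the check to run before applying a policy to a zone pair that faces Untrust: for this page's configuration it returns an empty list, because access-internet is still restricted to the internal_user source group.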
