H3C防火墙接入互联网方式:第一种是固定IP地址上网,第二种是拨号上网配置
=============固定ip===================== 1、配置防火墙包过滤模式 <h3c>sys 进入系统视图 [h3c]firewall packet-filter enable [h3c]firewall packet-filter default permit 2、配置web用户和telnet用户登录 [h3c]local-user admin[h3c-luser-admin]password simple admin[h3c-luser-admin]service-type telnet [h3c-luser-admin]level 3 [h3c-luser-admin]quit
[h3c]user-interface vty 0 4 实现telnet
[h3c-ui-vty0-4]authentication-mode scheme
[h3c-ui-vty0-4]quit
3、配置ip地址,地址请以实际为准 [h3c]interface Ethernet0/0 ----------- 配置外网口地址 [h3c-Ethernet0/0]ip address 10.28.43.2 255.255.255.0 这个地址请以运用商给的为准 [h3c]interface Ethernet0/1 ------------配置内网口地址 [h3c-Ethernet0/0]ip address 192.168.1.1 255.255.255.0
4、配置安全域并把端口加入域 [h3c-zone]firewall zone trust 内网口加入trust [h3c-zone-trust]add interface Ethernet0/1
[h3c-zone-trust]quit [h3c-zone]firewall zone untrust 外网口加入untrust [h3c-zone-untrust]add interface Ethernet0/0
[h3c-zone-untrust]quit
5、配置nat在外网接口,如果不是配置在外网出口,不需要配置这一步 [h3c]acl number 2000 [h3c-acl-basic-2000]rule permit [h3c-acl-basic-2000]quit
[h3c]interface Ethernet0/0 [h3c-Ethernet0/0]nat outbound 2000
6、配置默认路由出外网
[h3c]ip route-static 0.0.0.0 0.0.0.0 10.28.43.1 这个地址请根据运营商提供的外网网关为准
7、DHCP 服务器配置(选配) [h3c]dhcp enable [h3c] dhcp server forbidden-ip 192.168.1.1 dhcp不分配192.168.1.1这个地址,有其他不分配的地址一样配置 [h3c]dhcp server ip-pool 1 创建地址池,分配192.168.1.0网段地址 [h3c-dhcp-1]network 192.168.1.0 mask 255.255.255.0 [h3c-dhcp-1]gateway-list 192.168.1.1 分配网关 [h3c-dhcp-1]dns-list 8.8.8.8 分配dns,这个地址请以运营商提供为准
======================拨号==================================
1、配置防火墙包过滤模式 <h3c>sys 进入系统视图 [h3c] firewall packet-filter enable [h3c] firewall packet-filter default permit
2、配置用于nat的acl [h3c]acl number 2000 [h3c-acl-basic-2000]rule permit [h3c-acl-basic-2000]quit
3、配置dialer拨号口 [H3C]dialer-rule 1 ip permit [H3C]interface dialer 1 [H3C-Dialer1]dialer user username 用户名[H3C-Dialer1]dialer-group 1 [H3C-Dialer1]dialer bundle 1 [H3C-Dialer1]ip address ppp-negotiate [H3C-Dialer1]ppp pap local-user username password simple pwd 密码 [H3C-Dialer1]ppp chap user username 用户名 [H3C-Dialer1]ppp chap password simple pwd 密码 [H3C-Dialer1]nat outbound 2000 [H3C-Dialer1]quit
4、把dialer绑定到外网物理端口 [H3C] interface Ethernet0/0 [H3C-Ethernet0/0]pppoe-client dial-bundle-number 1 [H3C-Ethernet0/0]nat outbound 2000 [H3C-Ethernet0/0]quit
5、配置web用户和telnet用户登录 [H3C]local-user admin [H3C-luser-admin]password simple admin[H3C-luser-admin]service-type telnet [H3C-luser-admin]level 3 [H3C-luser-admin]quit
[H3C]user-interface vty 0 4 实现telnet [H3C-ui-vty0-4]authentication-mode scheme [H3C-ui-vty0-4]quit
6、配置内网ip地址,地址请以实际为准
[H3C]interface Ethernet0/1 ------------配置内网口地址 [H3C-Ethernet0/0]ip address 192.168.1.1 255.255.255.0
7、配置安全域并把端口加入域 [H3C-zone]firewall zone trust 内网口加入trust [H3C-zone-trust]add interface Ethernet0/1 [H3C-zone-trust]quit [H3C-zone]firewall zone untrust 外网口加入untrust [H3C-zone-untrust]add interface Ethernet0/0 [H3C-zone-untrust]add interface Dialer 1 [H3C-zone-untrust]quit
8、配置默认路由出外网 [H3C]ip route-static 0.0.0.0 0.0.0.0 Dialer 1
9、DHCP 服务器配置(选配) [H3C]dhcp enable [H3C] dhcp server forbidden-ip 192.168.1.1 dhcp不分配192.168.1.1这个地址,有其他不分配的地址一样配置 [H3C]dhcp server ip-pool 1 创建地址池,分配192.168.1.0网段地址 [H3C-dhcp-1]network 192.168.1.0 mask 255.255.255.0 [H3C-dhcp-1]gateway-list 192.168.1.1 分配网关 [H3C-dhcp-1]dns-list 8.8.8.8 分配dns,这个地址请以运营商提供为准