September 20, 2023
The following topology shows one way to deploy a firewall. According to the network plan, first configure the IP addresses of the router, the firewall, the core switch, the terminals, and the servers.
1 Configure the ISP router interface addresses
[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.1.1.11 24
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 100.1.1.1 24
[R1-GigabitEthernet0/0/1]q
No return route is configured on the ISP router; instead, the firewall translates internal addresses with NAT.
2 Configure the firewall interface addresses
[Huawei]sysname FW1
[FW1]interface GigabitEthernet 0/0/1
[FW1-GigabitEthernet0/0/1]ip address 192.168.1.254 24
[FW1]interface GigabitEthernet 0/0/2
[FW1-GigabitEthernet0/0/2]ip address 192.168.80.254 24
[FW1]interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3]ip address 10.1.1.10 24
[FW1-GigabitEthernet0/0/3]q
Check the configuration result:
[FW1]display ip interface brief
At this point the firewall still cannot communicate with the devices in each zone; continue with the next step.
3 Add the interfaces to the firewall security zones
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/1
[FW1-zone-trust]q
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 0/0/2
[FW1-zone-dmz]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 0/0/3
[FW1-zone-untrust]q
Note: each zone must have a unique security priority, and the appropriate interfaces must be added to the zone; these can be physical interfaces or logical interfaces (Vlanif, Tunnel).
Three zones are now configured, but devices in different zones still cannot reach each other, because inter-zone traffic is denied by default. Traffic from the firewall itself to the devices in the trust, DMZ and untrust zones is allowed, however.
By default, the firewall and the devices in the trust zone (the intranet gateway side) can communicate with each other, while access between devices in the DMZ and the firewall is denied.
Use the following command to view the default packet-filter rules:
[FW1]display firewall packet-filter default all
The firewall can reach the devices in every zone:
[FW1]ping 192.168.1.10
[FW1]ping 192.168.80.10
[FW1]ping 10.1.1.11
All three pings succeed.
4 Configure a policy that allows the intranet to access the DMZ server
[FW1]policy interzone trust dmz outbound
[FW1-policy-interzone-trust-dmz-outbound]policy 5
[FW1-policy-interzone-trust-dmz-outbound-5]policy source 192.168.1.10 0    // allow only one source address
[FW1-policy-interzone-trust-dmz-outbound-5]policy destination 192.168.80.10 0    // allow access to only one server
[FW1-policy-interzone-trust-dmz-outbound-5]policy service service-set http    // allow browser access
[FW1-policy-interzone-trust-dmz-outbound-5]policy service service-set icmp    // allow the ping command
[FW1-policy-interzone-trust-dmz-outbound-5]action permit
Verify connectivity.
If there are multiple VLANs on internal network, how do I configure them?
(2) Configure VLAN 10 and VLAN 20 on the intranet switch SW1 and assign each port to its VLAN.
[Huawei]sysname SW1
[SW1]vlan batch 10 20
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]q
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 20
[SW1-GigabitEthernet0/0/2]q
[SW1]interface GigabitEthernet 0/0/24
[SW1-GigabitEthernet0/0/24]port link-type trunk
[SW1-GigabitEthernet0/0/24]port trunk allow-pass vlan 10 20
[SW1-GigabitEthernet0/0/24]q
(3) Configure subinterfaces on the firewall so that the VLANs can reach each other.
[FW1]interface GigabitEthernet 0/0/1
[FW1-GigabitEthernet0/0/1]undo ip address 192.168.1.254 24
[FW1]interface GigabitEthernet 0/0/1.10
[FW1-GigabitEthernet0/0/1.10]vlan-type dot1q 10
[FW1-GigabitEthernet0/0/1.10]ip address 192.168.1.254 24
[FW1-GigabitEthernet0/0/1.10]q
[FW1]interface GigabitEthernet 0/0/1.20
[FW1-GigabitEthernet0/0/1.20]vlan-type dot1q 20
[FW1-GigabitEthernet0/0/1.20]ip address 192.168.2.254 24
[FW1-GigabitEthernet0/0/1.20]q
(4) For the subinterfaces to carry inter-VLAN traffic, they must be added to a security zone:
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/1.10
[FW1-zone-trust]add interface GigabitEthernet 0/0/1.20
(5) Test: also allow 192.168.2.10 to access the DMZ server by adding it to the existing policy
[FW1]policy interzone trust dmz outbound
[FW1-policy-interzone-trust-dmz-outbound]policy 5
[FW1-policy-interzone-trust-dmz-outbound-5]policy source 192.168.2.10 0
[FW1-policy-interzone-trust-dmz-outbound-5]q
[FW1-policy-interzone-trust-dmz-outbound]q
Check
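As an added illustration (not part of the original tutorial), the following Python script models the zone and interzone-policy logic configured above: inter-zone traffic is denied unless a rule in the matching interzone policy permits it, intra-zone traffic (VLAN 10 to VLAN 20, both in trust) passes, and the firewall's own local zone follows the default behaviour the tutorial describes. The zone priorities are the USG defaults; the subnet-to-zone table, the FIREWALL_ADDRESSES set and the helper names are assumptions of this example, and policy 5 is shown in its final state after step (5).

```python
"""Added example, not from the tutorial: a small model of the USG zone /
interzone-policy logic configured above, so the effect of the policy on
individual flows can be checked offline. Helper names, the subnet-to-zone
table and FIREWALL_ADDRESSES are assumptions of this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Default zone priorities on a USG: local 100, trust 85, dmz 50, untrust 5.
PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Subnets reached through each zone's interfaces (assumed from the addressing above).
ZONE_NETWORKS = {
    "trust":   ["192.168.1.0/24", "192.168.2.0/24"],  # GE0/0/1.10 and GE0/0/1.20
    "dmz":     ["192.168.80.0/24"],                   # GE0/0/2
    "untrust": ["10.1.1.0/24"],                       # GE0/0/3
}
# The firewall's own interface addresses belong to the local zone.
FIREWALL_ADDRESSES = {"192.168.1.254", "192.168.2.254", "192.168.80.254", "10.1.1.10"}


@dataclass
class Rule:
    """One 'policy <n>' entry: source/destination networks and a service set."""
    number: int
    sources: list = field(default_factory=list)
    destinations: list = field(default_factory=list)
    services: set = field(default_factory=set)
    action: str = "permit"

    def matches(self, src, dst, service):
        return (any(src in n for n in self.sources)
                and any(dst in n for n in self.destinations)
                and (service in self.services or "any" in self.services))


# "policy interzone trust dmz outbound", policy 5, after step (5) added the
# second source address to the same rule.
POLICIES = {
    ("trust", "dmz", "outbound"): [
        Rule(5,
             sources=[ip_network("192.168.1.10/32"), ip_network("192.168.2.10/32")],
             destinations=[ip_network("192.168.80.10/32")],
             services={"http", "icmp"}),
    ],
}


def zone_of(ip):
    """Map an address to its security zone (None if it is in no configured zone)."""
    if ip in FIREWALL_ADDRESSES:
        return "local"
    addr = ip_address(ip)
    for zone, nets in ZONE_NETWORKS.items():
        if any(addr in ip_network(n) for n in nets):
            return zone
    return None


def direction(src_zone, dst_zone):
    """Outbound = from the higher-priority zone to the lower one, else inbound."""
    return "outbound" if PRIORITY[src_zone] > PRIORITY[dst_zone] else "inbound"


def is_permitted(src, dst, service):
    """Decide whether a flow passes, following the tutorial's description."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False                    # not in any zone: dropped
    if src_zone == dst_zone:
        return True                     # intra-zone traffic (VLAN 10 <-> VLAN 20) passes
    if src_zone == "local":
        return True                     # the firewall itself can reach every zone
    if dst_zone == "local":
        return src_zone == "trust"      # trust may reach the firewall; dmz/untrust may not
    # Inter-zone traffic is denied unless a rule in the interzone policy permits it.
    high, low = sorted((src_zone, dst_zone), key=PRIORITY.get, reverse=True)
    rules = POLICIES.get((high, low, direction(src_zone, dst_zone)), [])
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(s, d, service):
            return rule.action == "permit"
    return False


if __name__ == "__main__":
    for flow in [("192.168.1.10", "192.168.80.10", "http"),
                 ("192.168.1.20", "192.168.80.10", "http"),
                 ("192.168.2.10", "192.168.80.10", "icmp"),
                 ("192.168.80.10", "192.168.1.10", "http")]:
        print(flow, "permit" if is_permitted(*flow) else "deny")
```

Running the script shows why only the two listed hosts can reach the DMZ server, why a host such as 192.168.1.20 is denied, and why the DMZ server cannot initiate connections back into trust: no policy exists for the dmz-to-trust (inbound) direction, so the default deny applies.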