
华为 USG2130 银监联网配置实例

来源:小侦探旅游网


// Output of the abbreviated `display current-configuration` command on the device.
DIS CU

#

sysname USG2100

#

// The default packet-filter action is set to permit for every zone pair listed here,
// in both directions. Traffic that no explicit interzone policy matches is therefore
// forwarded rather than dropped.
// NOTE(review): a default-deny baseline with explicit permits for the regulator link
// would be tighter; confirm whether these defaults are intentional before reusing this example.
firewall packet-filter default permit interzone local trust direction inbound

firewall packet-filter default permit interzone local trust direction outbound

firewall packet-filter default permit interzone local untrust direction inbound

firewall packet-filter default permit interzone local untrust direction outbound

firewall packet-filter default permit interzone local dmz direction inbound

firewall packet-filter default permit interzone local dmz direction outbound

firewall packet-filter default permit interzone trust untrust direction inbound

firewall packet-filter default permit interzone trust untrust direction outbound

firewall packet-filter default permit interzone trust dmz direction inbound

firewall packet-filter default permit interzone trust dmz direction outbound

firewall packet-filter default permit interzone dmz untrust direction inbound

firewall packet-filter default permit interzone dmz untrust direction outbound

#

// Global settings: session link-state checking (IPv6 and IPv4), VLAN creation,
// run mode, signature update schedule and management services.
firewall ipv6 session link-state check

#

// VLAN 100 is used by the access ports and VLAN 215 by the dot1q sub-interface further down.
vlan batch 1 100 215

#

firewall session link-state check

#

#

runmode firewall

#

// IPS and AV signature updates are both scheduled daily at 02:26.
update schedule ips daily 2:26

update schedule av daily 2:26

// presumably the server the scheduled updates are fetched from; verify it is reachable from this network
security server domain sec.huawei.com

#

// Enables the web management interface.
// NOTE(review): confirm whether this is plain HTTP on this software version; if the HTTPS
// form (`web-manager security enable`) is available, prefer it, and limit which zones can reach it.
web-manager enable

#

l2fwdfast enable

#

// ACL 3000 permits 192.168.0.0/24 to reach host 9.16.250.30 on TCP 2012 and
// UDP 2012, 500, 2011 and 4500, then denies all other IP traffic.
// NOTE(review): nothing in this listing references ACL 3000 or ACL 3002, so the
// restriction does not appear to be enforced; the interzone policies further down permit everything.
// NOTE(review): the source range is 192.168.0.0/24 (the Vlanif1 subnet), while the access
// ports sit in VLAN 100 (192.168.1.0/24); confirm which subnet the clients actually use.
acl number 3000 //ports opened for the banking-regulator link

rule 0 permit tcp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 2012

rule 5 permit udp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 2012

rule 10 permit udp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 500

rule 15 permit udp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 2011

rule 20 permit udp source 192.168.0.0 0.0.0.255 destination 9.16.250.30 0 destination-port eq 4500

rule 25 deny ip

#

// ACL 3002 matches the `nat` service-set towards the `ren30` address-set; both objects
// are defined near the end of the listing.
acl number 3002 //banking-regulator forwarding configuration

rule 5 permit service-set nat destination address-set ren30

#

// Layer-3 interfaces. Vlanif1 and Vlanif100 are the inside gateways; Ethernet0/0/0.1
// is the uplink towards the regulator network.
interface Vlanif1

ip address 192.168.0.1 255.255.255.0

// DHCP is served on this interface; address range and options are not shown in the listing.
dhcp select interface

#

interface Vlanif100

ip address 192.168.1.1 255.255.255.0 //local gateway

#

// NOTE(review): this cellular interface is not added to any security zone in the listing;
// confirm whether it is used at all.
interface Cellular5/0/0

link-protocol ppp

#

interface Ethernet0/0/0

#

interface Ethernet0/0/0.1 //enable the sub-interface and bind it to the VLAN

vlan-type dot1q 215

// /30 link; the default route below points at 9.16.71.249 on the same subnet.
ip address 9.16.71.250 255.255.255.252

#

// Ethernet1/0/0 through Ethernet1/0/7 are all switched access ports in VLAN 100,
// i.e. the 192.168.1.0/24 segment behind Vlanif100.
interface Ethernet1/0/0

portswitch

port link-type access

port access vlan 100

#

interface Ethernet1/0/1

portswitch

port link-type access

port access vlan 100

#

interface Ethernet1/0/2

portswitch

port link-type access

port access vlan 100

#

interface Ethernet1/0/3

portswitch

port link-type access

port access vlan 100

#

interface Ethernet1/0/4

portswitch

port link-type access

port access vlan 100

#

interface Ethernet1/0/5

portswitch

port link-type access

port access vlan 100

#

interface Ethernet1/0/6

portswitch

port link-type access

port access vlan 100

#

interface Ethernet1/0/7

portswitch

port link-type access

port access vlan 100

#

interface NULL0

#

// Security zones and their priorities: local 100, trust 85, dmz 50, untrust 5.
firewall zone local

set priority 100

#

// All eight access ports and both Vlanif interfaces are placed in trust.
firewall zone trust

set priority 85

add interface Ethernet1/0/0

add interface Ethernet1/0/1

add interface Ethernet1/0/2

add interface Ethernet1/0/3

add interface Ethernet1/0/4

add interface Ethernet1/0/5

add interface Ethernet1/0/6

add interface Ethernet1/0/7

add interface Vlanif1

add interface Vlanif100

#

// The uplink and its VLAN 215 sub-interface are placed in untrust.
firewall zone untrust

set priority 5

add interface Ethernet0/0/0

add interface Ethernet0/0/0.1

#

// dmz is defined but has no member interfaces in this listing.
firewall zone dmz

set priority 50

#

// Local AAA: one account, `admin`, at level 3 with web and terminal access.
// The password is masked on the page.
// NOTE(review): if `admin` is the factory-default account, confirm its password was changed;
// individual named accounts make administrative actions attributable.
aaa

local-user admin password cipher ******

local-user admin service-type web terminal

local-user admin level 3

authentication-scheme default

#

authorization-scheme default

#

accounting-scheme default

#

domain default

domain dot1x

#

#

nqa-jitter tag-version 1

#

// Default route via the far end of the /30 uplink on Ethernet0/0/0.1.
ip route-static 0.0.0.0 0.0.0.0 9.16.71.249 //peer gateway

#

banner enable

#

// Terminal lines. No authentication mode is shown for con 0 or vty 0 4, so those lines
// use whatever the platform default is.
// NOTE(review): verify the effective setting on the device.
user-interface con 0

user-interface tty 2

// NOTE(review): tty 2 accepts sessions without authentication and has modem dial-in and
// dial-out enabled (`modem both`). If a modem is attached, require authentication on this
// line (for example AAA) or disable the modem function.
authentication-mode none

modem both

user-interface vty 0 4

#

// Address and service objects.
// `cw` (192.168.1.0/24) is not referenced by any rule in this listing.
ip address-set cw type object

address 0 192.168.1.0 mask 24

#

// `ren30` is the single host 9.16.250.30 and is referenced by ACL 3002.
ip address-set ren30 type object

address 0 9.16.250.30 mask 32

#

// `nat` lists the same five protocol/port pairs that ACL 3000 permits:
// TCP 2012 and UDP 500, 4500, 2011, 2012.
ip service-set nat type object

service 0 protocol tcp destination-port 2012

service 1 protocol udp destination-port 500

service 2 protocol udp destination-port 4500

service 3 protocol udp destination-port 2011

service 4 protocol udp destination-port 2012

#

slb

#

cwmp

#

right-manager server-group

#

// Interzone policies between trust and untrust. In both directions policy 0 has an
// action but no source, destination or service condition, so it matches all traffic.
// NOTE(review): the inbound policy lets anything from the untrust side (priority 5) reach
// trust (priority 85). Narrow both policies to the `nat` service-set and the `ren30`
// address-set, and drop the inbound permit unless the regulator side must initiate connections.
policy interzone trust untrust inbound

policy 0

action permit

#

policy interzone trust untrust outbound

policy 0

action permit

#

// Source NAT is applied only to traffic matching the `nat` service-set and destined to
// 9.16.250.30; translated packets take the address of Ethernet0/0/0.1 (easy-ip).
nat-policy interzone trust untrust outbound //NAT forwarding

policy 1

action source-nat

policy service service-set nat

policy destination 9.16.250.30 0

easy-ip Ethernet0/0/0.1

#

return
