
USG50 Firewall Basic Configuration

system-view
[USG50]web-manager enable (enable the Web management interface)
[USG50]
[USG50]interface Ethernet 0/0/1 (configure the internal interface IP address)
[USG50-Ethernet0/0/1]ip address 192.168.1.254 255.255.255.0
[USG50-Ethernet0/0/1]quit
[USG50]
[USG50]interface Ethernet 0/0/0 (configure the external interface IP address)
[USG50-Ethernet0/0/0]ip address x.x.x.x(public IP) x.x.x.x(subnet mask)
[USG50-Ethernet0/0/0]quit
[USG50]
[USG50]dhcp enable (enable the DHCP service)
[USG50]dhcp server forbidden-ip 192.168.1.x (configure addresses that must not be assigned automatically, such as server addresses; a range can be given as 192.168.1.<low> 192.168.1.<high>)
[USG50]
[USG50]dhcp server ip-pool xxx(pool name) (configure the pool of addresses that may be assigned automatically)
[USG50-dhcp-host]network 192.168.1.0 mask 255.255.255.0
[USG50-dhcp-host]gateway-list 192.168.1.254
[USG50-dhcp-host]expired day 7 hour 12
[USG50-dhcp-host]quit
[USG50]
[USG50]interface Ethernet 0/0/1
[USG50-Ethernet0/0/1]dhcp select interface
[USG50-Ethernet0/0/1]dhcp server dns-list x.x.x.x x.x.x.x (public DNS addresses)
[USG50-Ethernet0/0/1]dhcp server expired day 7 hour 12
[USG50-Ethernet0/0/1]quit
[USG50]dhcp detect
[USG50]
[USG50] firewall zone trust (add the internal interface to the trust zone)
[USG50-zone-trust] add interface Ethernet 0/0/1
[USG50-zone-trust] quit
[USG50] firewall zone dmz (add the DMZ-side interface to the dmz zone; an interface can belong to only one zone, so this cannot be the interface already placed in trust)
[USG50-zone-dmz] add interface Ethernet 0/0/1
[USG50-zone-dmz] quit
[USG50] firewall zone untrust
[USG50-zone-untrust] add interface Ethernet 0/0/0 (add the external interface to the untrust zone)
[USG50-zone-untrust] quit
[USG50]firewall packet-filter default permit interzone trust local
[USG50]firewall packet-filter default permit interzone dmz local
[USG50]firewall packet-filter default permit interzone untrust local (this permits traffic from the external interface to the firewall's own services, including the Web manager enabled above; omit it unless management from outside is actually required)
[USG50]
[USG50] ip address-set server (create an address set containing the internal server addresses reachable from the public network)
[USG50-address-set-server] description server
[USG50-address-set-server] address 192.168.1.x 0
[USG50-address-set-server] quit
[USG50]
[USG50] acl number 3000 (create a policy allowing specific external users, or all users, to reach the internal servers)
[USG50-acl-adv-3000] rule permit tcp source any destination address-set server
[USG50-acl-adv-3000] quit
[USG50]
[USG50] firewall interzone untrust dmz
[USG50-interzone-dmz-untrust] packet-filter 3000 inbound
[USG50-interzone-dmz-untrust] quit
[USG50]
[USG50] ip address-set host (create an address set containing the internal servers and hosts allowed to reach the public network)
[USG50-address-set-host] description host
[USG50-address-set-host] address 192.168.1.x 0 (an all-zero wildcard denotes a single host; a wildcard mask denotes a range)
[USG50-address-set-host] address 192.168.1.x 0
[USG50-address-set-host] quit
[USG50]
[USG50] acl number 3001 (create a policy allowing specific internal servers and hosts to reach the public network)
[USG50-acl-adv-3001] rule permit ip source address-set host destination any
[USG50-acl-adv-3001] quit
[USG50]
[USG50] firewall interzone dmz untrust
[USG50-interzone-dmz-untrust] packet-filter 3001 outbound
[USG50-interzone-dmz-untrust] quit
[USG50]
[USG50] nat server protocol tcp global x.x.x.x(public IP) 80 inside 192.168.1.x(Web server IP address) 80
[USG50] nat server protocol tcp global x.x.x.x(public IP) 3389 inside 192.168.1.x(Web server IP address) 3389
[USG50] nat server protocol udp global x.x.x.x 8088 8088 inside 192.168.1.x 192.168.1.x 8088
[USG50] nat server protocol udp global x.x.x.x 8089 8089 inside 192.168.1.x 192.168.1.x 8089
[USG50]
[USG50] acl number 3010 (configure zone NAT)
[USG50-acl-adv-3010] rule 0 permit ip source 192.168.1.0 0.0.0.255
[USG50-acl-adv-3010] quit
[USG50]
[USG50] nat address-group 1 x.x.x.x x.x.x.x (configure the NAT address pool)
[USG50]
[USG50] firewall zone trust
[USG50-zone-trust] nat 3010 address-group 1
[USG50-zone-trust] quit
[USG50]
[USG50] ip route-static 0.0.0.0 0.0.0.0 x.x.x.x(public gateway) (configure the default static route)
[USG50]
[USG50] quit
save
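The listing above contains several settings a reviewer would want flagged before the configuration is saved: an interface added to two zones, a default-permit rule between untrust and local, and a nat server entry publishing a management port. The following script is an added example (not part of the original document or Huawei's tooling) that scans a USG-style CLI listing for exactly those patterns; the sample configuration and its 203.0.113.x / 192.168.1.x addresses are constructed for the example.

```python
"""Audit a USG-style CLI listing for the risky settings shown on this page."""
import re

# Constructed sample mirroring the page's listing (addresses are made up).
SAMPLE = """\
firewall zone trust
 add interface Ethernet 0/0/1
firewall zone dmz
 add interface Ethernet 0/0/1
firewall zone untrust
 add interface Ethernet 0/0/0
firewall packet-filter default permit interzone trust local
firewall packet-filter default permit interzone dmz local
firewall packet-filter default permit interzone untrust local
nat server protocol tcp global 203.0.113.10 80 inside 192.168.1.10 80
nat server protocol tcp global 203.0.113.10 3389 inside 192.168.1.10 3389
"""

# Management ports that should not be published straight from untrust.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}


def audit(config: str) -> list[str]:
    """Return one finding string per risky setting found in the listing."""
    findings = []
    zones_of = {}  # interface -> list of zones it was added to
    zone = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"firewall zone (\S+)", line):
            zone = m.group(1)
        elif (m := re.match(r"add interface (.+)", line)) and zone:
            zones_of.setdefault(m.group(1), []).append(zone)
        elif m := re.match(r"firewall packet-filter default permit interzone (\S+) (\S+)", line):
            zones = set(m.groups())
            if {"untrust", "local"} <= zones:
                findings.append("default permit untrust<->local exposes the device's own services")
            elif "untrust" in zones:
                findings.append(f"default permit {m.group(1)}<->{m.group(2)} bypasses ACL filtering")
        elif m := re.match(r"nat server protocol tcp global \S+ (\d+) inside \S+ (\d+)", line):
            port = int(m.group(2))
            if port in ADMIN_PORTS:
                findings.append(f"nat server publishes {ADMIN_PORTS[port]} (tcp/{port}) externally")
    for iface, zones in zones_of.items():
        if len(zones) > 1:
            findings.append(f"{iface} added to several zones ({', '.join(zones)}); only one is allowed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```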
