USG6000 simple configuration


Requirements

The internal network can access the Internet.

External networks can reach a designated internal server.

I. Enable web login

[FW1-GigabitEthernet0/0/0]service-manage enable

ip address 192.168.137.20 255.255.255.0

alias GE0/METH

service-manage https permit

service-manage ping permit

II. Configuration approach

1. Configure interface information

2. Configure security policies

3. Configure NAT policies

4. Configure routing

III. Firewall configuration

<FW1>dis cu

2022-09-18 06:26:07.710  

!Software Version V500R005C10SPC300

#

sysname FW1

#

l2tp domain suffix-separator @

#

ipsec sha2 compatible enable

#

undo telnet server enable

undo telnet ipv6 server enable

#

update schedule location-sdb weekly Sun 01:35

#

firewall defend action discard

#

banner enable

#

user-manage web-authentication security port 8887

undo privacy-statement english

undo privacy-statement chinese

page-setting

user-manage security version tlsv1.1 tlsv1.2

password-policy

level high

user-manage single-sign-on ad

user-manage single-sign-on tsm

user-manage single-sign-on radius

user-manage auto-sync online-user

#

web-manager security version tlsv1.1 tlsv1.2

web-manager enable

web-manager security enable

web-manager timeout 1440

#

firewall dataplane to manageplane application-apperceive default-action drop

#

undo ips log merge enable

#

decoding uri-cache disable

#

feedback administrator email %^%#hi('Loc!5Fq&joOe[5W9hbr|PgYINU>>A/NNsPg-X[Js2262WP-S$U8<5OW3%^%#

#

update schedule ips-sdb daily 22:10

update schedule av-sdb daily 22:10

update schedule sa-sdb daily 22:10

update schedule cnc daily 22:10

update schedule file-reputation daily 22:10

#

ip vpn-instance default

ipv4-family

#

time-range worktime

 period-range 08:00:00 to 18:00:00 working-day

#

ike proposal default

encryption-algorithm aes-256 aes-192 aes-128

dh group14

authentication-algorithm sha2-512 sha2-384 sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

#

aaa

authentication-scheme default

authentication-scheme admin_local

authentication-scheme admin_radius_local

authentication-scheme admin_hwtacacs_local

authentication-scheme admin_ad_local

authentication-scheme admin_ldap_local

authentication-scheme admin_radius

authentication-scheme admin_hwtacacs

authentication-scheme admin_ad

authorization-scheme default

accounting-scheme default

domain default

 service-type internetaccess ssl-vpn l2tp ike

 internet-access mode password

 reference user current-domain

manager-user audit-admin

 password cipher @%@%BV]fQ0bxD,PQW8Hs/iw~Qf'nGT5WB%Vtj3FIKZMiKq<&f'qQ@%@%

 service-type web terminal

 level 15


manager-user api-admin

 password cipher @%@%}V5G37E*^Y~N2E@7{VHWvEc3^A)1~OJo_3Z:/81aqor0Ec6v@%@%

 level 15


manager-user admin

 password cipher @%@%MZzeQMN67M`G.3GM{WT3RdLZtx0R+BLneW]}jYQdn.O$dL]R@%@%

 service-type web terminal

 level 15


role system-admin

role device-admin

role device-admin(monitor)

role audit-admin

bind manager-user audit-admin role audit-admin

bind manager-user admin role system-admin

#

l2tp-group default-lns

#

interface GigabitEthernet0/0/0

undo shutdown

ip binding vpn-instance default

ip address 192.168.137.20 255.255.255.0

alias GE0/METH

service-manage https permit

service-manage ping permit

#

interface GigabitEthernet1/0/0

undo shutdown

ip address 100.1.1.1 255.255.255.248

service-manage ping permit

#

interface GigabitEthernet1/0/1

undo shutdown

ip address 192.168.20.254 255.255.255.0

service-manage ping permit

#

interface GigabitEthernet1/0/2

undo shutdown

#

interface GigabitEthernet1/0/3

undo shutdown

#

interface GigabitEthernet1/0/4

undo shutdown

#

interface GigabitEthernet1/0/5

undo shutdown

#

interface GigabitEthernet1/0/6

undo shutdown

#

interface Virtual-if0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/1

#

firewall zone untrust

set priority 5

add interface GigabitEthernet1/0/0

#

firewall zone dmz

set priority 50

#

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.1.2

#

undo ssh server compatible-ssh1x enable

ssh authentication-type default password

ssh server cipher aes256_ctr aes128_ctr

ssh server hmac sha2_256 sha1

ssh client cipher aes256_ctr aes128_ctr

ssh client hmac sha2_256 sha1

#

firewall detect ftp

#

nat server webft服务器 zone untrust global 100.1.1.6 inside 192.168.20.100 no-reverse unr-route

#

user-interface con 0

authentication-mode aaa

idle-timeout 0 0

user-interface vty 0 4

authentication-mode aaa

protocol inbound ssh

user-interface vty 16 20

#

pki realm default

#

sa

#

location

#

nat address-group ISP-dianxin 0

mode pat

section 0 100.1.1.3 100.1.1.5

#

multi-linkif

mode proportion-of-weight

#

right-manager server-group

#

device-classification

device-group pc

device-group mobile-terminal

device-group undefined-group

#

user-manage server-sync tsm

#

security-policy

rule name n2

 description Internal network to Internet

 source-zone trust

 destination-zone untrust

 action permit

rule name n3-3

 description Internet to internal server

 source-zone untrust

 destination-zone trust

 destination-address 192.168.20.0 mask 255.255.255.0

 action permit

#

auth-policy

#

traffic-policy

#

policy-based-route

#

nat-policy

rule name lan-wlan

 description Internal network to Internet

 source-zone trust

 destination-zone untrust

 action source-nat address-group ISP-dianxin

#

quota-policy

#

pcp-policy

#

dns-transparent-policy

#

rightm-policy

#

return

<FW1> 
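One thing worth tightening in the configuration above: rule n3-3 permits untrust to trust for every host in 192.168.20.0/24 on any service, while the nat server entry only publishes 192.168.20.100 (global 100.1.1.6). On the USG the nat server translation is applied before the security-policy lookup, so the policy is matched on the inside (post-NAT) address, which is why the original rule uses the private subnet at all; the same mechanism lets the rule be narrowed to the single published host and its services. The fragment below is an added example, not configuration from the original post: it shows the original rule next to a host- and service-scoped replacement, and drops TLS 1.1 and HMAC-SHA1 from the management-plane settings that the running config still lists alongside the stronger options. It assumes the server publishes HTTP and FTP (inferred from the object name webft服务器, so adjust the service list if the real service set differs) and uses the predefined service objects http and ftp.

```text
# Added example, not part of the original post.
# Weak rule exactly as it appears in the running config above:
security-policy
 rule name n3-3
  description Internet to internal server
  source-zone untrust
  destination-zone trust
  destination-address 192.168.20.0 mask 255.255.255.0
  action permit
#
# Hardened replacement. The policy is matched on the inside address
# after nat server translation, so scope it to 192.168.20.100/32 and
# to the published services only. Re-entering "rule name n3-3" would
# add to the existing rule rather than replace it, so remove it first.
# Assumption: the server publishes HTTP and FTP (object name webft服务器).
security-policy
 undo rule name n3-3
 rule name n3-3
  description Internet to published web/ftp server only
  source-zone untrust
  destination-zone trust
  destination-address 192.168.20.100 mask 255.255.255.255
  service http
  service ftp
  action permit
#
# "firewall detect ftp" is already enabled in the running config, so the
# FTP data channel is opened by the ALG instead of by a broad rule.
#
# Management plane: keep only the stronger of the options already
# configured on the page (TLS 1.2; HMAC-SHA2-256).
web-manager security version tlsv1.2
user-manage security version tlsv1.2
ssh server hmac sha2_256
ssh client hmac sha2_256
```

The dmz zone (priority 50) is defined in the running config but has no interface in it. Because the server shares 192.168.20.0/24 with the LAN behind GigabitEthernet1/0/1, moving it into the dmz zone would need its own interface or subnet, which this post does not set up; the rule above therefore keeps destination-zone trust and relies on the /32 and service match for the narrowing. Rule n2 (trust to untrust, any service) is what the first requirement asks for and is left as is.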
