I would like to remind you all that until the end of October you can buy my course on the Udemy platform at a special price. It won't get any cheaper 🙂
You are welcome to watch the trailer for this course.
It took some time, but I finally managed to publish my first course on Udemy last week. This course covers Huawei technologies and prepares you to pass the Huawei H12-811 exam. I am confident that it will help you get the HCIA Datacom certificate. The course covers some theory, but you will also find many labs that you need to complete. With this course you can start your adventure with Huawei devices and Huawei technologies. Whether you are new to computer networking or already have CCNA-level knowledge, this course is for you. So do not hesitate, invest in yourself; this course will be a good choice and perhaps the beginning of your path towards HCIE.
If you have an FTP server or any other server that you want to make available to Internet users, place the server in the DMZ zone of your firewall, e.g. a Huawei USG, and configure a destination NAT (nat server). You can then easily restrict the IP addresses and protocols that may reach your server. Note that the USG matches the security policy on the post-NAT address, which is why the inbound rule below uses the private DMZ subnet as its destination. In the script the inbound rule PUBLIC_IN limits the source to a single address only; add a service line (e.g. service ftp) to limit it to the published protocol as well, and keep firewall detect ftp so that the FTP data channel is opened by ASPF instead of by a broad rule. And this video is just about that 😉
USG firewall configuration script:
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.100.1 255.255.255.252
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 5.0.0.2 255.255.255.252
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 5.0.0.1
#
firewall detect ftp
#
nat server 0 protocol tcp global 6.6.6.1 ftp inside 10.0.100.2 ftp unr-route
#
nat address-group PUBLIC_OUT 2
 mode no-pat global
 route enable
 section 0 6.6.6.1 6.6.6.1
#
security-policy
 rule name PUBLIC_OUT
  source-zone dmz
  destination-zone untrust
  source-address 10.0.100.0 mask 255.255.255.252
  action permit
 rule name PUBLIC_IN
  source-zone untrust
  destination-zone dmz
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 10.0.100.0 mask 255.255.255.252
  action permit
#
nat-policy
 rule name PUBLIC_OUT
  source-zone dmz
  destination-zone untrust
  source-address 10.0.100.0 mask 255.255.255.252
  action source-nat address-group PUBLIC_OUT
#
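To check a USG script for this kind of gap mechanically, here is an added example (my own code, not from the original post and not a Huawei tool): a small Python auditor that parses the subset of VRP syntax used in the script above, resolves each nat server inside address to its security zone from the interface and firewall zone blocks, and flags every permit rule that reaches the published server without a source-address or a service restriction. The sample configuration is constructed from the script above and trimmed to what the audit needs; the function names (parse_vrp, audit_nat_servers, zone_of) and the VRP subset it understands are my assumptions.

```python
"""Audit a Huawei USG (VRP) configuration for over-permissive server publishing.

Added example, not code from the original post. It understands only the subset
of VRP syntax used above ('#'-separated blocks, one leading space per nesting
level). The USG matches the security policy on the post-NAT address, so every
check uses the 'nat server' inside address, not the global one.
"""
import ipaddress
import re

# Constructed from the page's destination-NAT script, trimmed to what the audit
# needs. PUBLIC_IN is as published: source limited to 1.1.1.1, no 'service' line.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 ip address 10.0.100.1 255.255.255.252
#
firewall zone dmz
 add interface GigabitEthernet1/0/1
#
nat server 0 protocol tcp global 6.6.6.1 ftp inside 10.0.100.2 ftp unr-route
#
security-policy
 rule name PUBLIC_OUT
  source-zone dmz
  destination-zone untrust
  source-address 10.0.100.0 mask 255.255.255.252
  action permit
 rule name PUBLIC_IN
  source-zone untrust
  destination-zone dmz
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 10.0.100.0 mask 255.255.255.252
  action permit
#
"""


def parse_vrp(text):
    """Tree of (line, children) pairs; nesting follows the leading spaces."""
    stack = [(-1, [])]                      # (indent, children list) per open block
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = (raw.strip(), [])
        while stack[-1][0] >= indent:       # close blocks at the same or deeper level
            stack.pop()
        stack[-1][1].append(node)
        stack.append((indent, node[1]))
    return stack[0][1]


def to_network(spec):
    """'10.0.100.0 mask 255.255.255.252' or '1.1.1.1 32' -> IPv4Network."""
    addr, *rest = spec.split()
    return ipaddress.ip_network(f"{addr}/{rest[-1] if rest else 32}", strict=False)


def policy_rules(tree):
    """Yield (rule name, {keyword: [argument string, ...]}) per security-policy rule."""
    for line, kids in tree:
        if line == "security-policy":
            for rline, fields in kids:
                attrs = {}
                for f, _ in fields:
                    key, _, value = f.partition(" ")
                    attrs.setdefault(key, []).append(value)
                yield rline.split()[-1], attrs


def zone_of(tree, ip):
    """Zone of the interface whose configured subnet contains ip, or None."""
    nets = {line.split()[1]: to_network(f.split(None, 2)[2])
            for line, kids in tree if line.startswith("interface ")
            for f, _ in kids if f.startswith("ip address ")}
    for line, kids in tree:
        if line.startswith("firewall zone "):
            for f, _ in kids:
                if f.startswith("add interface ") and ip in nets.get(f.split()[-1], ()):
                    return line.split()[-1]
    return None


def audit_nat_servers(config_text):
    """One finding per permit rule that reaches a published server without
    restricting the source address or the service."""
    tree = parse_vrp(config_text)
    findings = []
    for line, _ in tree:
        m = re.match(r"nat server \S+ protocol \S+ global (\S+) (\S+) inside (\S+) (\S+)", line)
        if not m:
            continue
        gaddr, gport, inside, iport = m.groups()
        inside_ip = ipaddress.ip_address(inside)
        zone = zone_of(tree, inside_ip)     # None if the address is on no known interface
        target = f"{gaddr}:{gport} -> {inside}:{iport}"
        for name, a in policy_rules(tree):
            if a.get("action") != ["permit"]:
                continue
            if "destination-zone" in a and zone not in a["destination-zone"]:
                continue                    # rule does not face the server's zone
            dsts = [to_network(d) for d in a.get("destination-address", [])]
            if dsts and not any(inside_ip in d for d in dsts):
                continue                    # rule does not cover the server's address
            if "source-address" not in a:
                findings.append(f"{name}: any source may reach {target}")
            if "service" not in a:
                findings.append(f"{name}: no service restriction for {target}; add 'service {iport}'")
    return findings
```

Run on the script from this post, audit_nat_servers(SAMPLE_CONFIG) reports a single finding, the missing service line in PUBLIC_IN; adding service ftp to that rule clears it. The zone lookup is what keeps the outbound PUBLIC_OUT rule (which also has no service line, but faces untrust rather than the DMZ) out of the report.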
If, for some reason, you cannot use Easy-IP NAT, you can use source NAT with a NAT address pool. Depending on how many public IP addresses you have, you can configure the no-PAT option, where only the IP address is translated (each active internal host then occupies one pool address, so the pool must be at least as large as the number of hosts translated at the same time), or PAT, i.e. NAT with port translation, where many internal hosts share one public address, to let your LAN users reach the Internet. Details in the video 😉
USG firewall configuration script:
#
dhcp enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
 dhcp server excluded-ip-address 10.0.0.100
 dhcp server static-bind ip-address 10.0.0.200 mac-address 5489-98b4-6a79
 dhcp server dns-list 10.0.0.100
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 5.0.0.2 255.255.255.252
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 5.0.0.1
#
Address group, PAT variant (one public address, ports translated):
#
nat address-group SOURCE-NAT 0
 mode pat
 route enable
 section 0 6.6.6.0 6.6.6.0
#
or the no-PAT variant (two public addresses, no port translation):
#
nat address-group SOURCE-NAT 0
 mode no-pat global
 route enable
 section 0 6.6.6.0 6.6.6.1
#
security-policy
 rule name ALLOW
  source-zone local
  destination-zone trust
  destination-zone untrust
  action permit
 rule name NAT_EASY
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name SOURCE-NAT
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action source-nat address-group SOURCE-NAT
#
A short video describing Easy-IP source NAT on Huawei's USG firewall, which lets our intranet users access the Internet.
Easy-IP is the simplest way to translate the private addresses of your local area network when you have only one public IP address or the public address is assigned dynamically: outgoing packets are translated to the address of the outbound interface, with port translation, so no address pool has to be configured.
USG firewall configuration script:
#
dhcp enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
 dhcp server excluded-ip-address 10.0.0.100
 dhcp server static-bind ip-address 10.0.0.200 mac-address 5489-98b4-6a79
 dhcp server dns-list 10.0.0.100
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 5.0.0.2 255.255.255.252
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 5.0.0.1
#
security-policy
 rule name ALLOW
  source-zone local
  destination-zone trust
  destination-zone untrust
  action permit
 rule name NAT_EASY
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name NAT_EASY
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action source-nat easy-ip
#