Security - Labnario

Inter-VLAN communication on USG firewall

3 Oct, 2015 Security 0

It’s time to check a firewall available in eNSP simulator. Today a simple task, just configuring inter-VLAN communication on Huawei USG5500.

Let’s look at the following topology:

Configuration roadmap:

Configure L2 communication on the switch.
As the switch is L2, configure subinterfaces on the firewall and enable L3 communication between different VLANs.
Set IP addresses and gateways for all PCs.
Create 2 security zones and configure interzone packet-filterfing to control traffic between VLANs.
Security requirements for the network:

PC1 in VLAN100 and PC2 in VLAN200 can communicate each other.
PC3 in VLAN300 can access PC1 and PC2. PC1 and PC2 cannot access PC3.

NAT server on Huawei USG5500

22 Apr, 2015 Security 1

The last article dealt with outbound NAT. Let’s focus today on NAT server. NAT server enables private network servers to provide services for external networks with public IP addresses. In this lab, our enterprise provides FTP services for external users.

We can use the topology from the last post:

In our case AR router works as FTP server:

outbound NAT on Huawei USG5500

15 Apr, 2015 Security 0

What does it mean outbound NAT?

Outbound NAT translates the source IP addresses of packets sent from a high-priority security zone to a low-priority one.

I allowed myself to post a flowchart of configuring intranet users to access extranet through NAT (from Huawei documentation):

It easily lets us to choose a suitable way of configuring outbound NAT. In this lab I will try to do a review of these methods.

https—>webUI—>Huawei Secospace USG6300

1 Apr, 2015 Security 0

As a graphical user interface is useless in case of routers and switches, it looks useful when configuring a firewall. Of course it is my point of view. I do not go into what is better for you. I like using CLI but, sometimes, it is worth to simplify your daily routine. The first step is to configure HTTPS access to webUI of USG6300. This is what we will focus today.

Well known topology from the last post:

Topology_USG_access

Configure IP address of firewall’s interface and add it to trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7

VTY access to Secospace USG6300

31 Mar, 2015 Security 0

A new box for fun 🙂

Thanks to my colleagues I have opportunity to test Huawei Secospace USG6300.

A rental period is not long, so let’s start from the beginning.

Telnet and SSH

Topology_USG_access

Configure IP address of firewall’s interface and assign it to trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7