Saturday, November 23 2024

Tag Archives: Huawei firewall

Destination NAT on Huawei USG firewall

If you have an FTP server or any other server that you want to make available to Internet users, place the server in the DMZ zone of your firewall (e.g. a Huawei USG) and configure a destination NAT. You can then easily restrict the IP addresses and protocols that are allowed to reach your server. And this video is just about that 😉

USG firewall configuration script:

#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.0.100.1 255.255.255.252
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 5.0.0.2 255.255.255.252
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 5.0.0.1
#
firewall detect ftp
#
nat server 0 protocol tcp global 6.6.6.1 ftp inside 10.0.100.2 ftp unr-route
#
nat address-group PUBLIC_OUT 2
 mode no-pat global
 route enable
 section 0 6.6.6.1 6.6.6.1
#
security-policy
 rule name PUBLIC_OUT
  source-zone dmz
  destination-zone untrust
  source-address 10.0.100.0 mask 255.255.255.252
  action permit
 rule name PUBLIC_IN
  source-zone untrust
  destination-zone dmz
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 10.0.100.0 mask 255.255.255.252
  action permit
#
nat-policy
 rule name PUBLIC_OUT
  source-zone dmz
  destination-zone untrust
  source-address 10.0.100.0 mask 255.255.255.252
  action source-nat address-group PUBLIC_OUT
#
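As an added example (not the page's or Huawei's own code), the following Python parses the security-policy block above and evaluates sample flows the way the USG does: rules top-down, first match wins, anything unmatched falls to the default deny. PUBLIC_IN matches the server's private address 10.0.100.2 because the nat server translation is applied before the security-policy lookup; the flows checked against it are constructed.

```python
# Added example, not the page's or Huawei's own code: parse the security-policy
# block of the destination-NAT script above and evaluate flows as the firewall
# does (rules in order, first match wins, implicit deny at the end).
import ipaddress
SECURITY_POLICY = """\
security-policy
 rule name PUBLIC_OUT
  source-zone dmz
  destination-zone untrust
  source-address 10.0.100.0 mask 255.255.255.252
  action permit
 rule name PUBLIC_IN
  source-zone untrust
  destination-zone dmz
  source-address 1.1.1.1 mask 255.255.255.255
  destination-address 10.0.100.0 mask 255.255.255.252
  action permit
"""  # the page's own policy block, indentation restored

def parse_policy(text):
    # Returns the rules of a security-policy block, in configuration order.
    rules = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "security-policy":
            continue
        if tok[:2] == ["rule", "name"]:
            rules.append({"name": tok[2], "src_zone": set(), "dst_zone": set(),
                          "src": [], "dst": [], "action": None})
        elif tok[0] == "source-zone":
            rules[-1]["src_zone"].add(tok[1])
        elif tok[0] == "destination-zone":
            rules[-1]["dst_zone"].add(tok[1])
        elif tok[0] in ("source-address", "destination-address"):
            # "<ip> mask <netmask>"; strict=False tolerates host bits in the prefix
            net = ipaddress.ip_network(f"{tok[1]}/{tok[3]}", strict=False)
            rules[-1]["src" if tok[0] == "source-address" else "dst"].append(net)
        elif tok[0] == "action":
            rules[-1]["action"] = tok[1]
    return rules

def _addr_ok(nets, ip):  # an unset address condition matches any address
    return not nets or any(ipaddress.ip_address(ip) in n for n in nets)

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule decides; unmatched flows fall to the default deny."""
    for r in rules:
        if ((not r["src_zone"] or src_zone in r["src_zone"])
                and (not r["dst_zone"] or dst_zone in r["dst_zone"])
                and _addr_ok(r["src"], src_ip) and _addr_ok(r["dst"], dst_ip)):
            return r["name"], r["action"]
    return None, "deny"
```

Extending the parser to the `nat-policy` block is the same walk over `rule name` sections; only the `action` line differs.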


Easy-IP source NAT on Huawei USG firewall

A short video describing Easy-IP source NAT on Huawei's USG firewall, which ensures that our intranet users can access the Internet.

Easy-IP is the easiest way to translate the private IP addresses of your local area network when you have only one public IP address or the public IP address is assigned dynamically.

USG firewall configuration script:

#
dhcp enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
 dhcp server excluded-ip-address 10.0.0.100
 dhcp server static-bind ip-address 10.0.0.200 mac-address 5489-98b4-6a79
 dhcp server dns-list 10.0.0.100
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 5.0.0.2 255.255.255.252
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 5.0.0.1
#
security-policy
 rule name ALLOW
  source-zone local
  destination-zone trust
  destination-zone untrust
  action permit
 rule name NAT_EASY
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name NAT_EASY
  source-zone trust
  destination-zone untrust
  source-address 10.0.0.0 mask 255.255.255.0
  action source-nat easy-ip
#


DHCP IPv4 server on Huawei USG6000 firewall

You know how to configure DHCP on a Huawei router but have problems doing so on a Huawei firewall? Take a few minutes and see how to do it.

A DHCP IPv4 server that uses the interface's address pool to allocate IPv4 addresses to DHCP clients is the simplest way to implement DHCP on the USG6000.

USG firewall configuration script:

#
dhcp enable
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
 service-manage ping permit
 dhcp select interface
 dhcp server excluded-ip-address 10.0.0.100
 dhcp server static-bind ip-address 10.0.0.200 mac-address 5489-98b4-6a79
 dhcp server dns-list 10.0.0.100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/0
#
security-policy
 rule name ALLOW
  action permit
#


Inter-VLAN communication on USG firewall

It's time to check out the firewall available in the eNSP simulator. Today's task is a simple one: configuring inter-VLAN communication on a Huawei USG5500.

Let’s look at the following topology:

 

Configuration roadmap:

  1. Configure L2 communication on the switch.
  2. As the switch is L2 only, configure subinterfaces on the firewall and enable L3 communication between the different VLANs.
  3. Set IP addresses and gateways for all PCs.
  4. Create 2 security zones and configure interzone packet filtering to control traffic between VLANs.
  5. Security requirements for the network:
  • PC1 in VLAN100 and PC2 in VLAN200 can communicate with each other.
  • PC3 in VLAN300 can access PC1 and PC2; PC1 and PC2 cannot access PC3.


NAT server on Huawei USG5500

The last article dealt with outbound NAT. Let’s focus today on NAT server. NAT server enables private network servers to provide services for external networks with public IP addresses. In this lab, our enterprise provides FTP services for external users.

We can use the topology from the last post:

In our case the AR router works as the FTP server:
