Network topology view

Log in to the firewall through the WEB UI

Log in to the USG6000V through the Web (see the tutorial)

Login successful

Configure the firewall to enable Intranet users to access the Internet in PAT mode

  • Create a NAT pool on the firewall for intranet users to access the Internet in NAT mode
  • Configure a NAT policy
  • Configure a security policy to allow the Trust zone to access the Untrust zone
  • Configure a default route pointing to R1
  • Configure a static route for the NAT pool addresses pointing to a null interface (NULL0) to prevent a routing black hole

Configure a firewall to enable Internet users to access the FTP server in the ENTERPRISE DMZ (bidirectional NAT)

  • Configure the external static mapping (NAT server) for the server
  • Configure a security policy on the firewall to allow the Untrust zone to access the DMZ
  • Configure a NAT pool that serves as the intranet-side NAT address used when Internet users access the intranet server
  • Configure a NAT policy. Note that this NAT policy is different from the intranet-to-Internet NAT policy!
  • Finally, configure a static route for the server's external IP address to prevent a routing black hole

The web interface configuration is complete.
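To make the two translations concrete, here is an added Python model (not from the tutorial) of an Internet client opening an FTP control connection to the mapped address, using the tutorial's 1.1.1.100, 10.1.2.1 and 10.1.2.100 values; the client address 2.2.2.2, the DMZ subnet 10.1.2.0/24 and the starting PAT port are constructed assumptions. It shows why the second, DMZ-side source NAT is needed: after it, the server replies to a neighbour on its own subnet instead of needing a route to the Internet.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Values taken from the tutorial's configuration
NAT_SERVER_GLOBAL = "1.1.1.100"      # nat server FTP ... global 1.1.1.100 ftp
NAT_SERVER_INSIDE = "10.1.2.1"       # ... inside 10.1.2.1 ftp
DMZ_POOL = "10.1.2.100"              # nat address-group "DMZ pool"
FTP = 21
DMZ_NET = ip_network("10.1.2.0/24")  # assumption: the DMZ subnet is not stated on the page


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class BidirectionalNat:
    """Models the two translations the firewall applies to untrust -> dmz FTP traffic."""

    def __init__(self):
        self.sessions = {}     # (pool address, PAT port) -> original (client, client port)
        self.next_port = 2048  # constructed starting PAT port

    def inbound(self, pkt):
        # Step 1: NAT server (static mapping) rewrites the destination to the inside address
        if pkt.dst != NAT_SERVER_GLOBAL or pkt.dport != FTP:
            return pkt
        pkt = replace(pkt, dst=NAT_SERVER_INSIDE)
        # Step 2: nat-policy "DMZ NAT" rewrites the source to the DMZ pool address,
        # so the server sees a neighbour on its own subnet instead of an Internet host
        pat_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(DMZ_POOL, pat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=DMZ_POOL, sport=pat_port)

    def outbound(self, reply):
        """Undo both translations on the server's reply using the session table."""
        client, client_port = self.sessions[(reply.dst, reply.dport)]
        return replace(reply, src=NAT_SERVER_GLOBAL, dst=client, dport=client_port)


def reply_stays_in_dmz(server_view):
    """True when the server can answer without needing a route toward the Internet."""
    return ip_address(server_view.src) in DMZ_NET
```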

Configure Intranet users and FTP-server

  • PC1

  • FTP-Server

Configuration code

  • FW
dis current-configuration displays the running configuration of the firewall:
[USG6000V1]dis current-configuration 
2020-12-02 05:10:12.380
!Software Version V500R005C10SPC300
#
 sysname FW
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable
#
 undo telnet server enable
 undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 04:29
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 feedback type threat-log enable
 feedback type pdns enable
#
 update schedule ips-sdb daily 01:03
 update schedule av-sdb daily 01:03
 update schedule sa-sdb daily 01:03
 update schedule cnc daily 01:03
 update schedule file-reputation daily 01:03
#
ip vpn-instance default
 ipv4-family
#
ip-link check enable
ip-link name Linktest vpn-instance default
 destination 0.0.0.0/0.0.0.0 interface GigabitEthernet0/0/0 mode icmp next-hop 1.1.1.2
#
ip address-set FTP_Server type object
 address 0 10.1.2.100 mask 32
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%Zrwy:l}UIX`r(g+IY`OVqb^q${UL$9Sr[@{C_yFj6fV)b^tq@%@%
  service-type web terminal
  level 15

 manager-user api-admin
  password cipher @%@%RbIt"|>Pz2NW1b@+[5@*lAb@{Q@w,<X<\:FM\\"=aDmHAbCl@%@%
  level 15

 manager-user admin
  password cipher @%@%/#t."\i! CN:fcaLL.SLY9e%>]n*,Vrv~4DZU.{&N6r8:e%A9@%@%
  service-type web terminal
  level 15

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 1.1.1.2 track ip-link Linktest description
ip route-static 1.1.1.100 255.255.255.255 NULL0 track ip-link Linktest
ip route-static 1.1.1.105 255.255.255.255 NULL0 track ip-link Linktest
#
 undo ssh server compatible-ssh1x enable
 ssh authentication-type default password
 ssh server cipher aes256_ctr aes128_ctr
 ssh server hmac sha2_256 sha1
 ssh client cipher aes256_ctr aes128_ctr
 ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
nat server FTP zone untrust protocol tcp global 1.1.1.100 ftp inside 10.1.2.1 ftp no-reverse unr-route
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
nat address-group "Nat pool" 0
 mode pat
 section 0 1.1.1.105 1.1.1.106
#
nat address-group "DMZ pool" 1
 mode pat
 route enable
 section 0 10.1.2.100 10.1.2.100
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 rule name FTP
  description "Security policy for Internet access to FTP"
  source-zone untrust
  destination-zone dmz
  service ftp
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 rule name Nat
  source-zone trust
  destination-zone untrust
  action source-nat address-group "Nat pool"
 rule name "DMZ NAT"
  source-zone untrust
  destination-zone dmz
  destination-address address-set FTP_Server
  service ftp
  action source-nat address-group "DMZ pool"
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
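Both procedures above end with the same step: a NULL0 host route for every address the firewall answers for on the outside (NAT pool and NAT server global addresses), so that traffic for an unused pool address is discarded instead of bouncing between the firewall and R1. As an added check (not part of the tutorial), the following Python script parses a constructed excerpt modelled on the dump above and lists NAT addresses with neither a NULL0 host route nor a route-generating keyword; it assumes that "unr-route" on a nat server and "route enable" on an address group make the firewall install that route itself.

```python
import re
from ipaddress import ip_address

# Constructed excerpt modelled on the tutorial's "display current-configuration" dump
SAMPLE_CONFIG = """\
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 1.1.1.2 track ip-link Linktest
ip route-static 1.1.1.100 255.255.255.255 NULL0 track ip-link Linktest
ip route-static 1.1.1.105 255.255.255.255 NULL0 track ip-link Linktest
#
nat server FTP zone untrust protocol tcp global 1.1.1.100 ftp inside 10.1.2.1 ftp no-reverse unr-route
#
nat address-group "Nat pool" 0
 mode pat
 section 0 1.1.1.105 1.1.1.106
#
nat address-group "DMZ pool" 1
 mode pat
 route enable
 section 0 10.1.2.100 10.1.2.100
"""


def blackhole_routes(config):
    """Host routes explicitly pointed at NULL0 (the tutorial's anti-black-hole step)."""
    pat = r"^ip route-static (\S+) 255\.255\.255\.255 NULL0"
    return {m.group(1) for m in re.finditer(pat, config, re.M | re.I)}


def nat_public_addresses(config):
    """Map each NAT-owned address to whether its own stanza carries a route-generating keyword.
    (Assumption: 'unr-route' / 'route enable' make the firewall install the route itself.)"""
    owned = {}
    for m in re.finditer(r"^nat server \S+ .*?global (\S+).*$", config, re.M | re.I):
        owned[m.group(1)] = "unr-route" in m.group(0)
    for m in re.finditer(r'^nat address-group (".*?"|\S+) \d+\n((?: .*\n)+)', config, re.M | re.I):
        body = m.group(2)
        auto = bool(re.search(r"^ route enable", body, re.M))
        for sec in re.finditer(r"^ section \d+ (\S+) (\S+)", body, re.M):
            lo, hi = int(ip_address(sec.group(1))), int(ip_address(sec.group(2)))
            for n in range(lo, hi + 1):  # expand the pool range address by address
                owned[str(ip_address(n))] = auto
    return owned


def uncovered_addresses(config):
    """NAT addresses with neither a NULL0 host route nor a route-generating keyword."""
    routed = blackhole_routes(config)
    return sorted(a for a, auto in nat_public_addresses(config).items()
                  if a not in routed and not auto)
```

On the tutorial's own values the check reports 1.1.1.106: the pool spans 1.1.1.105 to 1.1.1.106, but only 1.1.1.105 has a NULL0 route in the dump.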
  • R1
Display the R1 configuration:
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 12.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 12.1.1.1 0.0.0.0
#
  • R2
Display the R2 configuration:
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
 ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 12.1.1.2 0.0.0.0
#

Official Reference Documents

Official Reference documents: Examples of configuring NAT and NAT SERVER applications on the USG6000