
Comparison of USG firewall configuration commands on the V3 and V5 platforms

Problem description
  None
Problem analysis
  None
Handling process
I. Packet filtering

1. Allow 192.168.0.2 to access 222.100.1.1.

V3 platform configuration, based on one ACL rule:

    [USG]acl 3001
    [USG-acl-adv-3001]rule permit ip source 192.168.0.2 0 destination 222.100.1.1 0
    [USG]firewall interzone trust untrust
    [USG-interzone-trust-untrust]packet-filter 3001 outbound

V5 platform configuration, based on one policy:

    [USG]policy interzone trust untrust outbound
    [USG-policy-interzone-trust-untrust-outbound]policy 10
    [USG-policy-interzone-trust-untrust-outbound-10]policy source 192.168.0.2 0
    [USG-policy-interzone-trust-untrust-outbound-10]action permit
    [USG-policy-interzone-trust-untrust-outbound-10]policy destination 222.100.1.1 0
    [USG-policy-interzone-trust-untrust-outbound-10]quit
    [USG-policy-interzone-trust-untrust-outbound]policy 10 enable   # optional, enabled by default

2. Allow the internal network to access the www service, the ftp service and UDP port 7000 on the Internet; deny everything else.

V3 platform configuration, based on four ACL rules:

    [USG]acl 3002
    [USG-acl-adv-3002]rule permit tcp source 192.168.0.0 0.0.0.255 destination-port eq www
    [USG-acl-adv-3002]rule permit tcp source 192.168.0.0 0.0.0.255 destination-port eq 21
    [USG-acl-adv-3002]rule permit udp source 192.168.0.0 0.0.0.255 destination-port eq 7000
    [USG-acl-adv-3002]rule deny ip
    [USG]firewall interzone trust untrust
    [USG-interzone-trust-untrust]packet-filter 3002 outbound

V5 platform configuration, based on a service set and two policies:

    [USG]ip service-set test1 type object   # The predefined services do not include UDP 7000, so a service is created here.
    [USG-object-service-set-test1]service protocol udp destination-port 7000
    [USG]policy interzone trust untrust outbound
    [USG-policy-interzone-trust-untrust-outbound]policy 11
    [USG-policy-interzone-trust-untrust-outbound-11]policy service service-set http ftp test1
    [USG-policy-interzone-trust-untrust-outbound-11]policy source 192.168.0.0 0.0.0.255
    [USG-policy-interzone-trust-untrust-outbound-11]policy destination any
    [USG-policy-interzone-trust-untrust-outbound-11]action permit
    [USG-policy-interzone-trust-untrust-outbound-11]quit
    [USG-policy-interzone-trust-untrust-outbound]policy 12
    [USG-policy-interzone-trust-untrust-outbound-12]action deny

II. Network address translation (NAT)

1. Interzone NAT

Requirement: do not apply NAT to 192.168.0.2; apply NAT to all other hosts.

V3 platform configuration, based on two ACL rules and an address group (or an interface):

    [USG]acl 2020
    [USG-acl-basic-2020]rule deny source 192.168.0.2 0
    [USG-acl-basic-2020]rule permit source 192.168.0.0 0.0.0.255
    [USG]nat address-group 10 222.100.1.2 222.100.1.2
    [USG]firewall interzone trust untrust
    [USG-interzone-trust-untrust]nat outbound 2020 address-group 10
    or
    [USG-interzone-trust-untrust]nat outbound 2020 interface GigabitEthernet0/0/0

V5 platform configuration, based on two policies:

    [USG]nat address-group 10 222.100.1.2 222.100.1.2
    [USG]nat-policy interzone trust untrust outbound
    [USG-nat-policy-interzone-trust-untrust-outbound]policy 1
    [USG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.0.2 0
    [USG-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
    [USG-nat-policy-interzone-trust-untrust-outbound-1]quit
    [USG-nat-policy-interzone-trust-untrust-outbound]policy 3
    [USG-nat-policy-interzone-trust-untrust-outbound-3]policy source 192.168.0.0 0.0.0.255
    [USG-nat-policy-interzone-trust-untrust-outbound-3]address-group 10

2. Destination-based NAT: translate addresses only for traffic destined to 100.0.0.0/24

V3 platform configuration:

    [USG]acl 3020
    [USG-acl-adv-3020]rule permit ip source 192.168.0.0 0.0.0.255 destination 100.0.0.0 0.255.255.255
    [USG]nat address-group 10 222.100.1.2 222.100.1.2
    [USG]firewall interzone trust untrust
    [USG-interzone-trust-untrust]nat outbound 3020 address-group 10
    or
    [USG-interzone-trust-untrust]nat outbound 3020 interface GigabitEthernet0/0/0

V5 platform configuration, based on one policy:

    [USG]nat address-group 1 9.9.9.9 9.9.9.9
    [USG]nat-policy zone trust
    [USG-nat-policy-zone-trust]policy 1
    [USG-nat-policy-zone-trust-1]policy source 192.168.0.0 0.0.0.255
    [USG-nat-policy-zone-trust-1]policy destination 100.0.0.0 0.255.255.255
    [USG-nat-policy-zone-trust-1]address-group 1
    [USG-nat-policy-zone-trust-1]action source-nat

3. Intrazone NAT

V3 platform configuration, based on an ACL with one rule and an address group:

    [USG]nat address-group 1 9.9.9.9 9.9.9.9
    [USG]acl 2020
    [USG-acl-basic-2020]rule permit source 192.168.0.0 0.0.0.255
    [USG]firewall zone trust
    [USG-zone-trust]nat 2020 address-group 1

V5 platform configuration, based on one policy:

    [USG]nat address-group 1 9.9.9.9 9.9.9.9
    [USG]nat-policy zone trust
    [USG-nat-policy-zone-trust]policy 1
    [USG-nat-policy-zone-trust-1]policy source 192.168.0.0 0.0.0.255
    [USG-nat-policy-zone-trust-1]address-group 1
    [USG-nat-policy-zone-trust-1]action source-nat
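As an added illustration of the ACL-to-policy mapping in section I (example code, not from the original page or from Huawei), this Python script translates a V3 advanced-ACL rule list into the equivalent V5 policy commands, emitting one policy per rule in ACL order so that the first-match semantics of the packet filter are preserved. The function name acl_to_policy, the svc_<proto>_<port> naming for custom service sets and the "policy source any" form are assumptions.

```python
import re

# Map ACL port tokens to V5 predefined service sets (assumption: http/ftp suffice here).
PREDEFINED = {("tcp", "www"): "http", ("tcp", "80"): "http", ("tcp", "21"): "ftp"}

# One V3 advanced-ACL rule: action, protocol, optional source/destination, optional port.
RULE_RE = re.compile(
    r"rule (?P<action>permit|deny) (?P<proto>ip|tcp|udp)"
    r"(?: source (?P<src>\S+ \S+))?"
    r"(?: destination (?P<dst>\S+ \S+))?"
    r"(?: destination-port eq (?P<port>\S+))?$"
)

def acl_to_policy(acl_rules, zone_pair="trust untrust", direction="outbound", first_id=10):
    """Translate V3 ACL rules (first match wins) into V5 policy CLI lines.

    One policy per ACL rule, in ACL order, keeps the first-match semantics. Ports with no
    predefined service set get an object service-set svc_<proto>_<port> (hypothetical name).
    """
    services, policies = [], [f"policy interzone {zone_pair} {direction}"]
    pid = first_id
    for rule in acl_rules:
        m = RULE_RE.match(rule.strip())
        if m is None:
            raise ValueError(f"unsupported ACL rule: {rule!r}")
        proto, port = m["proto"], m["port"]
        policies += [f"policy {pid}",
                     f"policy source {m['src'] or 'any'}",
                     f"policy destination {m['dst'] or 'any'}"]
        if port:
            name = PREDEFINED.get((proto, port))
            if name is None:  # like the page's "test1" service-set for UDP 7000
                name = f"svc_{proto}_{port}"
                services += [f"ip service-set {name} type object",
                             f"service protocol {proto} destination-port {port}", "quit"]
            policies.append(f"policy service service-set {name}")
        policies += [f"action {m['action']}", "quit"]
        pid += 1
    return services + policies  # service-sets must exist before the policies reference them

if __name__ == "__main__":
    # Constructed input: the four ACL 3002 rules from the page.
    acl_3002 = [
        "rule permit tcp source 192.168.0.0 0.0.0.255 destination-port eq www",
        "rule permit tcp source 192.168.0.0 0.0.0.255 destination-port eq 21",
        "rule permit udp source 192.168.0.0 0.0.0.255 destination-port eq 7000",
        "rule deny ip",
    ]
    print("\n".join(acl_to_policy(acl_3002)))
```

The page's hand-written V5 version merges the three permits into a single policy 11 with "service-set http ftp test1"; the per-rule output above is functionally equivalent but easier to verify line by line against the original ACL.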
Suggestions/Summary
  USG2000/5100 series: V100R003 is the V3 platform and V100R005 is the V5 platform. USG5300: V100R002 is the V3 platform and V100R003 is the V5 platform.