13 eudemon basic function and configuration

T

HUAWEI TECHNOLOGIES CO., LTD. All rights reserved

www.huawei.com

Eudemon Basic Function

and Configuration

T HUAWEI TECHNOLOGIES CO., LTD.. All rights reserved

This course will introduce work mode of

firewall, security area concept, ACL,

NAT such basic function and

configuration.


Upon completion of this course, you will be able to:

Master the concept of security area

Master work mode of firewall

Master the function and configuration of ACL

Master the function and configuration of NAT


Chapter 1 Work Mode

Chapter 2 Security Zone

Chapter 3 ACL

Chapter 4 NAT


Route Mode

Server

PC PC

202.10.0.0/24

Trust Zone

Server

Eudemon

PC

10.110.1.0/24

202.10.0.1 10.110.1.254

Untrust Zone

Internal network External network


Transparent Mode

Server

PC PC Trust

Server

Eudemon

PC

Untrust

202.10.0.0/24 Internal network External network


Composite Mode

Eudemon（active）

202.10.0.0/24

Eudemon（standby）

VRRP

202.10.0.0/24

Trust

Server

PC

Server

PC PC

Untrust



Configure Work Mode

[Eudemon]firewall mode composite

[Eudemon]quit

<Eudemon>reboot

[Eudemon]display firewall mode

firewall mode composite


Chapter 1 Work Mode


Chapter 3 ACL

Chapter 4 NAT


Security Zone of Firewall

Local Zone

100 Trust Zone

85

DMZ Zone

50 UnTrust Zone

5

Interface 2

Interface 3

Interface 4 Interface 1

Zone defined by user


Among Security Zones of Firewall---InterZone

Server

Server

Untrust

DMZ

Eth1/0/1

E1/0/2

inbound

outbound

inbound

outbound

Internal network

E1/0/0

Eudemon

Local

External network

inbound

outbound

Trust


Configure Security Zone

[Eudemon] firewall zone name userzone

[Eudemon-zone-userzone] set priority 60

[Eudemon-zone-userzone] add interface Ethernet 0/0/1

[Eudemon]display zone username

username

priority is 60

interface of the zone is (1):

Ethernet0/0/1


Configure InterZone policy

[Eudemon]acl 3000

[Eudemon-acl-adv-3000] rule permit ip

[Eudemon]firewall interzone trust untrust

[Eudemon-interzone-trust-untrust]packet-filter 3000 inbound

Server

PC PC Trust Zone

Server

Eudemon

PC

Untrust Zone



Chapter 1 Work Mode


Chapter 3 ACL

Chapter 4 NAT


ACL Application

Packet filtering

Determine to discard or forward packet according to ACL rule

NAT

Determine to implement NAT to which packet According to ACL

IPSec

Determine to protect which packet according to ACL

Qos

Classify flow according to ACL

Routing policy

Filter routes according to ACL

What is ACL?

Permit

Deny


ACL Classification

Basic ACL （range: 2000～2999）

Use source address to define data flow

Advanced ACL （range: 3000～3999）

Use source address,destination address,source port

number,destination port number ,up-level protocol number and so

on combination to define data flow

Firewall ACL （range:5000～5499）

Use source address,destination address, destination port number to

define data flow


ACL Classification

Firewall ACL Advanced ACL Basic ACL

Match priorly the route with Acl-number

Match priorly the route with small Rule-id

acl [ number ] acl-number

rule [ rule-id ] { permit | deny } [ source { sour-address sour-

wildcard | any } ] [ time-range time-name ]

rule [ rule-id ] { permit | deny } protocol [ source { sour-

address sour-wildcard | any } ] [ destination { dest-address

dest-mask | any } ] [ source-port operator port1 [ port2 ] ]

[ destination-port operator port1 [ port2 ] ] [ icmp-type

{ icmp-type icmp-code | icmp-message } ] [ precedence

precedence ] [ tos tos ] [ time-range time-name ]


ACL Application Example

Special PC in external network

202.39.2.3 Special PC in internal network

129.38.1.4

129.38.1.1

202.38.160.1

WAN

Eudemon

FTP Server

129.38.1.2

Telnet Server

129.38.1.3

www Server

129.38.1.5

E1/0/0

E0/0/0


ACL Application Example－Configuration

[Eudemon] acl number 3101

[Eudemon-acl-adv-3101] rule permit ip source 129.38.1.4 0




[Eudemon-acl-adv-3101] rule deny ip

[Eudemon-acl-adv-3101] quit

[Eudemon] acl number 3102

[Eudemon-acl-adv-3102] rule permit tcp source 202.39.2.3 0 destination 129.38.1.1 0



[Eudemon-Interzone-trust-untrust] packet-filter 3101 outbound

[Eudemon-Interzone-trust-untrust] packet-filter 3102 inbound


Chapter 1 Work Mode


Chapter 3 ACL

Chapter 4 NAT


NAT (Network Address Translation)

NAT is used to translate IP address in IP data packet header

into another IP address.

NAT can solve the following problems:

IP address shortage

− Save public IP address

Security element

− Shield private network

Enterprise combination

− Easy to combine networks


Private Address and Public Address

Internet

192.168.0.1

192.168.0.2

192.168.0.1

LAN1

LAN2

LAN3

Private address range:

10.0.0.0-10.255.255.255

172.16.0.0-172.31.255.255

192.168.0.0-192.168.255.255


Eudemon NAT

PC C

202.130.10.3

Server B

202.120.10.2

PC B

192.168.1.2

PC A

192.168.1.3

Eudemon

E0/0/0

202.169.10.1

E0/0/0

192.168.1.1

Trust Untrust

Data packet 1

Source 192.168.1.3

destination 202.120.10.2

Internet

Data packet 1

source 202.169.10.1

Destination 202.120.10.2

Data packet 2

source 202.120.10.2


Data packet 2

Source 202.120.10.2

destination192.168.1.3


Eudemon NAPT

PC C

202.130.10.3

Server B

202.120.10.2

PC B

192.168.1.2

PC A

192.168.1.3

Eudemon

E0/0/0

202.169.10.1

E0/0/0

192.168.1.1

Trust Untrust

Data packet 2

source 192.168.1.3

Source port 2468

Internet

Data packet2

source 202.169.10.1

Source port 2468

Data packet3

source 192.168.1.1

Source port 11111

Data packet3

source 202.169.10.1

Source port 11111

Data packet4

source 192.168.1.2

Source port 11111

Data packet4

source 202.169.10.1

Source port 22222

Data packet 1

source 192.168.1.3

Source port 1357

Data packet 1

source 202.169.10.1

Source port 1357


Eudemon Internal Server NAT

Mail Server Web Server FTP Server

DMZ

Internet

202.168.0.1/26

192.168.1.1/24

192.168.1.100/24 192.168.1.101/24 192.168.1.102/24

E1/0/0

E0/0/1

Untrust Data packet 1

source 202.168.0,2

Destination 202.168.0.11

Data packet 1

source 202.168.0,2


Data packet 2

source 202.168.0.11


Data packet 2

source 192.168.0.101


202.168.0.11-192.168.1.101

ALG function


Eudemon NAT Implementation

ACL Private

address Public

address

Eudemon


Internal Server NAT Network

Internal network

192.168.0.0/24

202.168.0.10-192.168.1.100

202.168.0.11:80-192.168.1.101:8080

202.168.0.12:1021-192.168.1.102:ftp

E0/0/0

192.168.0.1/24

Trust

Mail Server Web Server FTP Server

DMZ

Internet

202.168.0.1/24

192.168.1.1/24

192.168.1.100/24 192.168.1.101/24 192.168.1.102/24

E1/0/0

E0/0/1

Untrust


Egress Network NAT Typical Configuration

[Eudemon] acl 2000

[Eudemon-acl-basic-2000]rule permit

[Eudemon-acl-basic-2000]quit

[Eudemon] nat address-group 1 202.168.0.10 202.168.0.20

[Eudemon] acl 3000

[Eudemon-acl-adv-3000] rule permit ip source-address

192.168.0.0 0.0.0.255

[Eudemon] firewall interzone trust untrust

[Eudemon-interzone-trust-untrust] packet-filter 2000

outbound

[Eudemon-interzone-trust-untrust] nat outbound 3000

address-group 1

Configure address pool

Enable NAT function, bind address pool and ACL


NAT Server Typical Configuration

[Eudemon] nat server global 202.168.0.10 inside 192.168.1.100

[Eudemon] nat server protocol tcp global 202.168.0.11 80 inside

192.168.1.101 8080

[Eudemon] nat server protocol tcp global 202.168.0.12 1021 inside

192.168.1.102 ftp

[Eudemon] acl 3000

[Eudemon] rule permit ip destination-address 192.168.1.0

0.0.0.255

[Eudemon] firewall interzone DMZ untrust

[Eudemon-interzone-DMZ-untrust] packet-filter 3000 inbound

[Eudemon-interzone-DMZ-untrust] detect ftp

Configure mapping information between global

address and internal server address


NAT Configuration Verification

[Eudemon] display nat all

NAT address-group information:

1: from 202.168.0.10 to 202.168.0.20, reference 1 times

Total 1 address-groups

NAT outbound information:

interzone-trust-untrust: acl(2000) --- NAT address-group( 1)

Total 1 nat outbounds

Server in private network information:

zone GlobalAddr GlobalPort InsideAddr InsidePort Pro VPN

---- 202.168.0.10 ---- 192.168.1.100 ---- --- public

---- 202.168.0.11 8080 192.168.1.101 8080 6(tcp) public

---- 202.168.0.12 1021 192.168.1.102 21(ftp) 6(tcp) public

Total 3 NAT servers

If address pool is imported, it

can not be deleted directly.


Summary

Which work mode does Eudemon include?

What is the default security Zone of Eudemon?

What is the difference between basic ACL and

advanced ACL?

Which kind of NAT does Eudemon support?

T

Thank you

www.huawei.com

13 eudemon basic function and configuration

Documents

port operator port1

eudemon e0 0 0 e0 0 0

destination port number

private address

filter 3000 inbound

nat address

huawei technologies

rights reserved