Method used to configure the RSTP mapping on the USG6300


The RSTP mapping is configured as follows:
Configure the server mapping, enable the ASPF function of the RSTP, and enable the security policy.

Other related questions:
Method used to configure the L2TP VPN on the USG6300
The L2TP is configured on the LAC side and the LNS side.

The L2TP configuration on the LAC side is as follows:
1. Enable the L2TP.
2. Create the VT interface and access the VT interface view.
   interface virtual-template virtual-template-number
3. Configure the PPP authentication mode.
   ppp authentication-mode chap [ pap ] [ eap ], ppp authentication-mode pap [ eap ], or ppp authentication-mode eap
4. Bind the interface with the VT interface.
   interface interface-type interface-number
   pppoe-server bind virtual-template virtual-template-number
5. Add the VT interface to the security zone. The VT interface can be added to any security zone. When configuring the inter-zone relationship, to ensure that dial-up users can access the network normally, configure the packet filter between the security zone where the physical interface of the NGFW that receives and sends L2TP tunnel packets resides and the Local security zone.
6. Create the L2TP group, and access the L2TP group view.
   l2tp-group group-name
7. Specify the trigger conditions for originating calls when the local end serves as the L2TP LAC.
   Access based on domain names (the trigger condition is the domain name):
   start l2tp { lns-domain domain-name | ip ip-address &<1-5> } domain domain-name [ vpn-instance vpn-instance-name ]
   Access based on full user names:
   start l2tp { lns-domain domain-name | ip ip-address &<1-5> } fullusername user-name [ vpn-instance vpn-instance-name ]

The L2TP configuration on the LNS side is as follows:
1. Enable the L2TP.
   l2tp enable
2. Create the VT interface and access the VT interface view.
   interface virtual-template virtual-template-number
3. Configure the local IP address.
   ip address ip-address { mask | mask-length } [ sub ]
4. Configure the PPP authentication mode.
   ppp authentication-mode { chap | eap | pap } *
5. Configure the address allocated to the peer end, or a service scheme for allocating an address to the peer end.
   remote { address ip-address | service-scheme service-scheme }
6. Create the L2TP group, and access the L2TP group view.
   l2tp-group group-name
7. Configure the name of the peer end and the virtual interface template to use.
   allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ] [ vpn-instance vpn-instance-name ]
8. Configure the name of the local end of the tunnel.
   tunnel name tunnel-name

Method used to configure the default L2TP on the USG6000
You can configure the default L2TP on the USG6000 as follows:

1. Enable the L2TP. Choose Network > L2TP > L2TP. In Configure L2TP, select Enable and click Apply. If the system displays a message indicating that the operation succeeded, the L2TP is enabled.
   Note: When the L2TP is disabled, you can still make the related configuration. However, the configuration does not take effect.
2. Click New in L2TP Group List, or select the default group.
   Note: By default, an L2TP group of the LNS type exists. The default group can be modified but not deleted. Groups created by clicking New are not default groups.

If you select the default LNS group and do not specify Peer Tunnel Name, the group serves as the default LNS group. During tunnel negotiation, the LNS checks Peer Tunnel Name of each non-default group in the configured order and compares it with Local Tunnel Name on the LAC end. If Peer Tunnel Name of an L2TP group matches Local Tunnel Name on the LAC end, that group is used for negotiation and tunnel establishment. If no L2TP group's Peer Tunnel Name matches Local Tunnel Name, the default group is used for negotiation. If Peer Tunnel Name is specified for the default group, the default group becomes a non-default group and the LNS then has no default group; in that case, if no L2TP group's Peer Tunnel Name matches Local Tunnel Name, the LNS discards the negotiation packet and the tunnel fails to be established.
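The group-selection rule above, modelled as an added Python example (not Huawei code and not part of the original page): L2tpGroup and select_lns_group are assumed names, and the groups in the usage section are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class L2tpGroup:
    """One L2TP group as shown in L2TP Group List (assumed model)."""
    name: str
    peer_tunnel_name: Optional[str] = None  # None: Peer Tunnel Name not specified
    is_default: bool = False                # True only for the built-in default group


def select_lns_group(groups: List[L2tpGroup],
                     lac_local_tunnel_name: str) -> Optional[L2tpGroup]:
    """Return the group the LNS would use for a tunnel whose LAC sends
    lac_local_tunnel_name as its Local Tunnel Name, or None if the LNS
    would discard the negotiation packet.

    groups must be in configured order. A default group keeps its role
    only while Peer Tunnel Name is unset; once it is set, the default
    group is matched by name like any other group and no fallback exists.
    """
    fallback = None
    for group in groups:
        if group.is_default and group.peer_tunnel_name is None:
            fallback = group          # genuine default group: used only if nothing matches
            continue
        if group.peer_tunnel_name == lac_local_tunnel_name:
            return group              # first configured match wins
    return fallback


if __name__ == "__main__":
    # Constructed sample groups, not from a real device.
    default = L2tpGroup("default", is_default=True)
    branch_a = L2tpGroup("branch-a", peer_tunnel_name="lac-a")
    branch_b = L2tpGroup("branch-b", peer_tunnel_name="lac-b")
    print(select_lns_group([default, branch_a, branch_b], "lac-b").name)  # branch-b
    print(select_lns_group([default, branch_a, branch_b], "lac-x").name)  # default
    # Setting Peer Tunnel Name on the default group removes the fallback.
    pinned = L2tpGroup("default", peer_tunnel_name="lac-hq", is_default=True)
    print(select_lns_group([pinned, branch_a], "lac-x"))                  # None
```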

Query of operation logs on the USG6000 series
By checking operation logs, you can view records of operations such as login, logout, and device configuration, learn the device management history, and improve device security.

Context
Only the USG6000 supports operation logs, and such logs can be displayed only when a hard disk is installed.
Note: For the USG6650/6660/6670/6680, the operation log page is displayed regardless of whether hard disks are installed.
The firewall is deployed between the Internet and the network to be protected. Operation logs are generated when the IP address or login mode is configured for an administrator to log in to the firewall, or when the administrator performs any operation after login.

Procedure
1. Choose Monitor > Log > Operation Log to view operation logs.
2. Choose Customize and select or deselect conditions for threat log display.
3. (Optional) Click Export to export operation logs in CSV format to the management PC.

How to configure all-port mapping on the AR

Procedure

# Configure the NAT server on a public network interface to map all TCP ports with public IP address 1.1.1.1 to all ports with private IP address 192.168.0.1.

<Huawei> system-view
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] nat server protocol tcp global 1.1.1.1 inside 192.168.0.1

More information

If an enterprise has two or more allocatable public IP addresses and an internal server needs to provide services for public network users, all-port mapping can be configured for one public IP address. If you do not specify the range of port numbers open to public network users in the nat server command, all ports of the internal server are mapped to the same public IP address. That is, the server provides all types of services to public network users on all ports of the public IP address.

If the IP address of a public network interface is used to provide services to public network users, configuring all-port mapping on this interface will prevent public network users from accessing the web interface or other services on the AR router, because all port numbers associated with the IP address are mapped to the internal server. Therefore, if only one public IP address is available, you are advised to configure mapping of specific port numbers. All-port mapping allows multiple ports to be mapped at one time, but this configuration lowers network security because all ports are open to the public network.
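An added Python example, not Huawei code and not part of the original page, that audits an AR configuration text for the two risks described above: nat server entries with no public port (all-port mapping), and all-port mappings that use the public interface's own address. The configuration fragment is constructed, and audit_nat_servers and Finding are assumed names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed AR configuration fragment (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
 nat server protocol tcp global 1.1.1.1 inside 192.168.0.1
#
interface GigabitEthernet2/0/0
 ip address 1.1.1.2 255.255.255.0
 nat server protocol tcp global 1.1.1.3 www inside 192.168.0.2 8080
 nat server protocol tcp global 1.1.1.4 inside 192.168.0.3
#
"""

# nat server protocol <proto> global <addr> [<port>] inside <addr> [<port>]
NAT_SERVER_RE = re.compile(
    r"nat server protocol (?P<proto>\S+) global (?P<gaddr>\S+)(?: (?P<gport>\S+))?"
    r" inside (?P<iaddr>\S+)(?: (?P<iport>\S+))?$"
)


@dataclass
class Finding:
    interface: Optional[str]
    line: str
    reason: str


def audit_nat_servers(config_text: str) -> List[Finding]:
    """Flag all-port mappings, and all-port mappings on the interface's own address."""
    findings: List[Finding] = []
    interface: Optional[str] = None
    interface_ip: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            interface, interface_ip = line.split(" ", 1)[1], None
            continue
        if line.startswith("ip address "):
            interface_ip = line.split()[2]
            continue
        match = NAT_SERVER_RE.match(line)
        if match is None or match.group("gport") is not None:
            continue  # not a nat server line, or a specific-port mapping: acceptable
        findings.append(Finding(interface, line,
                                "all-port mapping: every port of the public address goes to the internal server"))
        if match.group("gaddr") == interface_ip:
            findings.append(Finding(interface, line,
                                    "all-port mapping on the interface's own address: router services on that address become unreachable"))
    return findings
```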
