防火墙GRE配置+域间策略+NAT策略(EASY-IP)实例操作
防火墙GRE配置+域间策略+NAT策略(EASY-IP)实例操作配置ISP模拟公网<Huawei>system-viewsysname ispinterface gigabitethernet 0/0/0ip address100.1.1.1 24 quitinterface gigabitethernet 0/0/1ip address200.1.1.1 24 quitinterface loopback 0ip address 200.200.200.20032quit FW1Username:adminPassword:Admin@123The password needs to be changed. Changenow? : yPlease enter old password: Admin@123Please enter new password: Admin1234Please confirm new password:Admin1234 配置DHCP为PC1分配地址DHCP配置保留地址200-254;即自动分配.2~.199;下面配置nat转换时把地址范围配置为.200~.254;得到的结果是自动获取到的地址无法被nat转换,无法连接公网,需要手工配置200~254的地址才能连接公网。dhcp enableip pool pc1gateway-list 192.168.10.1network 192.168.10.0 mask24excluded-ip-address192.168.10.200 192.168.10.254lease day 2 hour 0 minute0dns-list 114.114.114.1148.8.8.8quit配置接口地址并把接口加入安全域内interface gigabitethernet 1/0/6ip address192.168.10.1 24dhcp selectglobalquitinterface gigabitethernet 1/0/0ip address100.1.1.2 24quitinterface tunnel 1//创建遂道接口1ip address 172.16.10.1 24quitfirewall zone trust//进入trust安全域add interfacegigabitethernet 1/0/6//接口加入域quitfirewall zone untrustadd interfacegigabitethernet 1/0/0quitfirewall zone dmzadd interface tunnel 1quit 配置GRE隧道interface tunnel 1//进入遂道接口1tunnel-protocol gre//配置遂道接口封装协议为GREsource 100.1.1.2//源地址(公网)destination 200.1.1.2//对端目标地址(公网)gre key 123456//配置关键字验证gre checksum//配置检验和验证keepalive//配置保活机制 配置到对端的路由(OSPF)ospf 1 //创建OSPF 进程1area 0//配置骨干区域authentication-modemd5 1 cipher admin1234//配置身份认证模式为MD5 配置密文密码network172.16.10.0 0.0.0.255//通告参与网络network192.168.10.0 0.0.0.255quitquit 配置默认路由ip route-static 0.0.0.0 0.0.0.0100.1.1.1//默认路由下跳为运营商提供的网关地址配置nat(easy-ip)nat-policy rule name zurkjsource-zonetrustdestination-zoneuntrustsource-addressrange 192.168.10.200 192.168.10.254actionsource-nat easy-ipquitquit 配置域间策略rule name td-dtsource-zonetrust dmzdestination-zonedmz trustactionpermitquitrule name lu-ulsource-zonelocal untrustdestination-zoneuntrust localservice greactionpermitquitrule name t-usource-zonetrustdestination-zoneuntrustaction permitquitquit FW2为镜像配置,与FW1完全一样。 非常好!顶了。
页:
[1]
