Firewall GRE configuration + interzone policy + NAT policy (Easy IP): a worked example

Configure the ISP router to simulate the public network
<Huawei>system-view
[Huawei]sysname isp
[isp]interface gigabitethernet 0/0/0
[isp-GigabitEthernet0/0/0]ip address 100.1.1.1 24
[isp-GigabitEthernet0/0/0]quit
[isp]interface gigabitethernet 0/0/1
[isp-GigabitEthernet0/0/1]ip address 200.1.1.1 24
[isp-GigabitEthernet0/0/1]quit
[isp]interface loopback 0
[isp-LoopBack0]ip address 200.200.200.200 32
[isp-LoopBack0]quit

FW1: first login and mandatory password change
Username:admin
Password:Admin@123
The password needs to be changed. Change now? [Y/N]: y
Please enter old password: Admin@123
Please enter new password: Admin1234
Please confirm new password:Admin1234

Configure DHCP to assign addresses to PC1
Note: the DHCP pool reserves .200-.254, so it leases .2-.199 automatically. The NAT rule below, however, is configured with the source range .200-.254. The result is that an automatically leased address is never NAT-translated and cannot reach the public network; a host needs a manually configured address in the .200-.254 range to get out.
[fw1]dhcp enable
[fw1]ip pool pc1
[fw1-ip-pool-pc1]gateway-list 192.168.10.1
[fw1-ip-pool-pc1]network 192.168.10.0 mask 24
[fw1-ip-pool-pc1]excluded-ip-address 192.168.10.200 192.168.10.254
[fw1-ip-pool-pc1]lease day 2 hour 0 minute 0
[fw1-ip-pool-pc1]dns-list 114.114.114.114 8.8.8.8
[fw1-ip-pool-pc1]quit

Configure interface addresses and add the interfaces to security zones
[fw1]interface gigabitethernet 1/0/6
[fw1-GigabitEthernet1/0/6]ip address 192.168.10.1 24
[fw1-GigabitEthernet1/0/6]dhcp select global
[fw1-GigabitEthernet1/0/6]quit
[fw1]interface gigabitethernet 1/0/0
[fw1-GigabitEthernet1/0/0]ip address 100.1.1.2 24
[fw1-GigabitEthernet1/0/0]quit
[fw1]interface tunnel 1 //create tunnel interface 1
[fw1-Tunnel1]ip address 172.16.10.1 24
[fw1-Tunnel1]quit
[fw1]firewall zone trust //enter the trust zone
[fw1-zone-trust]add interface gigabitethernet 1/0/6 //add the interface to the zone
[fw1-zone-trust]quit
[fw1]firewall zone untrust
[fw1-zone-untrust]add interface gigabitethernet 1/0/0
[fw1-zone-untrust]quit
[fw1]firewall zone dmz
[fw1-zone-dmz]add interface tunnel 1
[fw1-zone-dmz]quit

Configure the GRE tunnel
[fw1]interface tunnel 1 //enter tunnel interface 1
[fw1-Tunnel1]tunnel-protocol gre //set the tunnel encapsulation protocol to GRE
[fw1-Tunnel1]source 100.1.1.2 //local source address (public network)
[fw1-Tunnel1]destination 200.1.1.2 //peer destination address (public network)
[fw1-Tunnel1]gre key 123456 //configure key verification
[fw1-Tunnel1]gre checksum //configure checksum verification
[fw1-Tunnel1]keepalive //configure the keepalive mechanism
[fw1-Tunnel1]quit
The GRE key and checksum only identify the tunnel and integrity-check its carrier header; GRE itself provides no encryption, so the traffic crossing the ISP network travels in the clear.

Configure routing to the peer (OSPF)
[fw1]ospf 1 //create OSPF process 1
[fw1-ospf-1]area 0 //configure the backbone area
[fw1-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234 //set MD5 authentication with an encrypted password
[fw1-ospf-1-area-0.0.0.0]network 172.16.10.0 0.0.0.255 //advertise the participating networks
[fw1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[fw1-ospf-1-area-0.0.0.0]quit
[fw1-ospf-1]quit

Configure the default route
[fw1]ip route-static 0.0.0.0 0.0.0.0 100.1.1.1 //default route; the next hop is the gateway address provided by the ISP

Configure NAT (Easy IP)
[fw1]nat-policy
[fw1-policy-nat]rule name zurkj
[fw1-policy-nat-rule-zurkj]source-zone trust
[fw1-policy-nat-rule-zurkj]destination-zone untrust
[fw1-policy-nat-rule-zurkj]source-address range 192.168.10.200 192.168.10.254
[fw1-policy-nat-rule-zurkj]action source-nat easy-ip
[fw1-policy-nat-rule-zurkj]quit
[fw1-policy-nat]quit

Configure the interzone security policy
[fw1]security-policy
[fw1-policy-security]rule name td-dt
[fw1-policy-security-rule-td-dt]source-zone trust dmz
[fw1-policy-security-rule-td-dt]destination-zone dmz trust
[fw1-policy-security-rule-td-dt]action permit
[fw1-policy-security-rule-td-dt]quit
[fw1-policy-security]rule name lu-ul
[fw1-policy-security-rule-lu-ul]source-zone local untrust
[fw1-policy-security-rule-lu-ul]destination-zone untrust local
[fw1-policy-security-rule-lu-ul]service gre
[fw1-policy-security-rule-lu-ul]action permit
[fw1-policy-security-rule-lu-ul]quit
[fw1-policy-security]rule name t-u
[fw1-policy-security-rule-t-u]source-zone trust
[fw1-policy-security-rule-t-u]destination-zone untrust
[fw1-policy-security-rule-t-u]action permit
[fw1-policy-security-rule-t-u]quit
[fw1-policy-security]quit

FW2 is a mirror configuration, identical to FW1.
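Two points in this walkthrough are easy to get wrong and worth checking offline before pushing a config: the DHCP pool leases .2-.199 while the Easy-IP rule only translates .200-.254 (the symptom described in the DHCP note), and the security policy must carry an explicit local<->untrust GRE rule or the tunnel carrier packets are dropped. The script below is an added example, not code from the original post or from Huawei; it parses a constructed excerpt of the FW1 configuration (CLI prompts stripped, indentation as the running config would show it) and reports both. The parser, the first-match rule model and the interzone default of deny are this example's own assumptions about how the firewall behaves.

```python
"""Offline checker for the FW1 configuration above (added example, not from the post).
1. Which DHCP-leasable addresses fall outside every NAT source range?
2. Which zone-to-zone flows do the security-policy rules permit?
"""
import ipaddress
import re

# Constructed excerpt of FW1's configuration with the CLI prompts removed.
FW1_CONFIG = """
ip pool pc1
 gateway-list 192.168.10.1
 network 192.168.10.0 mask 24
 excluded-ip-address 192.168.10.200 192.168.10.254
nat-policy
 rule name zurkj
  source-zone trust
  destination-zone untrust
  source-address range 192.168.10.200 192.168.10.254
  action source-nat easy-ip
security-policy
 rule name td-dt
  source-zone trust dmz
  destination-zone dmz trust
  action permit
 rule name lu-ul
  source-zone local untrust
  destination-zone untrust local
  service gre
  action permit
 rule name t-u
  source-zone trust
  destination-zone untrust
  action permit
"""


def ip_range(start, end):
    """Inclusive set of addresses from start to end."""
    a, b = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    return {ipaddress.ip_address(i) for i in range(a, b + 1)}


def dhcp_assignable(config):
    """Addresses the pool may lease: network hosts minus gateway and excluded ranges."""
    network, gateways, excluded = None, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"network (\S+) mask (\S+)$", line):
            network = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"gateway-list (.+)$", line):
            gateways |= {ipaddress.ip_address(a) for a in m[1].split()}
        elif m := re.match(r"excluded-ip-address (\S+)(?: (\S+))?$", line):
            excluded |= ip_range(m[1], m[2] or m[1])
    if network is None:
        raise ValueError("no DHCP pool network in config")
    return set(network.hosts()) - gateways - excluded


def nat_sources(config):
    """Union of every source-address range or subnet named in NAT rules."""
    covered = set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"source-address range (\S+) (\S+)$", line):
            covered |= ip_range(m[1], m[2])
        elif m := re.match(r"source-address (\S+) (?:mask )?(\S+)$", line):
            covered |= set(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False).hosts())
    return covered


def unnatted_dhcp_addresses(config):
    """Leases that would leave the firewall untranslated: the failure in the post."""
    return sorted(dhcp_assignable(config) - nat_sources(config))


def security_rules(config):
    """Ordered security-policy rules; zone lists become sets, service None means any."""
    rules, rule, in_policy = [], None, False
    for line in config.splitlines():
        s = line.strip()
        if s == "security-policy":
            in_policy = True
        elif in_policy and not line.startswith(" "):
            in_policy = False  # left the security-policy view
        elif in_policy and (m := re.match(r"rule name (\S+)$", s)):
            rule = {"name": m[1], "src": set(), "dst": set(), "service": None, "action": None}
            rules.append(rule)
        elif in_policy and rule is not None:
            key, _, rest = s.partition(" ")
            if key == "source-zone":
                rule["src"] |= set(rest.split())
            elif key == "destination-zone":
                rule["dst"] |= set(rest.split())
            elif key == "service":
                rule["service"] = rest
            elif key == "action":
                rule["action"] = rest
    return rules


def lookup(rules, src_zone, dst_zone, service):
    """First matching rule wins; with no match the assumed interzone default (deny) applies."""
    for r in rules:
        if src_zone in r["src"] and dst_zone in r["dst"] and r["service"] in (None, service):
            return r["action"], r["name"]
    return "deny", "default"


if __name__ == "__main__":
    missing = unnatted_dhcp_addresses(FW1_CONFIG)
    print(f"{len(missing)} DHCP-leasable addresses are never NATed: {missing[0]} .. {missing[-1]}")
    rules = security_rules(FW1_CONFIG)
    for flow in [("trust", "dmz", "any"), ("local", "untrust", "gre"),
                 ("local", "untrust", "icmp"), ("untrust", "trust", "http")]:
        print(flow, "->", lookup(rules, *flow))
```

Because a zone list such as `source-zone trust dmz` / `destination-zone dmz trust` is matched as a set, one rule covers both directions, which is why `td-dt` and `lu-ul` each permit a pair of zones. Widening the NAT rule's `source-address` to the pool's whole subnet makes `unnatted_dhcp_addresses` return an empty list, and removing the `lu-ul` rule turns the GRE lookup into the default deny.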