防火墙实例:配置基于静态路由的GRE隧道

small_Sun

 关注

阅读 61

2022-05-12

FW1和FW2通过Internet相连,两者公网路由可达。10.1.1.0/24和10.1.2.0/24是两个私有的IP网络段,通过在两台FW之间建立GRE隧道实现两个私有IP网络互联

防火墙实例:配置基于静态路由的GRE隧道_安全域

实验规划表

设施

配置方式

详情

[FW1]

接口配置

接口:GigabitEthernet 1/0/1

ip:1.1.1.1/24

安全域:untrust[非信任区域]

接口:GigabitEthernet 1/0/2

ip:10.1.1.1/24

安全域:trust[信任区域]

GRE配置

接口名称:Tunnel 1

ip:172.16.1.1/24

源地址:1.1.1.1/24

目的地址:5.5.5.5/24

安全域:dmz[非军事化区域]

隧道识别关键字:123456

[FW2]

接口配置

接口:GigabitEthernet 1/0/1

ip:5.5.5.5/24

安全域:untrust[非信任区域]

接口:GigabitEthernet 1/0/2

ip:10.1.2.1/24

安全域:trust[信任区域]

GRE配置

接口名称:Tunnel 1

ip:172.16.1.2/24

源地址:5.5.5.5/24

目的地址:1.1.1.1/24

安全域:dmz[非军事化区域]

隧道识别关键字:123456

配置FW1

#配置ip及安全域
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 1.1.1.1 24
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.1 24
[FW1-GigabitEthernet1/0/2]quit
#配置安全域
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]quit
#配置tunnel的封装及配置ip地址安全域
[FW1]interface Tunnel 1
FW1-Tunnel1]tunnel-protocol gre 
[FW1-Tunnel1]source 1.1.1.1
[FW1-Tunnel1]destination 5.5.5.5
[FW1-Tunnel1]gre key cipher 123456
[FW1-Tunnel1]ip address 172.16.1.1 24
[FW1-Tunnel1]quit
[FW1]firewall zone dmz 
[FW1-zone-dmz]add interface Tunnel 1
[FW1-zone-dmz]quit 
#配置路由,将需要经过GRE隧道传输的流量引入到GRE隧道中
[FW1]ip route-static 10.1.2.0 24 Tunnel 1
#配置域间安全策略
#配置Trust域和DMZ的域间安全策略,允许封装前的报文通过域间安全策略
[FW1]security-policy
[FW1-policy-security]rule name policy1
[FW1-policy-security-rule-policy1]source-zone trust dmz 
[FW1-policy-security-rule-policy1]destination-zone dmz trust
[FW1-policy-security-rule-policy1]action permit
[FW1-policy-security-rule-policy1]quit
[FW1-policy-security]quit
#配置Local和Untrust的域间安全策略,允许封装后的GRE报文通过域间安全策略
[FW1]security-policy
[FW1-policy-security]rule name policy2
[FW1-policy-security-rule-policy2]source-zone local untrust
[FW1-policy-security-rule-policy2]destination-zone untrust local
[FW1-policy-security-rule-policy2]service gre
[FW1-policy-security-rule-policy2]action permit
[FW1-policy-security-rule-policy2]quit
#配置去往10.1.2.0路由下一跳为172.16.1.2
[FW1]ip route-static 10.1.2.0 24 172.16.1.2

配置FW2

#配置ip及安全域
[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]ip address 5.5.5.5 24
[FW2-GigabitEthernet1/0/1]quit
[FW2]interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2]ip address 10.1.2.1 24
[FW2-GigabitEthernet1/0/2]quit
#配置安全域
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1
[FW2-zone-untrust]quit
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/2
[FW2-zone-trust]quit
#配置tunnel的封装及配置ip地址安全域
[FW2]interface Tunnel 1
[FW2-Tunnel1]tunnel-protocol gre 
[FW2-Tunnel1]source 5.5.5.5
[FW2-Tunnel1]destination 1.1.1.1
[FW2-Tunnel1]gre key cipher 123456
[FW2-Tunnel1]ip address 172.16.1.2 24
[FW2-Tunnel1]quit
[FW2]firewall zone dmz 
[FW2-zone-dmz]add interface Tunnel 1
[FW2-zone-dmz]quit 
#配置路由,将需要经过GRE隧道传输的流量引入到GRE隧道中
[FW2]ip route-static 10.1.1.0 24 Tunnel 1
#配置域间安全策略
#配置Trust域和DMZ的域间安全策略,允许封装前的报文通过域间安全策略
[FW2]security-policy
[FW2-policy-security]rule name policy1
[FW2-policy-security-rule-policy1]source-zone trust dmz 
[FW2-policy-security-rule-policy1]destination-zone dmz trust
[FW2-policy-security-rule-policy1]action permit
[FW2-policy-security-rule-policy1]quit
[FW2-policy-security]quit
#配置Local和Untrust的域间安全策略,允许封装后的GRE报文通过域间安全策略
[FW2]security-policy
[FW2-policy-security]rule name policy2
[FW2-policy-security-rule-policy2]source-zone local untrust
[FW2-policy-security-rule-policy2]destination-zone untrust local
[FW2-policy-security-rule-policy2]service gre
[FW2-policy-security-rule-policy2]action permit
[FW2-policy-security-rule-policy2]quit
#配置去往10.1.1.0路由下一跳为172.16.1.1
[FW2]ip route-static 10.1.1.0 24 172.16.1.1

配置Internet

[Huawei]sysname Internet
[Internet]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]ip address 1.1.1.254 24
[Internet-GigabitEthernet0/0/1]quit
[Internet]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]ip address 5.5.5.254 24
[Internet-GigabitEthernet0/0/2]quit

结果验证

#在FW1上查看路由表可以看见去往10.1.2.0的出接口为Tunnel 1
[FW1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 11       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   1.1.1.254       GigabitEthernet
1/0/1
        1.1.1.0/24  Direct  0    0           D   1.1.1.1         GigabitEthernet
1/0/1
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
1/0/1
       10.1.1.0/24  Direct  0    0           D   10.1.1.1        GigabitEthernet
1/0/2
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
1/0/2
       10.1.2.0/24  Static  60   0           D   172.16.1.1      Tunnel1
                    Static  60   0          RD   172.16.1.2      Tunnel1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  Direct  0    0           D   172.16.1.1      Tunnel1
     172.16.1.1/32  Direct  0    0           D   127.0.0.1       Tunnel1

相关推荐

华为防火墙:配置基于静态路由的GRE隧道

小布_cvg 77 0 0

华为防火墙GRE隧道配置

飞鸟不急 239 0 0

配置基于静态路由的GRE隧道

三分梦_0bc3 112 0 0

FortiGate防火墙GRE隧道监控

洲行 91 0 0

防火墙基础之安全策略和GRE隧道

工程与房产肖律师 113 0 0

防火墙基于Ensp的基本配置(防火墙web登录)

闲鱼不咸_99f1 153 0 0

思科防火墙如何配置静态NAT

陌岛 18 0 0

华为防火墙vsys之虚拟防火墙配置

b91bff6ffdb5 277 0 0

pfSense防火墙配置Hurricane Electric IPv6隧道

一枚路过的程序猿 41 0 0

配置firewalld防火墙

kmoon_b426 196 0 0

精彩评论(0)

0 0 举报