Topology diagram:
#Firewall HA configuration:
1. Configure the interface addresses and VRRP groups on the active and standby firewalls, and enable active/standby synchronization.
The configuration is as follows:
#FW1
Configure the interface addresses:
interface GigabitEthernet1/0/1
description BOTH
undo shutdown
ip address 10.10.0.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
description TO-UP
undo shutdown
ip address 1.1.1.2 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 active
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/3
description TO-DOWN
undo shutdown
ip address 10.3.0.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.2 active
service-manage ping permit
#Add the interfaces to their zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#Enable active/standby synchronization:
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
#FW2
Configure the interface addresses:
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.0.2 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.3 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 standby
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.2 standby
service-manage ping permit
#Add the interfaces to their zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#Enable active/standby synchronization:
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.1
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
PS: The virtual IP address of a VRRP group does not have to be in the same subnet as the physical interface address.
It is configured as:
vrrp vrid 1 virtual-ip 10.3.0.2 255.255.255.0 standby
That is, a virtual IP in the same subnet needs no mask, while a virtual IP in a different subnet must be configured together with its mask.
2. Once the above is in place, configuration synchronization between the firewalls is active.
#Configure the security policy and IPsec ***.
#Configure the security policy
security-policy
#Heartbeat-link policy
rule name 1
source-zone dmz
source-zone local
destination-zone dmz
destination-zone local
action permit
#*** interaction access policy
rule name 2
source-zone local
source-zone trust
destination-zone untrust
source-address 1.1.1.0 mask 255.255.255.0
source-address 10.3.0.0 mask 255.255.0.0
destination-address 10.4.1.0 mask 255.255.255.0
destination-address 4.4.4.0 mask 255.255.255.0
action permit
#*** interaction response policy
rule name 3
source-zone local
source-zone untrust
destination-zone local
destination-zone trust
source-address 4.4.4.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
action permit
PS: At this point FW1 receives packets already encrypted by IPsec; their source and destination IPs are the tunnel endpoint addresses. For the security policy to match strictly, a rule such as rule 3 must be configured.
#
#Configure IPsec:
#
acl number 3000
rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.4.1.0 0.0.0.255
#
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer any
pre-shared-key Admin@123
ike-proposal 10
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
#The headend uses a policy template to establish the ***
ipsec policy-template policy1 1
security acl 3000
ike-peer any
proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.3 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 standby
service-manage ping permit
ipsec policy map1
#
3. Configure the NAT policy
Configure the address pool
#
nat address-group 1 0
mode pat
section 0 1.1.1.1 1.1.1.1
#
Configure the NAT policy:
#
nat-policy
rule name 1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.255.0
destination-address 10.4.1.0 mask 255.255.255.0
action no-nat
rule name nat
source-zone trust
destination-zone untrust
action source-nat address-group 1
#
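Two of the invariants in the configuration above are easy to get wrong when two boxes and three features are edited by hand: each VRRP group must carry the same virtual IP on both firewalls with complementary roles, and the no-nat rule must sit above the source-nat rule so traffic matching acl 3000 is not translated to 1.1.1.1 before IPsec sees it. The following is an added example, not code from the original post: it parses Huawei-style CLI text with regular expressions and checks both points. The FW1, FW2 and NAT_POLICY strings are constructed from the page's snippets.

```python
# Added example (not from the original post): consistency checks over the HA and
# NAT configuration shown above; config strings are constructed from the page.
import ipaddress
import re

FW1 = """interface GigabitEthernet1/0/2
 vrrp vrid 2 virtual-ip 1.1.1.1 active
interface GigabitEthernet1/0/3
 vrrp vrid 1 virtual-ip 10.3.0.2 active"""
FW2 = """interface GigabitEthernet1/0/2
 vrrp vrid 2 virtual-ip 1.1.1.1 standby
interface GigabitEthernet1/0/3
 vrrp vrid 1 virtual-ip 10.3.0.2 standby"""
NAT_POLICY = """nat-policy
 rule name 1
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.4.1.0 mask 255.255.255.0
  action no-nat
 rule name nat
  action source-nat address-group 1"""
# The flow protected by acl 3000 on the page.
TUNNEL_SRC = ipaddress.ip_network("10.3.0.0/24")
TUNNEL_DST = ipaddress.ip_network("10.4.1.0/24")

def vrrp_groups(cfg):
    """vrid -> (virtual-ip, role) for every 'vrrp vrid N virtual-ip IP ROLE' line."""
    return {int(v): (vip, role) for v, vip, role in
            re.findall(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", cfg)}

def check_vrrp_pair(cfg_a, cfg_b):
    """Both nodes define the same vrids with identical virtual IPs and one active each."""
    a, b = vrrp_groups(cfg_a), vrrp_groups(cfg_b)
    return a.keys() == b.keys() and all(
        a[v][0] == b[v][0] and {a[v][1], b[v][1]} == {"active", "standby"} for v in a)

def nat_exempts_tunnel(nat_cfg, src, dst):
    """nat-policy rules are evaluated top-down: the first rule that matches the IPsec
    flow must be no-nat, or the source is translated and stops matching acl 3000."""
    for rule in re.split(r"\n rule name \S+\n", nat_cfg)[1:]:
        srcs = [ipaddress.ip_network(f"{a}/{m}") for a, m in
                re.findall(r"source-address (\S+) mask (\S+)", rule)]
        dsts = [ipaddress.ip_network(f"{a}/{m}") for a, m in
                re.findall(r"destination-address (\S+) mask (\S+)", rule)]
        # A rule with no address clause matches any address, like the page's rule "nat".
        if ((not srcs or any(src.subnet_of(n) for n in srcs))
                and (not dsts or any(dst.subnet_of(n) for n in dsts))):
            return re.search(r"action (\S+)", rule).group(1) == "no-nat"
    return False
```

Feeding the two running configurations (from `display current-configuration`) into these functions turns the cross-device review into a pass/fail check that can be rerun after every change.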