Firewall HA Configuration

Topology diagram:


#Firewall HA configuration:
1. Configure the interface addresses and VRRP groups on the active and standby firewalls, and enable active/standby synchronization (HRP).
The configuration is as follows:
#FW1
Configure interface addresses:
interface GigabitEthernet1/0/1
description BOTH
undo shutdown
ip address 10.10.0.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
description TO-UP
undo shutdown
ip address 1.1.1.2 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 active
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/3
description TO-DOWN
undo shutdown
ip address 10.3.0.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.2 active
service-manage ping permit
#Add the interfaces to their zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#Enable active/standby synchronization:
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
#FW2
Configure interface addresses:
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.0.2 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.3 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 standby
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.2 standby
service-manage ping permit
#Add the interfaces to their zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#Enable active/standby synchronization:
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.1
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3

PS: The virtual IP address of a VRRP group does not have to be in the same subnet as the interface's physical address.
It is configured as:
vrrp vrid 1 virtual-ip 10.3.0.2 255.255.255.0 standby
That is, a virtual IP in the same subnet as the interface needs no mask, while a virtual IP in a different subnet must be configured together with its mask.

2. Once the above configuration is complete, configuration synchronization between the firewalls is active.
#Configure the security policy and IPsec ***.
#Configure the security policy
security-policy
# heartbeat-link policy
rule name 1
source-zone dmz
source-zone local
destination-zone dmz
destination-zone local
action permit
# *** access policy
rule name 2
source-zone local
source-zone trust
destination-zone untrust
source-address 1.1.1.0 mask 255.255.255.0
source-address 10.3.0.0 mask 255.255.0.0
destination-address 10.4.1.0 mask 255.255.255.0
destination-address 4.4.4.0 mask 255.255.255.0
action permit
# *** response policy
rule name 3
source-zone local
source-zone untrust
destination-zone local
destination-zone trust
source-address 4.4.4.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
action permit
PS: At this point FW1 receives packets that have been encrypted by IPsec; their source and destination IPs are the addresses of the two tunnel endpoints. If the security policy is to match strictly, a rule such as rule 3 must be configured.
#
#Configure IPsec:
#
acl number 3000
rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.4.1.0 0.0.0.255
#
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer any
pre-shared-key Admin@123
ike-proposal 10
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
# the hub end uses a policy template to establish the ***
ipsec policy-template policy1 1
security acl 3000
ike-peer any
proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.3 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 standby
service-manage ping permit
ipsec policy map1
#
3. Configure the NAT policy
Configure the address pool
#
nat address-group 1 0
mode pat
section 0 1.1.1.1 1.1.1.1
#
Configure the NAT policy:
#
nat-policy
rule name 1
source-zone trust
destination-zone untrust
source-address 10.1.3.0 0.0.0.255
source-address 10.3.0.0 mask 255.255.255.0
destination-address 10.4.1.0 0.0.0.255
destination-address 10.4.1.0 mask 255.255.255.0
action no-nat
rule name nat
source-zone trust
destination-zone untrust
action source-nat address-group 1
#
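
Both the security policy in step 2 and the NAT policy in step 3 are ordered first-match rule lists, which is why the article's two notes matter: the ESP packet reaching FW1 only passes because of rule 3, and the no-nat rule only spares the tunnel traffic because it is listed before the source-nat rule. The following Python model is an added example, not the article's or the vendor's code; it encodes the rules exactly as written above (zones, addresses in both mask and wildcard form, rule order) with a simplified evaluator that ignores services and other match fields, and evaluates three constructed packets.

```python
"""First-match evaluation of the article's security-policy and nat-policy.

Added example, not code from the article or the vendor. Rule names, zones
and addresses are the ones written above; the evaluator is a simplification
(zones and IPv4 addresses only, no services or other match fields).
"""
import ipaddress


def net(spec):
    """Convert an address spec as written in the policy to an ip_network.

    Accepts both forms used in the article: 'a.b.c.d mask M' and the
    wildcard form 'a.b.c.d W' (0 bits must match, 1 bits are ignored)."""
    parts = spec.split()
    if len(parts) == 1:
        return ipaddress.ip_network(parts[0] + "/32")
    if parts[1] == "mask":
        return ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
    mask = ".".join(str(255 - int(o)) for o in parts[1].split("."))
    return ipaddress.ip_network(f"{parts[0]}/{mask}", strict=False)


def rule(name, action, src_zones=(), dst_zones=(), src=(), dst=()):
    """One rule; an empty zone or address list means 'any'."""
    return {"name": name, "action": action,
            "src_zones": set(src_zones), "dst_zones": set(dst_zones),
            "src": [net(s) for s in src], "dst": [net(d) for d in dst]}


def matches(r, pkt):
    src_zone, dst_zone, src_ip, dst_ip = pkt
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return ((not r["src_zones"] or src_zone in r["src_zones"])
            and (not r["dst_zones"] or dst_zone in r["dst_zones"])
            and (not r["src"] or any(src_ip in n for n in r["src"]))
            and (not r["dst"] or any(dst_ip in n for n in r["dst"])))


def first_match(rules, pkt):
    """Rules are evaluated top-down; the first hit decides."""
    return next((r for r in rules if matches(r, pkt)), None)


# The security-policy from the article, in the order it is written.
SECURITY_POLICY = [
    rule("1", "permit", ("dmz", "local"), ("dmz", "local")),
    rule("2", "permit", ("local", "trust"), ("untrust",),
         src=("1.1.1.0 mask 255.255.255.0", "10.3.0.0 mask 255.255.0.0"),
         dst=("10.4.1.0 mask 255.255.255.0", "4.4.4.0 mask 255.255.255.0")),
    rule("3", "permit", ("local", "untrust"), ("local", "trust"),
         src=("4.4.4.0 mask 255.255.255.0",), dst=("1.1.1.0 mask 255.255.255.0",)),
]

# The nat-policy from the article; the no-nat rule precedes the source-nat rule.
NAT_POLICY = [
    rule("1", "no-nat", ("trust",), ("untrust",),
         src=("10.1.3.0 0.0.0.255", "10.3.0.0 mask 255.255.255.0"),
         dst=("10.4.1.0 0.0.0.255", "10.4.1.0 mask 255.255.255.0")),
    rule("nat", "source-nat", ("trust",), ("untrust",)),
]
NAT_POOL_ADDRESS = "1.1.1.1"  # address-group 1 holds the VRRP virtual IP


def security_decision(pkt, policy=SECURITY_POLICY):
    """(rule name, action); no hit falls through to the implicit deny."""
    r = first_match(policy, pkt)
    return (r["name"], r["action"]) if r else (None, "deny")


def nat_decision(pkt, policy=NAT_POLICY):
    """Source address after NAT: unchanged on no-nat or no hit, pool address otherwise."""
    r = first_match(policy, pkt)
    return NAT_POOL_ADDRESS if r and r["action"] == "source-nat" else pkt[2]


if __name__ == "__main__":
    # Constructed packets: (source zone, destination zone, source IP, destination IP)
    esp_in = ("untrust", "local", "4.4.4.4", "1.1.1.2")       # IPsec packet arriving at FW1
    tunnel = ("trust", "untrust", "10.3.0.10", "10.4.1.10")   # traffic that belongs in the tunnel
    internet = ("trust", "untrust", "10.3.0.10", "8.8.8.8")   # ordinary outbound traffic
    for label, pkt in (("esp_in", esp_in), ("tunnel", tunnel), ("internet", internet)):
        print(label, security_decision(pkt), nat_decision(pkt))
```

The tunnel traffic 10.3.0.10 to 10.4.1.10 hits security rule 2 and NAT rule 1 (no-nat), so it leaves untranslated; the ESP packet 4.4.4.4 to 1.1.1.2 in zone untrust to local hits rule 3 and would fall to the implicit deny if rule 3 were removed; reversing the two NAT rules would translate the tunnel traffic to 1.1.1.1 before it reaches the IPsec policy. Ordinary outbound traffic such as 10.3.0.10 to 8.8.8.8 would be translated by the "nat" rule but matches no security rule, because rule 2 as written only permits the two listed destination networks.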

Article source: https://www.cdcxhl.com/article26/pieicg.html
