Firewall HA Configuration

Topology diagram:

創(chuàng)新互聯(lián)專注于企業(yè)全網(wǎng)整合營(yíng)銷推廣、網(wǎng)站重做改版、羅田網(wǎng)站定制設(shè)計(jì)、自適應(yīng)品牌網(wǎng)站建設(shè)、H5場(chǎng)景定制、成都商城網(wǎng)站開發(fā)、集團(tuán)公司官網(wǎng)建設(shè)、成都外貿(mào)網(wǎng)站建設(shè)、高端網(wǎng)站制作、響應(yīng)式網(wǎng)頁(yè)設(shè)計(jì)等建站業(yè)務(wù),價(jià)格優(yōu)惠性價(jià)比高,為羅田等各大城市提供網(wǎng)站開發(fā)制作服務(wù)。

# Firewall HA configuration:
1. Configure the interface addresses and VRRP groups on the active and standby firewalls, and enable active/standby synchronization.
Configuration:
#FW1
Configure interface addresses:
interface GigabitEthernet1/0/1
description BOTH
undo shutdown
ip address 10.10.0.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
description TO-UP
undo shutdown
ip address 1.1.1.2 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 active
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/3
description TO-DOWN
undo shutdown
ip address 10.3.0.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.2 active
service-manage ping permit
# Add the interfaces to their zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
# Enable active/standby synchronization (HRP):
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
#FW2
Configure interface addresses:
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.0.2 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.3 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 standby
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.2 standby
service-manage ping permit
# Add the interfaces to their zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
# Enable active/standby synchronization (HRP):
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.1
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3

Note: the virtual IP address of a VRRP group does not have to be in the same subnet as the interface's physical address.
It is configured as follows:
vrrp vrid 1 virtual-ip 10.3.0.2 255.255.255.0 standby
That is, a virtual IP in the same subnet is written without a mask, while a virtual IP in a different subnet must be written with a mask.
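As an added example (not from the original page), a small Python cross-check of the two peers' configurations: it parses the interface addresses, VRRP groups and `hrp interface ... remote` lines from both firewalls and flags a VRRP group with two actives or two standbys, a virtual-ip mismatch, or a heartbeat `remote` that is not the peer's real address on that interface. The FW1/FW2 strings are constructed excerpts of the configs shown above, and the parser assumes only the command syntax used on this page.

```python
import re

# Constructed excerpts of the FW1/FW2 configs on this page, trimmed to the lines the
# checker reads: interface addresses, VRRP groups and the HRP heartbeat line.
FW1 = """interface GigabitEthernet1/0/1
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet1/0/3
 ip address 10.3.0.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.2 active
hrp interface GigabitEthernet1/0/1 remote 10.10.0.2"""
FW2 = """interface GigabitEthernet1/0/1
 ip address 10.10.0.2 255.255.255.0
interface GigabitEthernet1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.2 standby
hrp interface GigabitEthernet1/0/1 remote 10.10.0.1"""
# The mask between the virtual IP and the role is optional (see the note on VRRP above).
VRRP = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+)(?: \S+)? (active|standby)$")

def parse(cfg):
    """Return (interface -> real IP, vrid -> (virtual IP, role), (hrp interface, remote IP))."""
    ips, vrrp, hrp, cur = {}, {}, None, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            cur = tok[1]
        elif tok[:2] == ["ip", "address"]:
            ips[cur] = tok[2]
        elif tok[:1] == ["vrrp"]:
            m = VRRP.match(line.strip())
            vrrp[int(m.group(1))] = (m.group(2), m.group(3))
        elif tok[:2] == ["hrp", "interface"]:
            hrp = (tok[2], tok[4])
    return ips, vrrp, hrp

def check_pair(cfg_a, cfg_b):
    """Cross-check two HRP peers; an empty list means the pair is consistent."""
    (ips_a, vr_a, hrp_a), (ips_b, vr_b, hrp_b) = parse(cfg_a), parse(cfg_b)
    problems = [f"vrid {v}: defined on only one peer" for v in sorted(vr_a.keys() ^ vr_b.keys())]
    for vrid in sorted(vr_a.keys() & vr_b.keys()):
        (vip_a, role_a), (vip_b, role_b) = vr_a[vrid], vr_b[vrid]
        if vip_a != vip_b:
            problems.append(f"vrid {vrid}: virtual-ip mismatch {vip_a} vs {vip_b}")
        if {role_a, role_b} != {"active", "standby"}:   # two actives = split brain, two standbys = no VIP
            problems.append(f"vrid {vrid}: roles {role_a}/{role_b}, need one active and one standby")
    for name, hrp, peer_ips in (("A", hrp_a, ips_b), ("B", hrp_b, ips_a)):
        if hrp is None or peer_ips.get(hrp[0]) != hrp[1]:   # remote must be the peer's real address
            problems.append(f"{name}: hrp remote does not match the peer's address on the heartbeat interface")
    return problems
```

Run `check_pair(FW1, FW2)` before committing a change on either peer; a non-empty result is what would show up later as a split-brain or a heartbeat that never comes up.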

2. With the above configuration complete, configuration synchronization between the firewalls is enabled.
# Configure the security policies and the IPsec ***.
# Configure security policies
security-policy
rule name 1                                        heartbeat link policy
source-zone dmz
source-zone local
destination-zone dmz
destination-zone local
action permit
rule name 2                                        *** interaction access policy
source-zone local
source-zone trust
destination-zone untrust
source-address 1.1.1.0 mask 255.255.255.0
source-address 10.3.0.0 mask 255.255.0.0
destination-address 10.4.1.0 mask 255.255.255.0
destination-address 4.4.4.0 mask 255.255.255.0
action permit
rule name 3                                        *** interaction response policy
source-zone local
source-zone untrust
destination-zone local
destination-zone trust
source-address 4.4.4.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
action permit
Note: at this point FW1 receives packets already encrypted by IPsec, whose source and destination IPs are the addresses of the two tunnel endpoints. For the security policy to match strictly, a rule like rule 3 must be configured.
#
# Configure IPsec:
#
acl number 3000
rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.4.1.0 0.0.0.255
#
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer any
pre-shared-key Admin@123
ike-proposal 10
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy-template policy1 1             the main end uses a policy template to establish the ***
security acl 3000
ike-peer any
proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.3 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 standby
service-manage ping permit
ipsec policy map1
#
3. Configure the NAT policy
Configure the address pool
#
nat address-group 1 0
mode pat
section 0 1.1.1.1 1.1.1.1
#
Configure the NAT policy:
#
nat-policy
rule name 1
source-zone trust
destination-zone untrust
source-address 10.1.3.0 0.0.0.255
source-address 10.3.0.0 mask 255.255.255.0
destination-address 10.4.1.0 0.0.0.255
destination-address 10.4.1.0 mask 255.255.255.0
action no-nat
rule name nat
source-zone trust
destination-zone untrust
action source-nat address-group 1
#

Source: http://www.muchs.cn/article26/pieicg.html