Scenario: Clients behind HQ and clients behind Branch need to reach each other. HQ and Branch each run OSPF with their own core switch, and the two sites run OSPF with each other over a GRE tunnel (carried inside IPsec) to advertise the client routes of both ends, so the clients can communicate. In addition, the HQ client PC3 can reach the public-network address 100.100.100.100.
Firewall configuration (HQ firewall, sysname A):
#
 sysname A
#
acl number 3000  // IPsec interesting traffic. The addresses are the two GRE tunnel endpoints, so the ACL matches the GRE-encapsulated packets between them, i.e. everything carried in the tunnel. "permit gre" instead of "permit ip" would be the tighter match.
 rule 5 permit ip source 100.0.0.2 0 destination 200.0.0.2 0
#
ipsec proposal A_B  // IPsec proposal. Encapsulation mode is tunnel mode and the security protocol is ESP; both are defaults, so they are not displayed.
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ike proposal 1  // IKE proposal. authentication-algorithm is the IKEv1 hash; integrity-algorithm and prf are the IKEv2 equivalents.
 encryption-algorithm aes-256
 dh group16
 authentication-algorithm sha2-512
 authentication-method pre-share
 integrity-algorithm hmac-sha2-512
 prf hmac-sha2-512
#
ike peer A  // IKE peer. The pre-shared key is shown in the device's cipher form; that ciphertext is bound to this unit, so the Branch firewall must be given the same key in plaintext, not this string.
 pre-shared-key %^%#glANCEF9v&t}}(;!Esd(B}"V<;WDT@pxei&zBy;<%^%#
 ike-proposal 1
 remote-address 200.0.0.2
#
ipsec policy A_B 1 isakmp  // IPsec policy (IKE-negotiated)
 security acl 3000
 ike-peer A
 proposal A_B
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.0.0.2 255.255.255.252
 service-manage ping permit
 ipsec policy A_B  // Apply the IPsec policy on the physical outbound interface. In this scenario it cannot be applied on the Tunnel interface: ACL 3000 describes the outer, GRE-encapsulated packets, which only exist once the traffic leaves through the physical interface.
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 192.168.100.1 255.255.255.252
 service-manage ping permit
#
interface Tunnel0  // Logical interface for the GRE tunnel
 ip address 10.0.12.1 255.255.255.252
 tunnel-protocol gre
 source 100.0.0.2
 destination 200.0.0.2
 gre key cipher %^%#v(`f',AH-Uy/SAL\~"C0|UOFK]:KoYQF4-#*R&gG%^%#  // GRE key (device cipher form). It is only a 32-bit tunnel identifier that both ends must agree on, not a cryptographic protection; confidentiality and integrity come from the IPsec layer.
 service-manage ping permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/6
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface Tunnel0  // Tunnel0 sits in Untrust, so traffic arriving through the tunnel is still subject to the Untrust-to-Trust security policy below.
#
ospf 1
 area 0.0.0.0
  network 10.0.12.0 0.0.0.3  // tunnel subnet: forms the OSPF adjacency with Branch across the GRE tunnel
  network 192.168.100.0 0.0.0.3  // link to the HQ core switch
#
ip route-static 0.0.0.0 0.0.0.0 100.0.0.1
ip route-static 200.0.0.2 255.255.255.255 100.0.0.1  // host route to the Branch public address (the IPsec/GRE peer)
#
security-policy
 rule name Local_Untrust  // Allow the firewall itself (Local zone) to reach Untrust; needed for its own IKE, ESP and GRE traffic toward Branch
  source-zone local
  destination-zone untrust
  action permit
 rule name Untrust_Local  // Allow the Branch FW (200.0.0.2) to reach the HQ FW (100.0.0.2): IKE/ESP/GRE arriving from the peer's public address
  source-zone untrust
  destination-zone local
  source-address 200.0.0.2 mask 255.255.255.255
  destination-address 100.0.0.2 mask 255.255.255.255
  action permit
 rule name Trust_Untrust  // Allow HQ clients to reach the Internet (Tunnel0 is in Untrust, so this rule also covers HQ-to-Branch traffic entering the tunnel)
  source-zone trust
  destination-zone untrust
  action permit
 rule name Untrust_Trust_Permit  // Allow Branch clients (192.168.20.0/24) to reach HQ clients (192.168.10.0/24). Keep it pinned to these addresses: an any-any permit here would open the HQ LAN to the whole Untrust zone, not just to the tunnel.
  source-zone untrust
  destination-zone trust
  source-address 192.168.20.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
 rule name Untrust_Local_IPsec  // Allow traffic from the Branch tunnel endpoint (10.0.12.2) to the HQ tunnel endpoint (10.0.12.1), i.e. GRE-decapsulated traffic addressed to this firewall. GRE has no negotiation of its own; what this rule admits is inner traffic between the two tunnel ends.
  source-zone untrust
  destination-zone local
  source-address 10.0.12.2 mask 255.255.255.255
  destination-address 10.0.12.1 mask 255.255.255.255
  action permit
#
nat-policy
 rule name Trust_Untrust_NO-NAT  // NO-NAT rule so that HQ-to-Branch traffic is not translated. nat-policy is matched top-down, so this rule must stay above the SNAT rule; otherwise HQ sources would be rewritten to the outbound interface address and Branch would no longer see 192.168.10.0/24.
  source-zone trust
  destination-zone untrust
  destination-address 192.168.20.0 mask 255.255.255.0
  action no-nat
 rule name Trust_Untrust_SNAT  // SNAT (easy-ip, outbound interface address) for HQ clients reaching the Internet
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#
return
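The script below is an added example, not part of the original page and not a Huawei tool. It parses a trimmed copy of the HQ configuration above (constructed from the page; the nat-policy zone lines are left out to keep it short) and checks the three points the comments single out: the interesting-traffic ACL covers the GRE tunnel endpoints, the ipsec policy sits on the physical egress interface rather than on Tunnel0, and the NO-NAT rule precedes the easy-ip SNAT rule. The function names, the section parser and the hostmask handling are the example's own assumptions about the display format, not a Huawei API.

```python
import ipaddress
import re

# Constructed sample: the HQ firewall (sysname A) config from the page, cut down to the sections the checks read.
CONFIG = """\
acl number 3000
 rule 5 permit ip source 100.0.0.2 0 destination 200.0.0.2 0
#
ipsec policy A_B 1 isakmp
 security acl 3000
#
interface GigabitEthernet1/0/0
 ip address 100.0.0.2 255.255.255.252
 ipsec policy A_B
#
interface Tunnel0
 tunnel-protocol gre
 source 100.0.0.2
 destination 200.0.0.2
#
nat-policy
 rule name Trust_Untrust_NO-NAT
  destination-address 192.168.20.0 mask 255.255.255.0
  action no-nat
 rule name Trust_Untrust_SNAT
  action source-nat easy-ip
#
"""
ACL_RULE = re.compile(r"rule \d+ permit (\S+) source (\S+)(?: ([\d.]+))? destination (\S+)(?: ([\d.]+))?$")

def parse_sections(text):
    """Split a Huawei-style config on its bare '#' lines into blocks of stripped lines (index 0 = header)."""
    blocks = ([l.strip() for l in b.splitlines() if l.strip()] for b in re.split(r"(?m)^#$", text))
    return [b for b in blocks if b]

def find_section(sections, *head):
    return next(s for s in sections if s[0].split()[:len(head)] == list(head))

def rules_of(section):
    """Split a nat-policy or security-policy block into its 'rule name ...' sub-blocks, in order."""
    rules = []
    for line in section[1:]:
        if line.startswith("rule name "):
            rules.append([])
        if rules:
            rules[-1].append(line)
    return rules

def acl_network(addr, wildcard):
    """Huawei ACL 'addr wildcard' -> network ('0' or no wildcard = host, 'any' = everything)."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # The wildcard is a hostmask; ipaddress would read 0.0.0.0 as a /0 netmask, so invert it explicitly.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address("0.0.0.0" if wildcard in (None, "0") else wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def gre_tunnel(sections):
    """(interface name, tunnel source, tunnel destination) of the GRE Tunnel interface."""
    sec = next(s for s in sections if s[0].startswith("interface Tunnel") and "tunnel-protocol gre" in s)
    ends = {l.split()[0]: l.split()[1] for l in sec[1:] if l.split()[0] in ("source", "destination")}
    return sec[0].split()[1], ends["source"], ends["destination"]

def check_acl_covers_tunnel(sections):
    """The ACL bound to the IPsec policy must permit the outer GRE packets (tunnel source -> destination)
    as ip or gre; anything the ACL does not match is forwarded without IPsec protection."""
    _, src, dst = gre_tunnel(sections)
    acl_id = next(l.split()[2] for l in find_section(sections, "ipsec", "policy") if l.startswith("security acl "))
    for line in find_section(sections, "acl", "number", acl_id)[1:]:
        m = ACL_RULE.match(line)
        if m and m.group(1) in ("ip", "gre") and ipaddress.ip_address(src) in acl_network(m.group(2), m.group(3)) \
                and ipaddress.ip_address(dst) in acl_network(m.group(4), m.group(5)):
            return True
    return False

def check_ipsec_on_physical_egress(sections):
    """'ipsec policy' belongs on the physical interface that owns the tunnel source, not on the Tunnel
    interface: the ACL describes the already GRE-encapsulated packets, which only exist on the physical egress."""
    tun, src, _ = gre_tunnel(sections)
    for sec in sections:
        if sec[0].startswith("interface ") and any(l.startswith("ipsec policy ") for l in sec[1:]):
            return sec[0].split()[1] != tun and any(l.startswith(f"ip address {src} ") for l in sec)
    return False

def check_no_nat_before_snat(sections, remote_lan):
    """nat-policy is matched top-down: the no-nat rule for the remote LAN must come before the first
    source-nat rule, otherwise site-to-site traffic is source-translated before it enters the tunnel."""
    for rule in rules_of(find_section(sections, "nat-policy")):
        if any(l.startswith("action source-nat") for l in rule):
            return False
        if "action no-nat" in rule and any(
                ipaddress.ip_network(f"{d[1]}/{d[3]}") == remote_lan
                for d in (l.split() for l in rule if l.startswith("destination-address "))):
            return True
    return False

def audit(text, remote_lan="192.168.20.0/24"):
    sections = parse_sections(text)
    return {"acl_covers_tunnel": check_acl_covers_tunnel(sections),
            "ipsec_on_physical_egress": check_ipsec_on_physical_egress(sections),
            "no_nat_before_snat": check_no_nat_before_snat(sections, ipaddress.ip_network(remote_lan))}
```

Run `audit(CONFIG)` on the page's configuration and all three checks come back True; moving the `ipsec policy A_B` line under `interface Tunnel0`, swapping the two nat-policy rules, or pointing ACL 3000 at the inner tunnel addresses (10.0.12.x) each flips the corresponding check to False, which is the quickest way to see why the comments on those lines matter.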
Test results: