Bootstrap

Huawei VPN technology (GRE tunnel between two USG firewalls)

1. Start the devices

2. Configure IP addresses

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.1.254 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 100.1.1.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit

[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 192.168.2.254 24
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 200.1.1.2 24
[FW2-GigabitEthernet1/0/1]service-manage ping permit

[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 100.1.1.2 24
[AR1-GigabitEthernet0/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 200.1.1.1 24

3. Configure the Tunnel interfaces (the tunnel source and destination are the firewalls' public-side addresses, and each side's destination is the other side's source)

[FW1]int Tunnel 0
[FW1-Tunnel0]ip add 172.16.1.1 24
[FW1-Tunnel0]tunnel-protocol gre
[FW1-Tunnel0]source 100.1.1.1
[FW1-Tunnel0]destination 200.1.1.2

[FW2]int Tunnel 0
[FW2-Tunnel0]ip add 172.16.1.2 24
[FW2-Tunnel0]tunnel-protocol gre
[FW2-Tunnel0]source 200.1.1.2
[FW2-Tunnel0]destination 100.1.1.1

4. Add the firewall interfaces to the specified zones (the Tunnel interface is placed in untrust together with the public-side interface)

[FW1]firewall zone trust
[FW1-zone-trust]add int g1/0/0
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/1
[FW1-zone-untrust]add int Tunnel 0

[FW2]firewall zone trust
[FW2-zone-trust]add int g1/0/0
[FW2-zone-trust]q
[FW2]firewall zone untrust
[FW2-zone-untrust]add int g1/0/1
[FW2-zone-untrust]add int Tunnel 0

5. Configure OSPF (underlay reachability between the two tunnel endpoints via AR1)

[FW1]ospf 1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255

[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

[FW2]ospf 1
[FW2-ospf-1]area 0
[FW2-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

6. Configure routing entries (static routes that send the remote private network into the tunnel)

[FW1]ip route-static 192.168.2.0 24 Tunnel 0
[FW2]ip route-static 192.168.1.0 24 Tunnel 0

7. Configure firewall security policies (local<->untrust permits the GRE packets the firewall itself sends and receives; trust<->untrust permits the private traffic entering and leaving the tunnel)

[FW1]security-policy
[FW1-policy-security]rule name local-untrust
[FW1-policy-security-rule-local-untrust]source-zone local
[FW1-policy-security-rule-local-untrust]destination-zone untrust
[FW1-policy-security-rule-local-untrust]source-address 100.1.1.0 0.0.0.255
[FW1-policy-security-rule-local-untrust]destination-address 200.1.1.0 0.0.0.255
[FW1-policy-security-rule-local-untrust]action permit
[FW1-policy-security-rule-local-untrust]q
[FW1-policy-security]rule name untrust-local
[FW1-policy-security-rule-untrust-local]source-zone untrust
[FW1-policy-security-rule-untrust-local]destination-zone local
[FW1-policy-security-rule-untrust-local]source-address 200.1.1.0 0.0.0.255
[FW1-policy-security-rule-untrust-local]destination-address 100.1.1.0 0.0.0.255
[FW1-policy-security-rule-untrust-local]action permit
[FW1-policy-security-rule-untrust-local]q
[FW1-policy-security]rule name trust-untrust
[FW1-policy-security-rule-trust-untrust]source-zone trust
[FW1-policy-security-rule-trust-untrust]destination-zone untrust
[FW1-policy-security-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255
[FW1-policy-security-rule-trust-untrust]action permit
[FW1-policy-security-rule-trust-untrust]q
[FW1-policy-security]rule name untrust-trust
[FW1-policy-security-rule-untrust-trust]source-zone untrust
[FW1-policy-security-rule-untrust-trust]destination-zone trust
[FW1-policy-security-rule-untrust-trust]action permit

[FW2]security-policy
[FW2-policy-security]rule name untrust-local
[FW2-policy-security-rule-untrust-local]source-zone untrust
[FW2-policy-security-rule-untrust-local]destination-zone local
[FW2-policy-security-rule-untrust-local]action permit
[FW2-policy-security-rule-untrust-local]q
[FW2-policy-security]rule name local-untrust
[FW2-policy-security-rule-local-untrust]source-zone local
[FW2-policy-security-rule-local-untrust]destination-zone untrust
[FW2-policy-security-rule-local-untrust]action permit
[FW2-policy-security-rule-local-untrust]q
[FW2-policy-security]rule name trust-untrust
[FW2-policy-security-rule-trust-untrust]source-zone trust
[FW2-policy-security-rule-trust-untrust]destination-zone untrust
[FW2-policy-security-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255
[FW2-policy-security-rule-trust-untrust]action permit
[FW2-policy-security-rule-trust-untrust]q
[FW2-policy-security]rule name untrust-trust
[FW2-policy-security-rule-untrust-trust]source-zone untrust
[FW2-policy-security-rule-untrust-trust]destination-zone trust
[FW2-policy-security-rule-untrust-trust]source-address 192.168.1.0 0.0.0.255
[FW2-policy-security-rule-untrust-trust]action permit

8. Configure NAT policies (easy-ip source NAT for private hosts going directly to the public network; tunnel traffic follows the Tunnel static route and is not translated)

[FW1]nat-policy
[FW1-policy-nat]rule name trust-untrust
[FW1-policy-nat-rule-trust-untrust]source-zone trust
[FW1-policy-nat-rule-trust-untrust]destination-zone untrust
[FW1-policy-nat-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255
[FW1-policy-nat-rule-trust-untrust]action source-nat easy-ip

[FW2]nat-policy
[FW2-policy-nat]rule name trust-untrust
[FW2-policy-nat-rule-trust-untrust]source-zone trust
[FW2-policy-nat-rule-trust-untrust]destination-zone untrust
[FW2-policy-nat-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255
[FW2-policy-nat-rule-trust-untrust]action source-nat easy-ip

Verification:

1. PC2 can ping PC1.
2. Check the FW2 firewall session table (observe the direction of the GRE protocol packets).
3. Check NAT address translation: when PC2 pings 100.1.1.1, the firewall session table shows the private address translated to 200.1.1.2 before it reaches 100.1.1.1.
4. Capture packets on FW2's G1/0/1 port and inspect them (GRE uses IP protocol number 47).
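As an added example (not part of the original lab notes), the Python below builds and parses the GRE-over-IPv4 encapsulation that the capture in step 4 would show for this lab's addressing: an outer IP header from 100.1.1.1 to 200.1.1.2 carrying protocol 47, a 4-byte GRE header with protocol type 0x0800, and the inner private packet. The PC addresses (192.168.1.1, 192.168.2.1) and the ICMP payload bytes are constructed assumptions.

```python
import socket
import struct

IPPROTO_GRE = 47          # GRE is carried as IP protocol number 47 (not a port)
GRE_PROTO_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 passenger packet
ICMP_PROTO = 1

def ip_checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(outer_src, outer_dst, inner_src, inner_dst, payload):
    """Outer IP (proto 47) + basic 4-byte GRE header (RFC 2784) + inner IP packet."""
    inner = ipv4_header(inner_src, inner_dst, ICMP_PROTO, len(payload)) + payload
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # no C/K/S flags, version 0
    outer = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(pkt: bytes) -> dict:
    """Parse outer IP, GRE and inner IP the way a capture on FW2 G1/0/1 would show them."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE (47)" % pkt[9])
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    # Optional GRE fields, 4 bytes each: checksum (C, bit 0), key (K, bit 2), sequence (S, bit 3)
    gre_len = 4 + 4 * ((flags >> 15) & 1) + 4 * ((flags >> 13) & 1) + 4 * ((flags >> 12) & 1)
    inner = pkt[ihl + gre_len:]
    return {
        "outer_src": socket.inet_ntoa(pkt[12:16]), "outer_dst": socket.inet_ntoa(pkt[16:20]),
        "inner_src": socket.inet_ntoa(inner[12:16]), "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_proto": inner[9],
    }

# Constructed sample: PC1 (192.168.1.1) pinging PC2 (192.168.2.1) through the tunnel;
# FW1 wraps it in an outer packet from its tunnel source 100.1.1.1 to destination 200.1.1.2.
SAMPLE = gre_encapsulate("100.1.1.1", "200.1.1.2", "192.168.1.1", "192.168.2.1",
                         b"\x08\x00" + b"\x00" * 6)   # constructed ICMP echo stand-in
```

The inner addresses are what the FW2 `trust`/`untrust` security policies evaluate after decapsulation, while the outer 100.1.1.x/200.1.1.x pair is what the `local`/`untrust` rules must permit.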
