
Firewall HA Configuration

Published: 2020-05-25 21:11:54  Source: 億速云  Reads: 378  Author: 鴿子  Category: Security Technology

Topology diagram: (image "firewall HA configuration", not reproduced in this extract)
# Firewall HA configuration:
1. Configure the interface addresses and VRRP groups on the active and standby firewalls, and enable active/standby (HRP) synchronization.
The configuration is as follows:
#FW1
Configure the interface addresses:
interface GigabitEthernet1/0/1
description BOTH
undo shutdown
ip address 10.10.0.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
description TO-UP
undo shutdown
ip address 1.1.1.2 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 active
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/3
description TO-DOWN
undo shutdown
ip address 10.3.0.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.2 active
service-manage ping permit
# Add the interfaces to their security zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
# Enable active/standby synchronization:
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
#FW2
Configure the interface addresses:
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.10.0.2 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.3 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 standby
service-manage ping permit
ipsec policy map1
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.3.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.3.0.2 standby
service-manage ping permit
# Add the interfaces to their security zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
# Enable active/standby synchronization:
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.1
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3

PS: The VRRP group's virtual IP address does not have to be in the same subnet as the physical interface address.
In that case configure it as:
vrrp vrid 1 virtual-ip 10.3.0.2 255.255.255.0 standby
That is, a virtual IP in the same subnet as the interface is written without a mask, while a virtual IP in a different subnet must be written with its mask.
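As an added example (not part of the original post or the vendor's tooling), the following Python script parses the FW1 and FW2 fragments above and checks the settings that have to agree before the pair can fail over cleanly: the HRP heartbeat peers point at each other's heartbeat address, the tracked interfaces match, each VRRP group carries the same virtual IP on both units with one active and one standby role, and the physical addresses on each link differ but share a subnet. The sample configuration strings are reduced copies of the page's FW1/FW2 configs (zone blocks omitted); the parser follows the Huawei CLI convention that a `#` line ends a block, and it accepts the masked `virtual-ip` form from the note above. All function and variable names are my own.

```python
"""HA consistency checks for a Huawei-style HRP/VRRP firewall pair.
Added example, not from the original post or the vendor: parse two
configuration fragments and verify the settings that must agree for
active/standby failover. Function and variable names are my own."""
import ipaddress
import re

# Optional dotted mask between the virtual IP and the role (see the PS above).
VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+)(?: \d+(?:\.\d+){3})? (active|standby)$")


def parse_fw_config(text):
    """Return {'ifaces': {name: {'ip': (addr, mask), 'vrrp': {vrid: (vip, role)}}}, 'hrp_if', 'hrp_remote', 'track'}."""
    cfg = {"ifaces": {}, "hrp_if": None, "hrp_remote": None, "track": set()}
    cur = None  # interface block currently open; a '#' line closes it
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = cfg["ifaces"].setdefault(line.split()[1], {"ip": None, "vrrp": {}})
        elif line.startswith("#") or line.startswith("firewall zone "):
            cur = None
        elif m := re.match(r"hrp interface (\S+) remote (\S+)$", line):
            cfg["hrp_if"], cfg["hrp_remote"] = m.groups()
        elif m := re.match(r"hrp track interface (\S+)$", line):
            cfg["track"].add(m[1])
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["ip"] = m.groups()
        elif cur is not None and (m := VRRP_RE.match(line)):
            cur["vrrp"][int(m[1])] = (m[2], m[3])
    return cfg


def check_ha_pair(fw1_text, fw2_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_fw_config(fw1_text), parse_fw_config(fw2_text)
    out = []
    # Heartbeat: each unit's 'remote' must be the peer's address on that same interface.
    for me, peer, tag in ((a, b, "FW1"), (b, a, "FW2")):
        peer_ip = (peer["ifaces"].get(me["hrp_if"], {}).get("ip") or (None,))[0]
        if me["hrp_remote"] != peer_ip:
            out.append(f"{tag}: hrp remote {me['hrp_remote']} != peer {me['hrp_if']} address {peer_ip}")
    if a["track"] != b["track"]:
        out.append(f"hrp track interfaces differ: {sorted(a['track'] ^ b['track'])}")
    # VRRP: same vrid/virtual-ip on both units, one active and one standby; physical addresses distinct but in one subnet.
    for name in sorted(set(a["ifaces"]) | set(b["ifaces"])):
        ia, ib = a["ifaces"].get(name), b["ifaces"].get(name)
        if ia is None or ib is None:
            out.append(f"{name}: configured on only one unit")
            continue
        if ia["ip"] and ib["ip"]:
            net_a = ipaddress.ip_interface("%s/%s" % ia["ip"]).network
            net_b = ipaddress.ip_interface("%s/%s" % ib["ip"]).network
            if net_a != net_b or ia["ip"][0] == ib["ip"][0]:
                out.append(f"{name}: addresses {ia['ip'][0]} / {ib['ip'][0]} must differ and share a subnet")
        if set(ia["vrrp"]) != set(ib["vrrp"]):
            out.append(f"{name}: VRRP vrids differ between units")
            continue
        for vrid, (vip_a, role_a) in ia["vrrp"].items():
            vip_b, role_b = ib["vrrp"][vrid]
            if vip_a != vip_b:
                out.append(f"{name} vrid {vrid}: virtual-ip {vip_a} != {vip_b}")
            if {role_a, role_b} != {"active", "standby"}:
                out.append(f"{name} vrid {vrid}: roles {role_a}/{role_b}, need one active and one standby")
    return out


# Reduced copies of the FW1/FW2 configuration from the post (zone blocks omitted).
FW1 = """\
interface GigabitEthernet1/0/1
 ip address 10.10.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 1.1.1.2 255.255.255.0
 vrrp vrid 2 virtual-ip 1.1.1.1 active
#
interface GigabitEthernet1/0/3
 ip address 10.3.0.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.2 active
#
hrp interface GigabitEthernet1/0/1 remote 10.10.0.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
"""
FW2 = """\
interface GigabitEthernet1/0/1
 ip address 10.10.0.2 255.255.255.0
#
interface GigabitEthernet1/0/2
 ip address 1.1.1.3 255.255.255.0
 vrrp vrid 2 virtual-ip 1.1.1.1 standby
#
interface GigabitEthernet1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.2 standby
#
hrp interface GigabitEthernet1/0/1 remote 10.10.0.1
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
"""
```

Running `check_ha_pair(FW1, FW2)` on the page's values returns an empty list; flipping FW2's `vrid 2` to `active` produces a single finding about the duplicated role, which is the kind of mistake that shows up as both units claiming the virtual IP.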

2. With the above configuration in place, the firewalls synchronize their configuration. Next, configure the security policy and IPsec ***.
# Configure the security policy
security-policy
rule name 1        (heartbeat-link policy)
source-zone dmz
source-zone local
destination-zone dmz
destination-zone local
action permit
rule name 2        (*** outbound traffic policy)
source-zone local
source-zone trust
destination-zone untrust
source-address 1.1.1.0 mask 255.255.255.0
source-address 10.3.0.0 mask 255.255.0.0
destination-address 10.4.1.0 mask 255.255.255.0
destination-address 4.4.4.0 mask 255.255.255.0
action permit
rule name 3        (*** return traffic policy)
source-zone local
source-zone untrust
destination-zone local
destination-zone trust
source-address 4.4.4.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
action permit
PS: At this point FW1 receives the IPsec-encrypted packets, whose source and destination IPs are the two tunnel endpoints. For the security policy to match them strictly, a rule like rule 3 above is required.
#
# Configure IPsec:
#
acl number 3000
rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.4.1.0 0.0.0.255
#
ike proposal 10
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer any
pre-shared-key Admin@123
ike-proposal 10
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ipsec policy-template policy1 1        (the main site uses a policy template to establish the ***)
security acl 3000
ike-peer any
proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 1.1.1.3 255.255.255.0
vrrp vrid 2 virtual-ip 1.1.1.1 standby
service-manage ping permit
ipsec policy map1
#
3. Configure the NAT policy
Configure the address pool:
#
nat address-group 1 0
mode pat
section 0 1.1.1.1 1.1.1.1
#
Configure the NAT policy rules:
#
nat-policy
rule name 1
source-zone trust
destination-zone untrust
source-address 10.1.3.0 0.0.0.255
source-address 10.3.0.0 mask 255.255.255.0
destination-address 10.4.1.0 0.0.0.255
destination-address 10.4.1.0 mask 255.255.255.0
action no-nat
rule name nat
source-zone trust
destination-zone untrust
action source-nat address-group 1
#
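The NAT policy above places a no-nat rule for the tunnel subnets ahead of the catch-all source-nat rule: the NAT policy is applied before the packet is matched against the IPsec ACL, so if the private source address were translated to 1.1.1.1 first it would no longer match acl 3000 and would leave the untrust interface unencrypted. The script below is an added example, not code from the post or the vendor: it parses the ACL and the NAT policy and reports any ACL flow whose first matching NAT rule is not `no-nat`. The sample strings are copied from the configuration above; the function names are mine, and a rule with no `source-address`/`destination-address` lines is treated as matching any address, which is how the page's `rule name nat` is meant to work.

```python
"""Check that IPsec interesting traffic is exempted from source NAT.
Added example, not from the original post or the vendor. It parses the
ACL and nat-policy fragments from the post and checks rule order."""
import ipaddress
import re


def parse_acl_flows(text):
    """Return [(src_net, dst_net)] from 'rule N permit ip source A W destination B W' lines."""
    flows = []
    for m in re.finditer(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)", text):
        # ipaddress accepts both a netmask and a wildcard (host) mask after '/'
        flows.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}")))
    return flows


def parse_nat_policy(text):
    """Return NAT rules in configured order: {'name', 'src': [nets], 'dst': [nets], 'action'}."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"rule name (\S+)$", line):
            cur = {"name": m[1], "src": [], "dst": [], "action": None}
            rules.append(cur)
        elif cur and (m := re.match(r"(source|destination)-address (\S+) (?:mask )?(\S+)$", line)):
            cur["src" if m[1] == "source" else "dst"].append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif cur and (m := re.match(r"action (\S+)", line)):
            cur["action"] = m[1]  # 'no-nat' or 'source-nat'
    return rules


def first_match(rules, src, dst):
    """First rule whose address lists cover the flow; an empty list means 'any'."""
    for r in rules:
        src_ok = not r["src"] or any(src.subnet_of(n) for n in r["src"])
        dst_ok = not r["dst"] or any(dst.subnet_of(n) for n in r["dst"])
        if src_ok and dst_ok:
            return r
    return None


def check_no_nat_for_ipsec(acl_text, nat_text):
    """Return findings for ACL flows that would be translated before IPsec; [] if none."""
    rules, findings = parse_nat_policy(nat_text), []
    for src, dst in parse_acl_flows(acl_text):
        r = first_match(rules, src, dst)
        if r is None or r["action"] != "no-nat":
            findings.append(f"{src} -> {dst} would be source-NATed before IPsec (first NAT match: {r['name'] if r else 'none'})")
    return findings


# Copied from the post's configuration.
ACL_3000 = """\
acl number 3000
 rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.4.1.0 0.0.0.255
"""
NAT_POLICY = """\
nat-policy
 rule name 1
  source-zone trust
  destination-zone untrust
  source-address 10.1.3.0 0.0.0.255
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.4.1.0 0.0.0.255
  destination-address 10.4.1.0 mask 255.255.255.0
  action no-nat
 rule name nat
  source-zone trust
  destination-zone untrust
  action source-nat address-group 1
"""
```

With the page's rules `check_no_nat_for_ipsec(ACL_3000, NAT_POLICY)` returns an empty list; dropping `rule name 1`, or listing it after `rule name nat`, makes the 10.3.0.0/24 to 10.4.1.0/24 flow hit the source-nat rule first and produces a finding.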
