The USG5500 is deployed as the security device at a service node. The upstream and downstream devices are both switches; USG5300A and USG5300B act as the master and backup device respectively, and both work in routing mode.
The network plan is as follows:
● The network segment to be protected is 192.168.1.0/24. It connects to the USG5300's GigabitEthernet 0/0/1 interface and is deployed in the Trust zone.
● The external network connects to the USG5300's GigabitEthernet 0/0/3 interface and is deployed in the Untrust zone.
● The HRP backup channel interface GigabitEthernet 0/0/2 of the two USG5300s is deployed in the DMZ zone.
The VRRP group virtual IP addresses corresponding to each security zone are:
The Trust zone's VRRP group virtual IP address is 10.100.10.1/24.
The Untrust zone's VRRP group virtual IP address is 202.38.10.1/24.
The DMZ zone's VRRP group virtual IP address is 10.100.20.1/24.
[FW1] interface GigabitEthernet 0/0/1
[FW1-GigabitEthernet0/0/1] ip address 10.100.10.2 24
[FW1-GigabitEthernet0/0/1] quit
[FW1] interface GigabitEthernet 0/0/2
[FW1-GigabitEthernet0/0/2] ip address 10.100.20.2 24
[FW1-GigabitEthernet0/0/2] quit
[FW1] interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3] ip address 202.38.10.2 24
[FW1-GigabitEthernet0/0/3] quit
[FW1] firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet 0/0/1
[FW1-zone-trust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface GigabitEthernet 0/0/2
[FW1-zone-dmz] quit
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface GigabitEthernet 0/0/3
[FW1-zone-untrust] quit
[FW1] interface GigabitEthernet 0/0/1
[FW1-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 10.100.10.1 master
[FW1-GigabitEthernet0/0/1] vrrp virtual-mac enable
[FW1] interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 202.38.10.1 master
[FW1-GigabitEthernet0/0/3] vrrp virtual-mac enable
[FW1] interface GigabitEthernet 0/0/2
[FW1-GigabitEthernet0/0/2] vrrp vrid 3 virtual-ip 10.100.20.1 master
[FW1] hrp interface GigabitEthernet 0/0/2
[FW1] hrp enable
[FW2] interface GigabitEthernet 0/0/1
[FW2-GigabitEthernet0/0/1] ip address 10.100.10.3 24
[FW2-GigabitEthernet0/0/1] quit
[FW2] interface GigabitEthernet 0/0/2
[FW2-GigabitEthernet0/0/2] ip address 10.100.20.3 24
[FW2-GigabitEthernet0/0/2] quit
[FW2] interface GigabitEthernet 0/0/3
[FW2-GigabitEthernet0/0/3] ip address 202.38.10.3 24
[FW2-GigabitEthernet0/0/3] quit
[FW2] firewall zone trust
[FW2-zone-trust] add interface GigabitEthernet 0/0/1
[FW2-zone-trust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface GigabitEthernet 0/0/2
[FW2-zone-dmz] quit
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface GigabitEthernet 0/0/3
[FW2-zone-untrust] quit
[FW2] interface GigabitEthernet 0/0/1
[FW2-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 10.100.10.1 slave
[FW2-GigabitEthernet0/0/1] vrrp virtual-mac enable
[FW2] interface GigabitEthernet 0/0/3
[FW2-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 202.38.10.1 slave
[FW2-GigabitEthernet0/0/3] vrrp virtual-mac enable
[FW2] interface GigabitEthernet 0/0/2
[FW2-GigabitEthernet0/0/2] vrrp vrid 3 virtual-ip 10.100.20.1 slave
[FW2] hrp interface GigabitEthernet 0/0/2
[FW2] hrp enable
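The VRRP groups on the two units must mirror each other, or a failover hands traffic to a device that cannot own the virtual IP. The Python check below is an added example, not part of the original article: it parses the VRRP lines of both firewalls (constructed inline from the configuration above) and reports vrids present on only one unit, a virtual IP that differs between the units, roles that are not one master plus one slave, and vrrp virtual-mac enable set on only one side.

```python
import re

# Constructed input: the VRRP lines of FW1 and FW2 as configured above.
FW1_VRRP = """\
interface GigabitEthernet 0/0/1
 vrrp vrid 1 virtual-ip 10.100.10.1 master
 vrrp virtual-mac enable
interface GigabitEthernet 0/0/3
 vrrp vrid 2 virtual-ip 202.38.10.1 master
 vrrp virtual-mac enable
interface GigabitEthernet 0/0/2
 vrrp vrid 3 virtual-ip 10.100.20.1 master
"""
FW2_VRRP = FW1_VRRP.replace("master", "slave")   # FW2 is the backup unit

IFACE_RE = re.compile(r"^interface (\S+) ?(\S*)$")
VRRP_RE = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+) (master|slave)$")

def parse_vrrp(config):
    """Map each vrid to its interface, virtual IP, role and virtual-mac setting."""
    groups, iface, vrid = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            iface, vrid = m.group(1) + m.group(2), None   # e.g. "GigabitEthernet0/0/1"
        elif m := VRRP_RE.match(line):
            vrid = int(m.group(1))
            groups[vrid] = {"iface": iface, "vip": m.group(2),
                            "role": m.group(3), "vmac": False}
        elif line == "vrrp virtual-mac enable" and vrid is not None:
            groups[vrid]["vmac"] = True   # applies to the vrid declared just before it
    return groups

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches that would break failover between the two units."""
    a, b = parse_vrrp(cfg_a), parse_vrrp(cfg_b)
    issues = []
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            issues.append(f"vrid {vrid}: configured on only one firewall")
            continue
        ga, gb = a[vrid], b[vrid]
        if ga["vip"] != gb["vip"]:
            issues.append(f"vrid {vrid}: virtual-ip {ga['vip']} != {gb['vip']}")
        if {ga["role"], gb["role"]} != {"master", "slave"}:
            issues.append(f"vrid {vrid}: roles {ga['role']}/{gb['role']}, need one master and one slave")
        if ga["vmac"] != gb["vmac"]:
            issues.append(f"vrid {vrid}: vrrp virtual-mac enable set on only one side")
    return issues
```

Run check_pair on the two display current-configuration outputs after hrp auto-sync config to confirm nothing drifted; an empty list means the pair is consistent.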
HRP_S[FW2] display hrp state
 The firewall's config state is: SLAVE
 Current state of virtual routers configured as slave:
   GigabitEthernet0/0/2 vrid 3 : slave
   GigabitEthernet0/0/3 vrid 2 : slave
   GigabitEthernet0/0/1 vrid 1 : slave
HRP_S[FW2] display vrrp
HRP_M[FW1] hrp auto-sync config
HRP_M[FW1] policy interzone trust untrust outbound
HRP_M[FW1-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] policy source 192.168.1.0 0.0.0.255
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] action permit
HRP_M[FW1-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[FW1] nat address-group 1 202.38.10.20 202.38.10.25
HRP_M[FW1] nat-policy interzone trust untrust outbound
HRP_M[FW1-nat-policy-interzone-trust-untrust-outbound] policy 1
HRP_M[FW1-nat-policy-interzone-trust-untrust-outbound-1] policy source 192.168.1.0 0.0.0.255
HRP_M[FW1-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
HRP_M[FW1-nat-policy-interzone-trust-untrust-outbound-1] address-group 1
HRP_M[FW1-nat-policy-interzone-trust-untrust-outbound-1] quit
HRP_M[FW1] ip route-static 192.168.1.0 24 10.100.10.10
HRP_M[FW1] ip route-static 0.0.0.0 0.0.0.0 202.38.10.10
HRP_S[FW2] ip route-static 192.168.1.0 24 10.100.10.10
HRP_S[FW2] ip route-static 0.0.0.0 0.0.0.0 202.38.10.10
[SW1] vlan batch 192 10
[SW1] interface Vlanif 10
[SW1-Vlanif10] ip address 10.100.10.10 24
[SW1-Vlanif10] quit
[SW1] interface Vlanif 192
[SW1-Vlanif192] ip address 192.168.1.254 24
[SW1-Vlanif192] quit
[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] port link-type trunk
[SW1-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SW1-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[SW1] interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2] port link-type trunk
[SW1-GigabitEthernet0/0/2] port trunk pvid vlan 10
[SW1-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[SW1] interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3] port link-type access
[SW1-GigabitEthernet0/0/3] port default vlan 192
[SW1-GigabitEthernet0/0/3] quit
[SW1] interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4] port link-type access
[SW1-GigabitEthernet0/0/4] port default vlan 192
[SW1-GigabitEthernet0/0/4] quit
[SW1] ip route-static 0.0.0.0 0.0.0.0 10.100.10.1
1. Create the VLANs and assign IP addresses
[SW2] vlan batch 172 202
[SW2] interface Vlanif 172
[SW2-Vlanif172] ip address 172.16.1.254 24
[SW2-Vlanif172] quit
[SW2] interface Vlanif 202
[SW2-Vlanif202] ip address 202.38.10.10 24
[SW2-Vlanif202] quit
2. Add the ports to their VLANs
[SW2] interface GigabitEthernet 0/0/3
[SW2-GigabitEthernet0/0/3] port link-type access
[SW2-GigabitEthernet0/0/3] port default vlan 172
[SW2-GigabitEthernet0/0/3] quit
[SW2] interface GigabitEthernet 0/0/2
[SW2-GigabitEthernet0/0/2] port link-type trunk
[SW2-GigabitEthernet0/0/2] port trunk pvid vlan 202
[SW2-GigabitEthernet0/0/2] port trunk allow-pass vlan all
[SW2] interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1] port link-type trunk
[SW2-GigabitEthernet0/0/1] port trunk pvid vlan 202
[SW2-GigabitEthernet0/0/1] port trunk allow-pass vlan all
3. Configure routing
[SW2] ip route-static 0.0.0.0 0.0.0.0 202.38.10.1
From 192.168.1.10 in the trust zone, ping 172.16.1.10 in the untrust zone.
Then run display firewall session table on FW1: the session table shows that the internal IPs reach the outside using addresses from the NAT address pool.
HRP_M[FW1] display firewall session table
 13:00:04 2018/04/29
 Current Total Sessions : 4
 icmp VPN:public --> public 192.168.1.10:19025[202.38.10.23:2290]-->172.16.1.10:2048
 icmp VPN:public --> public 192.168.1.10:19281[202.38.10.23:2291]-->172.16.1.10:2048
 icmp VPN:public --> public 192.168.1.11:20561[202.38.10.22:2278]-->172.16.1.10:2048
 icmp VPN:public --> public 192.168.1.11:20817[202.38.10.22:2279]-->172.16.1.10:2048
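Reading the session table by eye works for four sessions but not for a busy firewall. The Python check below is an added example, not part of the original article: it parses session lines in the format shown above and verifies that every session sourced from 192.168.1.0/24 was translated to an address inside nat address-group 1 (202.38.10.20 to 202.38.10.25). The sample table is constructed from the four sessions above plus one made-up untranslated session that the audit should flag.

```python
import ipaddress
import re

# Constructed sample: the four sessions shown above plus a fifth, invented here,
# that left without translation, to show what a NAT policy gap looks like.
SESSION_TABLE = """\
icmp VPN:public --> public 192.168.1.10:19025[202.38.10.23:2290]-->172.16.1.10:2048
icmp VPN:public --> public 192.168.1.10:19281[202.38.10.23:2291]-->172.16.1.10:2048
icmp VPN:public --> public 192.168.1.11:20561[202.38.10.22:2278]-->172.16.1.10:2048
icmp VPN:public --> public 192.168.1.11:20817[202.38.10.22:2279]-->172.16.1.10:2048
icmp VPN:public --> public 192.168.1.12:21001-->172.16.1.10:2048
"""

PROTECTED_NET = ipaddress.ip_network("192.168.1.0/24")
# Mirrors "nat address-group 1 202.38.10.20 202.38.10.25" on FW1.
NAT_POOL = (ipaddress.ip_address("202.38.10.20"), ipaddress.ip_address("202.38.10.25"))

SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:(?P<src_vpn>\S+)\s*-->\s*(?P<dst_vpn>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"   # bracketed part is present only when NATed
    r"\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_sessions(text):
    """Return one dict per session line; header and non-matching lines are ignored."""
    matches = (SESSION_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def in_pool(ip):
    addr = ipaddress.ip_address(ip)
    return NAT_POOL[0] <= addr <= NAT_POOL[1]

def audit(text):
    """List (index, problem) for protected-net sessions not translated into the pool."""
    problems = []
    for i, s in enumerate(parse_sessions(text)):
        if ipaddress.ip_address(s["src"]) not in PROTECTED_NET:
            continue   # not traffic the trust -> untrust NAT policy covers
        if s["nat_ip"] is None:
            problems.append((i, f"{s['src']} left without source NAT"))
        elif not in_pool(s["nat_ip"]):
            problems.append((i, f"{s['src']} translated to {s['nat_ip']} outside address-group 1"))
    return problems
```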