Firewall GRE
1: Configure IP addresses (omitted)
2: Add the firewall interfaces to zones
[fw1]firewall zone trust
[fw1-zone-trust]add int g1/0/1
[fw1-zone-trust]q
[fw1]firewall zone untrust
[fw1-zone-untrust]add int g1/0/0
[fw1-zone-untrust]q
[fw2]firewall zone trust
[fw2-zone-trust]add int g1/0/1
[fw2-zone-trust]q
[fw2]firewall zone untrust
[fw2-zone-untrust]add int g1/0/0
[fw2-zone-untrust]q
3: Configure firewall routes
[fw1]ip route-static 2.2.2.2 24 1.1.1.254 // route toward the peer's public address via the upstream next hop
[fw2]ip route-static 1.1.1.1 24 2.2.2.254
4: Create and configure the tunnel interfaces
[fw1]interface Tunnel 1
[fw1-Tunnel1]tunnel-protocol gre
[fw1-Tunnel1]ip address 172.16.1.1 24
[fw1-Tunnel1]source 1.1.1.1 // local public address
[fw1-Tunnel1]destination 2.2.2.2 // peer public address
[fw1-Tunnel1]gre key cipher 123456 // the key must be identical on both tunnel ends
[fw1-Tunnel1]q
[fw2]interface Tunnel 1
[fw2-Tunnel1]tunnel-protocol gre
[fw2-Tunnel1]ip address 172.16.1.2 24 // same subnet as fw1's Tunnel 1 address (172.16.1.1/24)
[fw2-Tunnel1]source 2.2.2.2
[fw2-Tunnel1]destination 1.1.1.1
[fw2-Tunnel1]gre key cipher 123456
[fw2-Tunnel1]q
5: Add the tunnel interfaces to a zone
[fw1]firewall zone untrust
[fw1-zone-untrust]add interface Tunnel 1
[fw1-zone-untrust]q
[fw2]firewall zone untrust
[fw2-zone-untrust]add interface Tunnel 1
[fw2-zone-untrust]q
6: Configure routes into the tunnel
[fw1]ip route-static 192.168.1.0 24 Tunnel 1 // steer traffic for the remote LAN into the tunnel
[fw2]ip route-static 10.1.1.0 24 Tunnel 1
7: Permit traffic with the firewall policy. The more complex policy configuration has not been covered yet, so in this lab the tunnel interface is placed in the untrust zone (it should really be dmz); policies have not been fully covered either, so the default policy is changed to permit. Barring surprises, there should be a second part to this configuration.
[fw1]security-policy
[fw1-policy-security]default action permit
[fw1-policy-security]q
[fw2]security-policy
[fw2-policy-security]default action permit
[fw2-policy-security]q
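The consistency check a practitioner would run before bringing the tunnel up, as an added example that is not part of this note: a small Python script (the embedded configuration text, function names and message strings are my own) that parses both ends' Tunnel 1 blocks and flags a non-GRE protocol, source/destination that do not mirror each other, differing GRE keys, or tunnel addresses in different subnets.

```python
import ipaddress
import re
# Constructed sample input: both Tunnel 1 blocks from this note (VRP syntax); FW2 keeps a mistyped third octet (172.168.x).
FW1_TUNNEL = """
interface Tunnel 1
 tunnel-protocol gre
 ip address 172.16.1.1 24
 source 1.1.1.1
 destination 2.2.2.2
 gre key cipher 123456
"""
FW2_TUNNEL_TYPO = """
interface Tunnel 1
 tunnel-protocol gre
 ip add 172.168.1.2 24
 source 2.2.2.2
 destination 1.1.1.1
 gre key cipher 123456
"""

def parse_tunnel(text):
    """Pull out the fields that must agree between the two tunnel ends."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"ip add(?:ress)? (\S+) (\d+)$", line)  # VRP accepts the 'ip add' abbreviation
        if m:
            cfg["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"gre key (?:plain|cipher) (\S+)$", line)
        if m:
            cfg["key"] = m.group(1)
        for key in ("tunnel-protocol", "source", "destination"):
            if line.startswith(key + " "):
                cfg[key] = line.split()[1]
    return cfg

def check_pair(a_text, b_text):
    """Return a list of problems; an empty list means the two ends are consistent."""
    a, b = parse_tunnel(a_text), parse_tunnel(b_text)
    problems = []
    if a.get("tunnel-protocol") != "gre" or b.get("tunnel-protocol") != "gre":
        problems.append("tunnel-protocol must be gre on both ends")
    if a.get("source") != b.get("destination") or b.get("source") != a.get("destination"):
        problems.append("source/destination do not mirror each other")
    if a.get("key") != b.get("key"):
        problems.append("gre key differs between ends")
    if "ip" in a and "ip" in b and a["ip"].network != b["ip"].network:
        problems.append(f"tunnel addresses in different subnets: {a['ip']} vs {b['ip']}")
    return problems
```

Note that the GRE key is carried in clear in the GRE header on the wire (RFC 2890); `cipher` only hides it in the saved configuration and does not encrypt the tunnelled traffic.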