The corporate intranet has two subnets. FW1 and FW2 are the enterprise's dual-egress firewalls; OSPF runs between the intranet and the firewalls, and the two egress firewalls share the load: VLAN 10 exits via AR1 and VLAN 20 exits via AR2.
The topology is as follows:
SW3 configuration:
1. Create the VLANs
vlan batch 10 13 20 23
2. Configure the interfaces
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
stp edged-port enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
stp edged-port enable
#
interface GigabitEthernet0/0/23
port link-type access
port default vlan 13
stp edged-port enable
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 23
stp edged-port enable
3. Configure IP addresses and DHCP
dhcp enable
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 192.168.10.200 192.168.10.254
dhcp server dns-list 114.114.114.114
#
interface Vlanif13
ip address 13.0.0.3 255.255.255.0
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 192.168.20.200 192.168.20.254
dhcp server dns-list 114.114.114.114
#
interface Vlanif23
ip address 23.0.0.3 255.255.255.0
4. Configure OSPF
ospf 10 router-id 3.3.3.3
area 0.0.0.0
network 192.168.10.1 0.0.0.0
network 13.0.0.3 0.0.0.0
network 192.168.20.1 0.0.0.0
network 23.0.0.3 0.0.0.0
network 3.3.3.3 0.0.0.0
FW1 configuration
1. Configure interface IP addresses
interface Eth-Trunk12
ip address 10.1.12.1 255.255.255.0
trunkport gigabitethernet 1/0/5 1/0/6
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.11.1 255.255.255.0
gateway 100.1.11.254
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.12.1 255.255.255.0
gateway 100.1.12.254
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 13.0.0.1 255.255.255.0
service-manage ping permit
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
2. Add the interfaces to security zones
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface Eth-Trunk12
3. Enable and configure IP-Link
ip-link check enable
ip-link name isp1
destination 3.3.3.3 interface GigabitEthernet1/0/0 mode icmp next-hop 100.1.11.254
ip-link name isp2
destination 3.3.3.3 interface GigabitEthernet1/0/1 mode icmp next-hop 100.1.12.254
4. Configure a default route pointing to AR1 and bind it to the IP-Link; when the link fails the default route is withdrawn and traffic switches to the other link
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.11.254 track ip-link isp1
5. Configure the security policy
security-policy
rule name internet
source-zone trust
destination-zone untrust
action permit
rule name inside
source-zone dmz
source-zone local
source-zone trust
destination-zone dmz
destination-zone local
destination-zone trust
service icmp
service ospf
action permit
#
6. Configure OSPF
ospf 10 router-id 1.1.1.1
default-route-advertise
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 13.0.0.1 0.0.0.0
7. Configure the NAT policy
nat-policy
rule name internet
source-zone trust
destination-zone untrust
action source-nat easy-ip
#
8. Configure PBR to redirect VLAN 20 to AR2 for load sharing and bind it to the IP-Link; when the link fails the redirect is withdrawn and traffic switches to the other link
policy-based-route
rule name toisp2 1
source-zone trust
source-address address-set vlan20
track ip-link isp2
action pbr egress-interface GigabitEthernet1/0/1 next-hop 100.1.12.254
#
9. Configure VRRP on the egress interfaces, with virtual IP addresses 100.1.11.3 and 100.1.12.3
interface GigabitEthernet1/0/0
vrrp vrid 1 virtual-ip 100.1.11.3 active
#
interface GigabitEthernet1/0/1
vrrp vrid 2 virtual-ip 100.1.12.3 standby
10. Enable HRP so that the two firewalls keep their session tables synchronized
hrp enable
hrp interface Eth-Trunk12 remote 10.1.12.2
hrp mirror session enable
FW2 configuration
1. Configure interface IP addresses
interface Eth-Trunk12
ip address 10.1.12.2 255.255.255.0
trunkport gigabitethernet 1/0/5 1/0/6
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.1.11.2 255.255.255.0
gateway 100.1.11.254
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.12.2 255.255.255.0
gateway 100.1.12.254
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 23.0.0.2 255.255.255.0
service-manage ping permit
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
2. Add the interfaces to security zones
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface Eth-Trunk12
3. Enable and configure IP-Link
ip-link check enable
ip-link name isp1
destination 3.3.3.3 interface GigabitEthernet1/0/0 mode icmp next-hop 100.1.11.254
ip-link name isp2
destination 3.3.3.3 interface GigabitEthernet1/0/1 mode icmp next-hop 100.1.12.254
4. Configure a default route pointing to AR1 and bind it to the IP-Link; when the link fails the default route is withdrawn and traffic switches to the other link
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.11.254 track ip-link isp1
5. Configure the security policy
security-policy
rule name internet
source-zone trust
destination-zone untrust
action permit
rule name inside
source-zone dmz
source-zone local
source-zone trust
destination-zone dmz
destination-zone local
destination-zone trust
service icmp
service ospf
action permit
#
6. Configure OSPF
ospf 10 router-id 2.2.2.2
default-route-advertise
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 23.0.0.2 0.0.0.0
7. Configure the NAT policy
nat-policy
rule name internet
source-zone trust
destination-zone untrust
action source-nat easy-ip
#
8. Configure PBR to redirect VLAN 20 to AR2 for load sharing and bind it to the IP-Link; when the link fails the redirect is withdrawn and traffic switches to the other link
policy-based-route
rule name toisp2 1
source-zone trust
source-address address-set vlan20
track ip-link isp2
action pbr egress-interface GigabitEthernet1/0/1 next-hop 100.1.12.254
#
9. Configure VRRP on the egress interfaces, with virtual IP addresses 100.1.11.3 and 100.1.12.3
interface GigabitEthernet1/0/0
vrrp vrid 1 virtual-ip 100.1.11.3 standby
#
interface GigabitEthernet1/0/1
vrrp vrid 2 virtual-ip 100.1.12.3 active
10. Enable HRP so that the two firewalls keep their session tables synchronized
hrp enable
hrp interface Eth-Trunk12 remote 10.1.12.1
hrp mirror session enable
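As an added consistency check (not part of the original write-up), the Python audit below parses the HRP heartbeat and VRRP lines from two firewall dumps in the flat format shown above and reports a heartbeat peer that does not point at the other node, a vrid present on only one side, a virtual-ip mismatch, or roles that are not one active/one standby. The embedded excerpts are constructed from the addresses above; the FW2 excerpt deliberately carries a wrong heartbeat peer so the check has something to find.

```python
import re
# Constructed excerpts (not the write-up's own text) of the FW1/FW2 HRP and VRRP lines.
# FW2 deliberately keeps "remote 10.1.12.2", its own heartbeat address: a typical slip
# when the FW1 block is cloned, and exactly what this checker should catch.
FW1 = """
interface Eth-Trunk12
ip address 10.1.12.1 255.255.255.0
interface GigabitEthernet1/0/0
vrrp vrid 1 virtual-ip 100.1.11.3 active
interface GigabitEthernet1/0/1
vrrp vrid 2 virtual-ip 100.1.12.3 standby
hrp interface Eth-Trunk12 remote 10.1.12.2
"""
FW2 = """
interface Eth-Trunk12
ip address 10.1.12.2 255.255.255.0
interface GigabitEthernet1/0/0
vrrp vrid 1 virtual-ip 100.1.11.3 standby
interface GigabitEthernet1/0/1
vrrp vrid 2 virtual-ip 100.1.12.3 active
hrp interface Eth-Trunk12 remote 10.1.12.2
"""

def parse_fw(text):
    # Track the current interface so the Eth-Trunk address (HRP heartbeat source) is recognised.
    cfg, iface = {"vrrp": {}, "hrp_local": None, "hrp_remote": None}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("ip address ") and iface and iface.startswith("Eth-Trunk"):
            cfg["hrp_local"] = line.split()[2]
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$", line):
            cfg["vrrp"][int(m[1])] = (m[2], m[3])  # vrid -> (virtual IP, role)
        elif m := re.match(r"hrp interface \S+ remote (\S+)$", line):
            cfg["hrp_remote"] = m[1]
    return cfg

def audit_pair(a, b):
    # Returns one string per finding; an empty list means the pair is consistent.
    findings = []
    for name, me, peer in (("FW1", a, b), ("FW2", b, a)):
        if me["hrp_remote"] != peer["hrp_local"]:
            findings.append(f"{name}: hrp remote {me['hrp_remote']} != peer heartbeat {peer['hrp_local']}")
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        ra, rb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if ra is None or rb is None:
            findings.append(f"vrid {vrid}: configured on only one firewall")
        elif ra[0] != rb[0]:
            findings.append(f"vrid {vrid}: virtual-ip mismatch {ra[0]} vs {rb[0]}")
        elif {ra[1], rb[1]} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: roles {ra[1]}/{rb[1]}, need one active and one standby")
    return findings
```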
L2TP over IPsec on the dual-firewall deployment
The configuration is as follows:
FW1
Interfaces and zones are not explained again in detail.
1. Configure the heartbeat link for session-table synchronization
hrp interface Eth-Trunk12 remote 10.1.12.2
hrp mirror session enable
hrp enable
2. Configure the security policy
Permit the tunnel traffic:
rule name untrust_local
source-zone untrust
destination-zone local
destination-address 10.1.1.3 mask 255.255.255.255
action permit
rule name VPN
source-zone untrust
destination-zone trust
destination-address address-set neiwang
action permit
3. Configure the login users
Created via the web UI
4. Configure L2TP over IPsec
Define the traffic to be encrypted
acl number 3000
rule 5 permit udp source-port eq 1701
Configure the IPsec proposal
ipsec proposal prop25815354029
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
Configure the IKE proposal
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
Configure the IKE peer
ike peer ike258153540293
exchange-mode auto
pre-shared-key %^%#vHz}X2hmkWAE[x.+(R9OUK8fG-~)):#E$<0jc!r9%^%#
ike-proposal 1
remote-id-type none
dpd type periodic
ike negotiate compatible
Configure the IPsec policy template
ipsec policy-template tpl258153540293 1
security acl 3000
ike-peer ike258153540293
proposal prop25815354029
tunnel local 10.1.1.3
alias zon
sa duration traffic-based 10485760
sa duration time-based 3600
scenario point-to-multi-point l2tp-user-access
Reference the template from an IPsec policy
ipsec policy ipsec2581535397 10000 isakmp template tpl258153540293
Configure the address pool for VPN clients
ip pool server
section 0 172.16.10.10 172.16.10.100
excluded-ip-address 172.16.10.10
dns-list 114.114.114.114
Configure L2TP
l2tp-group default-lns
allow l2tp virtual-template 0
#
interface Virtual-Template0
ppp authentication-mode chap pap
remote service-scheme l2tpScheme_1661412940479
ip address 172.16.10.10 255.255.255.255
alias L2TP_LNS_0
undo service-manage enable
5. Apply the IPsec policy to the interface
interface GigabitEthernet1/0/0
ipsec policy ipsec2581535397
FW2
1. Configure the heartbeat link for session-table synchronization
hrp interface Eth-Trunk12 remote 10.1.12.1
hrp mirror session enable
hrp enable
2. Once the heartbeat is up, the security policy and the L2TP/IPsec configuration are synchronized to FW2 automatically
They are not described again here