Configure the IP addresses

[FW4-GigabitEthernet1/0/1]ip add 40.1.1.1 24

[FW4-GigabitEthernet1/0/0]ip add 10.1.1.1 24

[FW5-GigabitEthernet1/0/1]ip add 40.1.1.2 24

[FW5-GigabitEthernet1/0/0]ip add 10.1.2.2 24

Add the interfaces to their security zones

[FW4]firewall zone trust

[FW4-zone-trust]add interface GigabitEthernet 1/0/0

[FW4]firewall zone untrust

[FW4-zone-untrust]add interface GigabitEthernet 1/0/1

[FW4]firewall zone dmz

[FW4-zone-dmz]add interface Tunnel 1

[FW5]firewall zone trust

[FW5-zone-trust]add interface GigabitEthernet 1/0/0

[FW5]firewall zone untrust

[FW5-zone-untrust]add interface GigabitEthernet 1/0/1

[FW5]firewall zone dmz

[FW5-zone-dmz]add interface Tunnel 1

Permit the required services on the interfaces

[FW4-GigabitEthernet1/0/1]service-manage ping permit

[FW4-GigabitEthernet1/0/0]service-manage ping permit

[FW5-GigabitEthernet1/0/1]service-manage ping permit

[FW5-GigabitEthernet1/0/0]service-manage ping permit

Configure the GRE tunnel interfaces

[FW4]int Tunnel 1

[FW4-Tunnel1]ip add 172.16.2.1 30

[FW4-Tunnel1]tunnel-protocol gre

[FW4-Tunnel1]source 40.1.1.1

[FW4-Tunnel1]destination 40.1.1.2

[FW5]interface Tunnel 1

[FW5-Tunnel1]ip add 172.16.2.2 30

[FW5-Tunnel1]tunnel-protocol gre

[FW5-Tunnel1]source 40.1.1.2

[FW5-Tunnel1]destination 40.1.1.1

Configure the routes to the peer subnet

[FW4]ip route-static 10.1.2.0 24 Tunnel 1

[FW5]ip route-static 10.1.1.0 24 Tunnel 1

Configure the security policies

[FW4]security-policy

[FW4-policy-security]rule name gre1  // allow the two subnets to reach each other

[FW4-policy-security-rule-gre1]source-zone trust

[FW4-policy-security-rule-gre1]destination-zone dmz

[FW4-policy-security-rule-gre1]source-address 10.1.1.0 24

[FW4-policy-security-rule-gre1]destination-address 10.1.2.0 24

[FW4-policy-security-rule-gre1]action permit

[FW4-policy-security]rule name gre2

[FW4-policy-security-rule-gre2]source-zone dmz

[FW4-policy-security-rule-gre2]destination-zone trust

[FW4-policy-security-rule-gre2]source-address 10.1.2.0 24

[FW4-policy-security-rule-gre2]destination-address 10.1.1.0 24

[FW4-policy-security-rule-gre2]action permit

[FW4-policy-security]rule name gre3  // permit the encapsulated GRE packets

[FW4-policy-security-rule-gre3]source-zone local untrust

[FW4-policy-security-rule-gre3]destination-zone local untrust

[FW4-policy-security-rule-gre3]service gre

[FW4-policy-security-rule-gre3]action permit

[FW5]security-policy

[FW5-policy-security]rule name gre1

[FW5-policy-security-rule-gre1]source-zone trust

[FW5-policy-security-rule-gre1]destination-zone dmz

[FW5-policy-security-rule-gre1]source-address 10.1.2.0 24

[FW5-policy-security-rule-gre1]destination-address 10.1.1.0 24

[FW5-policy-security-rule-gre1]action permit

[FW5-policy-security]rule name gre2

[FW5-policy-security-rule-gre2]source-zone dmz

[FW5-policy-security-rule-gre2]destination-zone trust

[FW5-policy-security-rule-gre2]source-address 10.1.1.0 24

[FW5-policy-security-rule-gre2]destination-address 10.1.2.0 24

[FW5-policy-security-rule-gre2]action permit

[FW5-policy-security]rule name gre3

[FW5-policy-security-rule-gre3]source-zone local untrust

[FW5-policy-security-rule-gre3]destination-zone local untrust

[FW5-policy-security-rule-gre3]service gre

[FW5-policy-security-rule-gre3]action permit

Verification

When PC1 pings server1, capture the packets on FW4's G1/0/1 interface
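To make the verification step concrete, here is an added Python example (not from the original post) that builds the GRE-encapsulated ICMP echo FW4 would emit on G1/0/1 for the ping described above and decodes it the way a packet capture would show it. The host addresses 10.1.1.10 and 10.1.2.10 are assumed; only the /24 subnets and the tunnel endpoints 40.1.1.1 and 40.1.1.2 come from the configuration.

```python
import struct
import ipaddress

GRE_PROTO = 47           # IP protocol number for GRE; this is what "service gre" in rule gre3 matches
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value announcing an IPv4 passenger packet

def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """What Tunnel 1 does on egress: outer IPv4 (proto 47) + 4-byte GRE header + original packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence bits set
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def parse_gre(packet: bytes) -> dict:
    """Decode outer IPv4, the GRE header and the inner IPv4 packet; raise if it is not GRE."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto != GRE_PROTO:
        raise ValueError("not GRE: IP protocol %d" % proto)
    outer = {"src": str(ipaddress.IPv4Address(packet[12:16])),
             "dst": str(ipaddress.IPv4Address(packet[16:20])), "proto": proto}
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    # optional fields: C (0x8000) checksum+reserved, K (0x2000) key, S (0x1000) sequence, 4 bytes each
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    inner = packet[ihl + gre_len:]
    result = {"outer": outer, "inner": {"src": str(ipaddress.IPv4Address(inner[12:16])),
                                        "dst": str(ipaddress.IPv4Address(inner[16:20])), "proto": inner[9]}}
    if inner[9] == 1:  # ICMP: type 8 = echo request, 0 = echo reply
        result["inner"]["icmp_type"] = inner[(inner[0] & 0x0F) * 4]
    return result

# Constructed sample: PC1 (assumed 10.1.1.10) pinging server1 (assumed 10.1.2.10), as FW4 sends it
# out G1/0/1. Only the /24 subnets and the tunnel endpoints 40.1.1.1/40.1.1.2 come from the configuration.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"constructed"
INNER = ipv4_header("10.1.1.10", "10.1.2.10", 1, len(ICMP_ECHO)) + ICMP_ECHO
SAMPLE = gre_encapsulate("40.1.1.1", "40.1.1.2", INNER)
```

Because GRE adds no encryption, the inner 10.1.1.x/10.1.2.x addresses and the ICMP payload are readable in the clear on the 40.1.1.0/24 link (GRE over IPsec is the usual fix when that matters). Rule gre3 (service gre between the local and untrust zones) is what admits these protocol-47 packets; the trust/dmz rules gre1 and gre2 only ever see the decapsulated inner packet.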

© Copyright belongs to the author: an original work by 51CTO blog author Tony7483. If you reproduce it, please cite the source; otherwise legal liability will be pursued.
