Huawei Firewall GRE *** Configuration
Configure IP addresses
[FW4-GigabitEthernet1/0/1]ip add 40.1.1.1 24
[FW4-GigabitEthernet1/0/0]ip add 10.1.1.1 24
[FW5-GigabitEthernet1/0/1]ip add 40.1.1.2 24
[FW5-GigabitEthernet1/0/0]ip add 10.1.2.2 24
Add the interfaces to their security zones
[FW4]firewall zone trust
[FW4-zone-trust]add interface GigabitEthernet 1/0/0
[FW4]firewall zone untrust
[FW4-zone-untrust]add interface GigabitEthernet 1/0/1
[FW4]firewall zone dmz
[FW4-zone-dmz]add interface Tunnel 1
[FW5]firewall zone trust
[FW5-zone-trust]add interface GigabitEthernet1/0/0
[FW5]firewall zone untrust
[FW5-zone-untrust]add interface GigabitEthernet 1/0/1
[FW5]firewall zone dmz
[FW5-zone-dmz]add interface Tunnel 1
Permit the required management services (ping on the interfaces)
[FW4-GigabitEthernet1/0/1]service-manage ping permit
[FW4-GigabitEthernet1/0/0]service-manage ping permit
[FW5-GigabitEthernet1/0/1]service-manage ping permit
[FW5-GigabitEthernet1/0/0]service-manage ping permit
Configure the GRE tunnel interfaces
[FW4]int Tunnel 1
[FW4-Tunnel1]ip add 172.16.2.1 30
[FW4-Tunnel1]tunnel-protocol gre
[FW4-Tunnel1]source 40.1.1.1
[FW4-Tunnel1]destination 40.1.1.2
[FW5]interface Tunnel 1
[FW5-Tunnel1]ip add 172.16.2.2 30
[FW5-Tunnel1]tunnel-protocol gre
[FW5-Tunnel1]source 40.1.1.2
[FW5-Tunnel1]destination 40.1.1.1
Configure the routes to the peer site
[FW4]ip route-static 10.1.2.0 24 Tunnel 1
[FW5]ip route-static 10.1.1.0 24 Tunnel 1
Configure the security policies
[FW4]security-policy
[FW4-policy-security]rule name gre1 //allow the two subnets to reach each other
[FW4-policy-security-rule-gre1]source-zone trust
[FW4-policy-security-rule-gre1]destination-zone dmz
[FW4-policy-security-rule-gre1]source-address 10.1.1.0 24
[FW4-policy-security-rule-gre1]destination-address 10.1.2.0 24
[FW4-policy-security-rule-gre1]action permit
[FW4-policy-security]rule name gre2
[FW4-policy-security-rule-gre2]source-zone dmz
[FW4-policy-security-rule-gre2]destination-zone trust
[FW4-policy-security-rule-gre2]source-address 10.1.2.0 24
[FW4-policy-security-rule-gre2]destination-address 10.1.1.0 24
[FW4-policy-security-rule-gre2]action permit
[FW4-policy-security]rule name gre3 //permit the encapsulated GRE packets themselves
[FW4-policy-security-rule-gre3]source-zone local untrust
[FW4-policy-security-rule-gre3]destination-zone local untrust
[FW4-policy-security-rule-gre3]service gre
[FW4-policy-security-rule-gre3]action permit
[FW5]security-policy
[FW5-policy-security]rule name gre1
[FW5-policy-security-rule-gre1]source-zone trust
[FW5-policy-security-rule-gre1]destination-zone dmz
[FW5-policy-security-rule-gre1]source-address 10.1.2.0 24
[FW5-policy-security-rule-gre1]destination-address 10.1.1.0 24
[FW5-policy-security-rule-gre1]action permit
[FW5-policy-security]rule name gre2
[FW5-policy-security-rule-gre2]source-zone dmz
[FW5-policy-security-rule-gre2]destination-zone trust
[FW5-policy-security-rule-gre2]source-address 10.1.1.0 24
[FW5-policy-security-rule-gre2]destination-address 10.1.2.0 24
[FW5-policy-security-rule-gre2]action permit
[FW5-policy-security]rule name gre3
[FW5-policy-security-rule-gre3]source-zone local untrust
[FW5-policy-security-rule-gre3]destination-zone local untrust
[FW5-policy-security-rule-gre3]service gre
[FW5-policy-security-rule-gre3]action permit
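Added example, not part of the original post: a small Python check that parses a config paste from both firewalls and verifies the three things this procedure depends on, namely that the tunnel source and destination mirror each other, that each side routes the remote LAN into Tunnel 1, and that a permit rule for service gre exists between local and untrust. The sample pastes are constructed here; FW5's deliberately omits rule gre3 so the check has something to report.

```python
import re

def parse(cfg):
    """Pull GRE-relevant facts from a Huawei USG config paste ([prompt] prefixes stripped)."""
    facts, rule = {"routes": {}, "gre_policy": False}, {}
    for raw in cfg.strip().splitlines():
        words = re.sub(r"^\[[^\]]*\]", "", raw).split()
        if not words: continue
        key, args = words[0], words[1:]
        if key in ("source", "destination"):          # tunnel endpoints
            facts[key] = args[0]
        elif key == "ip" and args[:1] == ["route-static"]:
            facts["routes"][f"{args[1]}/{args[2]}"] = " ".join(args[3:])
        elif key == "rule":                            # a new security rule starts
            rule = {}
        elif key in ("source-zone", "destination-zone"):
            rule[key] = set(args)
        elif key == "service":
            rule["gre"] = "gre" in args
        elif words == ["action", "permit"] and rule.get("gre") and \
                rule.get("source-zone") == rule.get("destination-zone") == {"local", "untrust"}:
            facts["gre_policy"] = True                 # rule like gre3 on this page
    return facts

def check_gre_pair(cfg_a, lan_a, cfg_b, lan_b):
    """Return a list of problems in a two-firewall GRE setup (empty means consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a.get("source") != b.get("destination") or a.get("destination") != b.get("source"):
        problems.append("tunnel source/destination do not mirror each other")
    for name, side, remote_lan in (("A", a, lan_b), ("B", b, lan_a)):
        if side["routes"].get(remote_lan) != "Tunnel 1":
            problems.append(f"{name}: no static route for {remote_lan} via Tunnel 1")
        if not side["gre_policy"]:
            problems.append(f"{name}: no permit rule for service gre between local and untrust")
    return problems

# Constructed samples: FW4 as on this page; FW5 lacks rule gre3 on purpose.
FW4 = """[FW4-Tunnel1]source 40.1.1.1
[FW4-Tunnel1]destination 40.1.1.2
[FW4]ip route-static 10.1.2.0 24 Tunnel 1
[FW4-policy-security]rule name gre3
[FW4-policy-security-rule-gre3]source-zone local untrust
[FW4-policy-security-rule-gre3]destination-zone local untrust
[FW4-policy-security-rule-gre3]service gre
[FW4-policy-security-rule-gre3]action permit"""
FW5 = """[FW5-Tunnel1]source 40.1.1.2
[FW5-Tunnel1]destination 40.1.1.1
[FW5]ip route-static 10.1.1.0 24 Tunnel 1"""
```

Without the gre3 rule the tunnel interface still comes up, but the firewall drops the encapsulated packets, which is exactly the failure the verification capture below would reveal.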
Verification
While PC1 pings server1, capture packets on FW4's G1/0/1 interface.
© Copyright belongs to the author: original work by 51CTO blog author Tony7483. Reprints must cite the source.