Huawei Firewall GRE *** Configuration

Configure IP addresses

[FW4-GigabitEthernet1/0/1]ip add 40.1.1.1 24

[FW4-GigabitEthernet1/0/0]ip add 10.1.1.1 24

[FW5-GigabitEthernet1/0/1]ip add 40.1.1.2 24

[FW5-GigabitEthernet1/0/0]ip add 10.1.2.2 24

Add the interfaces to their security zones

[FW4]firewall zone trust

[FW4-zone-trust]add interface GigabitEthernet 1/0/0

[FW4]firewall zone untrust

[FW4-zone-untrust]add interface GigabitEthernet 1/0/1

[FW4]firewall zone dmz

[FW4-zone-dmz]add interface Tunnel 1

[FW5]firewall zone trust

[FW5-zone-trust]add interface GigabitEthernet1/0/0 

[FW5]firewall zone untrust

[FW5-zone-untrust]add interface GigabitEthernet 1/0/1

[FW5]firewall zone dmz

[FW5-zone-dmz]add interface Tunnel 1

Permit the relevant management services on the interfaces

[FW4-GigabitEthernet1/0/1]service-manage ping permit

[FW4-GigabitEthernet1/0/0]service-manage ping permit

[FW5-GigabitEthernet1/0/1]service-manage ping permit

[FW5-GigabitEthernet1/0/0]service-manage ping permit

Configure the GRE tunnel interfaces

[FW4]int Tunnel 1

[FW4-Tunnel1]ip add 172.16.2.1 30

[FW4-Tunnel1]tunnel-protocol gre

[FW4-Tunnel1]source 40.1.1.1

[FW4-Tunnel1]destination 40.1.1.2

[FW5]interface Tunnel 1

[FW5-Tunnel1]ip add 172.16.2.2 30

[FW5-Tunnel1]tunnel-protocol gre

[FW5-Tunnel1]source 40.1.1.2

[FW5-Tunnel1]destination 40.1.1.1

Configure the routes to the peer network

[FW4]ip route-static 10.1.2.0 24 Tunnel 1

[FW5]ip route-static 10.1.1.0 24 Tunnel 1

Configure the security policies

[FW4]security-policy

[FW4-policy-security]rule name gre1  // allow the two subnets to reach each other

[FW4-policy-security-rule-gre1]source-zone trust

[FW4-policy-security-rule-gre1]destination-zone dmz

[FW4-policy-security-rule-gre1]source-address 10.1.1.0 24

[FW4-policy-security-rule-gre1]destination-address 10.1.2.0 24

[FW4-policy-security-rule-gre1]action permit

[FW4-policy-security]rule name gre2

[FW4-policy-security-rule-gre2]source-zone dmz

[FW4-policy-security-rule-gre2]destination-zone trust

[FW4-policy-security-rule-gre2]source-address 10.1.2.0 24

[FW4-policy-security-rule-gre2]destination-address 10.1.1.0 24

[FW4-policy-security-rule-gre2]action permit

[FW4-policy-security]rule name gre3  // permit the encapsulated GRE packets

[FW4-policy-security-rule-gre3]source-zone local untrust

[FW4-policy-security-rule-gre3]destination-zone local untrust

[FW4-policy-security-rule-gre3]service gre

[FW4-policy-security-rule-gre3]action permit

[FW5]security-policy

[FW5-policy-security]rule name gre1

[FW5-policy-security-rule-gre1]source-zone trust

[FW5-policy-security-rule-gre1]destination-zone dmz

[FW5-policy-security-rule-gre1]source-address 10.1.2.0 24

[FW5-policy-security-rule-gre1]destination-address 10.1.1.0 24

[FW5-policy-security-rule-gre1]action permit

[FW5-policy-security]rule name gre2

[FW5-policy-security-rule-gre2]source-zone dmz

[FW5-policy-security-rule-gre2]destination-zone trust

[FW5-policy-security-rule-gre2]source-address 10.1.1.0 24

[FW5-policy-security-rule-gre2]destination-address 10.1.2.0 24

[FW5-policy-security-rule-gre2]action permit

[FW5-policy-security]rule name gre3

[FW5-policy-security-rule-gre3]source-zone local untrust

[FW5-policy-security-rule-gre3]destination-zone local untrust

[FW5-policy-security-rule-gre3]service gre

[FW5-policy-security-rule-gre3]action permit
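As an added illustration (not part of the original post and not Huawei code), this Python model evaluates the PC1 to server1 ping against FW4's zones and rules above: the packet is matched once as plain ICMP from trust to dmz, then again after GRE encapsulation as a local-zone to untrust GRE flow, which is why rule gre3 is required. The interface aliases, the "local" zone name and the assumption that non-tunnel traffic exits via GE1/0/1 are mine.

```python
import ipaddress

# Constructed from the FW4 configuration above: interface -> security zone.
IFACE_ZONE = {"GE1/0/0": "trust", "GE1/0/1": "untrust", "Tunnel1": "dmz"}
TUNNEL_SRC, TUNNEL_DST = "40.1.1.1", "40.1.1.2"   # FW4 Tunnel1 source/destination

# FW4 security-policy rules in order: (name, src zones, dst zones, src net, dst net, service).
POLICY = [
    ("gre1", {"trust"}, {"dmz"}, "10.1.1.0/24", "10.1.2.0/24", "any"),
    ("gre2", {"dmz"}, {"trust"}, "10.1.2.0/24", "10.1.1.0/24", "any"),
    ("gre3", {"local", "untrust"}, {"local", "untrust"}, "0.0.0.0/0", "0.0.0.0/0", "gre"),
]

def match_policy(policy, src_zone, dst_zone, src_ip, dst_ip, service):
    """First-match lookup; anything unmatched falls to the implicit default deny."""
    for name, sz, dz, sn, dn, svc in policy:
        if (src_zone in sz and dst_zone in dz
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(sn)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(dn)
                and svc in ("any", service)):
            return name, "permit"
    return "default", "deny"

def egress_iface(dst_ip):
    """Static route from the page: 10.1.2.0/24 via Tunnel 1; all else via GE1/0/1 (assumed)."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network("10.1.2.0/24"):
        return "Tunnel1"
    return "GE1/0/1"

def evaluate_ping(policy, pc_ip, server_ip, in_iface="GE1/0/0"):
    """Return the two policy decisions FW4 makes for one PC1 -> server1 ICMP packet."""
    # Pass 1: the plain packet enters from trust and is routed into the tunnel (dmz).
    inner = match_policy(policy, IFACE_ZONE[in_iface], IFACE_ZONE[egress_iface(server_ip)],
                         pc_ip, server_ip, "icmp")
    if inner[1] == "deny":
        return {"inner": inner, "outer": None}
    # Pass 2: after GRE encapsulation the packet is sourced by the firewall itself
    # (zone local, IP 40.1.1.1), leaves via GE1/0/1 (untrust) as IP protocol 47 (GRE).
    outer = match_policy(policy, "local", IFACE_ZONE[egress_iface(TUNNEL_DST)],
                         TUNNEL_SRC, TUNNEL_DST, "gre")
    return {"inner": inner, "outer": outer}

if __name__ == "__main__":
    print(evaluate_ping(POLICY, "10.1.1.10", "10.1.2.10"))
    # Without gre3 the inner packet is permitted but the encapsulated one is dropped.
    print(evaluate_ping(POLICY[:2], "10.1.1.10", "10.1.2.10"))
```

The second call shows the failure mode practitioners most often hit with GRE on these firewalls: only the inner trust-to-dmz rule exists, and the encapsulated packet is silently dropped by the default deny.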

Verification

Packet capture on FW4's G1/0/1 interface while PC1 pings server1