
Huawei firewalls: enterprise dual-exit firewall load-sharing configuration case

2022-08-30 10:58


Project requirements
        The company intranet has two subnets. FW1 and FW2 are the enterprise's dual-exit firewalls, OSPF runs between the intranet and the firewalls, and the exit firewalls share the load: VLAN 10 exits through AR1 and VLAN 20 through AR2.
The topology is shown below.

 
Equipment involved
Firewalls: USG6000 series
Routers: AR2200 series
Switch: S5700 series

 
SW3 configuration:
1. Create the VLANs
vlan batch 10 13 20 23
 
2. Configure the access ports
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 stp edged-port enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
 stp edged-port enable
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 13
 stp edged-port enable
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 23
 stp edged-port enable
 
 
3. Configure IP addresses and DHCP
dhcp enable
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 192.168.10.200 192.168.10.254
 dhcp server dns-list 114.114.114.114
#
interface Vlanif13
 ip address 13.0.0.3 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 192.168.20.200 192.168.20.254
 dhcp server dns-list 114.114.114.114
#
interface Vlanif23
 ip address 23.0.0.3 255.255.255.0
 
4. Configure OSPF
ospf 10 router-id 3.3.3.3
 area 0.0.0.0
  network 192.168.10.1 0.0.0.0
  network 13.0.0.3 0.0.0.0
  network 192.168.20.1 0.0.0.0
  network 23.0.0.3 0.0.0.0
  network 3.3.3.3 0.0.0.0
 
FW1 configuration
 
1. Configure the interface IP addresses (Eth-Trunk12 is the HRP heartbeat link to FW2)
interface Eth-Trunk12
 ip address 10.1.12.1 255.255.255.0
 trunkport gigabitethernet 1/0/5 1/0/6
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.11.1 255.255.255.0
 gateway 100.1.11.254
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.12.1 255.255.255.0
 gateway 100.1.12.254
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 13.0.0.1 255.255.255.0
 service-manage ping permit
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 
2. Add the interfaces to security zones
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk12
 
3. Enable IP-Link and configure one ICMP probe per ISP link
ip-link check enable
ip-link name isp1
 destination 3.3.3.3 interface GigabitEthernet1/0/0 mode icmp next-hop 100.1.11.254
ip-link name isp2
 destination 3.3.3.3 interface GigabitEthernet1/0/1 mode icmp next-hop 100.1.12.254
 
4. Configure a default route pointing to AR1 and bind it to IP-Link isp1; when that link fails the default route is withdrawn and traffic switches to the other link
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.11.254 track ip-link isp1
 
5. Configure the security policy (the inside rule permits only ICMP and OSPF between trust, dmz and local)
security-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name inside
  source-zone dmz
  source-zone local
  source-zone trust
  destination-zone dmz
  destination-zone local
  destination-zone trust
  service icmp
  service ospf
  action permit
#
 
6. Configure OSPF and advertise the default route into the intranet
ospf 10 router-id 1.1.1.1
 default-route-advertise
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 13.0.0.1 0.0.0.0
 
7. Configure the NAT policy (Easy-IP source NAT on the egress interface)
nat-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#
8. Configure PBR to redirect VLAN 20 to AR2 for load sharing and bind it to IP-Link isp2; when that link fails the redirect is withdrawn and traffic switches to the other link. The address set vlan20 referenced below must be defined beforehand to cover the VLAN 20 subnet 192.168.20.0/24.
policy-based-route
 rule name toisp2 1
  source-zone trust
  source-address address-set vlan20
  track ip-link isp2
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 100.1.12.254
#
 
9. Configure VRRP on the exit interfaces with virtual addresses 100.1.11.3 and 100.1.12.3 (FW1 is active for VRID 1 and standby for VRID 2; FW2 mirrors this)
interface GigabitEthernet1/0/0
 vrrp vrid 1 virtual-ip 100.1.11.3 active
#
interface GigabitEthernet1/0/1
 vrrp vrid 2 virtual-ip 100.1.12.3 standby
 
10. Enable HRP over the Eth-Trunk12 heartbeat link so that the session tables of the two firewalls stay synchronized
hrp enable
hrp interface Eth-Trunk12 remote 10.1.12.2
hrp mirror session enable
 
 
FW2 configuration
 
1. Configure the interface IP addresses
interface Eth-Trunk12
 ip address 10.1.12.2 255.255.255.0
 trunkport gigabitethernet 1/0/5 1/0/6
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.11.2 255.255.255.0
 gateway 100.1.11.254
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.12.2 255.255.255.0
 gateway 100.1.12.254
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 23.0.0.2 255.255.255.0
 service-manage ping permit
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
 
2. Add the interfaces to security zones
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk12
 
3. Enable IP-Link and configure one ICMP probe per ISP link
ip-link check enable
ip-link name isp1
 destination 3.3.3.3 interface GigabitEthernet1/0/0 mode icmp next-hop 100.1.11.254
ip-link name isp2
 destination 3.3.3.3 interface GigabitEthernet1/0/1 mode icmp next-hop 100.1.12.254
 
4. Configure a default route pointing to AR1 and bind it to IP-Link isp1; when that link fails the default route is withdrawn and traffic switches to the other link
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.11.254 track ip-link isp1
 
5. Configure the security policy
security-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name inside
  source-zone dmz
  source-zone local
  source-zone trust
  destination-zone dmz
  destination-zone local
  destination-zone trust
  service icmp
  service ospf
  action permit
#
 
6. Configure OSPF and advertise the default route into the intranet
ospf 10 router-id 2.2.2.2
 default-route-advertise
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 23.0.0.2 0.0.0.0
 
7. Configure the NAT policy
nat-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#
8. Configure PBR to redirect VLAN 20 to AR2 for load sharing and bind it to IP-Link isp2; when that link fails the redirect is withdrawn and traffic switches to the other link (the address set vlan20 must be defined on FW2 as well)
policy-based-route
 rule name toisp2 1
  source-zone trust
  source-address address-set vlan20
  track ip-link isp2
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 100.1.12.254
#
 
9. Configure VRRP on the exit interfaces with virtual addresses 100.1.11.3 and 100.1.12.3, with the active/standby roles reversed relative to FW1
interface GigabitEthernet1/0/0
 vrrp vrid 1 virtual-ip 100.1.11.3 standby
#
interface GigabitEthernet1/0/1
 vrrp vrid 2 virtual-ip 100.1.12.3 active
 
10. Enable HRP so that the session tables of the two firewalls stay synchronized
hrp enable
hrp interface Eth-Trunk12 remote 10.1.12.1
hrp mirror session enable
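The FW1/FW2 pair above only fails over correctly when the two configurations mirror each other: each firewall's `hrp ... remote` must be the peer's Eth-Trunk12 address, every `track ip-link` must name a defined IP-Link, and each VRRP VRID must be active on one member and standby on the other with the same virtual IP. The following Python script is an added example, not code from the original post or from Huawei; it parses constructed, abbreviated extracts of the two configs (FW2 deliberately carries two slips) and reports the mismatches.

```python
import re
# Constructed, abbreviated extracts of the FW1/FW2 configs above; FW2 carries two deliberate slips.
FW1 = """\
interface Eth-Trunk12
 ip address 10.1.12.1 255.255.255.0
ip-link name isp1
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.11.254 track ip-link isp1
 vrrp vrid 1 virtual-ip 100.1.11.3 active
hrp interface Eth-Trunk12 remote 10.1.12.2
"""
FW2 = """\
interface Eth-Trunk12
 ip address 10.1.12.2 255.255.255.0
ip-link name isp1
 track ip-link isp2
 vrrp vrid 1 virtual-ip 100.1.11.3 standby
hrp interface Eth-Trunk12 remote 10.1.12.2
"""
def parse(cfg):  # collect the HA-relevant facts from a Huawei-style config dump
    f = {"if_ip": {}, "iplinks": set(), "tracks": set(), "vrrp": {}, "hrp": (None, None)}
    cur = None  # interface block we are inside; an unindented line closes it
    for line in cfg.splitlines():
        s = line.strip()
        cur = cur if line.startswith(" ") else None
        if m := re.match(r"interface (\S+)", s):
            cur = m.group(1)
        elif (m := re.match(r"ip address (\S+) ", s)) and cur:
            f["if_ip"][cur] = m.group(1)
        elif m := re.match(r"ip-link name (\S+)", s):
            f["iplinks"].add(m.group(1))
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", s):
            f["vrrp"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"hrp interface (\S+) remote (\S+)", s):
            f["hrp"] = (m.group(1), m.group(2))
        if m := re.search(r"track ip-link (\S+)", s):
            f["tracks"].add(m.group(1))
    return f

def check_pair(a, b):  # return the mismatches between the two members of an HRP pair
    out = []
    for me, peer, n in ((a, b, "FW1"), (b, a, "FW2")):
        hb_if, remote = me["hrp"]
        if remote != peer["if_ip"].get(hb_if):  # heartbeat must target the peer's own address
            out.append(f"{n}: hrp remote {remote} != peer {hb_if} {peer['if_ip'].get(hb_if)}")
        out += [f"{n}: track ip-link {t} undefined" for t in sorted(me["tracks"] - me["iplinks"])]
    for vrid, (ip_a, role_a) in a["vrrp"].items():  # one active, one standby, same virtual IP
        ip_b, role_b = b["vrrp"].get(vrid, (None, None))
        if ip_a != ip_b or {role_a, role_b} != {"active", "standby"}:
            out.append(f"vrid {vrid}: not mirrored ({ip_a}/{role_a} vs {ip_b}/{role_b})")
    return out
```

Running `check_pair(parse(FW1), parse(FW2))` flags FW2's heartbeat pointing at its own address and its tracking of an undefined IP-Link; pasting the real `display current-configuration` output of both units in place of the extracts gives the same check for a live pair.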
 
Deploying L2TP & IPsec on the dual firewalls
 
Configuration:
FW1
Interfaces and zones are not described again in detail here.
 
1. Configure the heartbeat and session-table synchronization
hrp interface Eth-Trunk12 remote 10.1.12.2
hrp mirror session enable
hrp enable
2. Configure the security policy
Permit the tunnel traffic:
 rule name untrust_local
  source-zone untrust
  destination-zone local
  destination-address 10.1.1.3 mask 255.255.255.255
  action permit
 rule name VPN
  source-zone untrust
  destination-zone trust
  destination-address address-set neiwang
  action permit
 
3. Configure the VPN login users
Created through the web GUI
 
4. Configure L2TP & IPsec
 
Define the traffic to be encrypted (L2TP, UDP source port 1701)
acl number 3000
 rule 5 permit udp source-port eq 1701
 
Configure the IPsec proposal
ipsec proposal prop25815354029
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
 
Configure the IKE proposal
ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
 
Configure the IKE peer
ike peer ike258153540293
 exchange-mode auto
 pre-shared-key %^%#vHz}X2hmkWAE[x.+(R9OUK8fG-~)):#E$<0jc!r9%^%#
 ike-proposal 1
 remote-id-type none
 dpd type periodic
 ike negotiate compatible
 
Configure the IPsec policy template
ipsec policy-template tpl258153540293 1
 security acl 3000
 ike-peer ike258153540293
 proposal prop25815354029
 tunnel local 10.1.1.3
 alias zon
 sa duration traffic-based 10485760
 sa duration time-based 3600
 scenario point-to-multi-point l2tp-user-access
 
 
Reference the IPsec policy template from an IPsec policy
ipsec policy ipsec2581535397 10000 isakmp template tpl258153540293
 
Configure the address pool for VPN clients
ip pool server
 section 0 172.16.10.10 172.16.10.100
 excluded-ip-address 172.16.10.10
 dns-list 114.114.114.114
 
Configure L2TP (LNS group and virtual template)
l2tp-group default-lns
 allow l2tp virtual-template 0
#
interface Virtual-Template0
 ppp authentication-mode chap pap
 remote service-scheme l2tpScheme_1661412940479
 ip address 172.16.10.10 255.255.255.255
 alias L2TP_LNS_0
 undo service-manage enable
 
5. Apply the IPsec policy to the exit interface
interface GigabitEthernet1/0/0
 ipsec policy ipsec2581535397
 
FW2
1. Configure the heartbeat and session-table synchronization
hrp interface Eth-Trunk12 remote 10.1.12.1
hrp mirror session enable
hrp enable
2. Once the heartbeat is up, the security policy and the L2TP & IPsec configuration are synchronized to FW2 automatically
 
Not described further here.