1.防火墙IPSEC-NAT配置
1)防火墙区域配置
#FW1 configuration
#Zone membership: GE1/0/1 faces the LAN (trust), GE1/0/0 faces the ISP (untrust).
#Every security-policy and nat-policy rule below is expressed in terms of these zones.
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
#NOTE(review): 5 is the default priority of the built-in untrust zone, so this line is
#presumably a no-op; FW2 below omits it. Confirm on the platform in use.
set priority 5
add interface GigabitEthernet1/0/0
#FW2 configuration
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
2)配置内网-外网路由
#FW1
#Default route towards the ISP next hop; the LAN prefix 172.16.1.0/24 sits behind R4.
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
ip route-static 172.16.1.0 24 172.16.14.4
#FW2
#Same pattern on the other site: default to the ISP, LAN prefix behind R5.
ip route-static 0.0.0.0 0.0.0.0 33.1.1.1
ip route-static 172.17.1.0 24 172.17.35.5
#R4
#The LAN routers only need a default route pointing at their firewall's inside address.
ip route-static 0.0.0.0 0.0.0.0 172.16.14.1
#R5
ip route-static 0.0.0.0 0.0.0.0 172.17.35.3
3)配置安全策略
#FW1
#Security policy for IKE negotiation traffic
#These two rules let the firewall itself (local zone) exchange IKE with the peer's public
#address and vice versa. They match on zone and address only: no service is specified, so
#every protocol between 12.1.1.12 and 33.1.1.33 is permitted in both directions. Limiting
#them to IKE (UDP 500, plus UDP 4500 if NAT traversal is ever used) keeps the firewall's
#own exposed surface to what the tunnel actually needs.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
source-address 12.1.1.12 32
destination-address 33.1.1.33 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 33.1.1.33 32
destination-address 12.1.1.12 32
action permit
#Security policy for IPsec-protected traffic
#Plaintext LAN-to-LAN flows (172.16/16 <-> 172.17/16). The prefixes match the ACL 3001
#selector defined later, so these flows are the ones that get encrypted.
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.17.0.0 16
destination-address 172.16.0.0 16
action permit
#FW2
#Security policy for IKE negotiation traffic
#Mirror image of the FW1 rules (addresses swapped); the same note about adding a service
#restriction applies here.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
source-address 33.1.1.33 32
destination-address 12.1.1.12 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
destination-address 33.1.1.33 32
action permit
#Security policy for IPsec-protected traffic
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.17.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
action permit
4)配置感兴趣流
#FW1
#Interesting traffic (the IPsec selector). ACL wildcard masks: 0.0.255.255 = /16.
#FW2's rule must be the exact mirror of FW1's (source and destination swapped);
#asymmetric selectors make phase-2 negotiation fail.
acl number 3001
rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
#FW2
acl number 3001
rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
5)配置IKE proposal
#FW1
#Phase-1 (IKE SA) proposal: AES-256, DH group 14 (2048-bit MODP), SHA2-256, PSK
#authentication. Both peers must offer identical parameters.
#NOTE(review): integrity-algorithm and prf look like the IKEv2 counterparts of
#authentication-algorithm; with IKEv2 disabled in the peer below they are presumably
#unused — confirm.
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW2
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
6)配置IKE Peer
#FW1
#The peer name "fw3" is only a label: 33.1.1.33 is FW2's public address (it is the
#address FW2 uses in its own IKE policy and route sections).
ike peer fw3
#Disable IKEv2 (IKEv1 only)
undo version 2
#IKEv1 main mode: peer identities are protected during the exchange, and the PSK is
#looked up by the peer's address, hence the fixed remote-address below.
exchange-mode main
#Pre-shared key (sample value in this write-up). Both ends must hold the same key; in a
#real deployment use a long random secret that is distinct per peer, so that one leaked
#key cannot be used to impersonate other sites.
pre-shared-key Admin@1234
ike-proposal 5
remote-address 33.1.1.33
#FW2
ike peer fw1
#Disable IKEv2 (IKEv1 only)
undo version 2
exchange-mode main
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
7)配置IPSEC proposal
#FW1
#Phase-2 proposal: AH (integrity, SHA2-256) plus ESP (AES-256 with SHA2-256).
#AH authenticates the outer IP header, so an ah-esp transform cannot traverse NAT. That
#is acceptable here because both peers terminate the tunnel on their public addresses;
#if either side is ever placed behind NAT, ESP alone is required. Encapsulation mode is
#not set, so the platform default (presumably tunnel mode) applies — confirm.
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW2
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
8)配置IPSEC 策略
#FW1
#IKE-negotiated (isakmp) IPsec policy, sequence 10: ties the selector ACL, the IKE peer
#and the transform set together. FW2 uses the same name and sequence for symmetry.
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw3
proposal pps01
#FW2
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
9)接口调用IPSEC 策略
#FW1
#Bind the policy to the Internet-facing (untrust) interface; the tunnel is sourced from
#that interface's address.
interface GigabitEthernet1/0/0
ipsec policy pl01
#FW2
interface GigabitEthernet1/0/0
ipsec policy pl01
10)配置前往internet安全策略
#Permit LAN-to-Internet traffic (trust -> untrust). The source 172.16.0.0/16 is FW1's
#LAN, so this rule belongs on FW1; FW2 needs the same rule with 172.17.0.0/16. It is
#broader than the IPsec rules above; the nat-policy decides which of these flows are
#translated and which are exempted for the tunnel.
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
action permit
11)配置NAT策略
#NAT policy (FW1, judging by the 172.16.0.0/16 source). Rule order matters: if the
#easy-ip rule matched first, traffic for 172.17.0.0/16 would be source-NATed to the
#outbound interface address, would no longer match ACL 3001, and would be sent towards
#the Internet as ordinary NATed traffic instead of through the tunnel.
nat-policy
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
action source-nat easy-ip
#Exempt the IPsec-protected flow from translation.
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
destination-address 172.17.0.0 mask 255.255.0.0
action no-nat
#Move the no-NAT rule ahead of the source-NAT rule: rules are evaluated top-down and the
#exemption was defined second.
rule move ipsec_flow_no_nat before access_2_internet
2.防火墙IPSEC无固定IP场景
1)安全区域配置
#Zone membership for the additional branch firewall (not labelled here; presumably FW3,
#the device configured in the routing step below): GE1/0/1 trust, GE1/0/0 untrust.
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
2)配置路由
#R6
#Branch LAN router defaults to FW3's inside address.
ip route-static 0.0.0.0 0.0.0.0 172.18.36.3
#FW3
#LAN prefix behind R6; default route towards the ISP.
ip route-static 172.18.1.0 24 172.18.36.6
ip route-static 0.0.0.0 0.0.0.0 103.1.1.1
3)配置模板ipsec
(1)FW1(固定IP)
#Security policy for IKE negotiation traffic
#Hub side. Because the branches have no fixed public address, neither rule can pin the
#branch address: ike_l_2_u only fixes the source, ike_u_2_l only the destination.
#As written, ike_u_2_l therefore permits ANY untrust host to send ANY protocol to the
#firewall's own address 12.1.1.12. Since the source cannot be restricted, the service
#should be: limiting the rule to IKE (UDP 500, plus UDP 4500 for NAT traversal) is the
#remaining control on the hub's exposed surface.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
source-address 12.1.1.12 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
destination-address 12.1.1.12 32
action permit
#Security policy for IPsec-protected traffic
#Several address lines in one rule accumulate, so one rule covers both branch prefixes
#(172.17/16 and 172.18/16).
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
destination-address 172.18.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.17.0.0 16
source-address 172.18.0.0 16
destination-address 172.16.0.0 16
action permit
#Security policy for Internet access from the LAN
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
action permit
#NAT policy
#The no-NAT exemption must list every branch prefix; a prefix missing here would be
#source-NATed and would then no longer match ACL 3001.
nat-policy
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
action source-nat easy-ip
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
destination-address 172.17.0.0 mask 255.255.0.0
destination-address 172.18.0.0 mask 255.255.0.0
action no-nat
#Move the no-NAT rule ahead of the source-NAT rule (rules are evaluated top-down).
rule move ipsec_flow_no_nat before access_2_internet
#FW1: interesting traffic — one ACL rule per branch prefix.
acl number 3001
rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
rule 20 permit ip source 172.16.0.0 0.0.255.255 destination 172.18.0.0 0.0.255.255
#FW1: IKE proposal (must match what every branch offers)
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW1: IKE peer
#No remote-address: this peer answers initiators from any address, which is what the
#dynamic-IP branches need. One consequence is that a single PSK is shared by all
#branches, so anyone holding this key can bring up a tunnel to the hub and, since ACL
#3001 covers every branch prefix, presumably negotiate for any branch's subnet.
#Per-branch keys or certificate authentication would scope that — verify what the
#platform supports for template peers.
#NOTE(review): IKEv1 main mode with PSK normally selects the key by peer address; with
#no remote-address the one configured key is used for every initiator, which is why a
#shared key works here — confirm against platform documentation.
ike peer branch
#Disable IKEv2 (IKEv1 only)
undo version 2
exchange-mode main
#Pre-shared key (sample value); see the note above about sharing it across branches.
pre-shared-key Admin@1234
ike-proposal 5
#FW1: IPsec proposal
#ah-esp cannot traverse NAT (AH covers the outer header); branches must therefore reach
#the hub with their own public address, not from behind a NAT device.
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW1: IPsec policy template
#A template is used because the remote endpoint is unknown; the hub only responds to
#branch-initiated negotiations — it does not initiate.
ipsec policy-template branch_tem 10
security acl 3001
ike-peer branch
proposal pps01
#Instantiate a policy entry (pl02, sequence 5) from the template
ipsec policy pl02 5 isakmp template branch_tem
#FW1: apply the IPsec policy on the Internet-facing interface
interface GigabitEthernet1/0/0
ipsec policy pl02
(2)FW2(不固定IP)
#FW2: security policy for IKE negotiation traffic
#Branch side: the branch's own public address is not fixed, so ike_l_2_u pins only the
#hub as destination and ike_u_2_l pins only the hub as source. Neither rule names a
#service; adding an IKE (UDP 500/4500) restriction would limit what the hub address may
#send to this firewall.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
destination-address 12.1.1.12 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
action permit
#Security policy for IPsec-protected traffic (172.17/16 <-> 172.16/16)
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.17.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
action permit
#Security policy for Internet access from the LAN
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
action permit
#NAT policy
#Here the no-NAT exemption is defined before the easy-ip rule, so the rule move below is
#already satisfied; it is harmless and keeps the ordering explicit.
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
action source-nat easy-ip
#Keep the no-NAT rule ahead of the source-NAT rule
rule move ipsec_flow_no_nat before access_2_internet
#FW2: interesting traffic (mirror of the hub's rule 10)
acl number 3001
rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#FW2: IKE proposal (identical to the hub's)
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW2: IKE peer
#The branch knows the hub's fixed address, so it is the side that initiates.
ike peer fw1
#Disable IKEv2 (IKEv1 only)
undo version 2
exchange-mode main
#Pre-shared key (sample value); must equal the key configured on the hub's template peer.
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
#FW2: IPsec proposal (ah-esp — requires a public address on this side, no NAT in path)
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW2: IPsec policy (a normal isakmp policy, since the remote end is known)
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
#FW2: apply the IPsec policy on the Internet-facing interface
interface GigabitEthernet1/0/0
ipsec policy pl01
(3)FW3(不固定IP)
#FW3: security policy for IKE negotiation traffic
#Same shape as the FW2 branch: only the hub address (12.1.1.12) is pinned, because the
#branch's own public address is not fixed. No service is named; restricting to IKE
#(UDP 500/4500) would narrow what the hub address may send to this firewall.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
destination-address 12.1.1.12 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
action permit
#Security policy for IPsec-protected traffic (172.18/16 <-> 172.16/16)
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.18.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.18.0.0 16
action permit
#Security policy for Internet access from the LAN
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.18.0.0 mask 255.255.0.0
action permit
#NAT policy (no-NAT exemption first, then easy-ip for everything else)
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.18.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.18.0.0 mask 255.255.0.0
action source-nat easy-ip
#Keep the no-NAT rule ahead of the source-NAT rule (already the case here; harmless)
rule move ipsec_flow_no_nat before access_2_internet
#FW3: interesting traffic (mirror of the hub's rule 20)
acl number 3001
rule 10 permit ip source 172.18.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#FW3: IKE proposal (identical to the hub's)
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW3: IKE peer — the branch initiates towards the hub's fixed address
ike peer fw1
#Disable IKEv2 (IKEv1 only)
undo version 2
exchange-mode main
#Pre-shared key (sample value); the same key is used by every branch in this design
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
#FW3: IPsec proposal (ah-esp — this side must not sit behind NAT)
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW3: IPsec policy
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
#FW3: apply the IPsec policy on the Internet-facing interface
interface GigabitEthernet1/0/0
ipsec policy pl01
3.分支使用防火墙拨号
1)FW4配置安全区域
#FW4 zone membership: GE1/0/1 trust (LAN), GE1/0/0 untrust. Note that the PPPoE
#Dialer interface created later is added to untrust separately.
firewall zone trust
add interface GigabitEthernet1/0/1
firewall zone untrust
add interface GigabitEthernet1/0/0
2)配置路由
#R7
#Branch LAN router defaults to FW4's inside address.
ip route-static 0.0.0.0 0.0.0.0 172.19.47.4
#FW4
#Only the LAN prefix is routed here; FW4's default route is added later, once the
#dialer interface exists (it points at Dialer 1).
ip route-static 172.19.1.0 24 172.19.47.7
3)R2拨号配置,创建拨号服务器
#R2: address pool handed out to PPPoE clients
ip pool hz
network 104.1.1.0 mask 255.255.255.0
#R2: PPPoE user account (sample credential). CHAP needs the server to recover the
#password, so "cipher" here is presumably reversible storage rather than a hash —
#confirm on the platform; the user is limited to the ppp service type.
aaa
local-user abc123 password cipher Admin@1234
local-user abc123 service-type ppp
#R2: virtual template — CHAP authentication, client addresses from pool hz, server side
#of the link at 104.1.1.1
interface Virtual-Template1
ppp authentication-mode chap
remote address pool hz
ip address 104.1.1.1 255.255.255.0
#R2: bind the template to the physical port that faces FW4
interface GigabitEthernet2/0/0
pppoe-server bind Virtual-Template 1
4)FW4拨号配置
#Create the dialer interface
#Dialer1 carries the PPPoE session. The CHAP user/password must match the local-user on
#R2, the address is negotiated from R2's pool, and dialer-group 1 refers to dialer-rule 1.
interface Dialer1
link-protocol ppp
ppp chap user abc123
ppp chap password cipher Admin@1234
ip address ppp-negotiate
dialer user abc123
dialer bundle 1
dialer-group 1
#PPPoE dialer rule: any IP traffic may bring up / keep the session
dialer-rule 1 ip permit
#Attach the dialer bundle to the physical Internet-facing port
interface GigabitEthernet1/0/0
pppoe-client dial-bundle-number 1
#Check the interface state (sample output follows: Dialer1 obtained a public address)
display ip interface brief
Interface IP Address/Mask Physical Protocol
Dialer1 104.1.1.254/32 up up(s)
#Add the dialer interface to the untrust zone. Traffic now enters and leaves through
#Dialer1, so zone membership (and later the IPsec policy) has to be on Dialer1, not just
#on GigabitEthernet1/0/0.
firewall zone untrust
add interface Dialer 1
4.防火墙拨号网络进行IPSEC连接
1)FW1配置(固定IP)
#Security policy for IKE negotiation traffic
#Hub side with three dynamic-address branches. Neither rule can pin the branch address,
#so ike_u_2_l as written permits ANY untrust host to send ANY protocol to the
#firewall's own address 12.1.1.12. Since the source cannot be restricted, the service
#should be: limiting the rule to IKE (UDP 500, plus UDP 4500 for NAT traversal) is the
#remaining control on the hub's exposed surface.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
source-address 12.1.1.12 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
destination-address 12.1.1.12 32
action permit
#Security policy for IPsec-protected traffic
#Address lines in one rule accumulate; the third prefix (172.19/16) is the new dial-up
#branch FW4.
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
destination-address 172.18.0.0 16
destination-address 172.19.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.17.0.0 16
source-address 172.18.0.0 16
source-address 172.19.0.0 16
destination-address 172.16.0.0 16
action permit
#Security policy for Internet access from the LAN
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
action permit
#NAT policy
#The no-NAT exemption must list every branch prefix, including 172.19/16; a prefix
#missing here would be source-NATed and would then no longer match ACL 3001.
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
destination-address 172.17.0.0 mask 255.255.0.0
destination-address 172.18.0.0 mask 255.255.0.0
destination-address 172.19.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.16.0.0 mask 255.255.0.0
action source-nat easy-ip
#Keep the no-NAT rule ahead of the source-NAT rule (already the case here; harmless)
rule move ipsec_flow_no_nat before access_2_internet
#Interesting traffic — one ACL rule per branch prefix
acl number 3001
rule 10 permit ip source 172.16.0.0 0.0.255.255 destination 172.17.0.0 0.0.255.255
rule 20 permit ip source 172.16.0.0 0.0.255.255 destination 172.18.0.0 0.0.255.255
rule 30 permit ip source 172.16.0.0 0.0.255.255 destination 172.19.0.0 0.0.255.255
#FW1: IKE proposal (must match what every branch offers)
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW1: IKE peer
#No remote-address: this peer answers initiators from any address. All branches share
#this one PSK, so anyone holding it can bring up a tunnel to the hub and, since ACL 3001
#covers every branch prefix, presumably negotiate for any branch's subnet; per-branch
#keys or certificate authentication would scope that — verify platform support.
#NOTE(review): IKEv1 main mode with PSK normally selects the key by peer address; with
#no remote-address the single configured key is used for every initiator — confirm.
ike peer branch
#Disable IKEv2 (IKEv1 only)
undo version 2
exchange-mode main
#Pre-shared key (sample value); see the note above about sharing it across branches.
pre-shared-key Admin@1234
ike-proposal 5
#FW1: IPsec proposal
#ah-esp cannot traverse NAT (AH covers the outer header); each branch, including the
#PPPoE one, must reach the hub from its own public address.
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW1: IPsec policy template (responder role — the hub does not initiate to branches)
ipsec policy-template branch_tem 10
security acl 3001
ike-peer branch
proposal pps01
#Instantiate a policy entry (pl02, sequence 5) from the template
ipsec policy pl02 5 isakmp template branch_tem
#FW1: apply the IPsec policy on the Internet-facing interface
interface GigabitEthernet1/0/0
ipsec policy pl02
2)FW2(不固定IP)
#FW2: security policy for IKE negotiation traffic
#Branch side: only the hub address (12.1.1.12) is pinned because the branch's own
#public address is not fixed. No service is named; an IKE (UDP 500/4500) restriction
#would narrow what the hub address may send to this firewall.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
destination-address 12.1.1.12 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
action permit
#Security policy for IPsec-protected traffic (172.17/16 <-> 172.16/16)
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.17.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.17.0.0 16
action permit
#Security policy for Internet access from the LAN
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
action permit
#NAT policy (no-NAT exemption first, then easy-ip for everything else)
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.17.0.0 mask 255.255.0.0
action source-nat easy-ip
#Keep the no-NAT rule ahead of the source-NAT rule (already the case here; harmless)
rule move ipsec_flow_no_nat before access_2_internet
#FW2: interesting traffic (mirror of the hub's rule 10)
acl number 3001
rule 10 permit ip source 172.17.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#FW2: IKE proposal (identical to the hub's)
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW2: IKE peer — the branch initiates towards the hub's fixed address
ike peer fw1
#Disable IKEv2 (IKEv1 only)
undo version 2
exchange-mode main
#Pre-shared key (sample value); must equal the key on the hub's template peer
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
#FW2: IPsec proposal (ah-esp — this side must not sit behind NAT)
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW2: IPsec policy
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
#FW2: apply the IPsec policy on the Internet-facing interface
interface GigabitEthernet1/0/0
ipsec policy pl01
3)FW3(不固定IP)
#FW3: security policy for IKE negotiation traffic
#Branch side: only the hub address (12.1.1.12) is pinned because the branch's own
#public address is not fixed. No service is named; an IKE (UDP 500/4500) restriction
#would narrow what the hub address may send to this firewall.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
destination-address 12.1.1.12 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
action permit
#Security policy for IPsec-protected traffic (172.18/16 <-> 172.16/16)
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.18.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.18.0.0 16
action permit
#Security policy for Internet access from the LAN
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.18.0.0 mask 255.255.0.0
action permit
#NAT policy (no-NAT exemption first, then easy-ip for everything else)
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.18.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.18.0.0 mask 255.255.0.0
action source-nat easy-ip
#Keep the no-NAT rule ahead of the source-NAT rule (already the case here; harmless)
rule move ipsec_flow_no_nat before access_2_internet
#FW3: interesting traffic (mirror of the hub's rule 20)
acl number 3001
rule 10 permit ip source 172.18.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#FW3: IKE proposal (identical to the hub's)
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW3: IKE peer — the branch initiates towards the hub's fixed address
ike peer fw1
#Disable IKEv2 (IKEv1 only)
undo version 2
exchange-mode main
#Pre-shared key (sample value); the same key is used by every branch in this design
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
#FW3: IPsec proposal (ah-esp — this side must not sit behind NAT)
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW3: IPsec policy
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
#FW3: apply the IPsec policy on the Internet-facing interface
interface GigabitEthernet1/0/0
ipsec policy pl01
4)FW4配置(拨号)
#FW4: security policy for IKE negotiation traffic
#Dial-up branch: its public address is assigned by PPPoE, so only the hub address
#(12.1.1.12) is pinned. No service is named; an IKE (UDP 500/4500) restriction would
#narrow what the hub address may send to this firewall.
security-policy
rule name ike_l_2_u
source-zone local
destination-zone untrust
destination-address 12.1.1.12 32
action permit
rule name ike_u_2_l
source-zone untrust
destination-zone local
source-address 12.1.1.12 32
action permit
#Security policy for IPsec-protected traffic (172.19/16 <-> 172.16/16)
security-policy
rule name ipsec_t_2_un
source-zone trust
destination-zone untrust
source-address 172.19.0.0 16
destination-address 172.16.0.0 16
action permit
rule name ipsec_un_2_t
source-zone untrust
destination-zone trust
source-address 172.16.0.0 16
destination-address 172.19.0.0 16
action permit
#Security policy for Internet access from the LAN
security-policy
rule name t_2_internet
source-zone trust
destination-zone untrust
source-address 172.19.0.0 mask 255.255.0.0
action permit
#NAT policy (no-NAT exemption first, then easy-ip — which translates to the negotiated
#Dialer1 address for ordinary Internet traffic)
nat-policy
rule name ipsec_flow_no_nat
source-zone trust
destination-zone untrust
source-address 172.19.0.0 mask 255.255.0.0
destination-address 172.16.0.0 mask 255.255.0.0
action no-nat
rule name access_2_internet
source-zone trust
destination-zone untrust
source-address 172.19.0.0 mask 255.255.0.0
action source-nat easy-ip
#Keep the no-NAT rule ahead of the source-NAT rule (already the case here; harmless)
rule move ipsec_flow_no_nat before access_2_internet
#FW4: interesting traffic (mirror of the hub's rule 30)
acl number 3001
rule 10 permit ip source 172.19.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
#FW4: IKE proposal (identical to the hub's)
ike proposal 5
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#FW4: IKE peer — the branch initiates towards the hub's fixed address
ike peer fw1
#Disable IKEv2 (IKEv1 only)
undo version 2
exchange-mode main
#Pre-shared key (sample value); the same key is used by every branch in this design
pre-shared-key Admin@1234
ike-proposal 5
remote-address 12.1.1.12
#FW4: IPsec proposal
#ah-esp works here only because the PPPoE session yields a public address on Dialer1
#(104.1.1.254 in the sample output); if the dial-up path ever involves NAT, AH breaks
#and an ESP-only transform is needed.
ipsec proposal pps01
transform ah-esp
ah authentication-algorithm sha2-256
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#FW4: IPsec policy
ipsec policy pl01 10 isakmp
security acl 3001
ike-peer fw1
proposal pps01
#FW4: apply the IPsec policy on the dialer interface — the tunnel must be bound to
#Dialer1 (the interface that carries the public address), not to GigabitEthernet1/0/0.
interface Dialer1
ipsec policy pl01
#Use the dialer interface as the default route. Without it FW4 only has the LAN route
#configured earlier and no path to the hub at 12.1.1.12 or to the Internet.
ip route-static 0.0.0.0 0.0.0.0 Dialer 1