7.3 Firewall virtual system inter-access

Virtual systems accessing the root system (public egress)

[Figure 1: 7.3 Firewall virtual system inter-access]

1) Create the virtual systems on FW1 (assign interfaces to each virtual system)

[Figure 2: 7.3 Firewall virtual system inter-access]

2) Configure the root system

(1) Assign security zones
firewall zone untrust
add interface GigabitEthernet1/0/1

firewall zone trust
 add interface Virtual-if0

(2) Configure addresses
interface GigabitEthernet1/0/1
 ip address 100.1.1.1 255.255.255.0
 service-manage all permit

interface Virtual-if0
 ip address 172.16.1.1 255.255.255.0


(3) Security policy
security-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  action permit

(4) Egress route
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2

(5) NAT policy
nat-policy
 rule name nat
  source-zone trust
  egress-interface GigabitEthernet1/0/1
  source-address 10.1.0.0 mask 255.255.255.0
  source-address 10.3.0.0 mask 255.255.255.0
  action source-nat easy-ip

3) Configure virtual system a

(1) Enter vsysa
switch vsys vsysa
sys

(2) Assign security zones
firewall zone trust
 add interface GigabitEthernet1/0/2

firewall zone untrust
 add interface Virtual-if1

(3) Configure addresses
interface Virtual-if1
 ip address 172.16.2.1 255.255.255.0

interface GigabitEthernet1/0/2
 ip address 10.102.1.1 255.255.255.0
 service-manage all permit

(4) Security policy
security-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  action permit

(5) Egress route (the default route points to the public/root system)
ip route-static 0.0.0.0 0.0.0.0 public

display ip routing-table
0.0.0.0/0   Static  60   0           D   172.16.1.1      Virtual-if0

(6) Return route
ip route-static 10.1.0.0 24 10.102.1.2

4) Configure virtual system b

(1) Enter vsysb
switch vsys vsysb
sys

(2) Assign security zones
firewall zone trust
 add interface GigabitEthernet1/0/3

firewall zone untrust
 add interface Virtual-if2

(3) Configure addresses
interface Virtual-if2
 ip address 172.16.3.1 255.255.255.0

interface GigabitEthernet1/0/3
 ip address 10.103.1.1 255.255.255.0
 service-manage all permit

(4) Security policy
security-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit

(5) Egress route (the default route points to the public/root system)
ip route-static 0.0.0.0 0.0.0.0 public

display ip routing-table
0.0.0.0/0   Static  60   0           D   172.16.1.1      Virtual-if0

(6) Return route
ip route-static 10.3.0.0 24 10.103.1.2

5) R2 configuration

ip route-static 0.0.0.0 0.0.0.0 10.102.1.1

6) R3 configuration

ip route-static 0.0.0.0 0.0.0.0 10.103.1.1

3. Root system accessing a virtual system

1) R1 configuration
ip route-static 199.1.1.1 32 100.1.1.1

2) Firewall root system configuration
(1) NAT server
nat server web01 global 199.1.1.1 inside 10.2.0.100

(2) Route towards vsysa (the inside address lives in vsysa)
ip route-static 10.2.0.0 24 vpn-instance vsysa

(3) Security policy
security-policy
 rule name nat_server
  source-zone untrust
  destination-zone trust
  destination-address 10.2.0.100 mask 255.255.255.255
  action permit

3) vsysa configuration on the firewall
(1) Enter virtual system a

switch vsys vsysa
sys

(2) Security policy
security-policy
 rule name nat_server
  source-zone untrust
  destination-zone trust
  destination-address 10.2.0.100 mask 255.255.255.255
  action permit

(3) Return route
ip route-static 10.2.0.0 24 10.102.1.2

4. Inter-access between virtual systems

1) In the root system, configure the route from vsysa to vsysb
ip route-static vpn-instance vsysa 10.3.0.0 24 vpn-instance vsysb

display ip routing-table vpn-instance vsysa
10.3.0.0/24  Static  60   0           D   172.16.3.1      Virtual-if2

2) Configure the security policy in virtual system b
switch vsys vsysb
sys

security-policy
 rule name vsysa_2_vsysb
  source-zone untrust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.255.0
  destination-address 10.3.0.0 mask 255.255.255.0
  action permit

3) In the root system, configure the route from vsysb to vsysa
ip route-static vpn-instance vsysb 10.1.0.0 24 vpn-instance vsysa

10.1.0.0/24  Static  60   0           D   172.16.2.1      Virtual-if1

4) Configure the security policy in virtual system a
switch vsys vsysa
sys

security-policy
 rule name vsysb_2_vsysa
  source-zone untrust
  destination-zone trust
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
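As an added illustration (not part of the original post), the following Python model encodes the zone design and the security-policy and NAT rules configured above, and reports which system drops a given flow: a vsys-to-internet flow has to be permitted by the vsys and by the root system and needs a matching root NAT source, while a vsys-to-vsys flow is permitted only when the rules of both vsys match. The rule ordering, the `sz`/`dz` keys and the sample addresses are assumptions.

```python
import ipaddress

# Added model of FW1's security policies as the page configures them (not the
# page's own code): root system "public", vsysa and vsysb, rules in configured
# order. Assumption: first matching rule wins and no match means deny.
RULES = {
    "public": [
        {"sz": "trust", "dz": "untrust", "action": "permit"},  # internet
    ],
    "vsysa": [
        {"sz": "trust", "dz": "untrust", "src": ["10.1.0.0/24"], "action": "permit"},  # internet
        {"sz": "untrust", "dz": "trust", "src": ["10.3.0.0/24"], "dst": ["10.1.0.0/24"], "action": "permit"},  # vsysb_2_vsysa
    ],
    "vsysb": [
        {"sz": "trust", "dz": "untrust", "src": ["10.3.0.0/24"], "action": "permit"},  # internet
        {"sz": "untrust", "dz": "trust", "src": ["10.1.0.0/24"], "dst": ["10.3.0.0/24"], "action": "permit"},  # vsysa_2_vsysb
    ],
}
NAT_SOURCES = ["10.1.0.0/24", "10.3.0.0/24"]  # root nat-policy "nat" (easy-ip)

# Systems and zone pairs a flow crosses, from the page's zone design: in each vsys
# the physical port is trust and its Virtual-if is untrust; in the root system
# Virtual-if0 is trust and GE1/0/1 is untrust. vsys-to-vsys traffic: only the two vsys.
PATHS = {
    ("vsysa", "internet"): [("vsysa", "trust", "untrust"), ("public", "trust", "untrust")],
    ("vsysb", "internet"): [("vsysb", "trust", "untrust"), ("public", "trust", "untrust")],
    ("vsysa", "vsysb"): [("vsysa", "trust", "untrust"), ("vsysb", "untrust", "trust")],
    ("vsysb", "vsysa"): [("vsysb", "trust", "untrust"), ("vsysa", "untrust", "trust")],
}

def in_nets(ip, nets):
    """Empty list means 'any', like a rule with no source/destination-address."""
    return not nets or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def permitted(system, src_zone, dst_zone, src_ip, dst_ip):
    for r in RULES[system]:
        if ((r["sz"], r["dz"]) == (src_zone, dst_zone)
                and in_nets(src_ip, r.get("src", [])) and in_nets(dst_ip, r.get("dst", []))):
            return r["action"] == "permit"
    return False  # implicit deny

def blocked_at(src, dst, src_ip, dst_ip):
    """First system whose policy drops the flow, or None if it passes everywhere."""
    for system, sz, dz in PATHS[(src, dst)]:
        if not permitted(system, sz, dz, src_ip, dst_ip):
            return system
    if dst == "internet" and not in_nets(src_ip, NAT_SOURCES):
        return "public-nat"  # permitted end to end but would leave without source NAT
    return None
```

Running `blocked_at("vsysb", "vsysa", "10.3.0.7", "10.1.9.9")` returns `"vsysa"`, because vsysb's trust-to-untrust rule passes the flow but vsysa's `vsysb_2_vsysa` rule only covers destinations in 10.1.0.0/24.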