2. Virtual systems accessing the root system (shared public egress)
1) On FW1, create the virtual systems (and assign interfaces to each virtual system)
2) Root system configuration
(1) Assign security zones
firewall zone untrust
add interface GigabitEthernet1/0/1
firewall zone trust
add interface Virtual-if0
(2) Configure addresses
interface GigabitEthernet1/0/1
ip address 100.1.1.1 255.255.255.0
service-manage all permit
interface Virtual-if0
ip address 172.16.1.1 255.255.255.0
Caveat: service-manage all permit opens every management service of the firewall on that interface (ping, SSH, Telnet, HTTP/HTTPS, SNMP and so on). That is convenient in a lab, but GigabitEthernet1/0/1 faces the Internet, so in production permit only what is actually needed there (for example service-manage ping permit) and keep device management on a dedicated interface.
(3) Security policy
security-policy
rule name internet
source-zone trust
destination-zone untrust
action permit
This rule carries no source-address restriction: anything arriving from the trust zone, which here includes Virtual-if0 (traffic handed up from the virtual systems), may leave toward untrust. The per-network restriction is applied inside each virtual system's own policy.
(4) Egress route
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
(5) NAT policy
nat-policy
rule name nat
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.1.0.0 mask 255.255.255.0
source-address 10.3.0.0 mask 255.255.255.0
action source-nat easy-ip
Only the two LAN prefixes (10.1.0.0/24 behind vsysa, 10.3.0.0/24 behind vsysb) are translated, to the address of the egress interface GigabitEthernet1/0/1 (easy-ip).
3) Virtual system vsysa configuration
(1) Enter vsysa
switch vsys vsysa
sys
(2) Assign security zones
firewall zone trust
add interface GigabitEthernet1/0/2
firewall zone untrust
add interface Virtual-if1
(3) Configure addresses
interface Virtual-if1
ip address 172.16.2.1 255.255.255.0
interface GigabitEthernet1/0/2
ip address 10.102.1.1 255.255.255.0
service-manage all permit
(4) Security policy
security-policy
rule name internet
source-zone trust
destination-zone untrust
source-address 10.1.0.0 mask 255.255.255.0
action permit
Unlike the root system's rule, this one is limited to the LAN behind R2 (10.1.0.0/24).
(5) Egress route
ip route-static 0.0.0.0 0.0.0.0 public
display ip routing-table
0.0.0.0/0 Static 60 0 D 172.16.1.1 Virtual-if0
The keyword public hands the default route to the root (public) system; the routing table shows it resolved through the root system's Virtual-if0 (172.16.1.1).
(6) Return route (toward 10.1.0.0/24 via R2)
ip route-static 10.1.0.0 24 10.102.1.2
4) Virtual system vsysb configuration
(1) Enter vsysb
switch vsys vsysb
sys
(2) Assign security zones
firewall zone trust
add interface GigabitEthernet1/0/3
firewall zone untrust
add interface Virtual-if2
(3) Configure addresses
interface Virtual-if2
ip address 172.16.3.1 255.255.255.0
interface GigabitEthernet1/0/3
ip address 10.103.1.1 255.255.255.0
service-manage all permit
(4) Security policy (limited to the LAN behind R3, 10.3.0.0/24)
security-policy
rule name internet
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.255.0
action permit
(5) Egress route
ip route-static 0.0.0.0 0.0.0.0 public
display ip routing-table
0.0.0.0/0 Static 60 0 D 172.16.1.1 Virtual-if0
(6) Return route (toward 10.3.0.0/24 via R3)
ip route-static 10.3.0.0 24 10.103.1.2
5) R2 configuration (default route toward vsysa)
ip route-static 0.0.0.0 0.0.0.0 10.102.1.1
6) R3 configuration (default route toward vsysb)
ip route-static 0.0.0.0 0.0.0.0 10.103.1.1
3. Root system accessing a virtual system
1) R1 configuration
ip route-static 199.1.1.1 32 100.1.1.1
2) Firewall root system configuration
(1) NAT server
nat server web01 global 199.1.1.1 inside 10.2.0.100
(2) Route toward vsysa
ip route-static 10.2.0.0 24 vpn-instance vsysa
(3) Security policy
security-policy
rule name nat_server
source-zone untrust
destination-zone trust
destination-address 10.2.0.100 mask 255.255.255.255
action permit
Note that the rule matches the inside address 10.2.0.100 rather than the public 199.1.1.1: NAT server translation is applied before the security-policy lookup, so the policy sees the translated destination.
3) Firewall virtual system vsysa configuration
(1) Enter virtual system vsysa
switch vsys vsysa
sys
(2) Security policy
security-policy
rule name nat_server
source-zone untrust
destination-zone trust
destination-address 10.2.0.100 mask 255.255.255.255
action permit
The packet is checked again when it enters vsysa via Virtual-if1 (untrust) on its way to GigabitEthernet1/0/2 (trust), so vsysa needs its own permit rule. Once the server's protocol is known, this rule should also be narrowed with a service match instead of permitting every port to 10.2.0.100.
(3) Return route (10.2.0.0/24 is also reached through R2)
ip route-static 10.2.0.0 24 10.102.1.2
4. Mutual access between virtual systems
1) In the root system, configure the route from vsysa to vsysb
ip route-static vpn-instance vsysa 10.3.0.0 24 vpn-instance vsysb
display ip routing-table vpn-instance vsysa
10.3.0.0/24 Static 60 0 D 172.16.3.1 Virtual-if2
Traffic from 10.1.0.0/24 therefore leaves vsysa through its untrust zone (Virtual-if1) and enters vsysb through Virtual-if2, which is vsysb's untrust zone. The outbound leg is already permitted by vsysa's internet rule (trust to untrust, source 10.1.0.0/24, any destination); only the inbound leg in vsysb needs a new rule.
2) Configure the security policy in vsysb
switch vsys vsysb
sys
security-policy
rule name vsysa_2_vsysb
source-zone untrust
destination-zone trust
source-address 10.1.0.0 mask 255.255.255.0
destination-address 10.3.0.0 mask 255.255.255.0
action permit
3) In the root system, configure the route from vsysb to vsysa
ip route-static vpn-instance vsysb 10.1.0.0 24 vpn-instance vsysa
display ip routing-table vpn-instance vsysb
10.1.0.0/24 Static 60 0 D 172.16.2.1 Virtual-if1
4) Configure the security policy in vsysa
switch vsys vsysa
sys
security-policy
rule name vsysb_2_vsysa
source-zone untrust
destination-zone trust
source-address 10.3.0.0 mask 255.255.255.0
destination-address 10.1.0.0 mask 255.255.255.0
action permit
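Sections 2 to 4 form one procedure whose pieces must agree: every prefix that the root system translates needs a return route in some virtual system, and every inter-vsys route needs a return route and an untrust-to-trust permit rule in the receiving virtual system plus the reverse route in the root. The script below is an added example, not part of the original post and not a Huawei tool, that checks exactly that. CONFIG is a constructed copy of this page's routes and policies, one text per system (root, vsysa, vsysb), and parse()/audit() are hypothetical helpers written here for the subset of USG command syntax the page uses; a real audit would feed them the output of display current-configuration.

```python
# Added example, not a Huawei tool: CONFIG is a constructed copy of this page's
# routes and policies; parse()/audit() are hypothetical helpers written here.
import ipaddress
import re

CONFIG = {  # constructed sample, one config text per system
    "root": """\
nat-policy
 rule name nat
  source-address 10.1.0.0 mask 255.255.255.0
  source-address 10.3.0.0 mask 255.255.255.0
  action source-nat easy-ip
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
ip route-static 10.2.0.0 24 vpn-instance vsysa
ip route-static vpn-instance vsysa 10.3.0.0 24 vpn-instance vsysb
ip route-static vpn-instance vsysb 10.1.0.0 24 vpn-instance vsysa
""",
    "vsysa": """\
security-policy
 rule name vsysb_2_vsysa
  source-zone untrust
  destination-zone trust
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
ip route-static 0.0.0.0 0.0.0.0 public
ip route-static 10.1.0.0 24 10.102.1.2
""",
    "vsysb": """\
security-policy
 rule name vsysa_2_vsysb
  source-zone untrust
  destination-zone trust
  source-address 10.1.0.0 mask 255.255.255.0
  destination-address 10.3.0.0 mask 255.255.255.0
  action permit
ip route-static 0.0.0.0 0.0.0.0 public
ip route-static 10.3.0.0 24 10.103.1.2
""",
}
# ip route-static [vpn-instance X] <dst> <mask> (<next-hop> | public | vpn-instance Y)
ROUTE_RE = re.compile(r"^ip route-static(?: vpn-instance (\S+))? (\S+) (\S+) (.+)$")


def parse(text):
    """Extract static routes and policy rules from one system's config text."""
    routes, rules, section, rule = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            vsys, dst, mask, target = m.groups()
            routes.append({"vsys": vsys, "target": target.split(),
                           "net": ipaddress.ip_network(f"{dst}/{mask}", strict=False)})
        elif line in ("security-policy", "nat-policy"):
            section = line
        elif section and line.startswith("rule name "):
            rule = {"section": section, "name": line.split()[2], "src": [], "dst": []}
            rules.append(rule)
        elif rule and line.startswith(("source-address ", "destination-address ")):
            key, addr, _, mask = line.split()
            rule["src" if key[0] == "s" else "dst"].append(
                ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif rule and line.startswith(("source-zone ", "destination-zone ", "action ")):
            key, val = line.split(None, 1)
            rule[key] = val
    return routes, rules


def has_return_route(routes, net):
    """A route with a real next-hop (not 'public' or another vsys) that covers net."""
    return any(r["target"][0][0].isdigit() and net.subnet_of(r["net"]) for r in routes)


def permits_inbound(rule, net):
    """untrust->trust permit rule whose destination covers net (or is unrestricted)."""
    return (rule["section"] == "security-policy" and rule.get("action") == "permit"
            and rule.get("source-zone") == "untrust" and rule.get("destination-zone") == "trust"
            and (not rule["dst"] or any(net.subnet_of(d) for d in rule["dst"])))


def audit(configs):
    """Return findings as strings; an empty list means root and vsys configs agree."""
    parsed = {name: parse(text) for name, text in configs.items()}
    root_routes, root_rules = parsed["root"]
    vsys, findings = [n for n in configs if n != "root"], []
    # 1. every prefix the root translates must be reachable via a vsys return route
    for rule in root_rules:
        for net in (rule["src"] if rule["section"] == "nat-policy" else []):
            if not any(has_return_route(parsed[v][0], net) for v in vsys):
                findings.append(f"root nat rule {rule['name']}: no vsys return route for {net}")
    # 2. an inter-vsys route needs a return route and a permitting policy in the
    #    destination vsys, plus a reverse inter-vsys route in the root
    for r in root_routes:
        if not (r["vsys"] and r["target"][0] == "vpn-instance"):
            continue
        src_v, dst_v = r["vsys"], r["target"][1]
        dst_routes, dst_rules = parsed[dst_v]
        if not has_return_route(dst_routes, r["net"]):
            findings.append(f"{dst_v}: no return route for {r['net']}")
        if not any(permits_inbound(x, r["net"]) for x in dst_rules):
            findings.append(f"{dst_v}: no untrust->trust policy permits {src_v} -> {r['net']}")
        if not any(x["vsys"] == dst_v and x["target"] == ["vpn-instance", src_v] for x in root_routes):
            findings.append(f"root: no reverse route from {dst_v} back to {src_v}")
    return findings
```

audit(CONFIG) returns an empty list for the configuration as written on this page. Flip vsysb's action permit to action deny, or delete its return route for 10.3.0.0/24, and the corresponding finding names the system and prefix that break the path; the check is deliberately one-directional per route, so a missing reverse route is reported from the root's point of view.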