
Huawei VPN Technology: GRE Tunnel Between Two Firewalls

1. Start the devices

2. Configure IP addresses

FW1 and FW2 each have an inside interface (G1/0/0) and an outside interface (G1/0/1); AR1 stands in for the transit network between the two outside interfaces. service-manage ping permit only allows the firewall's own interface address to be pinged; it has no effect on transit traffic, which is governed by the security policies in step 7.

[FW1]int g1/0/0

[FW1-GigabitEthernet1/0/0]ip add 192.168.1.254 24

[FW1-GigabitEthernet1/0/0]int g1/0/1

[FW1-GigabitEthernet1/0/1]ip add 100.1.1.1 24

[FW1-GigabitEthernet1/0/1]service-manage ping permit

[FW2]int g1/0/0

[FW2-GigabitEthernet1/0/0]ip add 192.168.2.254 24

[FW2-GigabitEthernet1/0/0]int g1/0/1

[FW2-GigabitEthernet1/0/1]ip add 200.1.1.2 24

[FW2-GigabitEthernet1/0/1]service-manage ping permit

[AR1]int g0/0/0

[AR1-GigabitEthernet0/0/0]ip add 100.1.1.2 24

[AR1-GigabitEthernet0/0/0]int g0/0/1

[AR1-GigabitEthernet0/0/1]ip add 200.1.1.1 24

3. Configure the Tunnel interfaces

The tunnel source and destination are the two outside addresses from step 2; the 172.16.1.0/24 addresses exist only inside the tunnel. GRE only encapsulates: it adds no encryption, integrity protection or peer authentication, so everything sent through this tunnel can be read and forged by anyone on the path through AR1. Treat it as routing glue, and run GRE over IPsec when confidentiality is required.

[FW1]int Tunnel 0

[FW1-Tunnel0]ip add 172.16.1.1 24

[FW1-Tunnel0]tunnel-protocol gre

[FW1-Tunnel0]source 100.1.1.1

[FW1-Tunnel0]destination 200.1.1.2

[FW2]int Tunnel 0

[FW2-Tunnel0]ip add 172.16.1.2 24

[FW2-Tunnel0]tunnel-protocol gre

[FW2-Tunnel0]source 200.1.1.2

[FW2-Tunnel0]destination 100.1.1.1

4. Add the firewall interfaces to their security zones

Tunnel 0 is placed in untrust together with G1/0/1, so traffic entering or leaving the tunnel is matched by the trust-untrust and untrust-trust security policies and by the NAT policy in steps 7 and 8.

[FW1]firewall zone trust

[FW1-zone-trust]add int g1/0/0

[FW1-zone-trust]q

[FW1]firewall zone untrust

[FW1-zone-untrust]add int g1/0/1

[FW1-zone-untrust]add int Tunnel 0

[FW2]firewall zone trust

[FW2-zone-trust]add int g1/0/0

[FW2-zone-trust]q

[FW2]firewall zone untrust

[FW2-zone-untrust]add int g1/0/1

[FW2-zone-untrust]add int Tunnel 0

5. Configure OSPF

OSPF only carries the 100.1.1.0/24 and 200.1.1.0/24 links so that each firewall can reach the other's tunnel endpoint; the private 192.168.x.0/24 networks are not advertised across AR1.

[FW1]ospf 1

[FW1-ospf-1]area 0

[FW1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255

[AR1]ospf 1

[AR1-ospf-1]area 0

[AR1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255

[AR1-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

[FW2]ospf 1

[FW2-ospf-1]area 0

[FW2-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

6. Configure static routes

Each firewall sends the peer's private subnet into Tunnel 0. The tunnel endpoints themselves are reached through the OSPF routes from step 5; the route to the tunnel destination must never itself point into the tunnel, or the tunnel becomes recursive and goes down.

[FW1]ip route-static 192.168.2.0 24 Tunnel 0

[FW2]ip route-static 192.168.1.0 24 Tunnel 0

7. Configure security policies

Note that FW1's untrust-trust rule and FW2's untrust-local and local-untrust rules match on zones only, so they admit any untrust source. In practice, restrict the local-zone rules to the peer tunnel endpoint (100.1.1.1 / 200.1.1.2), as FW1's local-untrust and untrust-local rules do, and restrict the untrust-trust rules to the remote private subnet, as FW2's untrust-trust rule does.

[FW1]security-policy

[FW1-policy-security]rule name local-untrust

[FW1-policy-security-rule-local-untrust]source-zone local

[FW1-policy-security-rule-local-untrust]destination-zone untrust

[FW1-policy-security-rule-local-untrust]source-address 100.1.1.0 0.0.0.255

[FW1-policy-security-rule-local-untrust]destination-address 200.1.1.0 0.0.0.255

[FW1-policy-security-rule-local-untrust]action permit

[FW1-policy-security-rule-local-untrust]q

[FW1-policy-security]rule name untrust-local

[FW1-policy-security-rule-untrust-local]source-zone untrust

[FW1-policy-security-rule-untrust-local]destination-zone local

[FW1-policy-security-rule-untrust-local]source-address 200.1.1.0 0.0.0.255

[FW1-policy-security-rule-untrust-local]destination-address 100.1.1.0 0.0.0.255

[FW1-policy-security-rule-untrust-local]action permit

[FW1-policy-security-rule-untrust-local]q

[FW1-policy-security]rule name trust-untrust

[FW1-policy-security-rule-trust-untrust]source-zone trust

[FW1-policy-security-rule-trust-untrust]destination-zone untrust

[FW1-policy-security-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255

[FW1-policy-security-rule-trust-untrust]action permit

[FW1-policy-security-rule-trust-untrust]q

[FW1-policy-security]rule name untrust-trust

[FW1-policy-security-rule-untrust-trust]source-zone untrust

[FW1-policy-security-rule-untrust-trust]destination-zone trust

[FW1-policy-security-rule-untrust-trust]action permit

[FW2]security-policy

[FW2-policy-security]rule name untrust-local

[FW2-policy-security-rule-untrust-local]source-zone untrust

[FW2-policy-security-rule-untrust-local]destination-zone local

[FW2-policy-security-rule-untrust-local]action permit

[FW2-policy-security-rule-untrust-local]q

[FW2-policy-security]rule name local-untrust

[FW2-policy-security-rule-local-untrust]source-zone local

[FW2-policy-security-rule-local-untrust]destination-zone untrust

[FW2-policy-security-rule-local-untrust]action permit

[FW2-policy-security-rule-local-untrust]q

[FW2-policy-security]rule name trust-untrust

[FW2-policy-security-rule-trust-untrust]source-zone trust

[FW2-policy-security-rule-trust-untrust]destination-zone untrust

[FW2-policy-security-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255

[FW2-policy-security-rule-trust-untrust]action permit

[FW2-policy-security-rule-trust-untrust]q

[FW2-policy-security]rule name untrust-trust

[FW2-policy-security-rule-untrust-trust]source-zone untrust

[FW2-policy-security-rule-untrust-trust]destination-zone trust

[FW2-policy-security-rule-untrust-trust]source-address 192.168.1.0 0.0.0.255

[FW2-policy-security-rule-untrust-trust]action permit

8. Configure NAT policies

Easy-IP translates private source addresses to the address of the egress interface. Because Tunnel 0 is also in untrust, this trust-untrust rule can match traffic routed into the tunnel as well as traffic going straight to the Internet. To keep the private addresses intact end to end, add a rule with action no-nat for destination 192.168.2.0/24 on FW1 (192.168.1.0/24 on FW2) ahead of it, or put Tunnel 0 in a zone of its own.

[FW1]nat-policy

[FW1-policy-nat]rule name trust-untrust

[FW1-policy-nat-rule-trust-untrust]source-zone trust

[FW1-policy-nat-rule-trust-untrust]destination-zone untrust

[FW1-policy-nat-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255

[FW1-policy-nat-rule-trust-untrust]action source-nat easy-ip

[FW2]nat-policy

[FW2-policy-nat]rule name trust-untrust

[FW2-policy-nat-rule-trust-untrust]source-zone trust

[FW2-policy-nat-rule-trust-untrust]destination-zone untrust

[FW2-policy-nat-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255

[FW2-policy-nat-rule-trust-untrust]action source-nat easy-ip
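The two checks discussed in steps 7 and 8 can be automated. The following is an added example, not part of the original article and not a Huawei tool: it parses a configuration in the indented form printed by display current-configuration and flags (a) permit rules from untrust with no address match and (b) a source-NAT rule whose destination zone contains a GRE tunnel interface with no earlier no-nat rule. SAMPLE_CONFIG is constructed here to mirror FW2's configuration from steps 3, 4, 7 and 8 (abridged); the parser handles only the commands that appear in this lab.

```python
# Added example (not from the original article): audit a Huawei USG-style configuration,
# as printed by "display current-configuration", for two lab mistakes:
#  - untrust-inbound permit rules that match on zones only,
#  - a source-NAT rule toward a zone holding a GRE tunnel with no no-nat carve-out ahead of it.
# SAMPLE_CONFIG is constructed to mirror FW2's configuration from steps 3, 4, 7 and 8 (abridged).
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Tunnel0
 tunnel-protocol gre
 source 200.1.1.2
 destination 100.1.1.1
firewall zone trust
 add interface GigabitEthernet1/0/0
firewall zone untrust
 add interface GigabitEthernet1/0/1
 add interface Tunnel0
security-policy
 rule name untrust-local
  source-zone untrust
  destination-zone local
  action permit
 rule name local-untrust
  source-zone local
  destination-zone untrust
  action permit
 rule name untrust-trust
  source-zone untrust
  destination-zone trust
  source-address 192.168.1.0 0.0.0.255
  action permit
nat-policy
 rule name trust-untrust
  source-zone trust
  destination-zone untrust
  source-address 192.168.2.0 0.0.0.255
  action source-nat easy-ip
"""


def parse(config: str) -> dict:
    """Small parser: an unindented line opens a section, indented lines belong to it."""
    zones, tunnels = defaultdict(list), set()
    policies = {"security-policy": [], "nat-policy": []}
    section = zone = iface = rule = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                      # new top-level section
            rule = None
            if line.startswith("firewall zone "):
                section, zone = "zone", line.split()[-1]
            elif line.startswith("interface "):
                section, iface = "interface", line.split()[1]
            elif line in policies:
                section = line
            else:
                section = None
            continue
        if section == "zone" and line.startswith("add interface "):
            zones[zone].append(line.split()[-1])
        elif section == "interface" and line == "tunnel-protocol gre":
            tunnels.add(iface)
        elif section in policies:
            if line.startswith("rule name "):
                rule = {"name": line.split()[-1]}
                policies[section].append(rule)
            elif rule is not None:
                key, _, value = line.partition(" ")
                rule.setdefault(key, []).append(value)   # keep repeated keys (several addresses)
    return {"zones": dict(zones), "gre_tunnels": tunnels, **policies}


def audit(cfg: dict) -> list:
    findings = []
    # 1. A permit rule from untrust that matches on zones only lets any Internet source in.
    for r in cfg["security-policy"]:
        if ("untrust" in r.get("source-zone", []) and r.get("action") == ["permit"]
                and "source-address" not in r and "destination-address" not in r):
            findings.append(f"security rule {r['name']}: permits any untrust source into "
                            f"{','.join(r.get('destination-zone', []))}; add source-address/destination-address")
    # 2. Policies match top-down: a source-NAT rule toward a zone holding a GRE tunnel also rewrites
    #    traffic entering the tunnel unless an earlier no-nat rule exempts the remote private subnet.
    tunnel_zones = {z for z, ifs in cfg["zones"].items() if cfg["gre_tunnels"] & set(ifs)}
    seen_no_nat = False
    for r in cfg["nat-policy"]:
        if r.get("action") == ["no-nat"]:
            seen_no_nat = True
            continue
        action = r.get("action", [""])[0]
        hit = set(r.get("destination-zone", [])) & tunnel_zones
        if action.startswith("source-nat") and hit and not seen_no_nat:
            findings.append(f"nat rule {r['name']}: {action} also applies to traffic routed into GRE "
                            f"tunnel(s) in zone(s) {','.join(sorted(hit))}; add an earlier no-nat rule "
                            f"for the remote private subnet or move the tunnel into its own zone")
    return findings


if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the audit reports FW2's untrust-local rule and the trust-untrust NAT rule; inserting a no-nat rule for 192.168.1.0/24 before the NAT rule clears the second finding, and the same script can be fed FW1's configuration, where the untrust-trust rule is the one without an address match.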

Verification:

1. PC2 can ping PC1.

2. Display the session table on FW2 (display firewall session table) and follow the GRE packets: the inner ICMP session between the two private subnets and the outer GRE session between 200.1.1.2 and 100.1.1.1 both appear.

3. Check NAT translation: when PC2 pings 100.1.1.1 directly, the session table shows the private source address translated to 200.1.1.2 before the packet is sent to 100.1.1.1.

4. Capture on FW2's G1/0/1 interface and filter for GRE. GRE is IP protocol number 47, not a TCP or UDP port (Wireshark filter ip.proto == 47). The capture shows the outer 200.1.1.2 -> 100.1.1.1 header, the 4-byte GRE header and the complete inner packet, including the private addresses and the ICMP payload, all in cleartext.
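To make verification step 4 concrete without a running lab, the following added example (not part of the original article) builds the packet that a capture on FW2's G1/0/1 would show for "PC2 pings PC1" and then dissects it the way a sniffer does. It assumes PC2 = 192.168.2.1 and PC1 = 192.168.1.1 (the article only gives the /24s) and plain RFC 2784 GRE with no optional fields, which is what tunnel-protocol gre produces by default; the optional GRE key (RFC 2890) is also shown, since it is sometimes mistaken for a secret. Only the Python standard library is used.

```python
# Added example (not from the original article): build the GRE packet that a capture on
# FW2 G1/0/1 would show for "PC2 pings PC1", then dissect it the way a sniffer would.
# Assumptions: PC2 = 192.168.2.1 and PC1 = 192.168.1.1 (the page only gives the /24s);
# plain RFC 2784 GRE with no key/checksum/sequence unless a key is requested.
import struct
import ipaddress

GRE_PROTOCOL_NUMBER = 47     # value of the IPv4 "protocol" field; GRE has no TCP/UDP port
ETHERTYPE_IPV4 = 0x0800      # GRE "protocol type" for an IPv4 payload
IPPROTO_ICMP = 1
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal IPv4 header (DF set, TTL 64) with the header checksum filled in."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP echo request (type 8) with the checksum computed over header + data."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", checksum(hdr + data)) + hdr[4:] + data


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes, key: int = None) -> bytes:
    """Wrap an IPv4 packet in GRE inside an outer IPv4 header.
    Without a key: 4-byte GRE header, flags/version 0. With a key: K bit (0x2000) set and the
    32-bit key appended; the key travels in cleartext and only identifies the tunnel."""
    if key is None:
        gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    else:
        gre_hdr = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, key)
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTOCOL_NUMBER, len(gre_hdr) + len(inner))
    return outer + gre_hdr + inner


def sample_inner() -> bytes:
    """Constructed sample: echo request PC2 (192.168.2.1) -> PC1 (192.168.1.1), payload 'hello'."""
    payload = icmp_echo(ident=0x1234, seq=1, data=b"hello")
    return ipv4_header("192.168.2.1", "192.168.1.1", IPPROTO_ICMP, len(payload), ident=1) + payload


def sample_capture() -> bytes:
    """The frame FW2 sends toward AR1: outer 200.1.1.2 -> 100.1.1.1, protocol 47."""
    return gre_encapsulate("200.1.1.2", "100.1.1.1", sample_inner())


def dissect(pkt: bytes) -> dict:
    """Parse outer IPv4 -> GRE -> inner IPv4 -> ICMP; every layer is readable without any key."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out = {"outer_src": str(ipaddress.IPv4Address(src)),
           "outer_dst": str(ipaddress.IPv4Address(dst)),
           "outer_proto": proto,
           "outer_checksum_ok": checksum(pkt[:ihl]) == 0}
    if proto != GRE_PROTOCOL_NUMBER:
        return out
    flags_ver, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    has_c, has_k, has_s = (flags_ver >> 15) & 1, (flags_ver >> 13) & 1, (flags_ver >> 12) & 1
    gre_len = 4 + 4 * (has_c + has_k + has_s)      # each optional field adds 4 bytes
    out.update({"gre_protocol_type": ptype, "gre_header_len": gre_len})
    if has_k:                                       # key follows the optional checksum field
        out["gre_key"] = struct.unpack("!I", pkt[ihl + 4 + 4 * has_c:ihl + 8 + 4 * has_c])[0]
    if ptype != ETHERTYPE_IPV4:
        return out
    inner = pkt[ihl + gre_len:]
    iver_ihl, _, _, _, _, _, iproto, _, isrc, idst = struct.unpack(IPV4_FMT, inner[:20])
    out.update({"inner_src": str(ipaddress.IPv4Address(isrc)),
                "inner_dst": str(ipaddress.IPv4Address(idst)),
                "inner_proto": iproto})
    if iproto == IPPROTO_ICMP:
        iihl = (iver_ihl & 0x0F) * 4
        icmp_type, _, _, _, seq = struct.unpack("!BBHHH", inner[iihl:iihl + 8])
        out.update({"icmp_type": icmp_type, "icmp_seq": seq, "icmp_payload": inner[iihl + 8:]})
    return out


if __name__ == "__main__":
    for k, v in dissect(sample_capture()).items():
        print(f"{k:20} {v}")
```

The dissector needs no secret to reach the inner addresses and the ICMP payload, which is the practical meaning of "GRE is not encryption"; the keyed variant only lengthens the header by four bytes and the key is read straight off the wire.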
