Huawei firewall 1 configuration
Basic configuration:
[SRG]int g0/0/1
[SRG-GigabitEthernet0/0/1]ip add 192.168.10.1 24
[SRG-GigabitEthernet0/0/1]undo shut
[SRG-GigabitEthernet0/0/1]int g0/0/2
[SRG-GigabitEthernet0/0/2]ip add 1.1.1.1 24
[SRG-GigabitEthernet0/0/2]undo shut
[SRG-GigabitEthernet0/0/2]quit
[SRG]firewall zone untrust
[SRG-zone-untrust]add int g0/0/2
[SRG-zone-untrust]quit
[SRG]firewall zone trust
[SRG-zone-trust]add int g0/0/1
[SRG-zone-trust]quit
[SRG]firewall packet-filter default permit all
[SRG]ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
Create the ACL that selects the traffic to be protected
[SRG]acl 3000
[SRG-acl-adv-3000]rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[SRG-acl-adv-3000]quit
Configure the IPSec proposal:
[SRG]ipsec proposal 1
[SRG-ipsec-proposal-1]encapsulation-mode tunnel
[SRG-ipsec-proposal-1]transform esp
[SRG-ipsec-proposal-1]esp authentication-algorithm sha
[SRG-ipsec-proposal-1]esp encryption-algorithm des
[SRG-ipsec-proposal-1]quit
Create the IKE proposal
[SRG]ike proposal 1
[SRG-ike-proposal-1]authentication-method pre-share
[SRG-ike-proposal-1]authentication-algorithm sha1
[SRG-ike-proposal-1]integrity-algorithm hmac-sha1-96
[SRG-ike-proposal-1]dh group2
[SRG-ike-proposal-1]quit
Configure the IKE peer
[SRG]ike peer b
[SRG-ike-peer-b]ike-proposal 1
[SRG-ike-peer-b]remote-address 2.1.1.2
[SRG-ike-peer-b]pre-shared-key 123.com
[SRG-ike-peer-b]quit
Create the IPSec policy
[SRG]ipsec policy map 1 isakmp
[SRG-ipsec-policy-isakmp-map-1]security acl 3000
[SRG-ipsec-policy-isakmp-map-1]proposal 1
[SRG-ipsec-policy-isakmp-map-1]ike-peer b
[SRG-ipsec-policy-isakmp-map-1]quit
Apply the IPSec policy on the interface
[SRG]int g0/0/2
[SRG-GigabitEthernet0/0/2]ipsec policy map
[SRG-GigabitEthernet0/0/2]quit
Huawei firewall 2 configuration
Basic configuration:
[SRG]int g0/0/1
[SRG-GigabitEthernet0/0/1]ip add 2.1.1.2 24
[SRG-GigabitEthernet0/0/1]undo shut
[SRG-GigabitEthernet0/0/1]int g0/0/2
[SRG-GigabitEthernet0/0/2]ip add 192.168.20.1 24
[SRG-GigabitEthernet0/0/2]undo shut
[SRG-GigabitEthernet0/0/2]quit
[SRG]firewall zone untrust
[SRG-zone-untrust]add int g0/0/1
[SRG-zone-untrust]quit
[SRG]firewall zone trust
[SRG-zone-trust]add int g0/0/2
[SRG-zone-trust]quit
[SRG]firewall packet-filter default permit all
[SRG]ip route-static 0.0.0.0 0.0.0.0 2.1.1.1
Create the ACL that selects the traffic to be protected
[SRG]acl 3000
[SRG-acl-adv-3000]rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[SRG-acl-adv-3000]quit
Configure the IPSec proposal:
[SRG]ipsec proposal 1
[SRG-ipsec-proposal-1]encapsulation-mode tunnel
[SRG-ipsec-proposal-1]transform esp
[SRG-ipsec-proposal-1]esp authentication-algorithm sha
[SRG-ipsec-proposal-1]esp encryption-algorithm des
[SRG-ipsec-proposal-1]quit
Create the IKE proposal
[SRG]ike proposal 1
[SRG-ike-proposal-1]authentication-method pre-share
[SRG-ike-proposal-1]authentication-algorithm sha1
[SRG-ike-proposal-1]integrity-algorithm hmac-sha1-96
[SRG-ike-proposal-1]dh group2
[SRG-ike-proposal-1]quit
Configure the IKE peer
[SRG]ike peer b
[SRG-ike-peer-b]ike-proposal 1
[SRG-ike-peer-b]remote-address 1.1.1.1
[SRG-ike-peer-b]pre-shared-key 123.com
[SRG-ike-peer-b]quit
Create the IPSec policy
[SRG]ipsec policy map 1 isakmp
[SRG-ipsec-policy-isakmp-map-1]security acl 3000
[SRG-ipsec-policy-isakmp-map-1]proposal 1
[SRG-ipsec-policy-isakmp-map-1]ike-peer b
[SRG-ipsec-policy-isakmp-map-1]quit
Apply the IPSec policy on the interface
[SRG]int g0/0/1
[SRG-GigabitEthernet0/0/1]ipsec policy map
[SRG-GigabitEthernet0/0/1]quit
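As an added example (not part of the original walkthrough), the Python script below reads the tunnel-relevant lines of the two transcripts above and checks that the peers mirror each other (each remote-address against the address of the interface the peer bound its policy to, the pre-shared key, the ACL 3000 rules, the ESP algorithms and the DH group) and flags settings a defender should not accept in a new tunnel. The embedded excerpts are constructed from the page's own commands; the WEAK list and the 16-character key threshold are assumptions.

```python
# Constructed excerpts of the two configurations on this page (only the lines the checker reads).
FW1 = """[SRG-GigabitEthernet0/0/2]ip add 1.1.1.1 24
[SRG-acl-adv-3000]rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[SRG-ipsec-proposal-1]esp authentication-algorithm sha
[SRG-ipsec-proposal-1]esp encryption-algorithm des
[SRG-ike-proposal-1]dh group2
[SRG-ike-peer-b]remote-address 2.1.1.2
[SRG-ike-peer-b]pre-shared-key 123.com
[SRG-GigabitEthernet0/0/2]ipsec policy map"""
FW2 = """[SRG-GigabitEthernet0/0/1]ip add 2.1.1.2 24
[SRG-acl-adv-3000]rule 10 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[SRG-ipsec-proposal-1]esp authentication-algorithm sha
[SRG-ipsec-proposal-1]esp encryption-algorithm des
[SRG-ike-proposal-1]dh group2
[SRG-ike-peer-b]remote-address 1.1.1.1
[SRG-ike-peer-b]pre-shared-key 123.com
[SRG-GigabitEthernet0/0/1]ipsec policy map"""
# Assumed list of algorithms and DH groups a defender should not accept in a new tunnel.
WEAK = {"des", "3des", "md5", "sha", "sha1", "group1", "group2"}

def parse(cfg):
    p, ips = {}, {}
    for line in cfg.splitlines():
        prompt, *cmd = line[1:].replace("]", " ", 1).split()   # "[SRG-x]cmd args" -> prompt, tokens
        if cmd[:2] == ["ip", "add"]:
            ips[prompt] = cmd[2]                     # address configured under each interface prompt
        elif cmd[:2] == ["ipsec", "policy"]:
            p["local"] = ips[prompt]                 # address of the interface the policy is bound to
        elif cmd[0] in ("remote-address", "pre-shared-key"):
            p[cmd[0]] = cmd[1]
        elif cmd[0] == "rule":                       # "... source A W destination B W"
            i, j = cmd.index("source"), cmd.index("destination")
            p["src"], p["dst"] = tuple(cmd[i + 1:i + 3]), tuple(cmd[j + 1:j + 3])
        elif cmd[0] in ("esp", "dh"):                # "esp X-algorithm Y" / "dh groupN"
            p[cmd[1] if cmd[0] == "esp" else "dh"] = cmd[-1]
    return p

def check_pair(a, b):
    """MISMATCH findings (the tunnel will not come up) and WEAK findings for two peers."""
    expect = {"remote-address": ((a["remote-address"], b["remote-address"]), (b["local"], a["local"])),
              "pre-shared-key": (a["pre-shared-key"], b["pre-shared-key"]),
              "acl rule (must be mirror images)": ((a["src"], a["dst"]), (b["dst"], b["src"]))}
    out = [f"MISMATCH: {k}" for k, (x, y) in expect.items() if x != y]
    for k in ("encryption-algorithm", "authentication-algorithm", "dh"):
        if a[k] != b[k]:
            out.append(f"MISMATCH: {k} {a[k]} vs {b[k]}")
        out += [f"WEAK: {k} {c[k]}" for c in (a, b) if c[k] in WEAK]
    out += ["WEAK: pre-shared-key shorter than 16 characters" for c in (a, b) if len(c["pre-shared-key"]) < 16]
    return out
```

On the page's own values the checker reports no mismatches but flags DES, SHA-1, DH group2 and the short pre-shared key on both peers; those are acceptable for a lab but should be replaced by AES, SHA-2, a larger DH group and a long random key before the tunnel carries real traffic.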