1 Topology
![](https://img-blog.csdnimg.cn/img_convert/5090cb3efbb2ceb0e166d9a30ac3d605.png)
pc2 sits behind vsys1. Traffic between pc2 and pc1 takes the path pc2 ---- vsys1 -- root ---- pc1.
pc3 is the same: each host's traffic first passes through its own virtual firewall and then through the root firewall.
2 Configuration
Key configuration 1
vsys enable
resource-class r0
resource-class 1
#
#
vsys name vsys1 1
assign interface GigabitEthernet1/0/1
assign resource-class 1
#
vsys name vsys2 2
assign interface GigabitEthernet1/0/2
assign resource-class 1
#
vsys name vsys3 3
assign interface GigabitEthernet1/0/3
assign resource-class 1
Create the virtual systems and assign each one its interface and its resource class (resource-class 1 is created here with no explicit limits and is shared by all three vsys).
2.1 Configuration of vsys1
#
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance vsys1
ip address 192.168.10.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
interface Virtual-if1
#
sa
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface Virtual-if1
#
#
security-policy
rule name neibu
source-zone local
source-zone trust
destination-zone local
destination-zone trust
source-address 192.168.10.0 mask 255.255.255.0
destination-address 192.168.10.0 mask 255.255.255.0
destination-address 192.168.11.0 mask 255.255.255.0
action permit
rule name shangwang
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
ip route-static 0.0.0.0 0.0.0.0 public
#
2.2 Configuration of vsys2
Same as above, using vsys2's own interface GigabitEthernet1/0/2 and Virtual-if2.
2.3 Configuration of the root firewall
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Virtual-if0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
ip route-static 192.168.10.0 255.255.255.0 vpn-instance vsys1
#
security-policy
rule name wai
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
action permit
rule name shangwang
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
rule name shangwang
source-zone trust
destination-zone untrust
source-address 192.168.10.0 mask 255.255.255.0
action source-nat easy-ip
#
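To make the two-hop path concrete, here is an added example in Python (written for this page; it is neither the author's configuration nor Huawei tooling). It parses the subset of the vsys1 and root configurations above that matters for forwarding (interface addresses, zone membership, static routes and security-policy rules) and then walks a flow from 192.168.10.2 to 10.1.1.2 through vsys1 and then root: at each hop it resolves the egress interface by longest-prefix match, derives the zone pair, and applies the first matching security rule. Two simplifications are assumptions of this example, not device behaviour: the ingress zone is derived from the route back to the source (the real firewall uses the actual ingress interface), which has the useful side effect of failing when root lacks the return route to 192.168.10.0/24 via vpn-instance vsys1; and a next hop of public or vpn-instance is mapped to the system's Virtual-if, based on the vsys1/Virtual-if1 and root/Virtual-if0 pairing this page describes. The config strings are trimmed to the lines the parser reads, and NAT is not modelled here.

```python
import ipaddress

# Constructed input: the lines of this page's vsys1 and root configurations that the checker reads.
VSYS1_CFG = """
interface GigabitEthernet1/0/1
 ip address 192.168.10.1 255.255.255.0
firewall zone trust
 add interface GigabitEthernet1/0/1
firewall zone untrust
 add interface Virtual-if1
security-policy
 rule name shangwang
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
ip route-static 0.0.0.0 0.0.0.0 public
"""
ROOT_CFG = """
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
firewall zone trust
 add interface Virtual-if0
firewall zone untrust
 add interface GigabitEthernet1/0/0
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
ip route-static 192.168.10.0 255.255.255.0 vpn-instance vsys1
security-policy
 rule name shangwang
  source-zone trust
  destination-zone untrust
  source-address 192.168.10.0 mask 255.255.255.0
  action permit
"""
FIELDS = ("source-zone", "destination-zone", "source-address", "destination-address")


def parse_vrp(text):
    """Parse the VRP subset above: interface IPs, interface->zone, static routes, ordered security rules."""
    cfg = {"if_ip": {}, "zone_of": {}, "routes": [], "rules": []}
    ctx = rule = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "#":
            ctx = None
        elif w[:2] == ["ip", "route-static"]:
            cfg["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4:]))
        elif w[0] in ("interface", "firewall", "security-policy"):
            ctx = w  # section header: interface <name> / firewall zone <name> / security-policy
        elif ctx and ctx[0] == "interface" and w[:2] == ["ip", "address"]:
            cfg["if_ip"][ctx[1]] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif ctx and ctx[0] == "firewall" and w[:2] == ["add", "interface"]:
            cfg["zone_of"][w[2]] = ctx[2]
        elif ctx and ctx[0] == "security-policy":
            if w[:2] == ["rule", "name"]:
                rule = {"name": w[2], "action": None, **{k: [] for k in FIELDS}}
                cfg["rules"].append(rule)
            elif w[0] in FIELDS:  # zones are bare names, addresses are "<ip> mask <mask>"
                rule[w[0]].append(w[1] if len(w) == 2 else ipaddress.ip_network(f"{w[1]}/{w[3]}"))
            elif w[0] == "action":
                rule["action"] = " ".join(w[1:])
    return cfg


def egress_interface(cfg, ip):
    """Longest-prefix match over connected subnets and static routes; returns the egress interface or None."""
    ip = ipaddress.ip_address(ip)
    routes = [(i.network, ["connected", n]) for n, i in cfg["if_ip"].items()] + cfg["routes"]
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=(None, [None]))
    nh = best[1][0]
    if nh == "connected":
        return best[1][1]
    if nh in ("public", "vpn-instance"):  # assumption: handed to the neighbouring system over this one's Virtual-if
        return next((n for n in cfg["zone_of"] if n.startswith("Virtual-if")), None)
    return nh and next((n for n, i in cfg["if_ip"].items() if ipaddress.ip_address(nh) in i.network), None)


def first_match(rules, src_zone, dst_zone, src, dst):
    """(name, action) of the first rule whose zones and addresses match; an empty field means 'any'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        zones_ok = all(not r[k] or z in r[k] for k, z in (("source-zone", src_zone), ("destination-zone", dst_zone)))
        addrs_ok = all(not r[k] or any(a in n for n in r[k]) for k, a in (("source-address", src), ("destination-address", dst)))
        if zones_ok and addrs_ok:
            return r["name"], r["action"]
    return None, "deny"  # USG default: a flow matching no rule is dropped


def trace(hops, src, dst):
    """Walk the flow through each (name, cfg) hop. The ingress zone is taken from the route back to the
    source, which doubles as the check that root's return route (ip route-static ... vpn-instance) exists."""
    path = []
    for name, cfg in hops:
        in_zone, out_zone = (cfg["zone_of"].get(egress_interface(cfg, a)) for a in (src, dst))
        rule, action = first_match(cfg["rules"], in_zone, out_zone, src, dst)
        path.append({"hop": name, "in": in_zone, "out": out_zone, "rule": rule, "action": action})
        if action != "permit":
            break
    return path


PATH = trace([("vsys1", parse_vrp(VSYS1_CFG)), ("root", parse_vrp(ROOT_CFG))], "192.168.10.2", "10.1.1.2")
```

PATH holds one entry per hop: trust to untrust, permitted by shangwang, in vsys1 and again in root. Deleting the vpn-instance route from ROOT_CFG and calling trace() again makes root resolve 192.168.10.2 through its default route, i.e. as arriving from untrust, so the trust-to-untrust rule no longer matches and the flow is denied at the second hop; that is what a forgotten return route looks like.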
3 Summary
1 Configure the virtual systems and assign their interfaces, then configure the security zones, interface management services and so on inside each virtual firewall. (The interface configuration above permits telnet and http as management services; outside a lab, keep only ssh and https and leave the plaintext services disabled.)
2 One detail: vsys1 uses the interface Virtual-if1 and vsys2 uses Virtual-if2,
while public (the root system) uses Virtual-if0.
3 Traffic always passes through the vsys first and then through root, so the route inside the virtual firewall must point to public (ip route-static 0.0.0.0 0.0.0.0 public), and root needs the return route to the vsys subnet (ip route-static 192.168.10.0 255.255.255.0 vpn-instance vsys1).
4 For pc2 to reach the outside, the security policy has to be configured on both vsys1 and public; in this setup the source NAT (easy-ip on GigabitEthernet1/0/0) is done only in root.
5 Verify whether the traffic is going through:
[fw1]display firewall session table
2023-02-26 09:49:23.320
Current Total Sessions : 40
icmp VPN: public --> public 192.168.10.2:8235[10.1.1.1:2951] --> 10.1.1.2:2048
icmp VPN: public --> public 10.1.1.2:6187 --> 10.1.1.1:2048
icmp VPN: public --> public 10.1.1.2:5675 --> 10.1.1.1:2048
icmp VPN: public --> public 192.168.10.2:9771[10.1.1.1:2957] --> 10.1.1.2:2048
icmp VPN: public --> public 192.168.10.2:6443[10.1.1.1:2944]
The bracketed address after the source, e.g. 192.168.10.2:8235[10.1.1.1:2951], is the post-NAT source: pc2's address has been rewritten to the address of GigabitEthernet1/0/0 by the easy-ip rule in root. Seeing these sessions in root's own table (VPN: public) confirms that the default route to public handed the traffic from vsys1 to root and that root's NAT policy matched. The 10.1.1.2 --> 10.1.1.1 entries are separate ICMP sessions from the 10.1.1.2 host to the root firewall's own interface address, covered by rule wai.
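The same check can be done programmatically. The following is an added example in Python (not part of the original post and not Huawei tooling): it parses display firewall session table output, re-joins entries that the terminal wrapped onto a second line, keeps entries it cannot parse (such as a line cut off at the end of the capture) separate, and then reports which sessions from 192.168.10.0/24 were translated to the egress address 10.1.1.1 and which left untranslated, which would indicate a NAT policy miss. The sample input is the output above as originally captured, wraps and cut-off last line included; the regex covers only the one-line entry format shown here, not the verbose form of the command.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the 'display firewall session table' output shown above, kept exactly as the
# terminal wrapped it (two entries are split across lines, the last one is cut off).
SAMPLE = """\
[fw1]display firewall session table
2023-02-26 09:49:23.320
Current Total Sessions : 40
icmp VPN: public --> public 192.168.10.2:8235[10.1.1.1:2951] --> 10.1.1.2:204
8
icmp VPN: public --> public 10.1.1.2:6187 --> 10.1.1.1:2048
icmp VPN: public --> public 10.1.1.2:5675 --> 10.1.1.1:2048
icmp VPN: public --> public 192.168.10.2:9771[10.1.1.1:2957] --> 10.1.1.2:204
8
icmp VPN: public --> public 192.168.10.2:6443[10.1.1.1:2944]
"""

# One session entry: proto, VPN pair, source (optionally followed by [post-NAT address]), destination.
SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:\s*(?P<src_vpn>\S+)\s*-->\s*(?P<dst_vpn>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)"
    r"(?:\[(?P<nat_ip>\d+(?:\.\d+){3}):(?P<nat_port>\d+)\])?"
    r"\s*-->\s*(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)
# A wrapped tail is a bare fragment of digits, dots, colons or brackets with no letters in it.
FRAGMENT_RE = re.compile(r"^[\d.:\[\]]+$")


@dataclass
class Session:
    proto: str
    src_vpn: str
    dst_vpn: str
    src: str
    sport: int          # for ICMP this field carries the identifier, not a port
    nat_ip: Optional[str]
    nat_port: Optional[int]
    dst: str
    dport: int


def parse_session_table(text):
    """Return (sessions, unparsed): complete entries as Session objects, plus the raw text of
    entries that do not parse (e.g. a line cut off at the end of the capture)."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if "VPN:" in line:
            entries.append(line)
        elif entries and FRAGMENT_RE.match(line):
            entries[-1] += line  # re-join a line the terminal wrapped
        # the prompt, timestamp and session count are ignored
    sessions, unparsed = [], []
    for entry in entries:
        m = SESSION_RE.match(entry)
        if not m:
            unparsed.append(entry)
            continue
        d = m.groupdict()
        sessions.append(Session(
            d["proto"], d["src_vpn"], d["dst_vpn"], d["src"], int(d["sport"]),
            d["nat_ip"], int(d["nat_port"]) if d["nat_port"] else None,
            d["dst"], int(d["dport"])))
    return sessions, unparsed


def check_source_nat(sessions, inside_net, egress_ip):
    """Split sessions originating in inside_net into those translated to egress_ip (NAT policy hit)
    and those that left untranslated (a NAT policy miss: private addresses leaking outside)."""
    net = ipaddress.ip_network(inside_net)
    translated, leaked = [], []
    for s in sessions:
        if ipaddress.ip_address(s.src) in net:
            (translated if s.nat_ip == egress_ip else leaked).append(s)
    return translated, leaked


if __name__ == "__main__":
    sessions, unparsed = parse_session_table(SAMPLE)
    translated, leaked = check_source_nat(sessions, "192.168.10.0/24", "10.1.1.1")
    print(f"{len(sessions)} sessions parsed, {len(unparsed)} cut off")
    for s in translated:
        print(f"NAT ok: {s.src}:{s.sport} -> {s.nat_ip}:{s.nat_port} -> {s.dst}:{s.dport}")
    for s in leaked:
        print(f"NOT translated: {s.src}:{s.sport} -> {s.dst}:{s.dport}")
```

On the captured output this yields four complete sessions and one cut-off entry; both 192.168.10.2 sessions carry the 10.1.1.1 post-NAT address, so the "leaked" list is empty. A non-empty "leaked" list after a policy change is the quickest sign that the nat-policy rule in root no longer matches the vsys subnet.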