华为虚拟墙之间访问，虚拟墙和root墙之间的访问

1 拓扑

1

                             

 2  拓扑解释

fw1  vsys1   vlan10   trust      vif 1  对应untrust

fw1  vsys2    vlan20  trust    vif2  对应untrust

public      vif 0 对应trust      g1/0/1  对应untrust

pc1-----fw1  vsys1   vlan10 --------fw1  root ----------fw1  vsys2   vif2 ------fw1 vsys2 vlan20 地址

所有的流量都是经过各自的虚拟墙并且通过root 墙。

3 配置

虚拟墙1 的配置

[fw1-vsys1]dis current-configuration  
2023-03-31 08:51:18.460 
#
switch vsys vsys1
#
 l2tp domain suffix-separator @
#
 firewall defend action discard
#
page-setting
password-policy
 level high
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
#
interface Vlanif10
 ip binding vpn-instance vsys1
 ip address 10.1.1.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
#
l2tp-group default-lns
#
interface Virtual-if1
#
sa
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Vlanif10
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
#
firewall zone dmz
 set priority 50
#
location
#
multi-linkif
 mode proportion-of-weight
#
security-policy
 rule name zhilian
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  action permit
 rule name tong
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 20.1.1.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 20.1.1.0 mask 255.255.255.0
  action permit
 rule name 1.1.1.1
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return

虚拟墙vsys2 的配置

[fw1-vsys2]dis current-configuration  
2023-03-31 08:52:01.540 
#
switch vsys vsys2
#
 l2tp domain suffix-separator @
#
 firewall defend action discard
#
page-setting
password-policy
 level high
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
#
interface Vlanif20
 ip binding vpn-instance vsys2
 ip address 20.1.1.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
#
l2tp-group default-lns
#
interface Virtual-if2
#
sa
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Vlanif20
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
#
firewall zone dmz
 set priority 50
#
location
#
multi-linkif
 mode proportion-of-weight
#
security-policy
 rule name zhilian
  source-zone local
  source-zone trust
  destination-zone local
  destination-zone trust
  source-address 20.1.1.0 mask 255.255.255.0
  destination-address 20.1.1.0 mask 255.255.255.0
  action permit
 rule name tong
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 20.1.1.0 mask 255.255.255.0
  destination-address 10.1.1.0 mask 255.255.255.0
  destination-address 20.1.1.0 mask 255.255.255.0
  action permit
 rule name 1.1.1.1
  source-zone trust
  destination-zone untrust
  source-address 20.1.1.0 mask 255.255.255.0
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return

root 墙的配置

#
ip vpn-instance vsys2
 ipv4-family
 ipv6-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%G$WRMG8`]Tr)/b;:TSh;GdGR^a&l8v)qT3|,\JQfx~0)dGUG@%@%
  service-type web terminal
  level 15

 manager-user api-admin
  password cipher @%@%kE~/Ahp_n.F,6$PdMkeG{*cL}4hH!}3m*@y=GhOfT>10*cO{@%@%
  level 15

 manager-user admin
  password cipher @%@%R%crQu@0*>R'M7KMo%d2e^\8~4]J$Ya8c%U*mJ$(4K$R^\;e@%@%
  service-type web terminal
  level 15

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
interface Vlanif10
 ip binding vpn-instance vsys1
 ip address 10.1.1.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
#
interface Vlanif20
 ip binding vpn-instance vsys2
 ip address 20.1.1.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage telnet permit
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.0.1 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.1.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface Virtual-if1
#
interface Virtual-if2
#
interface NULL0
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface Virtual-if0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
#
ip route-static 10.1.1.0 255.255.255.0 vpn-instance vsys1
ip route-static 20.1.1.0 255.255.255.0 vpn-instance vsys2
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 rule name 1.1.1.1
  source-zone trust
  destination-zone local
  source-address 10.1.1.0 mask 255.255.255.0
  source-address 20.1.1.0 mask 255.255.255.0
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
#

3  配置讲解

pc1  访问pc2  注意的是流量是经过各自的虚拟墙，

pc1    fw1——vsys1    trust vlan10     ------fw1  vsys1  untrust  vif1   ---------fw1  root   ------fw1 vsys2   untrust   vif2 -------fw1  vsys2 trust   vlan20 

1  每个虚拟墙都要写一条路由到public 

2  每个虚拟墙都要各自的策略  都要放行

3  比较重要的在root 墙一定要写到各自虚拟墙所在的路由，

4 这样的话路由直接在墙里面转发，这是横向的作用

5 如果需要管理 在public 墙上做一个 lookback  地址这个时候注意public  墙上的策略

这个时候是trust2local    local2trust  放行管理网段