1 拓扑
1
2 拓扑解释
fw1 vsys1 vlan10 trust vif 1 对应untrust
fw1 vsys2 vlan20 trust vif2 对应untrust
public vif 0 对应trust g1/0/1 对应untrust
pc1-----fw1 vsys1 vlan10 --------fw1 root ----------fw1 vsys2 vif2 ------fw1 vsys2 vlan20 地址
所有的流量都是经过各自的虚拟墙并且通过root 墙。
3 配置
虚拟墙1 的配置
[fw1-vsys1]dis current-configuration
2023-03-31 08:51:18.460
#
switch vsys vsys1
#
l2tp domain suffix-separator @
#
firewall defend action discard
#
page-setting
password-policy
level high
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
#
interface Vlanif10
ip binding vpn-instance vsys1
ip address 10.1.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
l2tp-group default-lns
#
interface Virtual-if1
#
sa
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Vlanif10
#
firewall zone untrust
set priority 5
add interface Virtual-if1
#
firewall zone dmz
set priority 50
#
location
#
multi-linkif
mode proportion-of-weight
#
security-policy
rule name zhilian
source-zone local
source-zone trust
destination-zone local
destination-zone trust
source-address 10.1.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
action permit
rule name tong
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 20.1.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 20.1.1.0 mask 255.255.255.0
action permit
rule name 1.1.1.1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
destination-address 1.1.1.1 mask 255.255.255.255
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return
虚拟墙vsys2 的配置
[fw1-vsys2]dis current-configuration
2023-03-31 08:52:01.540
#
switch vsys vsys2
#
l2tp domain suffix-separator @
#
firewall defend action discard
#
page-setting
password-policy
level high
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
#
interface Vlanif20
ip binding vpn-instance vsys2
ip address 20.1.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
l2tp-group default-lns
#
interface Virtual-if2
#
sa
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Vlanif20
#
firewall zone untrust
set priority 5
add interface Virtual-if2
#
firewall zone dmz
set priority 50
#
location
#
multi-linkif
mode proportion-of-weight
#
security-policy
rule name zhilian
source-zone local
source-zone trust
destination-zone local
destination-zone trust
source-address 20.1.1.0 mask 255.255.255.0
destination-address 20.1.1.0 mask 255.255.255.0
action permit
rule name tong
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
source-address 10.1.1.0 mask 255.255.255.0
source-address 20.1.1.0 mask 255.255.255.0
destination-address 10.1.1.0 mask 255.255.255.0
destination-address 20.1.1.0 mask 255.255.255.0
action permit
rule name 1.1.1.1
source-zone trust
destination-zone untrust
source-address 20.1.1.0 mask 255.255.255.0
destination-address 1.1.1.1 mask 255.255.255.255
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return
root 墙的配置
#
ip vpn-instance vsys2
ipv4-family
ipv6-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%G$WRMG8`]Tr)/b;:TSh;GdGR^a&l8v)qT3|,\JQfx~0)dGUG@%@%
service-type web terminal
level 15
manager-user api-admin
password cipher @%@%kE~/Ahp_n.F,6$PdMkeG{*cL}4hH!}3m*@y=GhOfT>10*cO{@%@%
level 15
manager-user admin
password cipher @%@%R%crQu@0*>R'M7KMo%d2e^\8~4]J$Ya8c%U*mJ$(4K$R^\;e@%@%
service-type web terminal
level 15
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
interface Vlanif10
ip binding vpn-instance vsys1
ip address 10.1.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
interface Vlanif20
ip binding vpn-instance vsys2
ip address 20.1.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
interface GigabitEthernet1/0/0
portswitch
undo shutdown
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/2
undo shutdown
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface Virtual-if1
#
interface Virtual-if2
#
interface NULL0
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface Virtual-if0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
ip route-static 10.1.1.0 255.255.255.0 vpn-instance vsys1
ip route-static 20.1.1.0 255.255.255.0 vpn-instance vsys2
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
rule name 1.1.1.1
source-zone trust
destination-zone local
source-address 10.1.1.0 mask 255.255.255.0
source-address 20.1.1.0 mask 255.255.255.0
destination-address 1.1.1.1 mask 255.255.255.255
action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
#
3 配置讲解
pc1 访问pc2 注意的是流量是经过各自的虚拟墙,
pc1 fw1——vsys1 trust vlan10 ------fw1 vsys1 untrust vif1 ---------fw1 root ------fw1 vsys2 untrust vif2 -------fw1 vsys2 trust vlan20
1 每个虚拟墙都要写一条路由到public
2 每个虚拟墙都要各自的策略 都要放行
3 比较重要的在root 墙一定要写到各自虚拟墙所在的路由,
4 这样的话路由直接在墙里面转发,这是横向的作用
5 如果需要管理 在public 墙上做一个 lookback 地址这个时候注意public 墙上的策略
这个时候是trust2local local2trust 放行管理网段