Configuring a USG5500 firewall in eNSP
[FW]firewall packet-filter default permit all ——————this permits traffic by default on all interfaces
FW1: first make the internal PC1 able to reach the router. The configuration needed: interface addresses, a security policy that permits the traffic, NAT translation, and a default route pointing to the next hop.
[FW1]dis cur
13:20:19 2022/04/04
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.1.254 255.255.255.0
service-manage enable
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet0/0/1
ip address 12.12.12.1 255.255.255.0
service-manage enable
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
interface GigabitEthernet0/0/8
interface NULL0
alias NULL0
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
firewall zone dmz
set priority 50
aaa
local-user admin password cipher %$%$sA'mEjOqP*IooDS8mG]3[NE<%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
nqa-jitter tag-version 1
ip route-static 0.0.0.0 0.0.0.0 12.12.12.2
banner enable
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
slb
right-manager server-group
sysname FW1
l2tp domain suffix-separator @
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
nat address-group 1 12.12.12.1 12.12.12.1
ip df-unreachables enable
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
dns resolve
firewall statistic system enable
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
undo dns proxy
license-server domain lic.huawei.com
web-manager enable
policy interzone trust untrust outbound
policy 1
action permit
nat-policy interzone trust untrust outbound
policy 1
action source-nat ————Note: if this were no-nat, access from the internal network would fail
address-group 1
return
——————————————————————————————————
【FW1】Configure the IPsec VPN parameters and negotiation. Note that NAT must be turned off for the internal networks on both sides.
[FW1]display current-configuration
16:00:33 2022/04/04
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
ike proposal 1
dh group2
integrity-algorithm aes-xcbc-96
ike peer fw2
pre-shared-key %$%$+D(hUR47OOq%_^*DkdZ%[2)}%$%$
ike-proposal 1
remote-address 23.23.23.3
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm aes
ipsec policy map 1 isakmp
security acl 3000
ike-peer fw2
proposal test
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.1.254 255.255.255.0
service-manage enable
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet0/0/1
ip address 12.12.12.1 255.255.255.0
ipsec policy map
service-manage enable
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
interface GigabitEthernet0/0/8
interface NULL0
alias NULL0
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
firewall zone dmz
set priority 50
aaa
local-user admin password cipher %$%$sA'mEjOqP*IooDS8mG]3[NE<%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
nqa-jitter tag-version 1
ip route-static 0.0.0.0 0.0.0.0 12.12.12.2
banner enable
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
slb
right-manager server-group
sysname FW1
l2tp domain suffix-separator @
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
nat address-group 1 12.12.12.1 12.12.12.1
ip df-unreachables enable
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
dns resolve
firewall statistic system enable
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
undo dns proxy
license-server domain lic.huawei.com
web-manager enable
policy interzone local untrust inbound
policy 1
policy interzone trust untrust inbound
policy 1
action permit
policy source 192.168.2.0 0.0.0.255
policy destination 192.168.1.0 0.0.0.255
policy interzone trust untrust outbound
policy 1
action permit
nat-policy interzone trust untrust outbound
policy 1
action no-nat
policy destination 192.168.2.0 mask 24
address-group 1
policy 0
policy 2
action source-nat
address-group 1
return
[FW1]
——————————————————————————————————————
【FW3】
[FW3]dis cur
16:08:52 2022/04/04
stp region-configuration
region-name f0eedc15704f
active region-configuration
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
ike proposal 1
dh group2
integrity-algorithm aes-xcbc-96
ike peer fw1
pre-shared-key %$%$/d=U~a/WfP!1Jg9:/DyQ[@7.%$%$
ike-proposal 1
remote-address 12.12.12.1
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm aes
ipsec policy map 1 isakmp
security acl 3000
ike-peer fw1
proposal test
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.2.254 255.255.255.0
service-manage enable
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet0/0/1
ip address 23.23.23.3 255.255.255.0
ipsec policy map
service-manage enable
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
interface GigabitEthernet0/0/4
interface GigabitEthernet0/0/5
interface GigabitEthernet0/0/6
interface GigabitEthernet0/0/7
interface GigabitEthernet0/0/8
interface NULL0
alias NULL0
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
firewall zone dmz
set priority 50
aaa
local-user admin password cipher %$%$o#ro#KyHH#T=\T#<ul~*[>5,%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
nqa-jitter tag-version 1
ip route-static 0.0.0.0 0.0.0.0 23.23.23.2
banner enable
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
slb
right-manager server-group
sysname FW3
l2tp domain suffix-separator @
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
nat address-group 2 23.23.23.3 23.23.23.3
ip df-unreachables enable
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
dns resolve
firewall statistic system enable
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
undo dns proxy
license-server domain lic.huawei.com
web-manager enable
policy interzone local untrust inbound
policy 1
action permit
policy interzone trust untrust inbound
policy 1
action permit
policy source 192.168.1.0 0.0.0.255
policy destination 192.168.2.0 0.0.0.255
nat-policy interzone trust untrust outbound
policy 2
action no-nat
policy destination 192.168.1.0 mask 24
policy 3
action source-nat
address-group 2
return
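As an added example (not part of the original notes), here is a small Python checker that reads the VPN-relevant lines of the FW1 and FW3 configurations above and verifies the three things this site-to-site setup depends on: the two ACL 3000 rules mirror each other, each remote-address is the peer's public address, and the no-nat rule is matched before source-nat. The config excerpts are constructed from the dumps above; the function names are my own.

```python
import re

# Constructed excerpts of the FW1 and FW3 configs shown above (Huawei CLI syntax).
FW1 = """rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
remote-address 23.23.23.3
ip address 12.12.12.1 255.255.255.0
policy 1
action no-nat
policy destination 192.168.2.0 mask 24
policy 2
action source-nat
"""
FW3 = """rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
remote-address 12.12.12.1
ip address 23.23.23.3 255.255.255.0
policy 2
action no-nat
policy destination 192.168.1.0 mask 24
policy 3
action source-nat
"""

def parse(cfg):
    """Pull the VPN-relevant facts out of one firewall's config excerpt."""
    f = {"acl": [], "nat": []}
    for line in cfg.splitlines():
        if m := re.match(r"rule \d+ permit ip source (\S+) \S+ destination (\S+)", line):
            f["acl"].append((m[1], m[2]))   # interesting traffic as (src, dst)
        elif m := re.match(r"remote-address (\S+)", line):
            f["remote"] = m[1]
        elif m := re.match(r"ip address (\S+)", line):
            f["wan"] = m[1]                 # public interface the tunnel terminates on
        elif m := re.match(r"action (no-nat|source-nat)", line):
            f["nat"].append(m[1])           # nat-policy actions in lookup order
    return f

def check_peers(a_cfg, b_cfg):
    """Return the inconsistencies between two ends; empty list means they agree."""
    a, b = parse(a_cfg), parse(b_cfg)
    problems = []
    if sorted(a["acl"]) != sorted((d, s) for s, d in b["acl"]):
        problems.append("interesting-traffic ACLs are not mirror images")
    if a.get("remote") != b.get("wan") or b.get("remote") != a.get("wan"):
        problems.append("remote-address does not point at the peer's public address")
    for name, f in (("A", a), ("B", b)):
        # no-nat must be hit first: a source-nat match rewrites the source of the
        # inter-site traffic, so ACL 3000 never matches and nothing enters the tunnel
        if f["nat"][:1] != ["no-nat"]:
            problems.append(f"{name}: first nat-policy action is not no-nat")
    return problems
```

Run check_peers(FW1, FW3) to confirm the two dumps above agree; feeding it an excerpt where the no-nat policy has been replaced by source-nat reproduces the failure the notes warn about.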