If a firewall sits between two OSPF areas, the setup can be modelled as follows. In the lab below the topology is AR-1 - AR-2 - FW-1 - AR-3 - AR-4: AR-1 and AR-2 are in area 0, AR-3 and AR-4 are in area 1, and the firewall FW-1 is the area border router with one interface in each area.
First configure OSPF on the firewall, then the security policies that let OSPF (and ICMP, for ping tests) through it.
FW-1 (firewall) configuration
  sys
  undo info-center enable
  firewall zone trust                 # put both OSPF-facing interfaces into the default trust zone
    add interface g1/0/1
    add interface g1/0/0
  int g1/0/1
    ip add 192.168.2.2 24
    service-manage all permit         # permit every management service (ping, ssh, https, ...) on this interface
  int g1/0/0
    ip add 192.168.3.1 24
    service-manage all permit         # same here, so ping tests against the firewall work
  q
  ospf 1 router-id 3.3.3.3
    area 0
      net 192.168.2.0 0.0.0.255       # link towards AR-2 (area 0)
    q
    area 1
      net 192.168.3.0 0.0.0.255       # link towards AR-3 (area 1)
  q

Next comes the security policy that permits OSPF. This is mandatory: the firewall's own OSPF packets travel between the local zone and the zone of the interface they use, and a USG drops anything a security policy does not explicitly permit. The same applies to every other protocol you expect to work across the firewall, for example ICMP.

  ip service-set OSPF type object     # custom OSPF service; the name is upper case because lower-case ospf is already a predefined service
    service 0 protocol 89             # OSPF is IP protocol 89
  ip service-set ICMP type object     # same for ICMP, again upper case
    service protocol icmp

Configure the security policy:

  security-policy
    rule name permit_ospf
      source-zone local
      source-zone trust
      destination-zone local
      destination-zone trust
      source-address 192.168.3.0 mask 0.0.0.255
      source-address 192.168.2.0 mask 0.0.0.255
      destination-address 192.168.3.0 mask 0.0.0.255
      destination-address 192.168.2.0 mask 0.0.0.255
      service OSPF                    # reference the OSPF object
      action permit
    q
    rule name permit_icmp
      source-zone local
      source-zone trust
      destination-zone local
      destination-zone trust
      source-address 192.168.3.0 mask 0.0.0.255
      source-address 192.168.2.0 mask 0.0.0.255
      destination-address 192.168.3.0 mask 0.0.0.255
      destination-address 192.168.2.0 mask 0.0.0.255
      service ICMP                    # reference the ICMP object; the name must match the object exactly
      action permit

Two things to watch in these rules. The zones named in the rule must be the zones the OSPF interfaces were actually added to (trust here); if the interfaces are in trust but the rule names untrust, the OSPF packets match nothing and no adjacency forms. Also, OSPF hellos and DR/BDR traffic are sent to the multicast groups 224.0.0.5 and 224.0.0.6, not to the 192.168.x.0/24 addresses listed as destinations, so if the firewall applies the policy to them the destination-address conditions above will not match; either add those groups to the destination list or leave the address conditions out, since the rule is already confined to the local zone and the interface zone.

Configuring the security policy (alternative form): because the OSPF and ICMP rules carry identical zone and address conditions, a single rule that references both service objects is enough:

  security-policy
    rule name permit_ospf_icmp
      source-zone local
      source-zone trust
      destination-zone local
      destination-zone trust
      source-address 192.168.3.0 mask 0.0.0.255
      source-address 192.168.2.0 mask 0.0.0.255
      destination-address 192.168.3.0 mask 0.0.0.255
      destination-address 192.168.2.0 mask 0.0.0.255
      service OSPF                    # reference the OSPF object
      service ICMP                    # reference the ICMP object
      action permit

Check the configured security rule:

  display security-policy rule permit_ospf

Then confirm the adjacencies actually came up on the firewall and the routers with display ospf peer, and that both areas' prefixes appear with display ospf routing.
AR-1 configuration
  sys
  undo info-center enable
  int g0/0/0
    ip add 192.168.1.1 24
  q
  ospf 1 router-id 1.1.1.1
    area 0
      net 192.168.1.0 0.0.0.255

AR-2 configuration
  sys
  undo info-center enable
  int g0/0/0
    ip add 192.168.2.1 24             # link towards FW-1 g1/0/1 (192.168.2.2)
  int g0/0/1
    ip add 192.168.1.2 24             # link towards AR-1
  q
  ospf 1 router-id 2.2.2.2
    area 0
      net 192.168.1.0 0.0.0.255
      net 192.168.2.0 0.0.0.255

AR-3 configuration
  sys
  undo info-center enable
  int g0/0/0
    ip add 192.168.3.2 24             # 192.168.3.1 is already FW-1 g1/0/0 on this link, so AR-3 must use another address
  int g0/0/1
    ip add 192.168.4.1 24             # link towards AR-4
  q
  ospf 1 router-id 4.4.4.4
    area 1
      net 192.168.3.0 0.0.0.255
      net 192.168.4.0 0.0.0.255

AR-4 configuration
  sys
  undo info-center enable
  int g0/0/0
    ip add 192.168.4.2 24
  q
  ospf 1 router-id 5.5.5.5
    area 1
      net 192.168.4.0 0.0.0.255
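The three mistakes that most often stop an OSPF adjacency through a firewall like this one are a duplicated link address, a security policy that names the wrong zone, and destination-address conditions that do not cover the OSPF multicast groups. The script below is an added example written for this page, not part of the original lab or of any Huawei tooling; it audits a hand-transcribed model of the topology above (the interface list, rule zones and rule destinations are constructed from the configurations on this page, with AR-3 entered exactly as the page first printed it) and reports each of those three problems.

```python
"""Audit an OSPF-through-firewall design for address, zone and multicast mistakes."""
import ipaddress
from collections import defaultdict

# Constructed model of the lab on this page: (device, interface, address/prefix,
# security zone or None for routers). Transcribed by hand, not parsed from configs.
PAGE_INTERFACES = [
    ("AR-1", "g0/0/0", "192.168.1.1/24", None),
    ("AR-2", "g0/0/1", "192.168.1.2/24", None),
    ("AR-2", "g0/0/0", "192.168.2.1/24", None),
    ("FW-1", "g1/0/1", "192.168.2.2/24", "trust"),
    ("FW-1", "g1/0/0", "192.168.3.1/24", "trust"),
    ("AR-3", "g0/0/0", "192.168.3.1/24", None),   # as the page first printed it
    ("AR-3", "g0/0/1", "192.168.4.1/24", None),
    ("AR-4", "g0/0/0", "192.168.4.2/24", None),
]

# Zones and destination networks of the page's original permit_ospf rule.
PAGE_RULE_ZONES = {"local", "untrust"}
PAGE_RULE_DESTINATIONS = ["192.168.2.0/24", "192.168.3.0/24"]

OSPF_MULTICAST = ("224.0.0.5", "224.0.0.6")   # AllSPFRouters, AllDRouters


def duplicate_addresses(interfaces):
    """Return {ip: [device/interface, ...]} for every address configured more than once."""
    owners = defaultdict(list)
    for device, ifname, cidr, _zone in interfaces:
        ip = str(ipaddress.ip_interface(cidr).ip)
        owners[ip].append(f"{device} {ifname}")
    return {ip: who for ip, who in owners.items() if len(who) > 1}


def missing_policy_zones(interfaces, rule_zones, firewall="FW-1"):
    """Zones the rule must name but does not.

    The firewall's own OSPF packets flow between zone 'local' and the zone of
    the interface they use, so the rule needs 'local' plus every zone that
    holds one of the firewall's OSPF interfaces.
    """
    needed = {"local"} | {zone for dev, _i, _a, zone in interfaces if dev == firewall and zone}
    return needed - set(rule_zones)


def ospf_multicast_covered(destinations):
    """True if both OSPF multicast groups fall inside the rule's destination networks."""
    nets = [ipaddress.ip_network(d) for d in destinations]
    return all(any(ipaddress.ip_address(g) in n for n in nets) for g in OSPF_MULTICAST)


def audit(interfaces, rule_zones, destinations):
    """Collect findings as strings; an empty list means the design passes these checks."""
    findings = []
    for ip, who in duplicate_addresses(interfaces).items():
        findings.append(f"duplicate address {ip}: {', '.join(who)}")
    for zone in sorted(missing_policy_zones(interfaces, rule_zones)):
        findings.append(f"security policy does not name zone '{zone}'")
    if not ospf_multicast_covered(destinations):
        findings.append("destination-address list excludes 224.0.0.5/224.0.0.6 (OSPF hello and DR traffic)")
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_INTERFACES, PAGE_RULE_ZONES, PAGE_RULE_DESTINATIONS):
        print("FINDING:", finding)
```

Run against the page's original values it reports all three findings; with AR-3 moved to 192.168.3.2, the rule zones set to local and trust, and 224.0.0.0/24 added to the destinations it reports nothing. The checks are deliberately independent of any vendor syntax, so the same model can be reused for a Cisco or Fortinet deployment of the same design.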