Scenario
The company's network consists of three parts: the headquarters, the branch network and a branch office. Users in the branch's Trust zone and the branch office must be able to reach the headquarters' Trust zone, and the traffic in transit must be encrypted.
Step 1: Basic configuration

Configure routers R1, R2 and R3:

[Huawei]sysname R1
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ip address 10.0.10.2 24
[R1-GigabitEthernet0/0/1]interface Serial 1/0/0
[R1-Serial1/0/0]ip address 10.0.12.1 24
[R1-Serial1/0/0]interface LoopBack 0
[R1-LoopBack0]ip address 10.0.1.1 24
[Huawei]sysname R2
[R2]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip address 10.0.20.1 24
[R2-GigabitEthernet0/0/2]interface Serial 1/0/0
[R2-Serial1/0/0]ip address 10.0.12.2 24
[R2-Serial1/0/0]interface LoopBack 0
[R2-LoopBack0]ip address 10.0.2.2 24
[Huawei]sysname R3
[R3]interface Serial 2/0/0
[R3-Serial2/0/0]ip address 10.0.23.3 24
[R3-Serial2/0/0]interface LoopBack 0
[R3-LoopBack0]ip address 10.0.3.3 24

Configure firewalls FW1 and FW2:

[Huawei]sysname FW1
[FW1]interface Ethernet 0/0/0
[FW1-Ethernet0/0/0]ip address 10.0.100.1 24
[FW1-Ethernet0/0/0]interface Ethernet 2/0/0
[FW1-Ethernet2/0/0]ip address 10.0.10.1 24
[FW1-Ethernet2/0/0]interface Vlanif 1
[FW1-Vlanif1]undo ip address
[Huawei]sysname FW2
[FW2]interface Ethernet 0/0/0
[FW2-Ethernet0/0/0]ip address 10.0.200.1 24
[FW2-Ethernet0/0/0]interface Ethernet 2/0/0
[FW2-Ethernet2/0/0]ip address 10.0.20.2 24 // 10.0.20.1 is already R2's address; every later reference to FW2 (IKE remote-address, GRE tunnel source, GRE ACLs) uses 10.0.20.2
[FW2-Ethernet2/0/0]interface Vlanif 1
[FW2-Vlanif1]undo ip address

Assign the interfaces to security zones:

[FW1]firewall zone untrust
[FW1-zone-untrust]add interface Ethernet 2/0/0
[FW1-zone-untrust]undo add interface Ethernet 0/0/0
[FW1-zone-untrust]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface Ethernet 0/0/0
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface Ethernet 2/0/0
[FW2-zone-untrust]undo add interface Ethernet 0/0/0
[FW2-zone-untrust]quit
[FW2]firewall zone trust
[FW2-zone-trust]add interface Ethernet 0/0/0

Step 2: Configure interzone security filtering

[FW1]firewall packet-filter default permit interzone trust untrust // allow the trust zone to access the untrust zone
[FW1]firewall packet-filter default permit interzone local untrust // the local zone must reach untrust for IKE/IPSec negotiation with the peer
[FW2]firewall packet-filter default permit interzone trust untrust
[FW2]firewall packet-filter default permit interzone local untrust

Step 3: Configure routing

[R1]ospf 1
[R1-ospf-1]area 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R2]ospf 1
[R2-ospf-1]area 0.0.0.0
[R2-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255
[R3]ospf 1
[R3-ospf-1]area 0.0.0.0
[R3-ospf-1-area-0.0.0.0]network 10.0.23.0 0.0.0.255
[FW1]ospf 1
[FW1-ospf-1]area 0.0.0.0
[FW1-ospf-1-area-0.0.0.0]network 10.0.10.0 0.0.0.255
[FW2]ospf 1
[FW2-ospf-1]area 0.0.0.0
[FW2-ospf-1-area-0.0.0.0]network 10.0.20.0 0.0.0.255

Step 4: Configure the IPSec VPN

Define the traffic to be protected (the two ACLs must mirror each other) and the static routes toward the remote subnet:

[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.100.0 0.0.0.255 // mirror image of FW1's rule: branch subnet to headquarters subnet
[FW1]ip route-static 10.0.200.0 24 10.0.10.2 // static route to the remote subnet, next hop R1
[FW2]ip route-static 10.0.100.0 24 10.0.20.1 // next hop R2

Configure the IPSec proposal (ESP in tunnel mode):

[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW1-ipsec-proposal-tran1]transform esp
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1 // authentication algorithm: SHA1
[FW1-ipsec-proposal-tran1]esp encryption-algorithm des // encryption algorithm: DES
[FW2]ipsec proposal tran1
[FW2-ipsec-proposal-tran1]encapsulation-mode tunnel
[FW2-ipsec-proposal-tran1]transform esp
[FW2-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW2-ipsec-proposal-tran1]esp encryption-algorithm des

Configure the IKE proposal and the IKE peer (the proposal to use, the remote address and the pre-shared key):

[FW1]ike proposal 10
[FW1-ike-proposal-10]authentication-algorithm sha1
[FW1-ike-proposal-10]encryption-algorithm des
[FW2]ike proposal 10
[FW2-ike-proposal-10]authentication-algorithm sha1
[FW2-ike-proposal-10]encryption-algorithm des
[FW1]ike peer fw12
[FW1-ike-peer-fw12]ike-proposal 10
[FW1-ike-peer-fw12]remote-address 10.0.20.2 // FW2's outside address
[FW1-ike-peer-fw12]pre-shared-key abcde
[FW2]ike peer fw21
[FW2-ike-peer-fw21]ike-proposal 10
[FW2-ike-peer-fw21]remote-address 10.0.10.1 // FW1's outside address
[FW2-ike-peer-fw21]pre-shared-key abcde

Bind the ACL, the IPSec proposal and the IKE peer in an IPSec policy, then apply the policy to the outside interface:

[FW1]ipsec policy map1 10 isakmp
[FW1-ipsec-policy-isakmp-map1-10]security acl 3000
[FW1-ipsec-policy-isakmp-map1-10]proposal tran1
[FW1-ipsec-policy-isakmp-map1-10]ike-peer fw12
[FW2]ipsec policy map1 10 isakmp
[FW2-ipsec-policy-isakmp-map1-10]security acl 3000
[FW2-ipsec-policy-isakmp-map1-10]proposal tran1
[FW2-ipsec-policy-isakmp-map1-10]ike-peer fw21
[FW1]interface Ethernet 2/0/0
[FW1-Ethernet2/0/0]ipsec policy map1 // apply the IPSec policy
[FW2]interface Ethernet 2/0/0
[FW2-Ethernet2/0/0]ipsec policy map1

Step 5: Configure GRE over IPSec VPN

Create the GRE tunnel on FW2, place it in the untrust zone and run RIP over it:

[FW2]interface Tunnel 2
[FW2-Tunnel2]tunnel-protocol gre
[FW2-Tunnel2]ip address 40.1.1.1 24
[FW2-Tunnel2]source 10.0.20.2
[FW2-Tunnel2]destination 10.0.23.3
[FW2-Tunnel2]firewall zone untrust
[FW2-zone-untrust]add interface Tunnel 2
[FW2]rip // configure RIP
[FW2-rip-1]version 2
[FW2-rip-1]network 40.0.0.0
[R3]rip
[R3-rip-1]version 2
[R3-rip-1]network 40.0.0.0
[R3-rip-1]network 10.0.0.0

Configure the IPSec policy for the tunnel, binding a new ACL (which matches only the GRE traffic between the tunnel endpoints) and the IPSec proposal:

[R3]acl 3001
[R3-acl-adv-3001]rule permit gre source 10.0.23.3 0 destination 10.0.20.2 0
[R3-acl-adv-3001]quit
[R3]ipsec policy map1 20 isakmp
[R3-ipsec-policy-isakmp-map1-20]security acl 3001
[R3-ipsec-policy-isakmp-map1-20]proposal tran1 // the proposal tran1 and IKE peer r32 on R3 are not shown in this excerpt
[R3-ipsec-policy-isakmp-map1-20]ike-peer r32
[FW2]acl 3003
[FW2-acl-adv-3003]rule permit gre source 10.0.20.2 0 destination 10.0.23.3 0
[FW2-acl-adv-3003]quit
[FW2]ipsec policy map1 20 isakmp
[FW2-ipsec-policy-isakmp-map1-20]security acl 3003
[FW2-ipsec-policy-isakmp-map1-20]proposal tran1
[FW2-ipsec-policy-isakmp-map1-20]ike-peer fw23 // the IKE peer fw23 is not shown in this excerpt
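Two mistakes are easy to make in Steps 4 and 5: the two ends' ACLs must be exact mirror images (source and destination swapped) or the SA negotiation fails, and the algorithms chosen for the proposals decide how strong the tunnel actually is. The following checker is an added example, not part of the lab and not a Huawei tool: it parses "[prompt]command" lines in the form the lab uses, reports every algorithm that a defender would flag (it flags DES and SHA1, which the lab selects), and verifies that an ACL pair mirrors. The sample excerpt is constructed from the lab's own lines, with the FW2 ACL 3000 rule copied as the lab prints it so the mirror check has something to report; the check is generic and also covers the GRE ACLs of Step 5. It assumes that the device name is the part of the prompt before the first hyphen.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not the lab's own file): VRP-style lines in the same
# "[prompt]command" form the lab uses. The FW2 ACL rule is copied as the
# lab prints it, so the mirror check below reports it.
SAMPLE_CONFIG = """
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.0.100.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 10.0.200.0 0.0.0.255 destination 10.0.200.0 0.0.0.255
[R3]acl 3001
[R3-acl-adv-3001]rule permit gre source 10.0.23.3 0 destination 10.0.20.2 0
[FW2]acl 3003
[FW2-acl-adv-3003]rule permit gre source 10.0.20.2 0 destination 10.0.23.3 0
[FW1]ipsec proposal tran1
[FW1-ipsec-proposal-tran1]esp authentication-algorithm sha1
[FW1-ipsec-proposal-tran1]esp encryption-algorithm des
[FW1]ike proposal 10
[FW1-ike-proposal-10]authentication-algorithm sha1
[FW1-ike-proposal-10]encryption-algorithm des
"""

# The same excerpt with the FW2 destination corrected to the headquarters subnet.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "source 10.0.200.0 0.0.0.255 destination 10.0.200.0",
    "source 10.0.200.0 0.0.0.255 destination 10.0.100.0",
)

# Algorithms a reviewer would flag; DES and SHA1 are the ones the lab selects.
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1"}

LINE_RE = re.compile(r"^\[(?P<prompt>[^\]]+)\](?P<cmd>.+)$")
RULE_RE = re.compile(
    r"^rule permit (?P<proto>\S+) source (?P<src>\S+) (?P<swc>\S+) "
    r"destination (?P<dst>\S+) (?P<dwc>\S+)"
)

Rule = Tuple[str, str, str, str, str]   # proto, src, src-wildcard, dst, dst-wildcard
AclKey = Tuple[str, str]                # device, ACL number


def parse(config: str) -> Tuple[Dict[AclKey, List[Rule]], List[Tuple[str, str, str]]]:
    """Collect ACL rules per (device, ACL number) and every '*-algorithm' choice.

    Assumption: the device name is the prompt text before the first hyphen,
    as in '[FW2-acl-adv-3003]'.
    """
    acls: Dict[AclKey, List[Rule]] = {}
    algos: List[Tuple[str, str, str]] = []
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        prompt, cmd = m.group("prompt"), m.group("cmd").strip()
        device = prompt.split("-", 1)[0]
        if prompt.startswith(device + "-acl-adv-"):
            r = RULE_RE.match(cmd)
            if r:
                key = (device, prompt.rsplit("-", 1)[1])
                acls.setdefault(key, []).append(
                    (r["proto"], r["src"], r["swc"], r["dst"], r["dwc"]))
        elif "-algorithm" in cmd:
            # 'esp encryption-algorithm des', 'authentication-algorithm sha1', ...
            algos.append((device, prompt, cmd.split()[-1].lower()))
    return acls, algos


def weak_algorithms(algos: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (device, prompt, algorithm) entries that use a weak algorithm."""
    return [entry for entry in algos if entry[2] in WEAK_ALGORITHMS]


def mirror_mismatches(acls: Dict[AclKey, List[Rule]], left: AclKey, right: AclKey) -> List[Rule]:
    """Every rule in `left` must appear in `right` with source and destination
    swapped; return the mirrored rules that are missing on the right side."""
    right_rules = set(acls.get(right, []))
    missing = []
    for proto, src, swc, dst, dwc in acls.get(left, []):
        mirrored = (proto, dst, dwc, src, swc)
        if mirrored not in right_rules:
            missing.append(mirrored)
    return missing


if __name__ == "__main__":
    acls, algos = parse(SAMPLE_CONFIG)
    for device, prompt, algo in weak_algorithms(algos):
        print(f"{device}: weak algorithm '{algo}' under [{prompt}]")
    for left, right in ((("FW1", "3000"), ("FW2", "3000")), (("R3", "3001"), ("FW2", "3003"))):
        print(f"{left} vs {right}: missing mirrored rules {mirror_mismatches(acls, left, right)}")
```

Run it on a saved `display current-configuration` excerpt pasted into `SAMPLE_CONFIG`; the mirror check should be run in both directions for each ACL pair, since a rule present only on one side is just as fatal to the negotiation as a wrong destination.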