配置FW_A各接口的IP地址(记得开管理功能 service-manage enable)
interface GigabitEthernet1/0/0
ip address 10.2.0.1 255.255.255.0
service-manage enable
service-manage all permit
interface GigabitEthernet1/0/5
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage all permit
#
interface GigabitEthernet1/0/6
ip address 10.10.0.1 255.255.255.0
service-manage enable
service-manage all permit
配置FW_B各接口的IP地址(记得开管理功能 service-manage enable)
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.2.0.2 255.255.255.0
interface GigabitEthernet1/0/5
undo shutdown
ip address 10.3.0.2 255.255.255.0
interface GigabitEthernet1/0/6
undo shutdown
ip address 10.10.0.2 255.255.255.0
将FW_A各接口加入相应的安全区域
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/5
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/6
将FW_B各接口加入相应的安全区域(同FW_A一样)
在FW_A上配置一条缺省路由
ip route-static 0.0.0.0 0.0.0.0 10.2.0.10
在FW_B上配置一条缺省路由(同FW_A一样)
在FW_A上行业务接口GE1/0/0上配置VRRP备份组1,并设置其状态为Active
interface GigabitEthernet1/0/0
vrrp vrid 1 virtual-ip 10.2.0.100 active
在FW_A下行业务接口GE1/0/5上配置VRRP备份组2,并设置其状态为Active
interface GigabitEthernet1/0/5
vrrp vrid 2 virtual-ip 10.3.0.100 active
在FW_B上行业务接口GE1/0/0上配置VRRP备份组1,并设置其状态为Standby
interface GigabitEthernet1/0/0
vrrp vrid 1 virtual-ip 10.2.0.100 standby
在FW_B下行业务接口GE1/0/5上配置VRRP备份组2,并设置其状态为Standby
interface GigabitEthernet1/0/5
vrrp vrid 2 virtual-ip 10.3.0.100 standby
在FW_A上指定心跳口并启用双机热备功能。
hrp enable
hrp interface GigabitEthernet1/0/6 remote 10.10.0.2(对端防火墙接口地址)
在FW_B上指定心跳口并启用双机热备功能。
[FW_B]hrp int g1/0/6 remote 10.10.0.1
[FW_A]hrp enable
给R1配地址做静态
interface GigabitEthernet0/0/0
ip address 1.1.1.1 255.255.255.0
ip route-static 10.2.0.0 255.255.255.0 1.1.1.10
在LSW1配置vlan
interface Vlanif10
ip address 10.2.0.10 255.255.255.0
#
interface Vlanif100
ip address 1.1.1.10 255.255.255.0
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
在LSW2配置trunk口(所有接口)
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
在FW_A上配置安全策略。双机热备状态成功建立后,FW_A的安全策略配置会自动备份到FW_B上
配置安全策略,允许内网用户访问Internet
FW_A
HRP_M[FW_A]security-policy (+B)
HRP_M[FW_A-policy-security]rule name permit_trust_untrust (+B)
HRP_M[FW_A-policy-security-rule-permit_trust_untrust]source-zone untrust (+B)
HRP_M[FW_A-policy-security-rule-permit_trust_untrust]destination-zone trust (+B)
HRP_M[FW_A-policy-security-rule-permit_trust_untrust]action permit (+B)
FW_B
在B上备份设备已经进不去安全策略模式了
Dis cur查看(可以看到刚才创建的策略已经同步了)
rule name permit_trust_untrust
source-zone untrust
destination-zone trust
action permit
在FW_A上配置NAT策略。双机热备状态成功建立后,FW_A的NAT策略配置会自动备份到FW_B上
nat-policy
rule name AB
source-zone untrust
destination-zone trust
action source-nat easy-ip
