yangjinyu945 posted on 2025-11-30 13:18:54

A Huawei firewall GRE over IPSec configuration example for a mixed NAT scenario

<p>Lab topology:</p>
<p><img src="data/attachment/forum/202511/30/131931dsf5cgkg5gmnrg33.png" alt="image.png" title="image.png" /></p>
<p>FW1 configuration (the IKE and IPSec policy LAN_MAP applied to GigabitEthernet1/0/1, which the verification output below refers to, is not included in this excerpt):</p>
<pre><code>interface Tunnel0
ip address 10.1.0.12 255.255.255.0
tunnel-protocol gre
source GigabitEthernet1/0/1
destination 155.1.131.13
ospf enable 1 area 0.0.0.0
#
dis zone
trust
interface of the zone is (2):
    GigabitEthernet0/0/0
    GigabitEthernet1/0/0
#
untrust
interface of the zone is (1):
    GigabitEthernet1/0/1
#
dmz
interface of the zone is (1):
    Tunnel0
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 500
action permit
rule name OUT_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.13.0 mask 255.255.255.0
destination-address 10.1.12.0 mask 255.255.255.0
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone dmz
source-address 10.1.12.0 mask 255.255.255.0
destination-address 10.1.13.0 mask 255.255.255.0
action permit
rule name IN_TO_Internet
source-zone trust
destination-zone untrust
source-address 10.1.12.0 mask 255.255.255.0
action permit
#
ospf 1 router-id 150.1.1.1
area 0.0.0.0
#
interface GigabitEthernet1/0/0
ip address 10.1.12.12 255.255.255.0
ospf enable 1 area 0.0.0.0
#
nat-policy
rule name EASY_IP
source-zone trust
destination-zone untrust
source-address 10.1.12.0 mask 255.255.255.0
action source-nat easy-ip
</code></pre>
<p>FW2 configuration (mirror of FW1 without the NAT policy; its IKE and IPSec policy is likewise not included in the excerpt):</p>
<pre><code>interface Tunnel0
ip address 10.1.0.13 255.255.255.0
tunnel-protocol gre
source GigabitEthernet1/0/1
destination 155.1.121.12
ospf enable 1 area 0.0.0.0
#
trust
interface of the zone is (2):
    GigabitEthernet0/0/0
    GigabitEthernet1/0/0
#
untrust
interface of the zone is (1):
    GigabitEthernet1/0/1
#
dmz
interface of the zone is (1):
    Tunnel0
#
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 500
action permit
rule name OUT_TO_IN
source-zone dmz
destination-zone trust
source-address 10.1.12.0 mask 255.255.255.0
destination-address 10.1.13.0 mask 255.255.255.0
action permit
rule name IN_TO_OUT
source-zone trust
destination-zone dmz
source-address 10.1.13.0 mask 255.255.255.0
destination-address 10.1.12.0 mask 255.255.255.0
action permit
#
ospf 1 router-id 150.1.3.3
area 0.0.0.0
#
interface GigabitEthernet1/0/0
ip address 10.1.13.13 255.255.255.0
ospf enable 1 area 0.0.0.0
</code></pre>
<p>Verification and testing. On FW1, <code>dis ike sa</code> should list the IKEv2 SA (Phase v2:1) and its child SA (Phase v2:2) for peer 155.1.131.13 with flag RD (ready), and <code>dis ipsec sa</code> should show policy LAN_MAP on GigabitEthernet1/0/1 protecting GRE (IP protocol 47) between 155.1.121.0/24 and 155.1.131.0/24 in transport mode with anti-replay enabled. Two details in this output matter before reusing the configuration: the negotiated proposal is ESP 3DES-192 with SHA1, both deprecated, so a production deployment should negotiate AES with SHA2 instead; and "UDP encapsulation used for NAT traversal: N" shows that NAT-T was not negotiated in this test, which is why permitting only ESP (protocol 50) and UDP 500 from untrust to local is sufficient here, whereas a peer behind a NAT device would also need UDP 4500 permitted.</p>
<pre><code>#dis ike sa//IKE SA联盟
2024-04-03 03:41:01.800

IKE SA information :
Conn-ID    Peer                  VPN    Flag(s)     Phase   RemoteType   RemoteID
----------------------------------------------------------------------------------
7          155.1.131.13:500             RD|ST|A     v2:2    IP           155.1.131.13
4          155.1.131.13:500             RD|ST|A     v2:1    IP           155.1.131.13

Number of IKE SA : 2
------------------------------------------------------------------------------------
Flag Description:
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING

dis ipsec sa    // IPSec security associations (on FW1)
2024-04-03 03:41:03.950

ipsec sa information:

===============================
Interface: GigabitEthernet1/0/1
===============================

-----------------------------
IPSec policy name: &quot;LAN_MAP&quot;
Sequence number: 10
Acl group      : 3000
Acl rule         : 5
Mode             : ISAKMP
-----------------------------
    Connection ID   : 7
    Encapsulation mode: Transport
    Holding time      : 0d 0h 8m 30s
    Tunnel local      : 155.1.121.12:500
    Tunnel remote   : 155.1.131.13:500
    Flow source       : 155.1.121.0/255.255.255.0 47/0-65535
    Flow destination: 155.1.131.0/255.255.255.0 47/0-65535

   
      SPI: 195662205 (0xba9917d)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 10485755/3094
      Max sent sequence-number: 68
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 67/6124

   
      SPI: 198173290 (0xbcfe26a)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 10485756/3094
      Max received sequence-number: 64
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 54/4980
      Anti-replay : Enable
      Anti-replay window size: 1024
#
PC&gt;ping 10.1.13.10    // test across the tunnel

Ping 10.1.13.10: 32 data bytes, Press Ctrl_C to break
From 10.1.13.10: bytes=32 seq=2 ttl=126 time=31 ms

--- 10.1.13.10 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/39/47 ms

PC&gt;ping 150.1.1.1

Ping 150.1.1.1: 32 data bytes, Press Ctrl_C to break
From 150.1.1.1: bytes=32 seq=1 ttl=254 time=16 ms

--- 150.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/9/16 ms
</code></pre>
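<p>As an added check (example code written for this edit, not part of the original post and not a Huawei tool), the following Python script parses the <code>dis ipsec sa</code> output and the OUT_TO_LOCAL rule shown above, both embedded as constructed copies of the post's text, and reports what a reviewer would look for: transport mode and a GRE (protocol 47) selector, the NAT-T flag, anti-replay, deprecated algorithms in the negotiated proposal, and whether the untrust-to-local rule permits what the negotiated SA actually needs (ESP and UDP 500 here, plus UDP 4500 when NAT-T is on). The rule name and sample strings come from the post; the list of weak algorithms and the audit rules are the editor's assumptions.</p>

```python
# Added example (not from the original post): an offline audit of the
# 'display ipsec sa' output and the OUT_TO_LOCAL security-policy rule
# shown above. Both samples are constructed copies of the post's text;
# nothing here talks to a device.
import re
from dataclasses import dataclass, field

SAMPLE_RULE = """\
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol 50
service protocol udp destination-port 500
action permit
rule name OUT_TO_IN
"""

SAMPLE_IPSEC_SA = """\
IPSec policy name: "LAN_MAP"
    Encapsulation mode: Transport
    Tunnel local      : 155.1.121.12:500
    Flow source       : 155.1.121.0/255.255.255.0 47/0-65535

      SPI: 195662205 (0xba9917d)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      UDP encapsulation used for NAT traversal: N

      SPI: 198173290 (0xbcfe26a)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      UDP encapsulation used for NAT traversal: N
      Anti-replay : Enable
"""

# Algorithms a current IPSec deployment should no longer negotiate (editor's list).
WEAK_ALGS = {"DES", "3DES", "MD5", "SHA1"}

@dataclass
class Sa:
    spi: int
    proposal: str
    nat_t: bool

@dataclass
class IpsecPolicy:
    name: str
    mode: str
    flow_proto: int
    anti_replay: bool
    sas: list = field(default_factory=list)

def parse_ipsec_sa(text):
    """Pull the reviewer-relevant fields out of one 'display ipsec sa' policy block."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1).strip()
    pol = IpsecPolicy(
        name=grab(r'^IPSec policy name:\s*"([^"]+)"'),
        mode=grab(r"^\s*Encapsulation mode:\s*(\S+)"),
        # selector line reads '<net>/<mask> <ip-proto>/<port-range>'
        flow_proto=int(grab(r"^\s*Flow source\s*:\s*\S+\s+(\d+)/")),
        anti_replay=grab(r"^\s*Anti-replay\s*:\s*(\S+)").lower() == "enable",
    )
    for chunk in re.split(r"^\s*SPI:", text, flags=re.M)[1:]:  # one SA per direction
        pol.sas.append(Sa(
            spi=int(chunk.split()[0]),
            proposal=re.search(r"Proposal:\s*(.+)", chunk).group(1).strip(),
            nat_t=re.search(r"NAT traversal:\s*(\S)", chunk).group(1) == "Y",
        ))
    return pol

def rule_services(policy_text, rule):
    """Return the 'service ...' entries of one security-policy rule."""
    m = re.search(rf"^rule name {re.escape(rule)}\n(.*?)(?=^rule name |\Z)",
                  policy_text, re.M | re.S)
    if m is None:
        raise ValueError(f"rule {rule} not found")
    return {ln.strip()[len("service "):] for ln in m.group(1).splitlines()
            if ln.strip().startswith("service ")}

def audit(pol, services):
    findings = []
    if pol.mode.lower() != "transport":
        findings.append(f"{pol.name}: GRE over IPSec normally uses transport mode, got {pol.mode}")
    if pol.flow_proto != 47:
        findings.append(f"{pol.name}: selector protects IP protocol {pol.flow_proto}, not GRE (47)")
    if not pol.anti_replay:
        findings.append(f"{pol.name}: anti-replay is disabled")
    for sa in pol.sas:
        # token match, so 'DES' does not fire on '3DES' by substring
        weak = sorted(WEAK_ALGS & set(re.split(r"[ -]", sa.proposal.upper())))
        if weak:
            findings.append(f"SPI {sa.spi:#x}: proposal '{sa.proposal}' uses deprecated {', '.join(weak)}")
    nat_t = any(sa.nat_t for sa in pol.sas)
    if not nat_t and "protocol 50" not in services:
        findings.append("OUT_TO_LOCAL must permit ESP (protocol 50) when NAT-T is off")
    if "protocol udp destination-port 500" not in services:
        findings.append("OUT_TO_LOCAL must permit IKE (udp 500)")
    if nat_t and "protocol udp destination-port 4500" not in services:
        findings.append("NAT-T is active but OUT_TO_LOCAL does not permit udp 4500")
    return findings
```

<p>Running <code>audit(parse_ipsec_sa(SAMPLE_IPSEC_SA), rule_services(SAMPLE_RULE, "OUT_TO_LOCAL"))</code> on the post's output returns two findings, one per SA, both flagging 3DES and SHA1; flipping the NAT-T flag to Y in the sample adds a third finding about the missing UDP 4500 permit, which is the case the security policy above does not cover.</p>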