配置FW_A。
a.配置接口的IP地址,并将接口加入安全区域。 system-view
sysname\] sysname FW_A \[FW_A\] interface GigabitEthernet 1/0/1 \[FW_A-GigabitEthernet1/0/1\] ip address 1.1.1.1 24 \[FW_A-GigabitEthernet1/0/1\] quit \[FW_A\] interface GigabitEthernet 1/0/2 \[FW_A-GigabitEthernet1/0/2\] ip address 10.1.1.1 24 \[FW_A-GigabitEthernet1/0/2\] quit \[FW_A\] interface Tunnel 1 \[FW_A-Tunnel1\] ip address 172.16.2.1 24 \[FW_A-Tunnel1\] quit \[FW_A\] firewall zone untrust \[FW_A-zone-untrust\] add interface GigabitEthernet 1/0/1 \[FW_A-zone-untrust\] quit \[FW_A\] firewall zone trust \[FW_A-zone-trust\] add interface GigabitEthernet 1/0/2 \[FW_A-zone-trust\] quit \[FW_A\] firewall zone dmz \[FW_A-zone-dmz\] add interface tunnel 1 \[FW_A-zone-dmz\] quit b.配置路由,将需要经过GRE隧道传输的流量引入到GRE隧道中。 \[FW_A\] ip route-static 10.1.2.0 24 Tunnel1 不用静态用ospf也可以 network发布隧道地址和内网地址 \[FW_A\] ip route-static 0.0.0.0 0 1.1.1.2 c.配置Tunnel接口的封装参数。\[FW_A\] interface Tunnel 1 \[FW_A-Tunnel1\] tunnel-protocol gre \[FW_A-Tunnel1\] source 1.1.1.1 \[FW_A-Tunnel1\] destination 5.5.5.5 \[FW_A-Tunnel1\] gre key cipher 123456 //gre连接验证 \[FW_A-Tunnel1\] keepalive //验证对端是否存活,避免数据流量黑洞 d.配置域间安全策略。 配置Trust域和DMZ的域间安全策略,允许封装前的报文通过域间安全策略。 \[FW_A\] security-policy \[FW_A-policy-security\] rule name policy1 \[FW_A-policy-security-rule-policy1\] source-zone trust dmz \[FW_A-policy-security-rule-policy1\] destination-zone dmz trust \[FW_A-policy-security-rule-policy1\] action permit \[FW_A-policy-security-rule-policy1\] quit 配置Local和Untrust的域间安全策略,允许封装后的GRE报文通过域间安全策略。 \[FW_A-policy-security\] rule name policy2 \[FW_A-policy-security-rule-policy2\] source-zone local untrust \[FW_A-policy-security-rule-policy2\] destination-zone untrust local \[FW_A-policy-security-rule-policy2\] service gre \[FW_A-policy-security-rule-policy2\] action permit \[FW_A-policy-security-rule-policy2\] quit 2.配置FW_B。 a.配置接口的IP地址,并将接口加入安全区域。 system-view \[sysname\] sysname FW_B \[FW_B\] interface GigabitEthernet 1/0/1 \[FW_B-GigabitEthernet1/0/1\] ip address 5.5.5.5 24 \[FW_B-GigabitEthernet1/0/1\] quit \[FW_B\] interface GigabitEthernet 1/0/2 \[FW_B-GigabitEthernet1/0/2\] ip address 10.1.2.1 24 \[FW_B-GigabitEthernet1/0/2\] quit \[FW_B\] interface Tunnel 1 \[FW_B-Tunnel1\] ip address 172.16.2.2 24 \[FW_B-Tunnel1\] quit \[FW_B\] firewall zone untrust \[FW_B-zone-untrust\] add interface GigabitEthernet 1/0/1 \[FW_B-zone-untrust\] quit \[FW_B\] firewall zone trust \[FW_B-zone-trust\] add interface GigabitEthernet 1/0/2 \[FW_B-zone-trust\] quit \[FW_B\] firewall zone dmz \[FW_B-zone-dmz\] add interface tunnel 1 \[FW_B-zone-dmz\] quit b.配置路由,将需要经过GRE隧道传输的流量引入到GRE隧道中。 \[FW_B\] ip route-static 10.1.1.0 24 Tunnel1 \[FW_A\] ip route-static 0.0.0.0 0 5.5.5.1 c.配置Tunnel接口的封装参数。\[FW_B\] interface Tunnel 1 \[FW_B-Tunnel1\] tunnel-protocol gre \[FW_B-Tunnel1\] source 5.5.5.5 \[FW_B-Tunnel1\] destination 1.1.1.1 \[FW_B-Tunnel1\] gre key cipher 123456 \[FW_B-Tunnel1\] quit d.配置域间安全策略。 配置Trust域和DMZ的域间安全策略,允许封装前的报文通过域间安全策略。 \[FW_B\] security-policy \[FW_B-policy-security\] rule name policy1 \[FW_B-policy-security-rule-policy1\] source-zone trust dmz \[FW_B-policy-security-rule-policy1\] destination-zone dmz trust \[FW_B-policy-security-rule-policy1\] action permit \[FW_B-policy-security-rule-policy1\] quit 配置Local和Untrust的域间安全策略,允许封装后的GRE报文通过域间安全策略。 \[FW_B-policy-security\] rule name policy2 \[FW_B-policy-security-rule-policy2\] source-zone local untrust \[FW_B-policy-security-rule-policy2\] destination-zone untrust local \[FW_B-policy-security-rule-policy2\] service gre \[FW_B-policy-security-rule-policy2\] action permit \[FW_B-policy-security-rule-policy2\] quit