Firewall Virtual System Comprehensive Lab 1

I. Lab objective and topology

Lab objective: firewall FW1 and its virtual firewalls VFR_A and VRF_B connect respectively to the external network, the internal server side and the internal client side. The internal server is published to the external network with nat server, so that the external network can reach the server while the internal network can reach it as well. The network topology and the interface address plan are as follows:

II. Basic configuration

1. Interface address configuration: the firewall's external interface is .12, the internal interfaces on the virtual-firewall side are all .254, internal PC1 and the server are both .10, and the external PC is .105. Configure the interface and host addresses accordingly, as shown in the figure.

2. Create the virtual systems and assign the firewall interfaces as planned below:

vsys enable
resource-class r0
vsys name VFR_A 1
 assign interface GigabitEthernet1/0/1
 assign resource-class r0
vsys name VRF_B 2
 assign interface GigabitEthernet1/0/2

[FW1]dis ip vpn-instance int
Total VPN-Instances configured : 4

VPN-Instance Name and ID : VFR_A, 1
 Interface Number : 2
 Interface list : GigabitEthernet1/0/1,
                  Virtual-if1

VPN-Instance Name and ID : VFR_B, 3
 Interface Number : 1
 Interface list : Virtual-if3

VPN-Instance Name and ID : VRF_B, 2
 Interface Number : 2
 Interface list : GigabitEthernet1/0/2,
                  Virtual-if2

VPN-Instance Name and ID : default, 21
 Interface Number : 1
 Interface list : GigabitEthernet0/0/0

3. The firewall's zone plan for each interface is as follows:

[FW1]dis zone
local
 priority is 100
 interface of the zone is (0):
trust
 priority is 85
 interface of the zone is (2):
    GigabitEthernet0/0/0
    Virtual-if0
untrust
 priority is 5
 interface of the zone is (1):
    GigabitEthernet1/0/0
dmz
 priority is 50
 interface of the zone is (0):
vpn-instance VFR_A local
 priority is 100
 interface of the zone is (0):
vpn-instance VFR_A trust
 priority is 85
 interface of the zone is (0):
vpn-instance VFR_A untrust
 priority is 5
 interface of the zone is (1):
    Virtual-if1
vpn-instance VFR_A dmz
 priority is 50
 interface of the zone is (1):
    GigabitEthernet1/0/1
vpn-instance VRF_B local
 priority is 100
 interface of the zone is (0):
vpn-instance VRF_B trust
 priority is 85
 interface of the zone is (1):
    GigabitEthernet1/0/2
vpn-instance VRF_B untrust
 priority is 5
 interface of the zone is (1):
    Virtual-if2
vpn-instance VRF_B dmz
 priority is 50
 interface of the zone is (0):
vpn-instance VFR_B local
 priority is 100
 interface of the zone is (0):
vpn-instance VFR_B trust
 priority is 85
 interface of the zone is (0):
vpn-instance VFR_B untrust
 priority is 5
 interface of the zone is (0):
vpn-instance VFR_B dmz
 priority is 50
 interface of the zone is (0):

III. Detailed configuration

1. Route configuration:

On the root system, configure routes so that the external network can reach the internal server, the internal clients can reach the internal server, and the internal network can reach the external network:

ip route-static 0.0.0.0 0.0.0.0 100.1.121.1
ip route-static 192.168.13.0 255.255.255.0 vpn-instance VFR_A
ip route-static 192.168.14.0 255.255.255.0 vpn-instance VRF_B

On each of the two virtual systems, configure a route so that it can reach the root system:

ip route-static 0.0.0.0 0.0.0.0 public

2. Security policy configuration

Root system

[FW1-policy-security]dis th
security-policy
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
 rule name INT_TO_SER
  source-zone untrust
  destination-zone trust
  source-address 100.1.15.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit

Virtual system connected to the server side

security-policy
 rule name OUT_TO_DMZ
  source-zone untrust
  destination-zone dmz
  source-address 192.168.14.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
 rule name INT_TO_SER
  source-zone untrust
  destination-zone dmz
  source-address 100.1.15.0 mask 255.255.255.0
  destination-address 192.168.13.0 mask 255.255.255.0
  action permit
 rule name LOCAL_TO_ANY
  source-zone local
  action permit
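Whether the lab's flows get through depends on the firewall evaluating these rules top-down, taking the first match, and applying the default deny when nothing matches. As an added example (not part of the lab write-up), the Python below parses the root system's rule text exactly as listed above and reports which rule a given flow hits; it matches on zones and addresses only (not service, application or user) and assumes the default policy is left at deny.

```python
import ipaddress

# Constructed sample: the root system's rules as the lab lists them (rule text only).
ROOT_POLICY = """\
rule name LOCAL_TO_ANY
 source-zone local
 action permit
rule name INT_TO_SER
 source-zone untrust
 destination-zone trust
 source-address 100.1.15.0 mask 255.255.255.0
 destination-address 192.168.13.0 mask 255.255.255.0
 action permit
"""

def parse_policy(text):
    """Turn 'rule name ...' blocks into dicts; a field left unset matches anything."""
    rules, cur = [], None
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["rule", "name"]:
            cur = {"name": p[2], "src_zone": set(), "dst_zone": set(),
                   "src_net": [], "dst_net": [], "action": "deny"}
            rules.append(cur)
        elif p[0] in ("source-zone", "destination-zone"):
            cur["src_zone" if p[0] == "source-zone" else "dst_zone"].update(p[1:])
        elif p[0] in ("source-address", "destination-address") and p[2] == "mask":
            key = "src_net" if p[0] == "source-address" else "dst_net"
            cur[key].append(ipaddress.ip_network(f"{p[1]}/{p[3]}"))  # dotted mask is accepted
        elif p[0] == "action":
            cur["action"] = p[1]
    return rules

def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Top-down first match, as the firewall does; no match falls to the default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["src_zone"] and src_zone not in r["src_zone"]:
            continue
        if r["dst_zone"] and dst_zone not in r["dst_zone"]:
            continue
        if r["src_net"] and not any(src in n for n in r["src_net"]):
            continue
        if r["dst_net"] and not any(dst in n for n in r["dst_net"]):
            continue
        return r["name"], r["action"]
    return "default", "deny"
```

Feeding it a trust-to-untrust flow shows that the two root rules listed permit nothing in that direction, which is worth checking against the stated objective of internal hosts reaching the external network.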

3. nat server configuration

nat server 1 global 100.1.121.100 inside 192.168.13.10 no-reverse

IV. Result verification

Internal PC reaching the server

PC>tracert 192.168.13.10
traceroute to 192.168.13.10, 8 hops max
(ICMP), press Ctrl+C to stop
 1   *  *  *
 2   *  *  *
 3   192.168.13.10   <1 ms  <1 ms  16 ms

External PC reaching the server

PC>tracert 100.1.121.100
traceroute to 100.1.121.100, 8 hops max
(ICMP), press Ctrl+C to stop
 1   100.1.15.1   32 ms  47 ms  46 ms
 2   100.1.121.12   63 ms  62 ms  63 ms
 3   *  *  *
 4   100.1.121.100   78 ms  63 ms  62 ms
