安全产品那些事儿-H3C F1060防火墙路由模式典型组网配置案例(RIP)
组网说明:
本案例采用H3C HCL模拟器的F1060防火墙来模拟防火墙路由模式的典型部署。为了实现PC之间能够相互通信,因此需要分别在R1、R2、FW1采用三层互联,同时FW1采用路由模式,最终实现PC之间能够相互PING通。
配置过程:
1、按照网络拓扑图正确配置IP地址
2、R1、FW1、R2之间采用三层互联
3、R1、FW1、R2之间采用RIP路由协议实现互通。
配置过程:
R1:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname R1
[R1]int gi 0/0
[R1-GigabitEthernet0/0]ip address 192.168.1.1 24
[R1-GigabitEthernet0/0]quit
[R1]int gi 0/1
[R1-GigabitEthernet0/1]des <connect to FW1>
[R1-GigabitEthernet0/1]ip address 10.0.0.1 30
[R1-GigabitEthernet0/1]quit
[R1]int loopback 0
[R1-LoopBack0]ip address 1.1.1.1 32
[R1-LoopBack0]quit
[R1]rip
[R1-rip-1]version 2
[R1-rip-1]network 10.0.0.0
[R1-rip-1]network 1.0.0.0
[R1-rip-1]network 192.168.1.0
[R1-rip-1]quit
R2:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname R2
[R2]int gi 0/0
[R2-GigabitEthernet0/0]ip address 172.16.1.1 24
[R2-GigabitEthernet0/0]quit
[R2]int gi 0/1
[R2-GigabitEthernet0/1]des <connect to FW1>
[R2-GigabitEthernet0/1]ip address 10.0.0.5 30
[R2-GigabitEthernet0/1]quit
[R2]int loopback 0
[R2-LoopBack0]ip address 3.3.3.3 32
[R2-LoopBack0]quit
[R2]rip
[R2-rip-1]version 2
[R2-rip-1]network 10.0.0.0
[R2-rip-1]network 3.0.0.0
[R2-rip-1]network 172.16.1.0
[R2-rip-1]quit
FW1:
<H3C>sys
System View: return to User View with Ctrl+Z.
[H3C]sysname FW1
配置ACL,联动域间策略并放通。
[FW1]acl basic 2002
[FW1-acl-ipv4-basic-2002]rule 0 permit source any
[FW1-acl-ipv4-basic-2002]quit
[FW1]
[FW1]zone-pair security source trust destination untrust
[FW1-zone-pair-security-Trust-Untrust]packet-filter 2002
[FW1-zone-pair-security-Trust-Untrust]quit
[FW1]
[FW1]zone-pair security source untrust destination trust
[FW1-zone-pair-security-Untrust-Trust]packet-filter 2002
[FW1-zone-pair-security-Untrust-Trust]quit
[FW1]
[FW1]zone-pair security source trust destination local
[FW1-zone-pair-security-Trust-Local]packet-filter 2002
[FW1-zone-pair-security-Trust-Local]quit
[FW1]
[FW1]zone-pair security source local destination trust
[FW1-zone-pair-security-Local-Trust]packet-filter 2002
[FW1-zone-pair-security-Local-Trust]quit
[FW1]
[FW1]zone-pair security source untrust destination local
[FW1-zone-pair-security-Untrust-Local]packet-filter 2002
[FW1-zone-pair-security-Untrust-Local]quit
[FW1]
[FW1]zone-pair security source local destination untrust
[FW1-zone-pair-security-Local-Untrust]packet-filter 2002
[FW1-zone-pair-security-Local-Untrust]quit
[FW1]
[FW1]zone-pair security source trust destination trust
[FW1-zone-pair-security-Trust-Trust]packet-filter 2002
[FW1-zone-pair-security-Trust-Trust]quit
[FW1]
[FW1]zone-pair security source untrust destination untrust
[FW1-zone-pair-security-Untrust-Untrust]packet-filter 2002
[FW1-zone-pair-security-Untrust-Untrust]quit
[FW1]int loopback 0
[FW1-LoopBack0]ip address 2.2.2.2 32
[FW1-LoopBack0]quit
[FW1]int gi 1/0/2
[FW1-GigabitEthernet1/0/2]des <connect to R1>
[FW1-GigabitEthernet1/0/2]ip address 10.0.0.2 30
[FW1-GigabitEthernet1/0/2]quit
[FW1]int gi 1/0/3
[FW1-GigabitEthernet1/0/3]des <connect to R2>
[FW1-GigabitEthernet1/0/3]ip address 10.0.0.6 30
[FW1-GigabitEthernet1/0/3]quit
[FW1]security-zone name Trust
[FW1-security-zone-Trust]import interface GigabitEthernet 1/0/2
[FW1-security-zone-Trust]import interface loopback 0
[FW1-security-zone-Trust]quit
[FW1]security-zone name Untrust
[FW1-security-zone-Untrust]import interface GigabitEthernet 1/0/3
[FW1-security-zone-Untrust]quit
[FW1]rip
[FW1-rip-1]version 2
[FW1-rip-1]network 10.0.0.0
[FW1-rip-1]network 2.0.0.0
[FW1-rip-1]quit
测试:
PC都填写IP地址:
PC之间可以相互PING通:
分别查看R1、R2、FW1的路由表:
至此,F1060路由模式典型组网配置案例(RIP)已完成!
排版 | NCVT CSTA
图片 | NCVT CSTA
文案 | NCVT CSTA
原文始发于微信公众号(NCVT CSTA):安全产品那些事儿-H3C F1060防火墙路由模式典型组网配置案例(RIP)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论