网络安全实验06 部署防火墙主备备份双机热备,提高网络可靠性
网络安全实验06 部署防火墙主备备份双机热备,提高网络可靠性
90后小陈老师
发布于 2024-04-19 10:01:39
发布于 2024-04-19 10:01:39
建议使用电脑查看,手机可能某些代码显示不了
用户名:admin
密码:Admin@123
新密码:Huawei@123
步骤1:配置防火墙网络的基本参数
(1)配置防火墙接口IP地址
防火墙A
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.0.2 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.3.0.2 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.10.0.1 255.255.255.252
防火墙B(这里咱们可以直接修改A的配置然后粘贴到防火墙B中运行即可)
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.0.3 255.255.255.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.3.0.3 255.255.255.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.10.0.2 255.255.255.252(2)将接口加入安全区域
防火墙A
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
防火墙B
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/3
(3)设置默认路由
防火墙A、B
ip route-static 0.0.0.0 0 1.1.1.10步骤2:配置双击热备主备备份
(1)配置VRRP备份组(防火墙A设置为active,防火墙B设置为standby)
防火墙A
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.1 active
防火墙B
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.3.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.3.0.1 standby
(2)指定心跳接口并启用双击热备功能
防火墙A
hrp inter g 1/0/3 remote 10.10.0.2
hrp enable防火墙B
hrp inter g 1/0/3 remote 10.10.0.1
hrp enable步骤3:配置安全策略(只需配置防火墙A,策略会自动备份到防火墙B中)
security-policy
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.255.0
action permit步骤4:配置NAT(只需配置防火墙A,策略会自动备份到防火墙B中)
(1)配置NAT地址池
nat address-group group01 0
mode pat
route enable
section 0 1.1.1.11 1.1.1.20(2)配置NAT策略
nat-policy
rule name trust_to_untrust
source-zone trust
destination-zone untrust
source-address 10.3.0.0 mask 255.255.255.0
action source-nat address-group group01步骤5:配置路由器
(1)配置路由器R1的接口IP地址
interface GigabitEthernet0/0/0
ip address 1.1.1.10 255.255.255.0
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
(2)配置默认路由
ip route-static 10.3.0.0 24 1.1.1.1步骤6:配置交换机和内网终端
(1)配置交换机VLAN
交换机1(vlan 3)
vlan batch 3
interface GigabitEthernet0/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
交换机2(vlan 2)
vlan batch 2
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2(2)配置内网主机的网络参数
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2024-04-01,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读