1. Start the devices
2. Configure IP addresses
FW1 configuration:
3. Assign the firewall interfaces to security zones
[FW1]firewall zone trust
[FW1-zone-trust]add int g0/0/0
[FW1-zone-trust]q
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g0/0/1
4. Configure route entries
[FW1]ip route-static 0.0.0.0 0.0.0.0 100.0.0.2
5. Configure NAT
[FW1]nat-policy interzone trust untrust outbound
[FW1-nat-policy-interzone-trust-untrust-outbound]policy 1
[FW1-nat-policy-interzone-trust-untrust-outbound-1]policy source 10.0.0.0 0.255.255.255
[FW1-nat-policy-interzone-trust-untrust-outbound-1]policy destination 192.168.1.0 0.0.0.255
[FW1-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[FW1-nat-policy-interzone-trust-untrust-outbound-1]q
[FW1-nat-policy-interzone-trust-untrust-outbound]policy 2
[FW1-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[FW1-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1
[FW1-nat-policy-interzone-trust-untrust-outbound-2]q
[FW1-nat-policy-interzone-trust-untrust-outbound]q
6. Create the IKE proposal
[FW1]ike proposal 1
[FW1-ike-proposal-1]authentication-method pre-share
[FW1-ike-proposal-1]authentication-algorithm sha1
[FW1-ike-proposal-1]integrity-algorithm aes-xcbc-96
[FW1-ike-proposal-1]dh group2
[FW1-ike-proposal-1]q
7. Configure the IKE peer
[FW1]ike peer FW2
[FW1-ike-peer-fw2]pre-shared-key 666.wyjx
[FW1-ike-peer-fw2]remote-address 200.0.0.1
[FW1-ike-peer-fw2]ike-proposal 1
[FW1-ike-peer-fw2]q
8. Configure the IPSec proposal
[FW1]ipsec proposal test
[FW1-ipsec-proposal-test]encapsulation-mode tunnel
[FW1-ipsec-proposal-test]transform esp
[FW1-ipsec-proposal-test]esp encryption-algorithm aes
[FW1-ipsec-proposal-test]esp authentication-algorithm sha1
[FW1-ipsec-proposal-test]q
9. Create an ACL to match the traffic to be protected
[FW1]acl 3000
[FW1-acl-adv-3000]rule permit ip source 10.0.0.0 0.255.255.255 destination 192.168.1.0 0.0.0.255
[FW1-acl-adv-3000]q
10. Create the IPSec security policy
[FW1]ipsec policy wyjx 1 isakmp
[FW1-ipsec-policy-isakmp-wyjx-1]ike-peer FW2
[FW1-ipsec-policy-isakmp-wyjx-1]proposal test
[FW1-ipsec-policy-isakmp-wyjx-1]security acl 3000
[FW1-ipsec-policy-isakmp-wyjx-1]q
11. Apply the IPSec policy on the interface
[FW1]int g0/0/1
[FW1-GigabitEthernet0/0/1]ipsec policy wyjx
[FW1-GigabitEthernet0/0/1]q
12. Configure interzone security policies
[FW1]policy interzone trust untrust outbound
[FW1-policy-interzone-trust-untrust-outbound]policy 1
[FW1-policy-interzone-trust-untrust-outbound-1]action permit
[FW1-policy-interzone-trust-untrust-outbound-1]q
[FW1-policy-interzone-trust-untrust-outbound]q
[FW1]policy interzone trust untrust inbound
[FW1-policy-interzone-trust-untrust-inbound]policy 1
[FW1-policy-interzone-trust-untrust-inbound-1]policy source 192.168.1.0 0.0.0.255
[FW1-policy-interzone-trust-untrust-inbound-1]policy destination 10.0.0.0 0.255.255.255
[FW1-policy-interzone-trust-untrust-inbound-1]action permit
[FW1-policy-interzone-trust-untrust-inbound-1]q
[FW1-policy-interzone-trust-untrust-inbound]q
[FW1]policy interzone local untrust inbound
[FW1-policy-interzone-local-untrust-inbound]policy 1
[FW1-policy-interzone-local-untrust-inbound-1]policy source 200.0.0.1 0
[FW1-policy-interzone-local-untrust-inbound-1]policy destination 100.0.0.1 0
[FW1-policy-interzone-local-untrust-inbound-1]action permit
FW2 configuration:
1. Assign the firewall interfaces to security zones
[FW2]firewall zone trust
[FW2-zone-trust]add int g0/0/0
[FW2-zone-trust]q
[FW2]firewall zone untrust
[FW2-zone-untrust]add int g0/0/1
2. Configure route entries
[FW2]ip route-static 0.0.0.0 0.0.0.0 200.0.0.2
3. Configure NAT
[FW2]nat-policy interzone trust untrust outbound
[FW2-nat-policy-interzone-trust-untrust-outbound]policy 1
[FW2-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.1.0 0.0.0.255
[FW2-nat-policy-interzone-trust-untrust-outbound-1]policy destination 10.0.0.0 0.255.255.255
[FW2-nat-policy-interzone-trust-untrust-outbound-1]action no-nat
[FW2-nat-policy-interzone-trust-untrust-outbound-1]q
[FW2-nat-policy-interzone-trust-untrust-outbound]policy 2
[FW2-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
[FW2-nat-policy-interzone-trust-untrust-outbound-2]easy-ip g0/0/1
[FW2-nat-policy-interzone-trust-untrust-outbound-2]q
[FW2-nat-policy-interzone-trust-untrust-outbound]q
4. Create the IKE proposal
[FW2]ike proposal 1
[FW2-ike-proposal-1]authentication-method pre-share
[FW2-ike-proposal-1]authentication-algorithm sha1
[FW2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[FW2-ike-proposal-1]dh group2
[FW2-ike-proposal-1]q
5. Configure the IKE peer
[FW2]ike peer FW1
[FW2-ike-peer-fw1]pre-shared-key 666.wyjx
[FW2-ike-peer-fw1]remote-address 100.0.0.1
[FW2-ike-peer-fw1]ike-proposal 1
[FW2-ike-peer-fw1]q
6. Configure the IPSec proposal
[FW2]ipsec proposal test
[FW2-ipsec-proposal-test]encapsulation-mode tunnel
[FW2-ipsec-proposal-test]transform esp
[FW2-ipsec-proposal-test]esp encryption-algorithm aes
[FW2-ipsec-proposal-test]esp authentication-algorithm sha1
[FW2-ipsec-proposal-test]q
7. Create an ACL to match the traffic to be protected
[FW2]acl 3000
[FW2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
[FW2-acl-adv-3000]q
8. Create the IPSec security policy
[FW2]ipsec policy wyjx 1 isakmp
[FW2-ipsec-policy-isakmp-wyjx-1]ike-peer FW1
[FW2-ipsec-policy-isakmp-wyjx-1]proposal test
[FW2-ipsec-policy-isakmp-wyjx-1]security acl 3000
[FW2-ipsec-policy-isakmp-wyjx-1]q
9. Apply the IPSec policy on the interface
[FW2]int g0/0/1
[FW2-GigabitEthernet0/0/1]ipsec policy wyjx
[FW2-GigabitEthernet0/0/1]q
10. Configure interzone security policies
[FW2]policy interzone trust untrust outbound
[FW2-policy-interzone-trust-untrust-outbound]policy 1
[FW2-policy-interzone-trust-untrust-outbound-1]action permit
[FW2-policy-interzone-trust-untrust-outbound-1]q
[FW2-policy-interzone-trust-untrust-outbound]q
[FW2]policy interzone trust untrust inbound
[FW2-policy-interzone-trust-untrust-inbound]policy 1
[FW2-policy-interzone-trust-untrust-inbound-1]policy source 10.0.0.0 0.255.255.255
[FW2-policy-interzone-trust-untrust-inbound-1]policy destination 192.168.1.0 0.0.0.255
[FW2-policy-interzone-trust-untrust-inbound-1]action permit
[FW2-policy-interzone-trust-untrust-inbound-1]q
[FW2-policy-interzone-trust-untrust-inbound]q
[FW2]policy interzone local untrust inbound
[FW2-policy-interzone-local-untrust-inbound]policy 1
[FW2-policy-interzone-local-untrust-inbound-1]policy source 100.0.0.1 0
[FW2-policy-interzone-local-untrust-inbound-1]policy destination 200.0.0.1 0
[FW2-policy-interzone-local-untrust-inbound-1]action permit
Start the HTTP server
Verification:
Client1 can ping the HTTP server
Client1 can access the HTTP server
Capture on FW2's G0/0/1 port; when Client1 pings the HTTP server, the captured packets are ESP
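Most failures in a tunnel like this one come from the two ends not being exact mirrors of each other (a typo in the pre-shared key, an ACL that is not the reverse of the peer's, a remote-address that the local-untrust policy does not permit). The checker below is an added example, not part of the original post or of any Huawei tool: it reads the two configurations exactly as they appear above (the CLI prompts are kept and used to recover the configuration view), compares the IKE and IPSec proposals, the pre-shared key, the ACLs and the peer addresses, and separately lists settings that RFC 8247 classes as legacy (DH group 2, i.e. 1024-bit MODP, is "SHOULD NOT"; HMAC-SHA1-96 is "MUST-"). The firewalls' own interface addresses are not shown on the page, so the example derives them from the destination of each side's local-untrust inbound policy; that is an assumption of the example.

```python
"""Consistency check for the two ends of the FW1/FW2 site-to-site IPSec tunnel.

Added example (not from the original post). Input is the VPN-relevant part of
each firewall's configuration, copied from the page with its CLI prompts.
"""
import re

# Constructed sample input: the VPN-relevant commands from the page, prompts included.
FW1_CONFIG = """
[FW1-ike-proposal-1]authentication-method pre-share
[FW1-ike-proposal-1]authentication-algorithm sha1
[FW1-ike-proposal-1]integrity-algorithm aes-xcbc-96
[FW1-ike-proposal-1]dh group2
[FW1-ike-peer-fw2]pre-shared-key 666.wyjx
[FW1-ike-peer-fw2]remote-address 200.0.0.1
[FW1-ike-peer-fw2]ike-proposal 1
[FW1-ipsec-proposal-test]encapsulation-mode tunnel
[FW1-ipsec-proposal-test]transform esp
[FW1-ipsec-proposal-test]esp encryption-algorithm aes
[FW1-ipsec-proposal-test]esp authentication-algorithm sha1
[FW1-acl-adv-3000]rule permit ip source 10.0.0.0 0.255.255.255 destination 192.168.1.0 0.0.0.255
[FW1-policy-interzone-local-untrust-inbound-1]policy source 200.0.0.1 0
[FW1-policy-interzone-local-untrust-inbound-1]policy destination 100.0.0.1 0
"""

FW2_CONFIG = """
[FW2-ike-proposal-1]authentication-method pre-share
[FW2-ike-proposal-1]authentication-algorithm sha1
[FW2-ike-proposal-1]integrity-algorithm aes-xcbc-96
[FW2-ike-proposal-1]dh group2
[FW2-ike-peer-fw1]pre-shared-key 666.wyjx
[FW2-ike-peer-fw1]remote-address 100.0.0.1
[FW2-ike-peer-fw1]ike-proposal 1
[FW2-ipsec-proposal-test]encapsulation-mode tunnel
[FW2-ipsec-proposal-test]transform esp
[FW2-ipsec-proposal-test]esp encryption-algorithm aes
[FW2-ipsec-proposal-test]esp authentication-algorithm sha1
[FW2-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
[FW2-policy-interzone-local-untrust-inbound-1]policy source 100.0.0.1 0
[FW2-policy-interzone-local-untrust-inbound-1]policy destination 200.0.0.1 0
"""

PROMPT = re.compile(r"^\[(?P<ctx>[^\]]+)\](?P<cmd>.+)$")

# Values RFC 8247 marks as legacy: MODP-1024 (group 2) is SHOULD NOT, HMAC-SHA1-96 is MUST-.
LEGACY = {"dh": {"group1", "group2"}, "authentication-algorithm": {"md5", "sha1"}}


def parse(cfg: str) -> dict:
    """Collect the tunnel-relevant settings; the prompt tells us which view a command belongs to."""
    out = {"ike": {}, "peer": {}, "ipsec": {}, "acl": [], "local_policy": {}}
    for line in cfg.strip().splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        ctx, words = m.group("ctx"), m.group("cmd").split()
        if "-ike-proposal-" in ctx:
            out["ike"][words[0]] = " ".join(words[1:])
        elif "-ike-peer-" in ctx:
            out["peer"][words[0]] = " ".join(words[1:])
        elif "-ipsec-proposal-" in ctx:            # e.g. "esp encryption-algorithm aes"
            out["ipsec"][" ".join(words[:-1])] = words[-1]
        elif "-acl-adv-" in ctx and words[0] == "rule":
            s, d = words.index("source"), words.index("destination")
            out["acl"].append((tuple(words[s + 1:s + 3]), tuple(words[d + 1:d + 3])))
        elif "-policy-interzone-local-untrust-inbound-" in ctx and words[0] == "policy":
            out["local_policy"][words[1]] = words[2]  # source = peer, destination = own address
    return out


def check_pair(a: dict, b: dict) -> list:
    """Return the mismatches between the two tunnel ends; an empty list means they mirror each other."""
    problems = []
    if a["ike"] != b["ike"]:
        problems.append(f"IKE proposal differs: {a['ike']} vs {b['ike']}")
    if a["ipsec"] != b["ipsec"]:
        problems.append(f"IPSec proposal differs: {a['ipsec']} vs {b['ipsec']}")
    if a["peer"].get("pre-shared-key") != b["peer"].get("pre-shared-key"):
        problems.append("pre-shared keys differ")
    # Each side's ACL must be the other side's ACL with source and destination swapped.
    if a["acl"] != [(dst, src) for src, dst in b["acl"]]:
        problems.append(f"ACLs are not mirror images: {a['acl']} vs {b['acl']}")
    for me, other in ((a, b), (b, a)):
        remote = me["peer"].get("remote-address")
        if remote != me["local_policy"].get("source"):
            problems.append(f"{remote}: peer is not permitted by the local-untrust inbound policy")
        if remote != other["local_policy"].get("destination"):
            problems.append(f"{remote}: remote-address is not the peer's own address")
    return problems


def legacy_settings(cfg: dict) -> list:
    """List proposal settings that current IKE/IPSec guidance (RFC 8247) treats as legacy."""
    items = list(cfg["ike"].items()) + list(cfg["ipsec"].items())
    return [f"{k} {v}" for k, v in items if v in LEGACY.get(k.split()[-1], set())]


if __name__ == "__main__":
    fw1, fw2 = parse(FW1_CONFIG), parse(FW2_CONFIG)
    print("mismatches:", check_pair(fw1, fw2) or "none")
    print("legacy settings on FW1:", legacy_settings(fw1))
```

Run against the page's configuration the checker reports no mismatches, which is what the successful ping and the ESP capture on G0/0/1 confirm; it still lists `dh group2` and the SHA-1 integrity choices, because the two ends agreeing on a parameter says nothing about whether that parameter is still a good default.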
Tags: interzone, untrust, L2L, IPSecVPN, build, policy, trust, FW1, FW2
From: https://blog.csdn.net/2402_88627342/article/details/143777739