Firewall virtual systems sharing one public interface
Two virtual systems are isolated from each other and share a single public interface to reach the Internet.
[fw1]vsys enable # enable the firewall virtual system feature
[fw1]vsys name VRF_A # create virtual system VRF_A
[fw1-vsys-VRF_A]assign interface g1/0/1 # assign an interface to virtual system VRF_A
[fw1-vsys-VRF_A]quit
[fw1]vsys name VRF_B # create virtual system VRF_B
[fw1-vsys-VRF_B]assign interface g1/0/2 # assign an interface to virtual system VRF_B
[fw1-vsys-VRF_B]quit
---------------------------------------------------------------------------------
[fw1]switch vsys VRF_A # switch to VRF_A
<fw1-VRF_A>sys
# configure the interface IP address
[fw1-VRF_A]interface g1/0/1
[fw1-VRF_A-GigabitEthernet1/0/1]ip ad 10.1.1.1 24
# configure the interface security zones
[fw1-VRF_A]firewall zone trust
[fw1-VRF_A-zone-trust]add interface g1/0/1
[fw1-VRF_A]firewall zone untrust
[fw1-VRF_A-zone-untrust]add interface Virtual-if 1
# configure the security policy (enter the security-policy view first; the original omitted this step)
[fw1-VRF_A]security-policy
[fw1-VRF_A-policy-security]rule name in_to_out
[fw1-VRF_A-policy-security-rule-in_to_out]source-zone trust
[fw1-VRF_A-policy-security-rule-in_to_out]destination-zone untrust
[fw1-VRF_A-policy-security-rule-in_to_out]source-address 10.1.1.0 24
[fw1-VRF_A-policy-security-rule-in_to_out]action permit
# configure the default route (forward to the public vsys)
[fw1-VRF_A]ip route-static 0.0.0.0 0 public
---------------------------------------------------------------------------------
# VRF_B is configured the same way as VRF_A
[fw1]switch vsys VRF_B
<fw1-VRF_B>sys
[fw1-VRF_B]int g1/0/2
[fw1-VRF_B-GigabitEthernet1/0/2]ip ad 10.1.2.1 24
[fw1-VRF_B]firewall zone trust
[fw1-VRF_B-zone-trust]add interface g1/0/2
[fw1-VRF_B]firewall zone untrust
[fw1-VRF_B-zone-untrust]add interface Virtual-if 2
[fw1-VRF_B]security-policy
[fw1-VRF_B-policy-security]rule name in_to_out # the original omitted the rule name before the rule body
[fw1-VRF_B-policy-security-rule-in_to_out]source-zone trust
[fw1-VRF_B-policy-security-rule-in_to_out]destination-zone untrust
[fw1-VRF_B-policy-security-rule-in_to_out]source-address 10.1.2.0 24
[fw1-VRF_B-policy-security-rule-in_to_out]action permit
[fw1-VRF_B]ip route-static 0.0.0.0 0 public
---------------------------------------------------------------------------------
# public (root) virtual system configuration
[fw1]int g1/0/0
[fw1-GigabitEthernet1/0/0]ip ad 200.1.1.1 30
# configure the interface security zones
[fw1]firewall zone trust
[fw1-zone-trust]add interface Virtual-if 0
[fw1]firewall zone untrust
[fw1-zone-untrust]add interface g1/0/0
# configure the security policy (enter the security-policy view first; the original omitted this step)
[fw1]security-policy
[fw1-policy-security]rule name in_to_out
[fw1-policy-security-rule-in_to_out]source-zone trust
[fw1-policy-security-rule-in_to_out]destination-zone untrust
[fw1-policy-security-rule-in_to_out]source-address 10.1.0.0 16
[fw1-policy-security-rule-in_to_out]action permit
# configure the NAT policy
[fw1]nat-policy
[fw1-policy-nat]rule name internet
[fw1-policy-nat-rule-internet]source-zone trust
[fw1-policy-nat-rule-internet]destination-zone untrust
[fw1-policy-nat-rule-internet]source-address 10.1.0.0 16
[fw1-policy-nat-rule-internet]action source-nat easy-ip
# configure the default route; the next hop is the ISP side of the /30 (assumed to be 200.1.1.2, the only other host address in the /30).
# The original pointed the route at the firewall's own address 200.1.1.1, which cannot work as a next hop.
[fw1]ip route-static 0.0.0.0 0 200.1.1.2
Test result:
Configuration for traffic between the two internal networks
# add a rule to VRF_B (configure VRF_A the same way)
[fw1-VRF_B]security-policy
[fw1-VRF_B-policy-security]rule name a<->b
[fw1-VRF_B-policy-security-rule-a<->b]source-zone trust untrust
[fw1-VRF_B-policy-security-rule-a<->b]destination-zone trust untrust
[fw1-VRF_B-policy-security-rule-a<->b]source-address 10.1.1.0 24
[fw1-VRF_B-policy-security-rule-a<->b]source-address 10.1.2.0 24
[fw1-VRF_B-policy-security-rule-a<->b]destination-address 10.1.1.0 24
[fw1-VRF_B-policy-security-rule-a<->b]destination-address 10.1.2.0 24
[fw1-VRF_B-policy-security-rule-a<->b]action permit
# on the public virtual system, add two static routes to the internal networks
[fw1]ip route-static 10.1.1.0 24 vpn-instance VRF_A
[fw1]ip route-static 10.1.2.0 24 vpn-instance VRF_B
Test result:
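To check what the per-vsys rules, the public-vsys rule and the static routes above actually allow before pushing them to a device, the following added Python model (not code from the page or from Huawei) reproduces the security-policy rules and the public route table from the CLI with first-match, implicit-deny semantics. It assumes the ISP next hop is 200.1.1.2 and treats the a<->b rule as present in both VRF_A and VRF_B, as the page instructs.

```python
import ipaddress

# Constructed from the page's CLI: each rule is (name, source zones,
# destination zones, source prefixes, destination prefixes); "any" is 0.0.0.0/0.
ANY = ["0.0.0.0/0"]
NET_A = ["10.1.1.0/24"]   # VRF_A trust subnet
NET_B = ["10.1.2.0/24"]   # VRF_B trust subnet
A_B_ZONES = {"trust", "untrust"}
POLICIES = {
    "VRF_A": [("in_to_out", {"trust"}, {"untrust"}, NET_A, ANY),
              ("a<->b", A_B_ZONES, A_B_ZONES, NET_A + NET_B, NET_A + NET_B)],
    "VRF_B": [("in_to_out", {"trust"}, {"untrust"}, NET_B, ANY),
              ("a<->b", A_B_ZONES, A_B_ZONES, NET_A + NET_B, NET_A + NET_B)],
    # The public vsys rule is deliberately broader (/16) than either vsys rule.
    "public": [("in_to_out", {"trust"}, {"untrust"}, ["10.1.0.0/16"], ANY)],
}
# Public vsys static routes: (prefix, next hop). 200.1.1.2 is an assumed ISP address.
PUBLIC_ROUTES = [("0.0.0.0/0", "200.1.1.2"),
                 ("10.1.1.0/24", "vpn-instance VRF_A"),
                 ("10.1.2.0/24", "vpn-instance VRF_B")]


def _in_any(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def match_policy(vsys, src_zone, dst_zone, src_ip, dst_ip):
    """Return the name of the first matching rule in vsys, or 'default-deny'."""
    for name, szones, dzones, sprefix, dprefix in POLICIES[vsys]:
        if (src_zone in szones and dst_zone in dzones
                and _in_any(src_ip, sprefix) and _in_any(dst_ip, dprefix)):
            return name
    return "default-deny"   # no rule hit: the device's default policy drops it


def lookup_route(dst_ip):
    """Longest-prefix match over the public vsys route table; None if no route."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, nexthop in PUBLIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


if __name__ == "__main__":
    # VRF_A host to the Internet: permitted in VRF_A, then in public, exits via the ISP.
    print(match_policy("VRF_A", "trust", "untrust", "10.1.1.5", "8.8.8.8"))
    print(match_policy("public", "trust", "untrust", "10.1.1.5", "8.8.8.8"))
    print(lookup_route("8.8.8.8"), lookup_route("10.1.2.9"))
```

Note that a packet arriving in VRF_A with a source from VRF_B's subnet is dropped by VRF_A even though the public vsys /16 rule would accept it, which is why each vsys keeps its own /24 rule.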