GRE encapsulation
When the firewall is connected to the cloud, g0/0/0 can be used.
When the firewall is not connected to the cloud, never use g0/0/0!
The switch needs no configuration.
FW2:
interface GigabitEthernet0/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 1.1.1.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel-protocol gre
source 1.1.1.1
destination 1.1.1.2
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface Tunnel0
ip route-static 192.168.2.0 255.255.255.0 Tunnel0
security-policy
default action permit
FW1:
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.1.2 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.2.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
tunnel-protocol gre
source 1.1.1.2
destination 1.1.1.1
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
add interface Tunnel0
ip route-static 192.168.1.0 255.255.255.0 Tunnel0
Open all policies:
security-policy
default action permit
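The tunnel itself is what the heading refers to: Tunnel0 wraps every packet routed to it in an outer IPv4 header (protocol 47) plus a 4-byte GRE header, using the configured source and destination. The following Python is an added example, not part of the original notes or of any firewall software: it builds the outer packet for a ping that crosses the tunnel and parses it back, which is useful for seeing which addresses the firewall's zone policy will look at. The tunnel endpoints 1.1.1.1/1.1.1.2 are taken from the page; the host addresses 192.168.1.10 and 192.168.2.10 are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_GRE = 47          # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type field for an IPv4 payload


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident: int, seq: int, data: bytes = b"ping") -> bytes:
    """ICMP echo request (type 8) with its checksum filled in."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet the way Tunnel0 does: outer IP (proto 47) + basic GRE header."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no C/K/S bits, version 0
    payload = gre_header + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(payload)) + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Parse outer IP + GRE and return the addresses a zone policy would see."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum is wrong")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE (47)")
    flags_ver, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0xB000:  # C, K or S bit set: optional fields follow the 4-byte header
        raise ValueError("optional GRE fields (checksum/key/sequence) not handled here")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    inner = packet[ihl + 4:]
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "outer_proto": packet[9],
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9],
    }


def build_tunnelled_ping() -> bytes:
    """Constructed example: host 192.168.1.10 behind FW2 pings 192.168.2.10 behind FW1."""
    icmp = icmp_echo_request(ident=1, seq=1)
    inner = ipv4_header("192.168.1.10", "192.168.2.10", IPPROTO_ICMP, len(icmp)) + icmp
    # FW2's static route sends 192.168.2.0/24 into Tunnel0, whose source and
    # destination are 1.1.1.1 and 1.1.1.2 (the values from the page).
    return gre_encapsulate(inner, "1.1.1.1", "1.1.1.2")


if __name__ == "__main__":
    pkt = build_tunnelled_ping()
    print(len(pkt), "bytes on the wire")
    print(gre_decapsulate(pkt))
```

The point to take from the parse result: on the wire between the two firewalls only 1.1.1.1 and 1.1.1.2 with protocol 47 are visible, while the 192.168.x.x addresses and ICMP are inside the GRE payload. That is why the later policy section needs one rule for the inner ICMP flow and a separate rule for GRE between the tunnel endpoints.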
FW2:
Turn off the broad policy; at this point ping fails.
Then write detailed policies, and ping succeeds:
security-policy
rule name trust_untrust
source-zone trust
destination-zone untrust
source-address 192.168.1.0 mask 255.255.255.0
destination-address 192.168.2.0 mask 255.255.255.0
service icmp
action permit
rule name untrust_local
source-zone untrust
destination-zone local
source-address 1.1.1.0 mask 255.255.255.0
destination-address 1.1.1.0 mask 255.255.255.0
service gre
service icmp
action permit
FW1:
Turn off the broad policy; at this point ping fails.
Then write detailed policies, and ping succeeds.
Same as FW2: write the detailed policies.
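Why two rules are needed on each firewall (and why ping fails with the broad policy closed) is easiest to see by walking the flows through a small zone-policy matcher. The Python below is an added example written for these notes, not code from the page or from the firewall vendor: it transcribes FW2's two rules and the interface-to-zone mapping from the configuration above, then evaluates the two flows a tunnelled ping produces on FW2. The host addresses 192.168.1.10 and 192.168.2.10 are constructed; the zone names, rule names and networks are the page's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    source_address: str        # "network/mask", written as in the page's rules
    destination_address: str
    services: frozenset
    action: str                # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    source_zone: str
    destination_zone: str
    src: str
    dst: str
    service: str


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every field of the rule must match: zones, both addresses and the service."""
    return (
        rule.source_zone == flow.source_zone
        and rule.destination_zone == flow.destination_zone
        and ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.source_address)
        and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.destination_address)
        and flow.service in rule.services
    )


def evaluate(rules, flow: Flow, default_action: str = "deny"):
    """First matching rule wins; otherwise the security-policy default action applies."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "default", default_action


# FW2's two detailed rules, transcribed from the page.
FW2_RULES = [
    Rule("trust_untrust", "trust", "untrust",
         "192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0",
         frozenset({"icmp"}), "permit"),
    Rule("untrust_local", "untrust", "local",
         "1.1.1.0/255.255.255.0", "1.1.1.0/255.255.255.0",
         frozenset({"gre", "icmp"}), "permit"),
]

# Interface-to-zone mapping from FW2's config; note that Tunnel0 is in untrust.
FW2_ZONE_OF = {
    "GigabitEthernet0/0/0": "trust",
    "GigabitEthernet1/0/0": "untrust",
    "Tunnel0": "untrust",
}


def flows_for_ping(src_host: str, dst_host: str):
    """The two flows on FW2 that the page's rules cover for a ping across the tunnel.

    Inner: the ICMP packet enters on G0/0/0 (trust) and, by the static route for
    192.168.2.0/24, leaves through Tunnel0 (untrust).
    Outer: the peer's GRE packet is addressed to FW2's own 1.1.1.1, so the
    firewall classifies it as untrust -> local.
    """
    inner = Flow(FW2_ZONE_OF["GigabitEthernet0/0/0"], FW2_ZONE_OF["Tunnel0"],
                 src_host, dst_host, "icmp")
    outer = Flow(FW2_ZONE_OF["GigabitEthernet1/0/0"], "local", "1.1.1.2", "1.1.1.1", "gre")
    return inner, outer


def ping_allowed(rules, src_host: str, dst_host: str, default_action: str = "deny") -> bool:
    """Ping only works if both the inner ICMP flow and the GRE flow are permitted."""
    return all(evaluate(rules, f, default_action)[1] == "permit"
               for f in flows_for_ping(src_host, dst_host))


if __name__ == "__main__":
    for flow in flows_for_ping("192.168.1.10", "192.168.2.10"):
        print(flow.service, flow.source_zone, "->", flow.destination_zone,
              "no rules:", evaluate([], flow),
              "with rules:", evaluate(FW2_RULES, flow))
```

With `default action permit` every flow hits the default and ping works; with the broad policy turned off and no rules, both flows fall to `deny`, which is the "ping fails" state in the notes. Adding only `trust_untrust` is still not enough, because the GRE packets arriving from the peer are a separate untrust-to-local flow that needs `untrust_local`; the same reasoning, with the addresses mirrored, is why FW1 needs the equivalent pair of rules.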
GRE can also carry a dynamic routing protocol, for example OSPF.