H3C防火墙双机热备-主备方式-旁路部署

场景说明:防火墙旁挂核心交换机,核心交换机通过vrf区分公网和内网业务,只允许192.168.10.0/24访问公网。通过下联交换机模拟客户端。防火墙采用主备模式,由于复用链路,采用三层子接口终结vlan的方式进行部署,其中vlan11表示内网 vlan100表示公网,全网采用静态路由部署。

防火墙配置:

#
 version 7.1.064, Alpha 7164
#
 sysname FW-A
#
track 1 interface GigabitEthernet1/0/1
#
nat address-group 0 name SNAT
 address 100.1.1.1 100.1.1.254
#
interface GigabitEthernet1/0/1.11 //由于主备组网,需要指定主防火墙vrrp组为active
 ip address 10.0.11.2 255.255.255.248
 vrrp vrid 11 virtual-ip 10.0.11.1 active
 vlan-type dot1q vid 11
#
interface GigabitEthernet1/0/1.100 //由于主备组网,需要指定主防火墙vrrp组为active
 ip address 10.0.100.2 255.255.255.248
 vrrp vrid 100 virtual-ip 10.0.100.1 active
 vlan-type dot1q vid 100
#
interface GigabitEthernet1/0/23
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.252
#
security-zone name Trust
 import interface GigabitEthernet1/0/1.11
#
security-zone name DMZ
 import interface GigabitEthernet1/0/23
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1.100
#
 ip route-static 0.0.0.0 0 10.0.100.4
 ip route-static 192.168.0.0 16 10.0.11.4
#
nat global-policy
 rule name Trust_Untrust_SNAT
  source-zone Trust
  destination-zone Untrust
  source-ip subnet 192.168.10.0 24
  action snat address-group name SNAT
#
 ip http enable
 ip https enable
#
security-policy ip
 rule 0 name Trust_Untrust_Permit
  action pass
  source-zone Trust
  destination-zone Untrust
  source-ip-subnet 192.168.10.0 255.255.255.0
#
remote-backup group
 data-channel interface GigabitEthernet1/0/23
 delay-time 1
 track 1
 local-ip 1.1.1.1
 remote-ip 1.1.1.2
 device-role primary
#
return

实验结果:通过交换机模拟终端访问路由上公网地址200.1.1.1

发表评论

您的电子邮箱地址不会被公开。

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据