SecPath Firewall Dual-Machine Backup: Typical Configuration
I. Network requirements:
Two SecPath500F firewalls are deployed at the Internet egress and run in dual-machine hot standby (VRRP on both the WAN and LAN sides), so that either unit can take over the virtual gateway addresses if the other unit, or one of its links, fails.
II. Network diagram
Topology as reflected in the configurations below: GigabitEthernet0/0 of each firewall sits on the WAN segment 202.38.1.0/24 (real addresses .253 and .254, VRRP group 2 virtual address 202.38.1.252, upstream next hop 202.38.1.1); GigabitEthernet0/1 sits on the LAN segment 172.16.1.0/24 (real addresses .253 and .254, VRRP group 1 virtual address 172.16.1.252, internal router 172.16.1.1 behind which the 192.168.0.0/16 networks live). Software versions:
SecPath500F_1: Version 3.40, Release 1606;
SecPath500F_2: Version 3.40, Release 1606.
III. Configuration
1. Key configuration of SecPath500F_1
#
sysname Secpath500F_1
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo connection-limit enable
connection-limit default deny
connection-limit default amount upper-limit 50 lower-limit 20
#
vrrp ping-enable //allow the VRRP virtual IP addresses to be pinged (must precede any vrrp vrid command)
#
firewall statistic system enable
#
radius scheme system
#
domain system
#
acl number 3000
description NAT
rule 0 permit ip source 192.168.1.0 0.0.0.255
rule 1 permit ip source 192.168.2.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255
rule 4 permit ip source 192.168.5.0 0.0.0.255
rule 5 permit ip source 192.168.15.0 0.0.0.255
rule 6 permit ip source 192.168.14.0 0.0.0.255
rule 7 permit ip source 192.168.13.0 0.0.0.255
rule 8 permit ip source 192.168.12.0 0.0.0.255
rule 9 permit ip source 192.168.11.0 0.0.0.255
rule 10 deny ip
#
interface Aux0
async mode flow
#
interface GigabitEthernet0/0
description WAN
ip address 202.38.1.253 255.255.255.0
vrrp vrid 2 virtual-ip 202.38.1.252 //virtual IP of VRRP group 2
vrrp vrid 2 priority 110 //priority of VRRP group 2 (higher than the peer's default 100, so this unit is master)
vrrp vrid 2 track GigabitEthernet0/1 reduced 20 //track the LAN interface: priority drops by 20 (110 -> 90) if it goes down
nat outbound 3000
#
interface GigabitEthernet0/1
description LAN
ip address 172.16.1.253 255.255.255.0
vrrp vrid 1 virtual-ip 172.16.1.252 //virtual IP of VRRP group 1
vrrp vrid 1 priority 110 //priority of VRRP group 1 (higher than the peer's default 100, so this unit is master)
vrrp vrid 1 track GigabitEthernet0/0 reduced 20 //track the WAN interface: priority drops by 20 (110 -> 90) if it goes down
#
interface Encrypt2/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface GigabitEthernet0/1
set priority 85
#
firewall zone untrust
add interface GigabitEthernet0/0
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 202.38.1.1 preference 60
ip route-static 192.168.0.0 255.255.0.0 172.16.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
2. Key configuration of SecPath500F_2
#
sysname SecPath500F_2
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo connection-limit enable
connection-limit default deny
connection-limit default amount upper-limit 50 lower-limit 20
#
vrrp ping-enable //allow the VRRP virtual IP addresses to be pinged (must precede any vrrp vrid command)
#
firewall statistic system enable
#
radius scheme system
#
domain system
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255
rule 1 permit ip source 192.168.2.0 0.0.0.255
rule 2 permit ip source 192.168.3.0 0.0.0.255
rule 3 permit ip source 192.168.4.0 0.0.0.255
rule 4 permit ip source 192.168.5.0 0.0.0.255
rule 5 permit ip source 192.168.15.0 0.0.0.255
rule 6 permit ip source 192.168.14.0 0.0.0.255
rule 7 permit ip source 192.168.13.0 0.0.0.255
rule 8 permit ip source 192.168.12.0 0.0.0.255
rule 9 permit ip source 192.168.11.0 0.0.0.255
rule 10 deny ip
#
interface Aux0
async mode flow
#
interface GigabitEthernet0/0
description WAN
ip address 202.38.1.254 255.255.255.0
vrrp vrid 2 virtual-ip 202.38.1.252 //virtual IP of VRRP group 2 (same as on SecPath500F_1)
vrrp vrid 2 track GigabitEthernet0/1 reduced 20 //track the LAN interface; priority stays at the default 100, so this unit is backup
nat outbound 3000
#
interface GigabitEthernet0/1
ip address 172.16.1.254 255.255.255.0
vrrp vrid 1 virtual-ip 172.16.1.252 //virtual IP of VRRP group 1 (same as on SecPath500F_1)
vrrp vrid 1 track GigabitEthernet0/0 reduced 20 //track the WAN interface; priority stays at the default 100, so this unit is backup
#
interface Encrypt2/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface GigabitEthernet0/1
set priority 85
#
firewall zone untrust
add interface GigabitEthernet0/0
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 202.38.1.1 preference 60
ip route-static 192.168.0.0 255.255.0.0 172.16.1.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
IV. Configuration key points
1. By default the virtual IP address of a backup group cannot be pinged. Once a backup group has been created on the security gateway, the system no longer allows this setting to be changed, so the vrrp ping-enable command must be entered before any vrrp vrid command, as it is in both configurations above.
2. The priority ranges from 0 to 255 (a larger value means a higher priority; 255 is reserved for the owner of the virtual IP address and 0 is sent by a master that is giving up the role, so the configurable range is 1 to 254). The default priority is 100. In this example SecPath500F_1 is configured with priority 110 in both groups and is therefore master for both the WAN and the LAN virtual addresses, while SecPath500F_2 keeps the default 100 and is backup. Each group tracks the other interface with "reduced 20": if one link on the master fails, that group's priority falls to 90 (< 100) and both groups move to the backup together, so traffic is not split between the two units. For this to work the reduction must be larger than the priority gap between the units (here 10).
3. Preemption is the default mode, with a delay of 0 seconds, so SecPath500F_1 takes the master role back as soon as its priority is again higher than the peer's.
4. By default no authentication is performed, which means any host on the same segment can send VRRP advertisements to the group. Configure VRRP authentication on both groups (the LAN group in particular) and keep untrusted hosts off the segments on which the VRRP interfaces live.
5. By default adver-interval is 1 second, with a range of 1 to 255 seconds; both units in the same backup group must use the same value.
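As an added example (not part of the original page and not H3C tooling), the following Python script parses the two configurations above, cross-checks them for the mismatches that would break or weaken the hot standby, and simulates the VRRP election with the tracking arithmetic from key point 2. The device names FW1/FW2, the helper names and the trimmed configuration excerpts are constructed here; the election model is the standard VRRP rule (highest priority wins, ties go to the higher interface address), with "track ... reduced N" treated as subtracting N while the tracked interface is down and a group whose own interface is down leaving the election.

```python
"""Parse, cross-check and simulate the two SecPath VRRP configurations.

Added example, not code from the page or from H3C. Assumes the Comware-style
syntax shown on the page and the standard VRRP election rule; device names,
helper names and the config excerpts are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Group:
    vrid: int
    iface: str
    ip: str
    virtual_ip: str = ""
    priority: int = 100                        # default when no 'priority' line
    track: dict = field(default_factory=dict)  # tracked interface -> reduction


@dataclass
class Unit:
    name: str
    interfaces: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)  # vrid -> Group


def parse_unit(name: str, config: str) -> Unit:
    """Extract interfaces and VRRP groups from one device's configuration."""
    unit, iface, ip = Unit(name), None, None
    for raw in config.splitlines():
        line = raw.split("//")[0].strip()      # drop the page's inline comments
        if m := re.match(r"interface (\S+)$", line):
            iface, ip = m.group(1), None
            unit.interfaces.add(iface)
        elif m := re.match(r"ip address (\S+) \S+$", line):
            ip = m.group(1)
        elif m := re.match(r"vrrp vrid (\d+) (.+)$", line):
            vrid, rest = int(m.group(1)), m.group(2)
            g = unit.groups.setdefault(vrid, Group(vrid, iface, ip))
            if v := re.match(r"virtual-ip (\S+)", rest):
                g.virtual_ip = v.group(1)
            elif v := re.match(r"priority (\d+)", rest):
                g.priority = int(v.group(1))
            elif v := re.match(r"track (\S+) reduced (\d+)", rest):
                g.track[v.group(1)] = int(v.group(2))
    return unit


def check_pair(a: Unit, b: Unit) -> list:
    """Return readable problems that would break or weaken the hot standby."""
    problems = []
    if a.groups.keys() != b.groups.keys():
        problems.append(f"group sets differ: {sorted(a.groups)} vs {sorted(b.groups)}")
    for vrid in a.groups.keys() & b.groups.keys():
        ga, gb = a.groups[vrid], b.groups[vrid]
        if ga.virtual_ip != gb.virtual_ip:
            problems.append(f"vrid {vrid}: virtual IPs differ ({ga.virtual_ip} / {gb.virtual_ip})")
        if ga.ip == gb.ip:
            problems.append(f"vrid {vrid}: both units use real address {ga.ip}")
        if ga.priority == gb.priority:
            problems.append(f"vrid {vrid}: equal priorities, master chosen by address only")
        for unit, g, other in ((a, ga, gb), (b, gb, ga)):
            for tracked, reduced in g.track.items():
                if tracked not in unit.interfaces:
                    problems.append(f"{unit.name} vrid {vrid}: tracks unknown interface {tracked}")
                # The master's reduction must drop it below the backup, or nothing fails over.
                if g.priority > other.priority and g.priority - reduced >= other.priority:
                    problems.append(f"{unit.name} vrid {vrid}: 'reduced {reduced}' leaves "
                                    f"{g.priority - reduced} >= peer {other.priority}, no failover")
    return problems


def elect(units: list, down: set = frozenset()) -> dict:
    """Master per vrid; `down` holds (unit name, interface) pairs that are down."""
    masters = {}
    for vrid in {v for u in units for v in u.groups}:
        candidates = []
        for u in units:
            g = u.groups.get(vrid)
            if g is None or (u.name, g.iface) in down:   # own link down: not a candidate
                continue
            prio = g.priority - sum(r for t, r in g.track.items() if (u.name, t) in down)
            candidates.append((prio, int(ipaddress.ip_address(g.ip)), u.name))
        masters[vrid] = max(candidates)[2] if candidates else None
    return masters


# Constructed excerpts of the two configurations shown on this page.
FW1_CONF = """
interface GigabitEthernet0/0
 ip address 202.38.1.253 255.255.255.0
 vrrp vrid 2 virtual-ip 202.38.1.252
 vrrp vrid 2 priority 110
 vrrp vrid 2 track GigabitEthernet0/1 reduced 20
#
interface GigabitEthernet0/1
 ip address 172.16.1.253 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.1.252
 vrrp vrid 1 priority 110
 vrrp vrid 1 track GigabitEthernet0/0 reduced 20
"""
FW2_CONF = """
interface GigabitEthernet0/0
 ip address 202.38.1.254 255.255.255.0
 vrrp vrid 2 virtual-ip 202.38.1.252
 vrrp vrid 2 track GigabitEthernet0/1 reduced 20
#
interface GigabitEthernet0/1
 ip address 172.16.1.254 255.255.255.0
 vrrp vrid 1 virtual-ip 172.16.1.252
 vrrp vrid 1 track GigabitEthernet0/0 reduced 20
"""


def demo() -> dict:
    """Run the checks plus two failover scenarios and return the results."""
    fw1, fw2 = parse_unit("FW1", FW1_CONF), parse_unit("FW2", FW2_CONF)
    wan_down = {("FW1", "GigabitEthernet0/0")}
    # Same pair, but with a reduction too small to drop below the peer's 100.
    weak = parse_unit("FW1", FW1_CONF.replace("reduced 20", "reduced 5"))
    return {
        "problems": check_pair(fw1, fw2),
        "normal": elect([fw1, fw2]),
        "fw1_wan_down": elect([fw1, fw2], wan_down),
        "weak_problems": check_pair(weak, fw2),
        "weak_fw1_wan_down": elect([weak, fw2], wan_down),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run directly, it prints the results. With the page's values the pair checks clean, FW1 is master for both groups, and both groups move to FW2 when FW1's WAN link fails. With "reduced 5" the check reports that no failover would happen, and the simulation shows the split: the LAN group stays on FW1 (105 > 100) while the WAN group moves to FW2. The unknown-interface check is what would catch a mistyped interface name in a track statement.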