2025-01-18 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
Topology Diagram:
# Firewall HA configuration:
1. Configure the interface addresses and the VRRP groups on the master and slave firewalls, and enable master/slave synchronization.
The configuration is as follows:
# FW1
Configure the interface addresses:
interface GigabitEthernet1/0/1
 description BOTH
 undo shutdown
 ip address 10.10.0.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 description TO-UP
 undo shutdown
 ip address 1.1.1.2 255.255.255.0
 vrrp vrid 2 virtual-ip 1.1.1.1 active
 service-manage ping permit
 ipsec policy map1
#
interface GigabitEthernet1/0/3
 description TO-DOWN
 undo shutdown
 ip address 10.3.0.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.2 active
 service-manage ping permit
# add each interface to its security zone
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
# enable master/slave (HRP) synchronization over the heartbeat interface:
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.2
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
# FW2
Configure the interface addresses:
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.10.0.2 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 1.1.1.3 255.255.255.0
 vrrp vrid 2 virtual-ip 1.1.1.1 standby
 service-manage ping permit
 ipsec policy map1
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.2 standby
 service-manage ping permit
# add each interface to its security zone
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1
# enable master/slave (HRP) synchronization; the remote address is FW1's heartbeat interface:
hrp enable
hrp interface GigabitEthernet1/0/1 remote 10.10.0.1
hrp track interface GigabitEthernet1/0/1
hrp track interface GigabitEthernet1/0/2
hrp track interface GigabitEthernet1/0/3
PS: the virtual IP address of a VRRP group does not have to be on the same network segment as the interface's physical address.
In that case the configuration is:
vrrp vrid 1 virtual-ip 10.3.0.2 255.255.255.0 standby
That is, a virtual IP on the same segment as the interface is configured without a mask, while a virtual IP on a different segment must be configured with a mask.
2. Once the configuration above is complete, configuration synchronization between the two firewalls is active.
# Configure the security policy and the IPsec VPN.
# configure the security policy
security-policy
 rule name 1   // heartbeat policy
  source-zone dmz
  source-zone local
  destination-zone dmz
  destination-zone local
  action permit
 rule name 2   // VPN interactive access policy (outbound)
  source-zone local
  source-zone trust
  destination-zone untrust
  source-address 1.1.1.0 mask 255.255.255.0
  source-address 10.3.0.0 mask 255.255.0.0
  destination-address 10.4.1.0 mask 255.255.255.0
  destination-address 4.4.4.0 mask 255.255.255.0
  action permit
 rule name 3   // VPN interactive response policy (inbound)
  source-zone local
  source-zone untrust
  destination-zone local
  destination-zone trust
  source-address 4.4.4.0 mask 255.255.255.0
  destination-address 1.1.1.0 mask 255.255.255.0
  action permit
PS: at this point FW1 receives the IPsec-encrypted packets, whose source and destination IPs are the addresses at the two ends of the tunnel. A rule such as rule 3 must therefore match that traffic precisely; strict security-policy matching is required.
#
# configure IPsec:
#
acl number 3000
 rule 5 permit ip source 10.3.0.0 0.0.0.255 destination 10.4.1.0 0.0.0.255
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer any
 pre-shared-key Admin@123
 ike-proposal 10
#
ipsec proposal tran1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ipsec policy-template policy1 1   // the master uses a policy template to establish the VPN
 security acl 3000
 ike-peer any
 proposal tran1
#
ipsec policy map1 10 isakmp template policy1
#
interface GigabitEthernet1/0/2   // bind the IPsec policy to the outbound interface
 undo shutdown
 ip address 1.1.1.3 255.255.255.0
 vrrp vrid 2 virtual-ip 1.1.1.1 standby
 service-manage ping permit
 ipsec policy map1
#
3. Configure the NAT policy
Configure the address pool:
#
nat address-group 1 0
 mode pat
 section 0 1.1.1.1 1.1.1.1
#
Configure the NAT policy:
#
nat-policy
 rule name 1   // exempt the IPsec-protected traffic from source NAT; keep this rule above the source-nat rule
  source-zone trust
  destination-zone untrust
  source-address 10.1.3.0 0.0.0.255
  source-address 10.3.0.0 mask 255.255.255.0
  destination-address 10.4.1.0 0.0.0.255
  destination-address 10.4.1.0 mask 255.255.255.0
  action no-nat
 rule name nat
  source-zone trust
  destination-zone untrust
  action source-nat address-group 1
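Two things in the listings above are easy to get wrong across a pair: the VRRP and HRP settings on FW1 and FW2 must mirror each other (same vrid and virtual-ip, one active and one standby, each hrp remote pointing at the peer's heartbeat address), and the no-nat rule must sit above the source-nat rule, otherwise traffic for 10.4.1.0/24 is translated to 1.1.1.1 and no longer matches ACL 3000, so it leaves without IPsec protection. The Python script below is an added example, not part of the original post; it reads trimmed copies of the page's listings (constructed here) and reports both kinds of inconsistency.

```python
def ha_facts(cfg):
    """VRRP groups {vrid: (vip, role)} and (heartbeat interface IP, configured hrp remote)."""
    vrrp, addr, iface, hb = {}, {}, None, None
    for line in cfg.splitlines():
        words = line.split()
        if line.startswith("interface "):
            iface = words[1]
        elif line.startswith(" ip address "):
            addr[iface] = words[2]
        elif line.startswith(" vrrp vrid "):       # mask is optional; the role is always last
            vrrp[int(words[2])] = (words[4], words[-1])
        elif line.startswith("hrp interface "):    # hrp interface <heartbeat-if> remote <peer-ip>
            hb = (addr.get(words[2]), words[4])
    return vrrp, hb

def check_ha_pair(cfg_a, cfg_b):
    """Findings for the pair; an empty list means the VRRP and HRP settings mirror each other."""
    (va, hba), (vb, hbb) = ha_facts(cfg_a), ha_facts(cfg_b)
    found = [f"vrid {v}: configured on only one unit" for v in set(va) ^ set(vb)]
    for v in set(va) & set(vb):
        if va[v][0] != vb[v][0]:
            found.append(f"vrid {v}: virtual-ip differs")
        elif {va[v][1], vb[v][1]} != {"active", "standby"}:
            found.append(f"vrid {v}: need exactly one active and one standby")
    if None in (hba, hbb) or hba[1] != hbb[0] or hbb[1] != hba[0]:
        found.append("hrp remote does not point at the peer's heartbeat interface address")
    return found

def check_nat_order(nat_cfg):
    """no-nat for the IPsec-protected flow must precede source-nat, or it is never reached."""
    acts = [l.split()[1] for l in nat_cfg.splitlines() if l.strip().startswith("action ")]
    if "no-nat" in acts and "source-nat" in acts and acts.index("source-nat") < acts.index("no-nat"):
        return ["no-nat rule is shadowed by an earlier source-nat rule"]
    return []
# Constructed from the page's FW1/FW2 listings, trimmed to the lines the checks read; FW2 is derived from FW1.
FW1 = """interface GigabitEthernet1/0/1
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet1/0/3
 ip address 10.3.0.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.2 active
hrp interface GigabitEthernet1/0/1 remote 10.10.0.2
"""
FW2 = (FW1.replace("10.10.0.1 ", "10.10.0.2 ").replace("10.3.0.3 ", "10.3.0.1 ")
          .replace(" active", " standby").replace("remote 10.10.0.2", "remote 10.10.0.1"))
NAT = """nat-policy
 rule name 1
  action no-nat
 rule name nat
  action source-nat address-group 1
"""
```

Run `check_ha_pair(FW1, FW2)` and `check_nat_order(NAT)`; both return an empty list for the page's configuration, and feeding the same listing twice or swapping the two NAT rules produces a finding.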
#