Virtual Private Network (VPN) - Configuration Guide for Connecting an HW-USG Firewall (V5) to Huawei Cloud: Customer-Side Device Networking and Basic Configuration Assumptions

Time: 2024-07-19 15:22:09

Customer-Side Device Networking and Basic Configuration Assumptions

  1. The customer-side basic network configuration is assumed to be as follows:

Internal interface: GigabitEthernet1/0/0 belongs to zone Trust, interface IP 10.0.0.1/30.

Subnets to be carried over the encrypted tunnel: 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24, all in zone Trust.

External interface: GigabitEthernet1/0/1 belongs to zone Untrust, interface IP 22.22.22.22/24.

Default route: destination 0.0.0.0/0, outbound interface GE1/0/1, next hop the GE1/0/1 gateway IP 22.22.22.1.

Security policy: Trust to Untrust, with source address, destination address and service all set to any, action permit.

NAT policy: source address the internal subnets, destination address any, action Easy-IP, i.e. translate to the interface IP.

  2. The corresponding basic configuration on the command line is shown below:
    interface GigabitEthernet1/0/0
    ip address 10.0.0.1 255.255.255.252
    #
    interface GigabitEthernet1/0/1
    ip address 22.22.22.22 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 22.22.22.1
    ip route-static 172.16.10.0 255.255.255.0 10.0.0.2
    ip route-static 172.16.20.0 255.255.255.0 10.0.0.2
    ip route-static 172.16.30.0 255.255.255.0 10.0.0.2
    #
    firewall zone trust
    set priority 85
    import interface GigabitEthernet1/0/0
    #
    firewall zone untrust
    set priority 5
    import interface GigabitEthernet1/0/1
    #
    ip address-set Customer-subnet172.16.10.0/24 type object
    address 0 172.16.10.0 mask 24
    #
    ip address-set Customer-subnet172.16.20.0/24 type object
    address 0 172.16.20.0 mask 24
    #
    ip address-set Customer-subnet172.16.30.0/24 type object
    address 0 172.16.30.0 mask 24
    #
    security-policy
    rule name Policy-Internet
      policy logging
      session logging
      source-zone trust
      destination-zone untrust
      action permit
    #
    nat-policy
    rule name Snat_Internet
      source-zone trust
      egress-interface GigabitEthernet1/0/1
      action nat easy-ip
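The baseline above is what the Huawei Cloud interconnection is built on, so it is worth checking mechanically before the VPN itself is configured. The following Python script is an added example, not part of this guide or of Huawei's tooling: it parses the interface, static-route and address-set lines from a constructed copy of the configuration above and reports where they diverge from the stated assumptions (default gateway on the Untrust link, and an address-set object plus a Trust-side static route for each subnet to be encrypted).

```python
import re
from ipaddress import ip_address, ip_interface, ip_network
# Constructed sample: the guide's baseline, reduced to the lines checked below.
USG_CONFIG = """\
interface GigabitEthernet1/0/0
ip address 10.0.0.1 255.255.255.252
interface GigabitEthernet1/0/1
ip address 22.22.22.22 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 22.22.22.1
ip route-static 172.16.10.0 255.255.255.0 10.0.0.2
ip route-static 172.16.20.0 255.255.255.0 10.0.0.2
ip route-static 172.16.30.0 255.255.255.0 10.0.0.2
ip address-set Customer-subnet172.16.10.0/24 type object
address 0 172.16.10.0 mask 24
ip address-set Customer-subnet172.16.20.0/24 type object
address 0 172.16.20.0 mask 24
ip address-set Customer-subnet172.16.30.0/24 type object
address 0 172.16.30.0 mask 24
"""

def parse_config(text):
    # Collect interface addresses, static routes and address-set prefixes.
    ifaces, routes, objects, cur = {}, [], set(), None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            ifaces[cur] = ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route-static (\S+) (\S+) (\S+)$", line):
            routes.append((ip_network(f"{m.group(1)}/{m.group(2)}"), ip_address(m.group(3))))
        elif m := re.match(r"address \d+ (\S+) mask (\d+)$", line):
            objects.add(ip_network(f"{m.group(1)}/{m.group(2)}"))
    return ifaces, routes, objects

def check_baseline(text, vpn_subnets, inside_if, outside_if):
    """Return findings where the config deviates from the guide's assumptions."""
    ifaces, routes, objects = parse_config(text)
    findings = []
    # The default route's gateway must sit on the Untrust interface's subnet.
    default_nh = [nh for net, nh in routes if net.prefixlen == 0]
    if not default_nh or default_nh[0] not in ifaces[outside_if].network:
        findings.append("default route next hop is not on the outside interface subnet")
    for sub in map(ip_network, vpn_subnets):
        # Each tunnel subnet needs an address-set object and a route via the Trust link.
        if sub not in objects:
            findings.append(f"no address-set object for {sub}")
        nhs = [nh for net, nh in routes if net == sub]
        if not nhs or nhs[0] not in ifaces[inside_if].network:
            findings.append(f"no static route to {sub} via the inside interface subnet")
    return findings
```

Run it against the exported configuration of the USG with the three subnets from the assumptions; an empty result means the baseline matches, and each finding names the line that still has to be added or corrected.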
support.huaweicloud.com/admin-vpn/vpn_admin_0004.html