Virtual Private Network (VPN) - Configuration Guide for Connecting a Huawei USG Firewall (V5) to Huawei Cloud: Customer-Side Device Networking and Basic Configuration Assumptions
Customer-Side Device Networking and Basic Configuration Assumptions
- The customer-side basic network configuration is assumed to be as follows:
  - Internal interface: GigabitEthernet1/0/0, in the Trust zone, with interface IP 10.0.0.1/30.
  - The subnets whose traffic is to be encrypted (carried over the VPN) are 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24, all in the Trust zone.
  - External interface: GigabitEthernet1/0/1, in the Untrust zone, with interface IP 22.22.22.22/24.
  - Default route: destination 0.0.0.0/0, outbound interface GE1/0/1, next hop the gateway IP of GE1/0/1, 22.22.22.1.
  - Security policy: Trust to Untrust, with source address, destination address and service all set to any; action permit.
  - NAT policy: source address is the internal network segment, destination address is ANY, action is EasyIP, i.e. source addresses are translated to the interface IP.
- The corresponding basic configuration on the command line is shown below:
    interface GigabitEthernet1/0/0
     ip address 10.0.0.1 255.255.255.252
    #
    interface GigabitEthernet1/0/1
     ip address 22.22.22.22 255.255.255.0
    #
    ip route-static 0.0.0.0 0.0.0.0 22.22.22.1
    ip route-static 172.16.10.0 255.255.255.0 10.0.0.2
    ip route-static 172.16.20.0 255.255.255.0 10.0.0.2
    ip route-static 172.16.30.0 255.255.255.0 10.0.0.2
    #
    firewall zone trust
     set priority 85
     import interface GigabitEthernet1/0/0
    #
    firewall zone untrust
     set priority 5
     import interface GigabitEthernet1/0/1
    #
    ip address-set Customer-subnet172.16.10.0/24 type object
     address 0 172.16.10.0 mask 24
    #
    ip address-set Customer-subnet172.16.20.0/24 type object
     address 0 172.16.20.0 mask 24
    #
    ip address-set Customer-subnet172.16.30.0/24 type object
     address 0 172.16.30.0 mask 24
    #
    security-policy
     rule name Policy-Internet
      policy logging
      session logging
      source-zone trust
      destination-zone untrust
      action permit
    #
    nat-policy
     rule name Snat_Internet
      source-zone trust
      egress-interface GigabitEthernet1/0/1
      action nat easy-ip
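Before the IPsec part is configured it is worth confirming that the baseline routing actually matches the assumptions above: every subnet to be encrypted must have an exact static route whose next hop is on the Trust interface, and the default route must leave via the Untrust interface; a subnet with no specific route simply follows the default route out GE1/0/1. The following check is an added example written for this guide, not Huawei's own tooling; it parses the interface and `ip route-static` lines of the configuration above (embedded as a constructed sample) and reports any deviation.

```python
import ipaddress

# Constructed sample: the interface and route lines of this guide's baseline USG config.
USG_CONFIG = """\
interface GigabitEthernet1/0/0
 ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/1
 ip address 22.22.22.22 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 22.22.22.1
ip route-static 172.16.10.0 255.255.255.0 10.0.0.2
ip route-static 172.16.20.0 255.255.255.0 10.0.0.2
ip route-static 172.16.30.0 255.255.255.0 10.0.0.2
"""

def parse_interfaces(cfg):
    """{interface name: IPv4Interface} from 'interface X' / ' ip address A M' lines."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
        elif cur and line.strip().startswith("ip address "):
            addr, mask = line.split()[2:4]
            ifaces[cur] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces

def parse_static_routes(cfg):
    """[(IPv4Network, next-hop IPv4Address)] from 'ip route-static DST MASK NH' lines."""
    routes = []
    for line in cfg.splitlines():
        if line.startswith("ip route-static "):
            dst, mask, nh = line.split()[2:5]
            routes.append((ipaddress.ip_network(f"{dst}/{mask}"), ipaddress.ip_address(nh)))
    return routes

def check_routing(cfg, lan_if, wan_if, vpn_subnets):
    """Each subnet to be encrypted needs an exact route via the Trust side; the default
    route must leave via the Untrust side. Returns a list of findings (empty == ok)."""
    ifaces, routes = parse_interfaces(cfg), parse_static_routes(cfg)
    lan_net, wan_net = ifaces[lan_if].network, ifaces[wan_if].network
    findings = []
    for s in map(ipaddress.ip_network, vpn_subnets):
        hops = [nh for net, nh in routes if net == s]
        if not hops:
            findings.append(f"{s}: no specific route, would follow the default route")
        elif not all(nh in lan_net for nh in hops):
            findings.append(f"{s}: next hop not on {lan_if} ({lan_net})")
    defaults = [nh for net, nh in routes if net.prefixlen == 0]
    if not defaults or not all(nh in wan_net for nh in defaults):
        findings.append(f"default route missing or not via {wan_if} ({wan_net})")
    return findings
```

Run it against the running configuration exported from the USG (the same VRP text form) with the interface names and subnets from the assumptions above.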