Configure IPS: vlan 2 port e0/2
vlan port e0/10
vlan port e0/20
Configure the Layer 3 interface and its address: interface vlan-interface 2
ip address 61.130.130.2 255.255.255.252
The other two ports are configured the same way.
FW1: int eth0/0
ip add 192.168.1.1 24
int eth0/4
ip add 61.130.130.1 30
Configure the routing table with the next-hop address: ip route-static 0.0.0.0 0 61.130.130.2
firewall zone untrust
add interface eth0/4
FW2 configuration
int eth0/0
ip add 192.168.2.1 24
int eth0/4
ip add 61.130.130.5 30
Next hop: ip route-static 0.0.0.0 0 61.130.130.6
Add interfaces to zones
firewall zone untrust
add interface eth0/4
firewall zone trust
add interface eth0/0
firewall packet-filter default permit (FW3 is configured the same way)
FW2 tunnel configuration
acl number 3000 match-order auto
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 20 deny ip source any destination any
Security proposal
ipsec proposal tran1
Select tunnel mode
encapsulation-mode tunnel
Select the ESP protocol
transform esp
esp authentication-algorithm md5
ipsec policy policy1 10 manual (SA sequence number)
security acl 3000
proposal tran1
Tunnel start (local) address
tunnel local 61.130.130.5
Tunnel end (remote) address, i.e. the peer FW1's eth0/4
tunnel remote 61.130.130.1
Fill in the SA
sa spi inbound esp (SA number)
sa string-key inbound esp ()
Apply the policy to the interface
int eth0/4
ipsec policy policy1
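Manual-SA IPsec policies like the one above fail silently when a value is mistyped, so a quick consistency check before pasting the config is worth having. The following is an added example, not part of these notes: a small Python linter for a Comware-style manual IPsec snippet. The embedded sample is constructed from the FW2 configuration, with a deliberately duplicated tunnel address and the outbound SA, acl and proposal references left out, so that the check has something to catch.

```python
"""Sanity-check a hand-written Comware-style manual IPsec policy (added example)."""
import re

# Constructed sample: the FW2 tunnel snippet with deliberate slips
# (remote == local, no outbound SA, no acl/proposal bound to the policy).
FW2_CONFIG = """\
acl number 3000 match-order auto
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 20 deny ip source any destination any
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
ipsec policy policy1 10 manual
 tunnel local 61.130.130.5
 tunnel remote 61.130.130.5
 sa spi inbound esp 12345
 sa string-key inbound esp PLACEHOLDER-KEY
interface eth0/4
 ipsec policy policy1
"""


def check_manual_ipsec(config: str) -> list[str]:
    """Return a list of human-readable findings; empty list means no issue found."""
    findings = []
    # Policies defined in manual mode: "ipsec policy <name> <seq> manual"
    policies = set(re.findall(r"^ipsec policy (\S+) \d+ manual", config, re.M))
    local = re.search(r"^\s*tunnel local (\S+)", config, re.M)
    remote = re.search(r"^\s*tunnel remote (\S+)", config, re.M)
    if local and remote and local.group(1) == remote.group(1):
        findings.append(f"tunnel local and remote are both {local.group(1)}; peer address is wrong")
    # Interface binding "ipsec policy <name>" must refer to a defined policy
    for m in re.finditer(r"^\s*ipsec policy (\S+)$", config, re.M):
        if m.group(1) not in policies:
            findings.append(f"interface binds undefined policy {m.group(1)}")
    # A manual SA needs SPI and key for both directions
    for direction in ("inbound", "outbound"):
        if not re.search(rf"^\s*sa spi {direction} esp \S+", config, re.M):
            findings.append(f"manual SA missing {direction} SPI")
        if not re.search(rf"^\s*sa string-key {direction} esp \S+", config, re.M):
            findings.append(f"manual SA missing {direction} key")
    # The policy must reference the traffic acl and the proposal
    if not re.search(r"^\s*security acl \d+", config, re.M):
        findings.append("policy does not reference a security acl")
    if not re.search(r"^\s*proposal \S+", config, re.M):
        findings.append("policy does not reference an ipsec proposal")
    return findings


if __name__ == "__main__":
    for finding in check_manual_ipsec(FW2_CONFIG):
        print("FINDING:", finding)
```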