Configure IPS: vlan 2 port e0/2
Vlan port e0/10
Vlan port e0/20
Configure the layer-3 interface and its address: Interface vlan-interface 2
Ip add 61.130.130.2 255.255.255.252
The other two ports are configured the same way
FW1 configuration
Int eth0/0
Ip add 192.168.1.1 24
Int eth0/4
Ip add 61.130.130.1 30
Configure the routing table (default route, next-hop address): Ip route-static 0.0.0.0 0 61.130.130.2
Firewall zone untrust
Add interface eth0/4
FW2 configuration
Int eth0/0
Ip add 192.168.2.1 24
Int eth0/4
Ip add 61.130.130.5 30
Next hop: Ip route-static 0.0.0.0 0 61.130.130.6
Add to zones
Firewall zone untrust
Add interface eth0/4
Firewall zone untrust
Add interface eth0/0
Firewall packet-filter default permit (FW3 is configured the same way)
FW2 tunnel configuration
Acl number 3000 match-order auto
Rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
Rule 20 deny ip source any destination any
Security proposal (IPsec transform set)
Ipsec proposal tran1
Select tunnel mode
Encapsulation-mode tunnel
Select the ESP protocol
Transform esp
Esp authentication-algorithm md5
Ipsec policy policy1 10 manual (10 is the policy sequence number; policy1 is the name the interface binds)
Security acl 3000
Proposal tran1
Tunnel local address
Tunnel local 61.130.130.5
Tunnel remote address (the peer FW1's eth0/4 address, not the local one)
Tunnel remote 61.130.130.1
Fill in the SA (a manual SA needs an SPI and key in both directions; the values are placeholders)
Sa spi inbound esp (SPI value)
Sa string-key inbound esp (key)
Sa spi outbound esp (SPI value)
Sa string-key outbound esp (key)
Apply the policy to the interface
Int eth0/4
Ipsec policy policy1
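A small lint for this kind of manual-keyed IPsec fragment, added here as an example and not part of the lab note or the vendor's tooling. It assumes Comware-style command syntax; the sample config text, SPI and key values are constructed, and the sample deliberately reproduces the slips a hand-typed note like this one tends to contain (ACL address without a wildcard, tunnel remote equal to tunnel local, only the inbound SA defined).

```python
import re

# Constructed sample: FW2's tunnel config as a note might transcribe it, errors included.
SAMPLE = """\
acl number 3000 match-order auto
 rule 10 permit ip source 192.168.2.0 destination 192.168.1.1 0.0.0.255
 rule 20 deny ip source any destination any
ipsec proposal tran1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
ipsec policy policy1 10 manual
 security acl 3000
 proposal tran1
 tunnel local 61.130.130.5
 tunnel remote 61.130.130.5
 sa spi inbound esp 12345
 sa string-key inbound esp key-placeholder
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _acl_rule_issues(line):
    """Every non-'any' source/destination in a permit rule needs a wildcard mask."""
    toks, issues = line.split(), []
    for kw in ("source", "destination"):
        if kw not in toks:
            continue
        i = toks.index(kw)
        if toks[i + 1] == "any":
            continue
        mask = toks[i + 2] if i + 2 < len(toks) else ""
        if not IPV4.fullmatch(mask):
            issues.append(f"acl {kw} {toks[i + 1]} has no wildcard mask")
    return issues


def lint_manual_ipsec(cfg):
    """Return a list of findings for a manual-keyed IPsec policy fragment."""
    findings = []
    for line in cfg.splitlines():
        if " permit ip " in line:
            findings += _acl_rule_issues(line)
    local = re.search(r"tunnel local (\S+)", cfg)
    remote = re.search(r"tunnel remote (\S+)", cfg)
    if local and remote and local.group(1) == remote.group(1):
        findings.append("tunnel remote equals tunnel local; it must be the peer's address")
    for direction in ("inbound", "outbound"):      # manual keying needs both SAs
        for item in ("spi", "string-key"):
            if not re.search(rf"sa {item} {direction} esp \S+", cfg):
                findings.append(f"manual SA missing 'sa {item} {direction} esp'")
    if re.search(r"authentication-algorithm md5", cfg):
        findings.append("esp authentication-algorithm md5 is weak; prefer sha2")
    return findings
```

Running `lint_manual_ipsec(SAMPLE)` reports the missing source wildcard, the identical tunnel endpoints, the absent outbound SPI and key, and the MD5 choice; the corrected fragment reports nothing.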