No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
HUAWEI USG Series Firewalls Interoperability Configuration Guide for VPN

This document provides the guide for configuring a Huawei firewall to use VPN to communicate with a non-Huawei device.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
CLI: Example for Accessing the Virtual System Network Using a Windows 7 PC Through an L2TP over IPSec Tunnel

CLI: Example for Accessing the Virtual System Network Using a Windows 7 PC Through an L2TP over IPSec Tunnel

This example describes how to access the virtual system network using a Windows 7 PC through an L2TP over IPSec tunnel.

Networking Requirements

As shown in Figure 3-11, only one public IP address is configured for FW_A. Different virtual systems (LNSs) establish L2TP over IPSec tunnels with the peer PC (LAC Client), equipped with the Windows 7 system, using the public IP address. The LAC Client and the LNS communicate with each other through a tunnel. Data is encapsulated using L2TP and then encrypted using IPSec. When IPSec policies are configured for the root system, they are applied to WAN interfaces of the root system to protect traffic of the virtual system and achieve secure access between the virtual system network and the peer PC.

Figure 3-11 Accessing the virtual system network using a Windows 7 PC through an L2TP over IPSec tunnel

Data Planning

Item

Data

FW_A

public (LNS)

WAN interface: GE1/0/1

IP address of the WAN interface: 1.1.1.1/24

Security zone of the WAN interface: Untrust

Private interface: public virtual interface Virtual-if0

Security zone of the LAN interface: Trust

Address pool

Address pool name: pool1

Range of addresses in the address pool: 100.1.1.2-100.1.1.100

User configuration

vsysa user:
  • User name: user0001@network_vsysa
  • Password: Hello@123
vsysb user:
  • User name: user0002@network_vsysb
  • Password: Hello@123

IPSec configuration

Security protocol: ESP

IKE verification algorithm: SHA1

IKE encryption algorithm: 3DES

ESP verification algorithm: SHA1

ESP encryption algorithm: 3DES

Local ID type: IP address

Local ID: 1.1.1.1

Peer ID type: any

Authentication mode: pre-shared key

Key type: multiple keys

Pre-shared keys:
  • vsysa: Admin@123
  • vsysb: Admin@456

vsysa

WAN interface: virtual interface Virtual-if1 of vsysa

Security zone of the WAN interface: Untrust

LAN interface: GE1/0/2

IP address of the LAN interface: 10.1.0.1/24

Private address range: 10.1.0.0/24

Security zone of the LAN interface: Trust

vsysb

WAN interface: virtual interface Virtual-if2 of vsysb

Security zone of the WAN interface: Untrust

LAN interface: GE1/0/4

IP address of the LAN interface: 10.2.0.1/24

Private address range: 10.2.0.0/24

Security zone of the LAN interface: Trust

LAC Client 1

Internet IP address: 1.1.1.1

User name: user0001@network_vsysa

Password: Hello@123

Pre-shared key: Admin@123

LAC Client 2

Internet IP address: 1.1.1.1

User name: user0002@network_vsysb

Password: Hello@123

Pre-shared key: Admin@456

Configuration Principles

Principles for configuring vsysb and LAC Client 2 are similar. This section describes how to configure the system to enable multiple virtual systems to establish an IPSec VPN tunnel with the peer gateway by sharing a public IP address using vsysa and LAC Client 1 as an example. For details about the configuration of vsysb and LAC Client 2, see the configuration of vsysa and LAC Client 1.

  1. In the root system, create virtual system vsysa and allocate resources to the virtual system.
  2. In the root system, configure the interface, route, and security policy.
  3. In vsysa, configure the interface, route, and security policy.
  4. In the root system, configure the address pool, authentication domain, and user.
  5. In the root system, configure an L2TP over IPSec tunnel and bind the IPSec policies with vsysa.
  6. On LAC Client 1, configure VPN connection parameters. Ensure that the parameters match those configured for FW_A.

Procedure

  • Configure FW_A.
    1. Enable the virtual system.

      <sysname> system-view
[sysname] sysname FW_A
[FW_A] vsys enable

    2. Create virtual system vsysa and allocate resources.

      # Configure resource class r1, and set the number of assured IPSec tunnels and maximum number of IPSec tunnels.

      [FW_A] resource-class r1
[FW_A-resource-class-r1] resource-item-limit ipsec-tunnel reserved-number 10 maximum 500
[FW_A-resource-class-r1] quit

      # Create virtual system vsysa.

      [FW_A] vsys name vsysa
[FW_A-vsys-vsysa] assign interface GigabitEthernet 1/0/2
[FW_A-vsys-vsysa] assign resource-class r1
[FW_A-vsys-vsysa] quit

    3. In the root system, configure parameters of interface GE1/0/1 and virtual interface Virtual-if0.

      # Configure interface GE1/0/1.

      [FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet 1/0/1] ip address 1.1.1.1 255.255.255.0
[FW_A-GigabitEthernet 1/0/1] quit

      # Configure virtual interface Virtual-if0.

      [FW_A] interface Virtual-if0
[FW_A-Virtual-if0] ip address 172.16.0.1 255.255.255.0
[FW_A-Virtual-if0] quit

    4. Add the interfaces to the corresponding security zones in the root system.

      # Add virtual interface Virtual-if0 to the Trust zone.

      [FW_A] firewall zone trust
[FW_A-zone-trust] add interface Virtual-if0
[FW_A-zone-trust] quit

      # Add GE1/0/1 to the Untrust zone.

      [FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[FW_A-zone-untrust] quit

    5. In the root system, configure a default route destined for the Internet. Assume that the next-hop IP address of FW_A is 1.1.1.2.

      [FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

    6. Configure interzone security policies in the root system.

      # Configure a security policy for the access between the Trust zone and the Untrust zone, and allow intranet users to access the Internet.

      [FW_A] security-policy
[FW_A-policy-security] rule name to_internet
[FW_A-policy-security-rule-sec_policy_1] source-zone trust
[FW_A-policy-security-rule-sec_policy_1] destination-zone untrust
[FW_A-policy-security-rule-sec_policy_1] action permit
[FW_A-policy-security-rule-sec_policy_1] quit

      You can configure strict security policies for IP addresses of intranet users. Therefore, when configuring security policies in the root system, you do not need to specify the address range.

      # Configure the security policy for the access between the Local zone and the Untrust zone, and allow FW_A to establish an IPSec tunnel with the peer device.

      [FW_A-policy-security] rule name sec_policy_1
[FW_A-policy-security-rule-sec_policy_3] source-zone local
[FW_A-policy-security-rule-sec_policy_3] destination-zone untrust
[FW_A-policy-security-rule-sec_policy_3] source-address 1.1.1.1 mask 255.255.255.255
[FW_A-policy-security-rule-sec_policy_3] action permit
[FW_A-policy-security-rule-sec_policy_3] quit

      # Configure the security policy for the access between the Untrust zone and the Local zone, and allow the peer device to establish an IPSec tunnel with FW_A.

      [FW_A-policy-security] rule name sec_policy_2
[FW_A-policy-security-rule-sec_policy_4] source-zone untrust
[FW_A-policy-security-rule-sec_policy_4] destination-zone local
[FW_A-policy-security-rule-sec_policy_4] destination-address 1.1.1.1 mask 255.255.255.255
[FW_A-policy-security-rule-sec_policy_4] action permit
[FW_A-policy-security-rule-sec_policy_4] quit
[FW_A-policy-security] quit

      The Local-Untrust interzone policy controls whether IKE negotiation packets can pass through the FW. This policy can use the source and destination addresses, protocol, or port as the matching condition. In this example, the source and destination addresses are used as the matching condition. To use the protocol or port as the matching condition, you need to enable ESP, port 500 for UDP (port 4500 also in NAT traversal scenarios) and port 1701 for UDP.

    7. In vsysa, configure parameters of interface GE1/0/2 and virtual interface Virtual-if1.

      # Configure interface GE1/0/2.

      [FW_A] switch vsys vsysa
<FW_A-vsysa> system-view
[FW_A-vsysa] interface GigabitEthernet 1/0/2
[FW_A-vsysa-GigabitEthernet 1/0/2] ip address 10.1.0.1 255.255.255.0
[FW_A-vsysa-GigabitEthernet 1/0/2] quit

      # Configure virtual interface Virtual-if1.

      [FW_A-vsysa] interface Virtual-if1
[FW_A-vsysa-Virtual-if1] ip address 172.16.1.1 255.255.255.0
[FW_A-vsysa-Virtual-if1] quit

    8. Add the interfaces to the corresponding security zones in vsysa.

      # Add GE1/0/2 to the Trust zone.

      [FW_A-vsysa] firewall zone trust
[FW_A-vsysa-zone-trust] add interface GigabitEthernet 1/0/2
[FW_A-vsysa-zone-trust] quit

      # Add virtual interface Virtual-if1 to the Untrust zone.

      [FW_A-vsysa] firewall zone untrust
[FW_A-vsysa-zone-untrust] add interface Virtual-if1
[FW_A-vsysa-zone-untrust] quit

    9. Configure routes in vsysa to guide Internet access traffic from employees in vsysa to the root system.

      In this example, the network topology and routing configuration are simplified. If vsysa only needs to communicate with the Internet, set Destination Address/Mask to 0.0.0.0 0.0.0.0. That is, all packets are sent to the root system. In practice, for accurate routing information, Destination Address/Mask should be set to a specific Internet address range that the intranet users are allowed to access. Incorrect routing configurations may interrupt the communications of the private networks connected to vsysa.

      [FW_A-vsysa] ip route-static 0.0.0.0 0.0.0.0 public

    10. Configure an interzone security policy in vsysa.

      # Configure an interzone security policy for the access between the Trust zone and the Untrust zone, and allow users in network A to access resources of LCA Client 1.

      [FW_A-vsysa] security-policy
[FW_A-vsysa-policy-security] rule name sec_policy_1
[FW_A-vsysa-policy-security-rule-sec_policy_1] source-zone trust
[FW_A-vsysa-policy-security-rule-sec_policy_1] destination-zone untrust
[FW_A-vsysa-policy-security-rule-sec_policy_1] source-address 10.1.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_1] destination-address range 100.1.1.2 100.1.1.100
[FW_A-vsysa-policy-security-rule-sec_policy_1] action permit
[FW_A-vsysa-policy-security-rule-sec_policy_1] quit

      # Configure an interzone security policy for the access between the Untrust zone and the Trust zone, and allow LCA Client 1 to access resources of network A.

      [FW_A-vsysa-policy-security] rule name sec_policy_2
[FW_A-vsysa-policy-security-rule-sec_policy_2] source-zone untrust
[FW_A-vsysa-policy-security-rule-sec_policy_2] destination-zone trust
[FW_A-vsysa-policy-security-rule-sec_policy_2] source-address range 100.1.1.2 100.1.1.100
[FW_A-vsysa-policy-security-rule-sec_policy_2] destination-address 10.1.0.0 mask 255.255.255.0
[FW_A-vsysa-policy-security-rule-sec_policy_2] action permit
[FW_A-vsysa-policy-security-rule-sec_policy_2] quit
[FW_A-vsysa-policy-security] quit

    11. In the root system, configure the L2TP access user and authentication policy.

      1. Return to the root system.
        [FW_A-vsysa] return
<FW_A> system-view
      2. Configure the user address pool.
        [FW_A] ip pool pool1
[FW_A-pool-pool1] section 0 100.1.1.2 100.1.1.100
[FW_A-pool-pool1] quit
      3. Configure an authentication scheme.
        [FW_A] aaa
[FW_A-aaa] authentication-scheme scheme0
[FW_A-aaa-authen-scheme0] authentication-mode local
[FW_A-aaa-authen-scheme0] quit
      4. Configure a service scheme for access users.
        [FW_A-aaa] service-scheme l2tp
[FW_A-aaa-service-l2tp] ip-pool pool1
[FW_A-aaa-service-l2tp] quit
      5. Configure an authentication domain and reference the authentication scheme and the service scheme for access users.
        [FW_A-aaa] domain network_vsysa
[FW_A-aaa-domain-network_vsysa] service-type l2tp
[FW_A-aaa-domain-network_vsysa] authentication-scheme scheme0
[FW_A-aaa-domain-network_vsysa] service-scheme l2tp
[FW_A-aaa-domain-network_vsysa] reference user current-domain
[FW_A-aaa-domain-network_vsysa] quit
[FW_A-aaa] quit
      6. Configure an access user.
        [FW_A] user-manage user user0001 domain network_vsysa
[FW_A-localuser-user0001@network_vsysa] password Hello@123
[FW_A-localuser-user0001@network_vsysa] quit

    12. Configure L2TP in the root system.

      1. Enable the L2TP function.
        [FW_A] l2tp enable
      2. Configure a domain separator.

        Configure a suffix separator when the user name contains a domain name, so that the FW abstracts the user name using the suffix separator. For example, when you log in to the system as user@domain, the FW abstracts user as the user in the domain.

        [FW_A] l2tp domain suffix-separator @
      3. Configure virtual interface template Virtual-Template 1 and add it to the Untrust zone.

        The IP address of the virtual-template interface cannot overlap the address pool or replicate the IP addresses of other interfaces. You can set any IP address except the mentioned ones.

        [FW_A] interface Virtual-Template 1
[FW_A-Virtual-Template1] ppp authentication-mode chap pap
[FW_A-Virtual-Template1] remote service-scheme l2tp
[FW_A-Virtual-Template1] ip address 100.1.1.1 255.255.255.255
[FW_A-Virtual-Template1] quit
        [FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface Virtual-Template 1
[FW_A-zone-untrust] quit
      4. Create an L2TP group, bind the virtual interface template, and disable tunnel verification.

        Because the LAC Client uses deliver-attached L2TP client to dial up, it does not support tunnel verification. Therefore, you need to disable tunnel verification on the FW.

        Because the peer tunnel name cannot be set, use default L2TP group default-lns.

        [FW_A] l2tp-group default-lns
[FW_A-l2tp-default-lns] allow l2tp virtual-template 1 domain network_vsysa
[FW_A-l2tp-default-lns] undo tunnel authentication
[FW_A-l2tp-default-lns] quit

    13. In the root system, configure an IPSec policy and apply it to the interface.

      1. Configure the IPSec security proposal.
        [FW_A] ipsec proposal tran1
[FW_A-ipsec-proposal-tran1] encapsulation-mode auto
[FW_A-ipsec-proposal-tran1] esp authentication-algorithm sha1
[FW_A-ipsec-proposal-tran1] esp encryption-algorithm 3des
[FW_A-ipsec-proposal-tran1] quit
      2. Configure an IKE proposal.
        [FW_A] ike proposal 1
[FW_A-ike-proposal-1] encryption-algorithm 3des
[FW_A-ike-proposal-1] authentication-algorithm sha1
[FW_A-ike-proposal-1] authentication-method pre-share
[FW_A-ike-proposal-1] integrity-algorithm hmac-sha1-96
[FW_A-ike-proposal-1] prf hmac-sha1
[FW_A-ike-proposal-1] dh group2
[FW_A-ike-proposal-1] quit
      3. Create an IKE user table, enter the IKE user table view, and configure user vsysa.
        [FW_A] ike user-table 1
[FW_A-ike-user-table-1] user l2tp_over_ipsec_vsysa
[FW_A-ike-user-table-1-l2tp_over_ipsec_vsysa] pre-shared-key Admin@123
[FW_A-ike-user-table-1-l2tp_over_ipsec_vsysa] vpn-instance-traffic name vsysa
[FW_A-ike-user-table-1-l2tp_over_ipsec_vsysa] quit
[FW_A-ike-user-table-1] quit
      4. Configure an IKE peer.
        [FW_A] ike peer a
[FW_A-ike-peer-a] ike-proposal 1
[FW_A-ike-peer-a] local-id 1.1.1.1
[FW_A-ike-peer-a] user-table 1
[FW_A-ike-peer-a] quit
      5. Create an IPSec policy template and enter the policy template view.
        [FW_A] ipsec policy-template template1 1
[FW_A-ipsec-policy-template-template1-1] ike-peer a
[FW_A-ipsec-policy-template-template1-1] proposal tran1
[FW_A-ipsec-policy-template-template1-1] quit
      6. Reference the policy template in the IPSec policy.
        [FW_A] ipsec policy ipsec1 1 isakmp template template1
      7. Apply IPsec policy group ipsec1 to interface GigabitEthernet 1/0/1.
        [FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet 1/0/1] ipsec policy ipsec1
[FW_A-GigabitEthernet 1/0/1] quit

  • Configure routes for an internal server of network A.

    The internal server of network A can communicate with LAC Client 1 only when a route destined to the user address pool is configured. The next-hop address of the route must destine for the intranet interface address of vsysa.

  • Configure VPN connection parameters for LAC Client 1.
    1. View the IPSec service state and ensure that the IPSec service is enabled.

      1. In Start > Run, run the services.msc command, and click OK. The Services page is displayed.
      2. In the Name column, ensure that IPsec Policy Agent is in the Started state. If IPsec Policy Agent is not in the Started state, right-click IPsec Policy Agent and select Properties. Set Startup type to Automatic and click Apply. Then, select Start in Service type.
      3. Close the Services page.

    2. Create an L2TP over IPSec connection.

    3. After configuration, use software of LAC Client 1 to dial up. The dialing is successful.

Verification

  1. Use software of LAC Client 1 to dial up. The dialing is successful.
  2. On LAC Client 1, an address in network segment 100.1.1.2/24-100.1.1.100/24 is allocated, and LAC Client 1 can successfully access intranet server resources of vsysa.
  3. After a VPN user goes online, run the display l2tp tunnel command in the root system of FW_A. The tunnel is successfully established.
    <FW_A> display l2tp tunnel
 Total tunnel = 1                                                               
 LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName                 
 1        1         3.3.3.3          1701   1        -
  4. In the root system of FW_A, run the display l2tp session command. The session connection is successfully established.
    <FW_A> display l2tp session
L2TP::Total Session: 1

  LocalSID  RemoteSID  LocalTID   RemoteTID  UserID  UserName    VpnInstance
 ------------------------------------------------------------------------------
  1         2688       1          11800      30629   user0001                  
 ------------------------------------------------------------------------------
  Total 1, 1 printed
  5. In the root system of FW_A, run the display ike sa and display ipsec sa brief commands. The IKE and IPSec tunnels are successfully established.
    <FW_A> display ike sa      
                                                                                
Ike sa information :                                                            
    Conn-ID       Peer            VPN            Flag(s)                Phase
  ------------------------------------------------------------------------------
    16777239      3.3.3.3                        RD|ST|A                v2:2
    16777232      3.3.3.3                        RD|ST|A                v2:1
                                                                                
  Number of SA entries  : 2                                                     
                                                                                
  Number of SA entries of all cpu : 2                                           
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

    <FW_A> display ipsec sa biref      
Current ipsec sa num:2

Spu board slot 1, cpu 0 ipsec sa information:                                   
Number of SAs:2                                                   
Src Address     Dst Address     SPI         VPN   Protocol  Algorithm                  
------------------------------------------------------------------------------  
3.3.3.3         1.1.1.1         1826317110        ESP       E:3DES A:SHA1-96       
1.1.1.1         3.3.3.3         209587142         ESP       E:3DES A:SHA1-96

Configuration Scripts

The configuration script of FW_A root system is as follows:

#
sysname FW_A
#
 l2tp enable
 l2tp domain suffix-separator @
#
vsys enable
#
resource-class r1
 resource-item-limit ipsec-tunnel reserved-number 10 maximum 500 
#
vsys name vsysa 1
 assign interface GigabitEthernet 1/0/2
 assign resource-class r1
#
vsys name vsysb 2
 assign interface GigabitEthernet1/0/3
 assign resource-class r1
#
ipsec proposal tran1
 encapsulation-mode auto
 esp authentication-algorithm sha1 
 esp encryption-algorithm 3des 
#
ike proposal 1
 encryption-algorithm 3des 
 dh group2 
 authentication-algorithm sha1 
 authentication-method pre-share
 integrity-algorithm hmac-sha1-96 
 prf hmac-sha1 
#
ike user-table 1
 user l2tp_over_ipsec_vsysa
  pre-shared-key %^%#KdY"Ac_06J"\KzUi_Bl>5zI}Gse+~>zba6#8q%xU%^%#
  vpn-instance-traffic name vsysa
 user l2tp_over_ipsec_vsysb
  pre-shared-key %^%#zWlRJ$]-I3o7!2+0]uA:C<%<2e3L:$V|\tS(.+9)%^%#
  vpn-instance-traffic name vsysb
#
ike peer a
 ike-proposal 1
 local-id 1.1.1.1
 user-table 1
#
ipsec policy-template template1 1
 ike-peer a
 proposal tran1
#
ipsec policy ipsec1 1 isakmp template template1
#
ip pool pool1
 section 0 100.1.1.2 100.1.1.100
#
aaa
 service-scheme l2tp
  ip-pool pool1
 domain network_vsysa
  authentication-scheme scheme0
  service-scheme l2tp
  service-type l2tp
  internet-access mode password
  reference user current-domain
 domain network_vsysb
  authentication-scheme scheme0
  service-scheme l2tp
  service-type l2tp
  internet-access mode password
  reference user current-domain
#
interface Virtual-Template1
 ppp authentication-mode chap pap
 remote service-scheme l2tp
 ip address 100.1.1.1 255.255.255.255
#
interface GigabitEthernet 1/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec policy ipsec1
#
interface GigabitEthernet 1/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if0
 ip address 172.16.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface Virtual-if0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
 add interface Virtual-Template1
#
l2tp-group default-lns
 undo tunnel authentication
 allow l2tp virtual-template 1 domain network_vsysa
 allow l2tp virtual-template 1 domain network_vsysb
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name to_internet
  source-zone trust
  action permit
 rule name sec_policy_1
  source-zone local
  destination-zone untrust
  source-address 1.1.1.1 mask 255.255.255.255
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.1 mask 255.255.255.255
  action permit
#
return

The following user/group configuration is saved in the database and is not shown in the profile.
user-manage user user0001 domain network_vsysa
 password *********
user-manage user user0002 domain network_vsysb
 password *********

The configuration script of vsysa of the FW_A is as follows:

#
switch vsys vsysa 
#
interface GigabitEthernet 1/0/2
 ip binding vpn-instance vsysa
 ip address 10.1.0.1 255.255.255.0
#
interface Virtual-if1
 ip address 172.16.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/2
#
firewall zone untrust
 set priority 5
 add interface Virtual-if1
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.1.0.0 mask 255.255.255.0
  destination-address range 100.1.1.2 100.1.1.100
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address range 100.1.1.2 100.1.1.100
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return

The configuration script of vsysb of the FW_A is as follows:

#
switch vsys vsysb 
#
interface GigabitEthernet1/0/3
 ip binding vpn-instance vsysb
 ip address 10.2.0.1 255.255.255.0
#
interface Virtual-if2
 ip address 172.16.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface Virtual-if2
#
security-policy
 rule name sec_policy_1
  source-zone trust
  destination-zone untrust
  source-address 10.2.0.0 mask 255.255.255.0
  destination-address range 100.1.1.2 100.1.1.100
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone trust
  source-address range 100.2.1.2 100.1.1.100
  destination-address 10.1.0.0 mask 255.255.255.0
  action permit
#
ip route-static 0.0.0.0 0.0.0.0 public
#
return
Translation
简体中文
Download
Updated: 2023-09-12

Document ID: EDOC1000154805

Views: 266584

Downloads: 5055

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :