Virtual Private Network (VPN) - Configuration Guide for Connecting an H3C SecPath Firewall (V7) to Huawei Cloud: Customer-Side Device Topology and Basic Configuration Assumptions

Time: 2023-11-01 16:19:17

Customer-Side Device Topology and Basic Configuration Assumptions

  1. The customer-side basic network configuration is assumed to be as follows:
    • Internal interface: GigabitEthernet1/0/0, in zone Trust, interface IP 10.0.0.1/30.
    • Subnets to be carried over the encrypted tunnel: 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24, all in zone Trust.
    • External interface: GigabitEthernet1/0/1, in zone Untrust, interface IP 22.22.22.22/24.
    • Default route: destination 0.0.0.0/0, outbound interface GE1/0/1, next hop 22.22.22.1 (the gateway of GE1/0/1).
    • Security policy: Trust to Untrust, with source address, destination address and service all set to any; action pass.
    • NAT policy: source address is the internal subnets, destination address is any, action Easy IP (translate the source to the outbound interface IP). Because the destination is any, this rule on its own would also translate traffic bound for the cloud side; on Comware V7 the NAT policy is applied before IPsec encapsulation, so the tunnel configuration must exempt tunnel-bound traffic from this rule.
  2. The corresponding basic configuration commands are shown below (the three static routes point the encrypted subnets at the downstream device 10.0.0.2 behind GE1/0/0; a stray token in the route commands has been removed so that each command matches the Comware V7 syntax ip route-static dest mask interface next-hop):
    interface GigabitEthernet1/0/0
     ip address 10.0.0.1 255.255.255.252
    #
    interface GigabitEthernet1/0/1
     ip address 22.22.22.22 255.255.255.0
    #
    ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 22.22.22.1
    ip route-static 172.16.10.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
    ip route-static 172.16.20.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
    ip route-static 172.16.30.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
    #
    security-zone name Trust
     import interface GigabitEthernet1/0/0
    #
    security-zone name Untrust
     import interface GigabitEthernet1/0/1
    #
    security-policy ip
     rule 0 name Policy-Internet
      action pass
      logging enable
      counting enable
      source-zone Trust
      destination-zone Untrust
    #
    object-group ip address Customer-subnet172.16.10.0/24
     0 network subnet 172.16.10.0 255.255.255.0
    #
    object-group ip address Customer-subnet172.16.20.0/24
     0 network subnet 172.16.20.0 255.255.255.0
    #
    object-group ip address Customer-subnet172.16.30.0/24
     0 network subnet 172.16.30.0 255.255.255.0
    #
    nat policy
     rule name Snat_Internet
      source-ip Customer-subnet172.16.10.0/24
      source-ip Customer-subnet172.16.20.0/24
      source-ip Customer-subnet172.16.30.0/24
      outbound-interface GigabitEthernet1/0/1
      action easy-ip port-preserved
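Before the tunnel is configured on top of this base, it is worth checking that every subnet that will be encrypted is routed through the Trust interface, covered by an object group, and referenced by the SNAT rule, and that the SNAT rule has no destination restriction (which is what makes the tunnel exemption necessary later). The script below is an added example, not code from Huawei Cloud or H3C: it parses a Comware V7 style listing by tracking the current CLI view, then runs those checks. SAMPLE_CONFIG is constructed from the listing above (the interface blocks are omitted because they are not checked); the function names, the zone names in TRUST_ZONE/UNTRUST_ZONE and the finding texts are my own.

```python
"""Offline pre-flight check for an H3C Comware V7 base configuration (added example, not vendor code)."""
import ipaddress
import re

# Constructed from the page's listing; interface blocks left out since they are not checked.
SAMPLE_CONFIG = """\
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 22.22.22.1
ip route-static 172.16.10.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
ip route-static 172.16.20.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
ip route-static 172.16.30.0 255.255.255.0 GigabitEthernet1/0/0 10.0.0.2
#
security-zone name Trust
 import interface GigabitEthernet1/0/0
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
object-group ip address Customer-subnet172.16.10.0/24
 0 network subnet 172.16.10.0 255.255.255.0
#
object-group ip address Customer-subnet172.16.20.0/24
 0 network subnet 172.16.20.0 255.255.255.0
#
object-group ip address Customer-subnet172.16.30.0/24
 0 network subnet 172.16.30.0 255.255.255.0
#
nat policy
 rule name Snat_Internet
  source-ip Customer-subnet172.16.10.0/24
  source-ip Customer-subnet172.16.20.0/24
  source-ip Customer-subnet172.16.30.0/24
  outbound-interface GigabitEthernet1/0/1
  action easy-ip port-preserved
"""

ENCRYPTED_SUBNETS = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]
TRUST_ZONE, UNTRUST_ZONE = "Trust", "Untrust"   # zone names assumed from the page


def parse_config(text):
    """Walk the listing line by line, tracking the current CLI view ('#' closes it)."""
    cfg = {"routes": [], "zones": {}, "groups": {}, "nat_rules": {}}
    view = name = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "#":
            view = None
        elif (m := re.match(r"ip route-static (\S+) (\S+) (\S+) (\S+)$", line)):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)  # accepts dotted mask or length
            cfg["routes"].append({"net": str(net), "iface": m[3], "next_hop": m[4]})
        elif (m := re.match(r"security-zone name (\S+)$", line)):
            view, name = "zone", m[1]
            cfg["zones"].setdefault(name, [])
        elif (m := re.match(r"object-group ip address (\S+)$", line)):
            view, name = "group", m[1]
        elif line == "nat policy":
            view = "nat"
        elif view == "zone" and line.startswith("import interface "):
            cfg["zones"][name].append(line.split()[-1])
        elif view == "group" and (m := re.match(r"\d+ network subnet (\S+) (\S+)$", line)):
            cfg["groups"][name] = str(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif view == "nat":
            kw, _, rest = line.partition(" ")
            if kw == "rule":                      # "rule name <name>" opens a NAT rule
                name = rest.split()[-1]
                cfg["nat_rules"][name] = {"source_ip": [], "destination_ip": [], "outbound": None, "action": None}
            elif kw in ("source-ip", "destination-ip"):
                cfg["nat_rules"][name][kw.replace("-", "_")].append(rest)
            elif kw == "outbound-interface":
                cfg["nat_rules"][name]["outbound"] = rest
            elif kw == "action":
                cfg["nat_rules"][name]["action"] = rest
    return cfg


def check_base_config(text, encrypted_subnets=ENCRYPTED_SUBNETS):
    """Return (ok, findings); ok is False when an encrypted subnet is not routed, grouped and NATed."""
    cfg = parse_config(text)
    findings = []
    trust = set(cfg["zones"].get(TRUST_ZONE, []))
    untrust = set(cfg["zones"].get(UNTRUST_ZONE, []))
    routes = {r["net"]: r for r in cfg["routes"]}
    group_of = {net: g for g, net in cfg["groups"].items()}
    snat_groups = {g for r in cfg["nat_rules"].values() for g in r["source_ip"]}
    for subnet in encrypted_subnets:
        route, group = routes.get(subnet), group_of.get(subnet)
        if route is None:
            findings.append(f"{subnet}: no static route, cloud-to-customer replies would follow the default route")
        elif route["iface"] not in trust:
            findings.append(f"{subnet}: routed via {route['iface']}, which is not in zone {TRUST_ZONE}")
        if group is None:
            findings.append(f"{subnet}: no object-group covers it")
        elif group not in snat_groups:
            findings.append(f"{subnet}: object-group {group} is not a source-ip of any NAT rule")
    ok = not findings
    for rname, rule in cfg["nat_rules"].items():
        if rule["outbound"] not in untrust:
            ok = False
            findings.append(f"NAT rule {rname}: outbound-interface {rule['outbound']} is not in zone {UNTRUST_ZONE}")
        if not rule["destination_ip"]:
            # Warning, not a failure: Comware applies the NAT policy before IPsec encapsulation, so with
            # destination any the tunnel configuration must exempt cloud-bound traffic from this rule.
            findings.append(f"NAT rule {rname}: no destination-ip restriction, tunnel-bound traffic is translated too unless exempted")
    return ok, findings


if __name__ == "__main__":
    ok, findings = check_base_config(SAMPLE_CONFIG)
    print("OK" if ok else "FAIL")
    for f in findings:
        print(" -", f)
```

On the listing above the check passes and reports only the destination-any warning for Snat_Internet; deleting one of the 172.16.x.0 routes or one of the source-ip lines turns the result into a failure naming the subnet, which is the kind of mistake that otherwise only shows up as asymmetric tunnel traffic after the VPN is brought up.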
support.huaweicloud.com/admin-vpn/vpn_admin_0003.html