Firewall example: configuring a GRE tunnel over static routes

FW1 and FW2 are connected across the Internet and their public addresses are mutually reachable. 10.1.1.0/24 and 10.1.2.0/24 are two private IP network segments; a GRE tunnel built between the two FWs interconnects these two private networks.


Lab plan

| Device | Configuration item | Details |
|---|---|---|
| FW1 | Interface configuration | GigabitEthernet 1/0/1: ip 1.1.1.1/24, security zone untrust [untrusted zone] |
| FW1 | Interface configuration | GigabitEthernet 1/0/2: ip 10.1.1.1/24, security zone trust [trusted zone] |
| FW1 | GRE configuration | Tunnel 1: ip 172.16.1.1/24, source address 1.1.1.1/24, destination address 5.5.5.5/24, security zone dmz [demilitarized zone], tunnel key 123456 |
| FW2 | Interface configuration | GigabitEthernet 1/0/1: ip 5.5.5.5/24, security zone untrust [untrusted zone] |
| FW2 | Interface configuration | GigabitEthernet 1/0/2: ip 10.1.2.1/24, security zone trust [trusted zone] |
| FW2 | GRE configuration | Tunnel 1: ip 172.16.1.2/24, source address 5.5.5.5/24, destination address 1.1.1.1/24, security zone dmz [demilitarized zone], tunnel key 123456 |

Configure FW1

# Configure interface IP addresses and security zones
[FW1]interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1]ip address 1.1.1.1 24
[FW1-GigabitEthernet1/0/1]quit
[FW1]interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2]ip address 10.1.1.1 24
[FW1-GigabitEthernet1/0/2]quit
# Assign the interfaces to security zones
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]quit
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]quit
# Configure the tunnel encapsulation, its IP address and its security zone
[FW1]interface Tunnel 1
[FW1-Tunnel1]tunnel-protocol gre
[FW1-Tunnel1]source 1.1.1.1
[FW1-Tunnel1]destination 5.5.5.5
[FW1-Tunnel1]gre key cipher 123456
[FW1-Tunnel1]ip address 172.16.1.1 24
[FW1-Tunnel1]quit
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface Tunnel 1
[FW1-zone-dmz]quit
# Configure a route that steers the traffic to be carried over the GRE tunnel into the tunnel
[FW1]ip route-static 10.1.2.0 24 Tunnel 1
# Configure inter-zone security policies
# Trust-DMZ inter-zone policy: permit the packets before encapsulation
[FW1]security-policy
[FW1-policy-security]rule name policy1
[FW1-policy-security-rule-policy1]source-zone trust dmz
[FW1-policy-security-rule-policy1]destination-zone dmz trust
[FW1-policy-security-rule-policy1]action permit
[FW1-policy-security-rule-policy1]quit
[FW1-policy-security]quit
# Local-Untrust inter-zone policy: permit the encapsulated GRE packets
[FW1]security-policy
[FW1-policy-security]rule name policy2
[FW1-policy-security-rule-policy2]source-zone local untrust
[FW1-policy-security-rule-policy2]destination-zone untrust local
[FW1-policy-security-rule-policy2]service gre
[FW1-policy-security-rule-policy2]action permit
[FW1-policy-security-rule-policy2]quit
[FW1-policy-security]quit
# Configure the route to 10.1.2.0 with next hop 172.16.1.2
[FW1]ip route-static 10.1.2.0 24 172.16.1.2

Configure FW2

# Configure interface IP addresses and security zones
[FW2]interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1]ip address 5.5.5.5 24
[FW2-GigabitEthernet1/0/1]quit
[FW2]interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2]ip address 10.1.2.1 24
[FW2-GigabitEthernet1/0/2]quit
# Assign the interfaces to security zones
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface GigabitEthernet 1/0/1
[FW2-zone-untrust]quit
[FW2]firewall zone trust
[FW2-zone-trust]add interface GigabitEthernet 1/0/2
[FW2-zone-trust]quit
# Configure the tunnel encapsulation, its IP address and its security zone
[FW2]interface Tunnel 1
[FW2-Tunnel1]tunnel-protocol gre
[FW2-Tunnel1]source 5.5.5.5
[FW2-Tunnel1]destination 1.1.1.1
[FW2-Tunnel1]gre key cipher 123456
[FW2-Tunnel1]ip address 172.16.1.2 24
[FW2-Tunnel1]quit
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface Tunnel 1
[FW2-zone-dmz]quit
# Configure a route that steers the traffic to be carried over the GRE tunnel into the tunnel
[FW2]ip route-static 10.1.1.0 24 Tunnel 1
# Configure inter-zone security policies
# Trust-DMZ inter-zone policy: permit the packets before encapsulation
[FW2]security-policy
[FW2-policy-security]rule name policy1
[FW2-policy-security-rule-policy1]source-zone trust dmz
[FW2-policy-security-rule-policy1]destination-zone dmz trust
[FW2-policy-security-rule-policy1]action permit
[FW2-policy-security-rule-policy1]quit
[FW2-policy-security]quit
# Local-Untrust inter-zone policy: permit the encapsulated GRE packets
[FW2]security-policy
[FW2-policy-security]rule name policy2
[FW2-policy-security-rule-policy2]source-zone local untrust
[FW2-policy-security-rule-policy2]destination-zone untrust local
[FW2-policy-security-rule-policy2]service gre
[FW2-policy-security-rule-policy2]action permit
[FW2-policy-security-rule-policy2]quit
[FW2-policy-security]quit
# Configure the route to 10.1.1.0 with next hop 172.16.1.1
[FW2]ip route-static 10.1.1.0 24 172.16.1.1
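To make concrete what `tunnel-protocol gre` with `gre key cipher 123456` does on the wire, here is an added Python example (not part of the original post and not Huawei code): it builds the GRE-over-IPv4 packet FW1 sends once policy1 has permitted the inner packet, and applies the receive-side check FW2 performs, which discards packets whose endpoints or key do not match. The sample hosts 10.1.1.10 and 10.1.2.10 and the ICMP payload are constructed assumptions.

```python
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header (matches "service gre")
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
GRE_C_FLAG = 0x8000       # C bit: optional checksum word present
GRE_K_FLAG = 0x2000       # K bit: optional 32-bit key word present (RFC 2890)

def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    a = lambda ip: bytes(int(x) for x in ip.split("."))
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, a(src), a(dst))
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]

def gre_encapsulate(inner: bytes, tun_src: str, tun_dst: str, key: int) -> bytes:
    # Sending FW: outer IPv4 (proto 47) + GRE header with K bit and key + untouched inner packet
    gre = struct.pack("!HHI", GRE_K_FLAG, ETHERTYPE_IPV4, key)
    return ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(pkt: bytes, local: str, peer: str, expected_key: int):
    # Receiving FW: return the inner packet, or None when the tunnel would discard it
    ihl = (pkt[0] & 0x0F) * 4
    dotted = lambda b: ".".join(str(x) for x in b)
    if pkt[9] != GRE_PROTO or ip_checksum(pkt[:ihl]) != 0:
        return None                                   # not GRE, or corrupted outer header
    if (dotted(pkt[12:16]), dotted(pkt[16:20])) != (peer, local):
        return None                                   # outer addresses do not match source/destination
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    off = ihl + 4
    if flags & GRE_C_FLAG:
        off += 4                                      # skip the checksum/reserved1 word
    key = None
    if flags & GRE_K_FLAG:
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if key != expected_key or ptype != ETHERTYPE_IPV4:
        return None                                   # key mismatch: packet is silently dropped
    return pkt[off:]

def inner_addresses(inner: bytes):
    # The inner header is not encrypted: anyone on the Internet path can read it
    return ".".join(str(x) for x in inner[12:16]), ".".join(str(x) for x in inner[16:20])

# Constructed sample: a host in 10.1.1.0/24 sends an 8-byte ICMP echo to a host in 10.1.2.0/24
INNER = ipv4_header("10.1.1.10", "10.1.2.10", 1, 8) + b"\x08\x00\xf7\xff\x00\x00\x00\x00"
TUNNEL_PKT = gre_encapsulate(INNER, "1.1.1.1", "5.5.5.5", 123456)
```

The key only identifies the tunnel; it provides no confidentiality or integrity, and `cipher` in `gre key cipher` merely means the key is stored encrypted in the configuration file, so protecting the inner traffic requires IPsec on top of GRE.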

Configure the Internet router

[Huawei]sysname Internet
[Internet]interface GigabitEthernet 0/0/1
[Internet-GigabitEthernet0/0/1]ip address 1.1.1.254 24
[Internet-GigabitEthernet0/0/1]quit
[Internet]interface GigabitEthernet 0/0/2
[Internet-GigabitEthernet0/0/2]ip address 5.5.5.254 24
[Internet-GigabitEthernet0/0/2]quit

Verification

# On FW1 the routing table shows Tunnel 1 as the outgoing interface for 10.1.2.0:
# one static entry via the out-interface and one relayed (R) entry via next hop 172.16.1.2.
# The default route via 1.1.1.254 shown below is not among the commands listed above,
# but the tunnel endpoints need it to reach each other's public addresses.
[FW1]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10        Routes : 11

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   1.1.1.254       GigabitEthernet1/0/1
        1.1.1.0/24  Direct  0    0           D   1.1.1.1         GigabitEthernet1/0/1
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/1
       10.1.1.0/24  Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/2
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/2
       10.1.2.0/24  Static  60   0           D   172.16.1.1      Tunnel1
                    Static  60   0          RD   172.16.1.2      Tunnel1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  Direct  0    0           D   172.16.1.1      Tunnel1
     172.16.1.1/32  Direct  0    0           D   127.0.0.1       Tunnel1
