配置IP地址
[FW4-GigabitEthernet1/0/1]ip add 40.1.1.1 24
[FW4-GigabitEthernet1/0/0]ip add 10.1.1.1 24
[FW5-GigabitEthernet1/0/1]ip add 40.1.1.2 24
[FW5-GigabitEthernet1/0/0]ip add 10.1.2.2 24
将接口加入相关区域
[FW4]firewall zone trust
[FW4-zone-trust]add interface GigabitEthernet 1/0/0
[FW4]firewall zone untrust
[FW4-zone-untrust]add interface GigabitEthernet 1/0/1
[FW4]firewall zone dmz
[FW4-zone-dmz]add interface Tunnel 1
[FW5]firewall zone trust
[FW5-zone-trust]add interface GigabitEthernet1/0/0
[FW5]firewall zone untrust
[FW5-zone-untrust]add interface GigabitEthernet 1/0/1
[FW5]firewall zone dmz
[FW5-zone-dmz]add interface Tunnel 1
放行相关服务
[FW4-GigabitEthernet1/0/1]service-manage ping permit
[FW4-GigabitEthernet1/0/0]service-manage ping permit
[FW5-GigabitEthernet1/0/1]service-manage ping permit
[FW5-GigabitEthernet1/0/0]service-manage ping permit
配置GRE隧道接口
[FW4]int Tunnel 1
[FW4-Tunnel1]ip add 172.16.2.1 30
[FW4-Tunnel1]tunnel-protocol gre
[FW4-Tunnel1]source 40.1.1.1
[FW4-Tunnel1]destination 40.1.1.2
[FW5]interface Tunnel 1
[FW5-Tunnel1]ip add 172.16.2.2 30
[FW5-Tunnel1]tunnel-protocol gre
[FW5-Tunnel1]source 40.1.1.2
[FW5-Tunnel1]destination 40.1.1.1
配置到对端的路由
[FW4]ip route-static 10.1.2.0 24 Tunnel 1
[FW5]ip route-static 10.1.1.0 24 Tunnel 1
配置安全策略
[FW4]security-policy
[FW4-policy-security]rule name gre1 //允许网段互访
[FW4-policy-security-rule-gre1]source-zone trust
[FW4-policy-security-rule-gre1]destination-zone dmz
[FW4-policy-security-rule-gre1]source-address 10.1.1.0 24
[FW4-policy-security-rule-gre1]destination-address 10.1.2.0 24
[FW4-policy-security-rule-gre1]action permit
[FW4-policy-security-rule-gre]rule name gre2
[FW4-policy-security-rule-gre2]source-zone dmz
[FW4-policy-security-rule-gre2]destination-zone trust
[FW4-policy-security-rule-gre2]source-address 10.1.2.0 24
[FW4-policy-security-rule-gre2]destination-address 10.1.1.0 24
[FW4-policy-security-rule-gre2]action permit
[FW4-policy-security]rule name gre3 //放行封装后的gre报文
[FW4-policy-security-rule-gre3]source-zone
[FW4-policy-security-rule-gre3]source-zone local untrust
[FW4-policy-security-rule-gre3]destination-zone local untrust
[FW4-policy-security-rule-gre3]service gre
[FW4-policy-security-rule-gre3]action permit
[FW5]security-policy
[FW5-policy-security]rule name gre1
[FW5-policy-security-rule-gre1]source-zone trust
[FW5-policy-security-rule-gre1]destination-zone dmz
[FW5-policy-security-rule-gre1]source-address 10.1.2.0 24
[FW5-policy-security-rule-gre1]destination-address 10.1.1.0 24
[FW5-policy-security-rule-gre1]action permit
[FW5-policy-security]rule name gre2
[FW5-policy-security-rule-gre2]source-zone dmz
[FW5-policy-security-rule-gre2]destination-zone trust
[FW5-policy-security-rule-gre2]source-address 10.1.1.0 24
[FW5-policy-security-rule-gre2]destination-address 10.1.2.0 24
[FW5-policy-security-rule-gre2]action permit
[FW5-policy-security]rule name gre3
[FW5-policy-security-rule-gre3]source-zone local untrust
[FW5-policy-security-rule-gre3]destination-zone local untrust
[FW5-policy-security-rule-gre3]service gre
[FW5-policy-security-rule-gre3]action permit
验证
PC1 ping server1时在FW4的G1/0/1口抓包