
Huawei Firewall Enterprise Dual Egress Firewall Load Configuration Example
Sep 23, 2022

Case Study: Huawei Enterprise dual firewall


Project Requirement:

The company's internal network has two egress paths. FW1 and FW2 are deployed as an enterprise dual-egress firewall pair, the internal network runs OSPF with the firewalls, and the two egress links are used in load-sharing mode: VLAN 10 exits through AR1 and VLAN 20 exits through AR2.

Topology as follows:

Topology figure: Huawei-Enterprise.png

Related Devices:

Firewall: USG6000 Series
Router: AR2200 Series
Switch: S5700 Series


SW3 Configuration:

1、Create VLANs

vlan batch 10 13 20 23

2、Configure interfaces

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 stp edged-port enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
 stp edged-port enable
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 13
 stp edged-port enable
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 23
 stp edged-port enable

3、Configure IP addresses and DHCP

dhcp enable
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 192.168.10.200 192.168.10.254
 dhcp server dns-list 114.114.114.114
#
interface Vlanif13
 ip address 13.0.0.3 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
 dhcp select interface
 dhcp server excluded-ip-address 192.168.20.200 192.168.20.254
 dhcp server dns-list 114.114.114.114
#
interface Vlanif23
 ip address 23.0.0.3 255.255.255.0

4、Configure OSPF (the network 3.3.3.3 statement assumes a loopback with that address, which is not shown on this page; 3.3.3.3 is also the destination probed by the firewalls' IP-Link below)

ospf 10 router-id 3.3.3.3
 area 0.0.0.0
  network 192.168.10.1 0.0.0.0
  network 13.0.0.3 0.0.0.0
  network 192.168.20.1 0.0.0.0
  network 23.0.0.3 0.0.0.0
  network 3.3.3.3 0.0.0.0

 

FW1 Configuration

1、Configure interface IP addresses

interface Eth-Trunk12
 ip address 10.1.12.1 255.255.255.0
 trunkport gigabitethernet 1/0/5 1/0/6
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.11.1 255.255.255.0
 gateway 100.1.11.254
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.12.1 255.255.255.0
 gateway 100.1.12.254
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 13.0.0.1 255.255.255.0
 service-manage ping permit
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255

2、Assign interfaces to security zones

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk12

3、Enable IP-Link and configure the link probes

ip-link check enable
ip-link name isp1
 destination 3.3.3.3 interface GigabitEthernet1/0/0 mode icmp next-hop 100.1.11.254
ip-link name isp2
 destination 3.3.3.3 interface GigabitEthernet1/0/1 mode icmp next-hop 100.1.12.254

 

4、Configure the default route to AR1 and bind it to IP-Link isp1. The route stays active while the probe succeeds; when the probe fails the route is withdrawn and traffic switches to the other link.

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.11.254 track ip-link isp1

5、Configure the security policy. The internet rule permits every service from trust to untrust; the inside rule permits only ICMP and OSPF between the trust, dmz and local zones, which is what the OSPF adjacency and the reachability tests need.

security-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name inside
  source-zone dmz
  source-zone local
  source-zone trust
  destination-zone dmz
  destination-zone local
  destination-zone trust
  service icmp
  service ospf
  action permit
#

6、Configure OSPF

ospf 10 router-id 1.1.1.1
 default-route-advertise
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 13.0.0.1 0.0.0.0

7、Configure the NAT policy

nat-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#

8、Configure PBR to redirect VLAN 20 traffic to AR2 for load sharing and bind it to IP-Link isp2. The redirection is active while the probe succeeds; when the probe fails it is disabled and VLAN 20 traffic follows the default route over the other link. The address set vlan20 referenced below is not defined on this page; it must exist and contain the VLAN 20 subnet (192.168.20.0/24 in the SW3 configuration).

policy-based-route
 rule name toisp2 1
  source-zone trust
  source-address address-set vlan20
  track ip-link isp2
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 100.1.12.254
#

9、Configure VRRP on the egress interfaces, with virtual IP addresses 100.1.11.3 and 100.1.12.3

interface GigabitEthernet1/0/0
 vrrp vrid 1 virtual-ip 100.1.11.3 active
#
interface GigabitEthernet1/0/1
 vrrp vrid 2 virtual-ip 100.1.12.3 standby

10、Enable HRP so that the two firewalls synchronize their session tables

hrp enable
hrp interface Eth-Trunk12 remote 10.1.12.2
hrp mirror session enable

 

 

FW2 Configuration

1、Configure interface IP addresses

interface Eth-Trunk12
 ip address 10.1.12.2 255.255.255.0
 trunkport gigabitethernet 1/0/5 1/0/6
 service-manage ping permit
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.1.11.2 255.255.255.0
 gateway 100.1.11.254
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 100.1.12.2 255.255.255.0
 gateway 100.1.12.254
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 23.0.0.2 255.255.255.0
 service-manage ping permit
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255

2、Assign interfaces to security zones

firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface Eth-Trunk12

3、Enable IP-Link and configure the link probes

ip-link check enable
ip-link name isp1
 destination 3.3.3.3 interface GigabitEthernet1/0/0 mode icmp next-hop 100.1.11.254
ip-link name isp2
 destination 3.3.3.3 interface GigabitEthernet1/0/1 mode icmp next-hop 100.1.12.254

 

4、Configure the default route to AR1 and bind it to IP-Link isp1. The route stays active while the probe succeeds; when the probe fails the route is withdrawn and traffic switches to the other link.

ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/0 100.1.11.254 track ip-link isp1

5、Configure the security policy

security-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name inside
  source-zone dmz
  source-zone local
  source-zone trust
  destination-zone dmz
  destination-zone local
  destination-zone trust
  service icmp
  service ospf
  action permit
#

6、Configure OSPF

ospf 10 router-id 2.2.2.2
 default-route-advertise
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 23.0.0.2 0.0.0.0

7、Configure the NAT policy

nat-policy
 rule name internet
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#

8、Configure PBR to redirect VLAN 20 traffic to AR2 for load sharing and bind it to IP-Link isp2. The redirection is active while the probe succeeds; when the probe fails it is disabled and VLAN 20 traffic follows the default route over the other link. As on FW1, the address set vlan20 must be defined beforehand and contain 192.168.20.0/24.

policy-based-route
 rule name toisp2 1
  source-zone trust
  source-address address-set vlan20
  track ip-link isp2
  action pbr egress-interface GigabitEthernet1/0/1 next-hop 100.1.12.254
#

9、Configure VRRP on the egress interfaces, with virtual IP addresses 100.1.11.3 and 100.1.12.3 (roles are the mirror image of FW1: FW2 is active for vrid 2 and standby for vrid 1)

interface GigabitEthernet1/0/0
 vrrp vrid 1 virtual-ip 100.1.11.3 standby
#
interface GigabitEthernet1/0/1
 vrrp vrid 2 virtual-ip 100.1.12.3 active

10、Enable HRP so that the two firewalls synchronize their session tables

hrp enable
hrp interface Eth-Trunk12 remote 10.1.12.1
hrp mirror session enable
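As an added consistency check (not part of the original configuration), the following Python script parses the HA-relevant lines of both firewalls, verifies that each firewall's hrp remote address is the peer's own heartbeat interface address, and verifies that every VRRP group carries the same virtual IP on both firewalls with exactly one active and one standby member. The embedded configuration excerpts are constructed from the FW1 and FW2 sections above; a mismatched hrp remote (for example a firewall pointing at its own Eth-Trunk12 address) is reported as a finding.

```python
import re
# Constructed excerpts of the FW1 and FW2 configurations above (HA-relevant lines only).
FW1 = """\
interface Eth-Trunk12
 ip address 10.1.12.1 255.255.255.0
interface GigabitEthernet1/0/0
 vrrp vrid 1 virtual-ip 100.1.11.3 active
interface GigabitEthernet1/0/1
 vrrp vrid 2 virtual-ip 100.1.12.3 standby
hrp interface Eth-Trunk12 remote 10.1.12.2
"""
FW2 = """\
interface Eth-Trunk12
 ip address 10.1.12.2 255.255.255.0
interface GigabitEthernet1/0/0
 vrrp vrid 1 virtual-ip 100.1.11.3 standby
interface GigabitEthernet1/0/1
 vrrp vrid 2 virtual-ip 100.1.12.3 active
hrp interface Eth-Trunk12 remote 10.1.12.1
"""

def parse(cfg):
    """Return (interface IPs, HRP heartbeat interface, HRP remote IP, {vrid: (vip, role)})."""
    ips, vrrp, hrp_if, hrp_remote, cur = {}, {}, None, None, None
    for s in (l.strip() for l in cfg.splitlines()):
        if s.startswith("interface "):
            cur = s.split()[1]                       # interface view we are inside
        elif m := re.match(r"ip address (\S+) \S+$", s):
            ips[cur] = m.group(1)
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$", s):
            vrrp[int(m.group(1))] = (m.group(2), m.group(3))
        elif m := re.match(r"hrp interface (\S+) remote (\S+)$", s):
            hrp_if, hrp_remote = m.group(1), m.group(2)
    return ips, hrp_if, hrp_remote, vrrp

def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the HA pair is consistent."""
    a, b, findings = parse(cfg_a), parse(cfg_b), []
    for name, me, peer in (("FW1", a, b), ("FW2", b, a)):
        peer_hb = peer[0].get(peer[1])              # peer's own heartbeat interface address
        if me[2] != peer_hb:
            findings.append(f"{name}: hrp remote {me[2]} != peer heartbeat address {peer_hb}")
    for vrid in sorted(set(a[3]) | set(b[3])):      # every VRRP group seen on either firewall
        va, vb = a[3].get(vrid), b[3].get(vrid)
        if va is None or vb is None or va[0] != vb[0]:
            findings.append(f"vrid {vrid}: virtual IP missing on one firewall or different")
        elif {va[1], vb[1]} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: roles {va[1]}/{vb[1]} are not one active and one standby")
    return findings
```

check_pair(FW1, FW2) returns an empty list for the configurations on this page; feed it the two devices' display current-configuration output to re-run the check after changes.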

 

Dual firewall L2TP over IPsec configuration

Configure as follows:

Configuration figure: Configuration-Example.png

FW1

The interface and zone configuration is the same as in the dual-egress section above and is not repeated here.

1、Configure the heartbeat and session table synchronization

hrp interface Eth-Trunk12 remote 10.1.12.2
hrp mirror session enable
hrp enable

2、Configure the security policy

Allow the tunnel traffic. Note that the untrust_local rule permits every service from untrust to the local address 10.1.1.3; restricting it to the IKE and ESP services the tunnel actually needs is the tighter choice.

 rule name untrust_local
  source-zone untrust
  destination-zone local
  destination-address 10.1.1.3 mask 255.255.255.255
  action permit
 rule name VPN
  source-zone untrust
  destination-zone trust
  destination-address address-set neiwang
  action permit

 

3、Configure the admin user

Created in the web UI.

4、Configure L2TP over IPsec

Define the traffic to be encrypted (L2TP, UDP source port 1701):

acl number 3000
 rule 5 permit udp source-port eq 1701

Configure the IPsec proposal:

ipsec proposal prop25815354029
 encapsulation-mode auto
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256

Configure the IKE proposal:

ike proposal 1
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256

Configure the IKE peer (the pre-shared key is shown in the encrypted form the device displays):

ike peer ike258153540293
 exchange-mode auto
 pre-shared-key %^%#vHz}X2hmkWAE[x.+(R9OUK8fG-~)):#E$<0jc!r9%^%#
 ike-proposal 1
 remote-id-type none
 dpd type periodic
 ike negotiate compatible

Configure the IPsec policy template:

ipsec policy-template tpl258153540293 1
 security acl 3000
 ike-peer ike258153540293
 proposal prop25815354029
 tunnel local 10.1.1.3
 alias zon
 sa duration traffic-based 10485760
 sa duration time-based 3600
 scenario point-to-multi-point l2tp-user-access

Reference the template in an IPsec policy:

ipsec policy ipsec2581535397 10000 isakmp template tpl258153540293

 

Configure the VPN address pool:

ip pool server
 section 0 172.16.10.10 172.16.10.100
 excluded-ip-address 172.16.10.10
 dns-list 114.114.114.114

Configure L2TP:

l2tp-group default-lns
 allow l2tp virtual-template 0
#
interface Virtual-Template0
 ppp authentication-mode chap pap
 remote service-scheme l2tpScheme_1661412940479
 ip address 172.16.10.10 255.255.255.255
 alias L2TP_LNS_0
 undo service-manage enable

5、Apply the IPsec policy on the interface

interface GigabitEthernet1/0/0
 ipsec policy ipsec2581535397

FW2

1、Configure the heartbeat and session table synchronization (the remote address is FW1's Eth-Trunk12 address, 10.1.12.1, as in the dual-egress section above; the original listing mistakenly repeated FW2's own address here)

hrp interface Eth-Trunk12 remote 10.1.12.1
hrp mirror session enable
hrp enable

2、The security zone and L2TP over IPsec configuration is synchronized from FW1 over the heartbeat link and is not repeated here.

