HQ FW Configuration
=====================
config system interface
edit "port1"
set mode static
set ip 172.16.200.1 255.255.255.0
set allowaccess http https ping
set alias WAN
next
edit "port2"
set ip 10.1.100.10 255.255.255.0
set allowaccess ping https http
set alias LAN
next
end
!
config router static
edit 1
set gateway 172.16.200.2
set device "port1"
set dst 0.0.0.0 0.0.0.0
next
end
Configure the IPsec phase1-interface.
=====================================
!
config vpn ipsec phase1-interface
edit "TO_BRANCH"
set interface "port1"
set peertype any
set proposal des-md5 des-sha1
set remote-gw 172.16.202.1
set psksecret Sample
next
end
Configure the IPsec phase2-interface.
=====================================
config vpn ipsec phase2-interface
edit "TO_BRANCH"
set phase1name "TO_BRANCH"
set proposal des-md5
set auto-negotiate enable
next
end
Static route for subnet reachability
====================================
config router static
edit 2
set dst 172.16.101.0 255.255.255.0
set device "TO_BRANCH"
next
edit 3
set dst 172.16.101.0 255.255.255.0
set blackhole enable
set distance 254
next
end
Add objects
===========
!
config firewall address
edit 172.16.101.0
set subnet 172.16.101.0/24
end
!
config firewall address
edit 10.1.100.0
set subnet 10.1.100.0/24
end
Policy
======
config firewall policy
edit 1
set name "internet"
set srcintf "any"
set dstintf "any"
set srcaddr "any"
set dstaddr "any"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "inbound"
set srcintf "TO_BRANCH"
set dstintf "port2"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set name "outbound"
set srcintf "port2"
set dstintf "TO_BRANCH"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
end
Branch FW Configuration
=======================
config system interface
edit "port1"
set mode static
set ip 172.16.202.1 255.255.255.0
set allowaccess http https ping
set alias WAN
next
end
config system interface
edit "port2"
set ip 172.16.101.10 255.255.255.0
set allowaccess ping
set alias LAN
next
end
!
config router static
edit 1
set gateway 172.16.202.2
set device "port1"
set dst 0.0.0.0 0.0.0.0
next
end
IPsec VPN Config
================
Configure the IPsec phase1-interface.
=====================================
config vpn ipsec phase1-interface
edit "TO_HQ"
set interface "port1"
set peertype any
set proposal des-md5 des-sha1
set remote-gw 172.16.200.1
set psksecret Sample
next
end
Configure the IPsec phase2-interface.
=====================================
config vpn ipsec phase2-interface
edit "TO_HQ"
set phase1name "TO_HQ"
set proposal des-md5
set auto-negotiate enable
next
end
Static route for subnet
=======================
config router static
edit 2
set dst 10.1.100.0 255.255.255.0
set device "TO_HQ"
next
edit 3
set dst 10.1.100.0 255.255.255.0
set blackhole enable
set distance 254
next
end
Add objects
===========
!
config firewall address
edit 172.16.101.0
set subnet 172.16.101.0/24
end
!
config firewall address
edit 10.1.100.0
set subnet 10.1.100.0/24
end
Policy
======
config firewall policy
edit 1
set name "internet"
set srcintf "any"
set dstintf "any"
set srcaddr "any"
set dstaddr "any"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "inbound"
set srcintf "TO_HQ"
set dstintf "port2"
set srcaddr "10.1.100.0"
set dstaddr "172.16.101.0"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set name "outbound"
set srcintf "port2"
set dstintf "TO_HQ"
set srcaddr "172.16.101.0"
set dstaddr "10.1.100.0"
set action accept
set schedule "always"
set service "ALL"
next
end
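Added here as a check over the two configurations above (example code, not part of the original page and not a FortiOS tool): a small Python linter that parses a flat FortiOS CLI dump and flags what a reviewer would flag on this page, the legacy des-md5 / des-sha1 proposals in both phase1 and phase2, and the `internet` policy that accepts any interface, any address and service ALL. The embedded excerpt is constructed from the HQ phase1 and policy 1 blocks shown above; `parse_fortios` and `audit` are names chosen for this example.

```python
# Constructed excerpt of the HQ FortiOS configuration on this page (phase1 and policy 1 only).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
edit "TO_BRANCH"
set proposal des-md5 des-sha1
next
end
config firewall policy
edit 1
set srcintf "any"
set dstintf "any"
set srcaddr "any"
set dstaddr "any"
set action accept
set service "ALL"
next
end
"""

def parse_fortios(text):
    """Map (section, entry) -> {key: value} from a flat FortiOS CLI dump."""
    entries, section, entry, attrs = {}, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("edit "):
            entry, attrs = line[5:].strip('"'), {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            attrs[key] = value.replace('"', "")
        elif line in ("next", "end") and entry is not None:
            entries[(section, entry)] = attrs  # 'end' without 'next' also closes the entry
            entry = None
    return entries

def audit(entries):
    """Flag DES/MD5/SHA1 IPsec proposals and any/any accept policies with service ALL."""
    findings = []
    for (section, name), attrs in entries.items():
        if section.startswith("vpn ipsec phase"):
            weak = [p for p in attrs.get("proposal", "").split()
                    if p.startswith(("des-", "3des-")) or p.endswith(("-md5", "-sha1"))]
            if weak:
                findings.append((section, name, "weak proposal: " + " ".join(weak)))
        elif section == "firewall policy" and attrs.get("action") == "accept" and attrs.get("service") == "ALL":
            if all(attrs.get(k) == "any" for k in ("srcintf", "dstintf", "srcaddr", "dstaddr")):
                findings.append((section, name, "any/any accept policy with service ALL"))
    return findings
```

Feed it a full `show` dump from either firewall above and it reports both the HQ and Branch tunnels, since the same proposal string and the same `internet` policy appear on each side.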