1. FW1 configuration
Add each interface to its security zone
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/4
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/3
[FW1-GigabitEthernet1/0/1]service-manage ping permit
Configure the VRRP backup groups and add them to the VGMP management group in the Active state
[FW1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.2.3 24 active
[FW1-GigabitEthernet1/0/4]vrrp vrid 1 virtual-ip 2.2.2.1 24 active
Specify the heartbeat interface
[FW1]hrp interface g1/0/3 remote 30.1.1.2
Configure the forwarding policy between the trust and untrust zones
[FW1]security-policy
[FW1-policy-security]rule name policy_sec
[FW1-policy-security-rule-policy_sec]source-zone trust
[FW1-policy-security-rule-policy_sec]destination-zone untrust
[FW1-policy-security-rule-policy_sec]action permit
Enable HRP
[FW1]hrp enable
2. FW2 configuration
Add each interface to its security zone
[FW2]firewall zone trust
[FW2-zone-trust]add interface g1/0/1
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface g1/0/4
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface g1/0/3
[FW2-GigabitEthernet1/0/1]service-manage ping permit
Configure the VRRP backup groups and add them to the VGMP management group in the standby state
[FW2-GigabitEthernet1/0/4]vrrp vrid 1 virtual-ip 2.2.2.1 24 standby
[FW2-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.2.3 24 standby
Specify the heartbeat interface
[FW2]hrp interface g1/0/3 remote 30.1.1.1
Configure the forwarding policy between the trust and untrust zones
[FW2]security-policy
[FW2-policy-security]rule name policy_sec
[FW2-policy-security-rule-policy_sec]source-zone trust
[FW2-policy-security-rule-policy_sec]destination-zone untrust
[FW2-policy-security-rule-policy_sec]action permit
Enable HRP backup
[FW2]hrp enable
3. Configure the NAT policy (easy-ip); this only needs to be done on the active device, HRP synchronizes it to the standby
HRP_M[FW1]nat-policy
HRP_M[FW1-policy-nat]rule name to_internet
HRP_M[FW1-policy-nat-rule-to_internet]destination-zone untrust
HRP_M[FW1-policy-nat-rule-to_internet]source-zone trust
HRP_M[FW1-policy-nat-rule-to_internet]action source-nat easy-ip
4. Verify the configuration
Check the current HRP state
Have PC1 ping the virtual address 10.1.2.3 and check the firewall session table
Have PC1 ping PC2 and check the session table on both firewalls; a session carrying the remote flag on the standby device shows that dual-system hot standby is working
Shut down interfaces G1/0/1 and G1/0/4 on FW1 and check the session table again to confirm that the sessions survive the switchover
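Before enabling HRP on the two devices, the command sequences above can be checked offline for the mistakes that most often break a hot-standby pair: a VRRP group missing on one device, a virtual IP or mask that differs, both devices claiming the same role for a vrid, mixed roles on one device (which splits the VGMP group state), or a heartbeat interface that also carries a VRRP group. The following Python script is an added example, not part of this guide or of any Huawei tooling; it parses the bracketed CLI prompts and commands exactly as they are written above (the sample input is a constructed copy of the FW1 and FW2 sequences) and reports inconsistencies between the pair. It assumes the `[name-view]command` prompt format and the `g`/`GigabitEthernet` interface abbreviations used on this page and does not replace the on-box checks in step 4.

```python
import re

# Constructed sample input: the FW1 and FW2 command sequences from this guide.
FW1_CONFIG = """\
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/1
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g1/0/4
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/3
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.2.3 24 active
[FW1-GigabitEthernet1/0/4]vrrp vrid 1 virtual-ip 2.2.2.1 24 active
[FW1]hrp interface g1/0/3 remote 30.1.1.2
[FW1]hrp enable
"""

FW2_CONFIG = """\
[FW2]firewall zone trust
[FW2-zone-trust]add interface g1/0/1
[FW2]firewall zone untrust
[FW2-zone-untrust]add interface g1/0/4
[FW2]firewall zone dmz
[FW2-zone-dmz]add interface g1/0/3
[FW2-GigabitEthernet1/0/1]service-manage ping permit
[FW2-GigabitEthernet1/0/4]vrrp vrid 1 virtual-ip 2.2.2.1 24 standby
[FW2-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.2.3 24 standby
[FW2]hrp interface g1/0/3 remote 30.1.1.1
[FW2]hrp enable
"""

# Prompt: optional HRP_M/HRP_S prefix, "[device]" or "[device-view]", then the command.
PROMPT_RE = re.compile(r"^(?:HRP_[MS])?\[([^\]-]+)(?:-([^\]]+))?\](.*)$")
IFACE_RE = re.compile(r"^(?:g|gigabitethernet)\s*([\d/]+)$", re.IGNORECASE)
VRRP_RE = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+) (\d+) (active|standby)$")
HRP_IF_RE = re.compile(r"^hrp interface (\S+(?: [\d/]+)?) remote (\S+)$")


def norm_iface(name):
    """Map 'g1/0/4', 'GigabitEthernet 1/0/4' and 'GigabitEthernet1/0/4' to one form."""
    m = IFACE_RE.match(name.strip())
    return f"GigabitEthernet{m.group(1)}" if m else name.strip()


def parse_config(text):
    """Extract the HRP-relevant facts from a sequence of prompt+command lines."""
    cfg = {"name": None, "zone_of": {}, "vrrp": {},
           "hrp_iface": None, "hrp_remote": None, "hrp_enabled": False}
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m:
            continue
        name, ctx, cmd = m.group(1), m.group(2), m.group(3).strip()
        cfg["name"] = name
        if cmd.startswith("add int") and ctx and ctx.startswith("zone-"):
            # "add interface X" / "add int X" issued inside a zone view
            cfg["zone_of"][norm_iface(cmd.split(None, 2)[2])] = ctx[len("zone-"):]
        elif (v := VRRP_RE.match(cmd)):
            cfg["vrrp"][int(v.group(1))] = {"iface": norm_iface(ctx), "vip": v.group(2),
                                            "mask": v.group(3), "role": v.group(4)}
        elif (h := HRP_IF_RE.match(cmd)):
            cfg["hrp_iface"], cfg["hrp_remote"] = norm_iface(h.group(1)), h.group(2)
        elif cmd == "hrp enable":
            cfg["hrp_enabled"] = True
    return cfg


def check_hrp_pair(a, b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for cfg in (a, b):
        if not cfg["hrp_enabled"]:
            findings.append(f"{cfg['name']}: hrp enable missing")
        if cfg["hrp_remote"] is None:
            findings.append(f"{cfg['name']}: heartbeat interface not configured")
        elif cfg["hrp_iface"] in {g["iface"] for g in cfg["vrrp"].values()}:
            findings.append(f"{cfg['name']}: heartbeat interface {cfg['hrp_iface']} also carries a VRRP group")
        # every backup group on one device must share a role, or the VGMP group state is split
        roles = {g["role"] for g in cfg["vrrp"].values()}
        if len(roles) > 1:
            findings.append(f"{cfg['name']}: mixed VRRP roles {sorted(roles)}")
    if a["hrp_remote"] and a["hrp_remote"] == b["hrp_remote"]:
        findings.append("both devices point hrp remote at the same address")
    if a["zone_of"] != b["zone_of"]:
        findings.append("interface-to-zone mapping differs between the two devices")
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        ga, gb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if ga is None or gb is None:
            findings.append(f"vrid {vrid}: configured on only one device")
            continue
        if (ga["iface"], ga["vip"], ga["mask"]) != (gb["iface"], gb["vip"], gb["mask"]):
            findings.append(f"vrid {vrid}: interface, virtual-ip or mask differ")
        if {ga["role"], gb["role"]} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: roles are {ga['role']}/{gb['role']}, expected one active and one standby")
    return findings


if __name__ == "__main__":
    for line in check_hrp_pair(parse_config(FW1_CONFIG), parse_config(FW2_CONFIG)) or ["pair is consistent"]:
        print(line)
```

Run it against the configs of this guide and it prints nothing but "pair is consistent"; change the vrid 2 role on FW2 to active and it reports both the active/active clash on vrid 2 and the mixed roles on FW2. The security-policy and NAT rules are deliberately not parsed, since the NAT policy is only entered on the active device and is synchronized by HRP.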