This example describes how to configure the default gateway on hosts on a small IPv4 network and how to configure the default route and static routes on the FW.
Figure 1 shows the IP address and mask of each FW interface and host. Static routes must be configured so that any two hosts can reach each other.
| Item | Interface | IP address | Security zone |
|---|---|---|---|
| FW_A | GigabitEthernet 0/0/1 | 10.1.5.1/24 | Trust |
| FW_A | GigabitEthernet 0/0/2 | 10.1.1.1/24 | Untrust |
| FW_B | GigabitEthernet 0/0/1 | 10.1.5.2/24 | Untrust |
| FW_B | GigabitEthernet 0/0/2 | 10.1.4.5/30 | Trust |
| FW_B | GigabitEthernet 0/0/3 | 10.1.2.1/24 | DMZ |
| FW_C | GigabitEthernet 0/0/1 | 10.1.4.6/30 | Trust |
| FW_C | GigabitEthernet 0/0/2 | 10.1.3.1/24 | Untrust |
Perform the following procedures to configure IPv4 static routes:
# Configure IP addresses for the interfaces and assign the interfaces to security zones.
```
<FW_A> system-view
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 10.1.5.1 255.255.255.0
[FW_A-GigabitEthernet0/0/1] quit
[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ip address 10.1.1.1 255.255.255.0
[FW_A-GigabitEthernet0/0/2] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/1
[FW_A-zone-trust] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/2
[FW_A-zone-untrust] quit
```
# Configure security policies from FW_A to FW_B and FW_C.
```
[FW_A] security-policy
[FW_A-security-policy] rule name sec_policy_1
[FW_A-security-policy-sec_policy_1] source-address 10.1.1.0 mask 255.255.255.0
[FW_A-security-policy-sec_policy_1] destination-address 10.1.2.0 mask 255.255.255.0
[FW_A-security-policy-sec_policy_1] destination-address 10.1.3.0 mask 255.255.255.0
[FW_A-security-policy-sec_policy_1] source-zone untrust
[FW_A-security-policy-sec_policy_1] destination-zone trust
[FW_A-security-policy-sec_policy_1] action permit
[FW_A-security-policy-sec_policy_1] quit
[FW_A-security-policy] rule name sec_policy_2
[FW_A-security-policy-sec_policy_2] source-address 10.1.2.0 mask 255.255.255.0
[FW_A-security-policy-sec_policy_2] source-address 10.1.3.0 mask 255.255.255.0
[FW_A-security-policy-sec_policy_2] destination-address 10.1.1.0 mask 255.255.255.0
[FW_A-security-policy-sec_policy_2] source-zone trust
[FW_A-security-policy-sec_policy_2] destination-zone untrust
[FW_A-security-policy-sec_policy_2] action permit
[FW_A-security-policy-sec_policy_2] quit
[FW_A-security-policy] quit
```
# Configure the default route.
```
[FW_A] ip route-static 0.0.0.0 0.0.0.0 10.1.5.2
```
# Configure IP addresses for the interfaces and assign the interfaces to security zones.
```
<FW_B> system-view
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 10.1.5.2 255.255.255.0
[FW_B-GigabitEthernet0/0/1] quit
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ip address 10.1.4.5 255.255.255.252
[FW_B-GigabitEthernet0/0/2] quit
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] ip address 10.1.2.1 255.255.255.0
[FW_B-GigabitEthernet0/0/3] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/2
[FW_B-zone-trust] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 0/0/3
[FW_B-zone-dmz] quit
```
# Configure security policies from FW_B to FW_A and FW_C.
```
[FW_B] security-policy
[FW_B-security-policy] rule name sec_policy_1
[FW_B-security-policy-sec_policy_1] source-address 10.1.2.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_1] destination-address 10.1.1.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_1] source-zone dmz
[FW_B-security-policy-sec_policy_1] destination-zone untrust
[FW_B-security-policy-sec_policy_1] action permit
[FW_B-security-policy-sec_policy_1] quit
[FW_B-security-policy] rule name sec_policy_2
[FW_B-security-policy-sec_policy_2] source-address 10.1.1.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_2] destination-address 10.1.2.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_2] source-zone untrust
[FW_B-security-policy-sec_policy_2] destination-zone dmz
[FW_B-security-policy-sec_policy_2] action permit
[FW_B-security-policy-sec_policy_2] quit
[FW_B-security-policy] rule name sec_policy_3
[FW_B-security-policy-sec_policy_3] source-address 10.1.2.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_3] destination-address 10.1.3.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_3] source-zone dmz
[FW_B-security-policy-sec_policy_3] destination-zone trust
[FW_B-security-policy-sec_policy_3] action permit
[FW_B-security-policy-sec_policy_3] quit
[FW_B-security-policy] rule name sec_policy_4
[FW_B-security-policy-sec_policy_4] source-address 10.1.3.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_4] destination-address 10.1.2.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_4] source-zone trust
[FW_B-security-policy-sec_policy_4] destination-zone dmz
[FW_B-security-policy-sec_policy_4] action permit
[FW_B-security-policy-sec_policy_4] quit
[FW_B-security-policy] rule name sec_policy_5
[FW_B-security-policy-sec_policy_5] source-address 10.1.1.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_5] destination-address 10.1.3.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_5] source-zone untrust
[FW_B-security-policy-sec_policy_5] destination-zone trust
[FW_B-security-policy-sec_policy_5] action permit
[FW_B-security-policy-sec_policy_5] quit
[FW_B-security-policy] rule name sec_policy_6
[FW_B-security-policy-sec_policy_6] source-address 10.1.3.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_6] destination-address 10.1.1.0 mask 255.255.255.0
[FW_B-security-policy-sec_policy_6] source-zone trust
[FW_B-security-policy-sec_policy_6] destination-zone untrust
[FW_B-security-policy-sec_policy_6] action permit
[FW_B-security-policy-sec_policy_6] quit
[FW_B-security-policy] quit
```
# Configure two static routes on FW_B: one to the PC1 network via FW_A and one to the PC3 network via FW_C. FW_B has no default route, so every remote network it must reach needs an explicit entry.
```
[FW_B] ip route-static 10.1.1.0 255.255.255.0 10.1.5.1
[FW_B] ip route-static 10.1.3.0 255.255.255.0 10.1.4.6
```
# Configure IP addresses for the interfaces and assign the interfaces to security zones.
```
<FW_C> system-view
[FW_C] interface GigabitEthernet 0/0/1
[FW_C-GigabitEthernet0/0/1] ip address 10.1.4.6 255.255.255.252
[FW_C-GigabitEthernet0/0/1] quit
[FW_C] interface GigabitEthernet 0/0/2
[FW_C-GigabitEthernet0/0/2] ip address 10.1.3.1 255.255.255.0
[FW_C-GigabitEthernet0/0/2] quit
[FW_C] firewall zone trust
[FW_C-zone-trust] add interface GigabitEthernet 0/0/1
[FW_C-zone-trust] quit
[FW_C] firewall zone untrust
[FW_C-zone-untrust] add interface GigabitEthernet 0/0/2
[FW_C-zone-untrust] quit
```
# Configure security policies from FW_C to FW_A and FW_B.
```
[FW_C] security-policy
[FW_C-security-policy] rule name sec_policy_1
[FW_C-security-policy-sec_policy_1] source-address 10.1.3.0 mask 255.255.255.0
[FW_C-security-policy-sec_policy_1] destination-address 10.1.1.0 mask 255.255.255.0
[FW_C-security-policy-sec_policy_1] destination-address 10.1.2.0 mask 255.255.255.0
[FW_C-security-policy-sec_policy_1] source-zone untrust
[FW_C-security-policy-sec_policy_1] destination-zone trust
[FW_C-security-policy-sec_policy_1] action permit
[FW_C-security-policy-sec_policy_1] quit
[FW_C-security-policy] rule name sec_policy_2
[FW_C-security-policy-sec_policy_2] source-address 10.1.1.0 mask 255.255.255.0
[FW_C-security-policy-sec_policy_2] source-address 10.1.2.0 mask 255.255.255.0
[FW_C-security-policy-sec_policy_2] destination-address 10.1.3.0 mask 255.255.255.0
[FW_C-security-policy-sec_policy_2] source-zone trust
[FW_C-security-policy-sec_policy_2] destination-zone untrust
[FW_C-security-policy-sec_policy_2] action permit
[FW_C-security-policy-sec_policy_2] quit
[FW_C-security-policy] quit
```
# Configure the default route.
```
[FW_C] ip route-static 0.0.0.0 0.0.0.0 10.1.4.5
```
Configure the default gateways of hosts PC1, PC2, and PC3 as 10.1.1.1, 10.1.2.1, and 10.1.3.1 respectively. (The exact command depends on the host operating system and is not covered in this section.)
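The routes above only work because every firewall on a path holds a route for the destination and a permit rule for the source and destination zones, in both directions. The following Python script is an added example, not part of this documentation or of any Huawei tool: it loads the interfaces, static routes and security policies exactly as configured above, performs a longest-prefix-match lookup on each hop, checks the interzone policy, and walks a packet between every pair of hosts. Host addresses (10.1.1.10 and so on), the function names, and the assumption that traffic staying inside one zone is not policy-checked are this example's own.

```python
import ipaddress

# Directly connected interfaces from the page: device -> [(network, address, zone)]
INTERFACES = {
    "FW_A": [("10.1.5.0/24", "10.1.5.1", "trust"),
             ("10.1.1.0/24", "10.1.1.1", "untrust")],
    "FW_B": [("10.1.5.0/24", "10.1.5.2", "untrust"),
             ("10.1.4.4/30", "10.1.4.5", "trust"),
             ("10.1.2.0/24", "10.1.2.1", "dmz")],
    "FW_C": [("10.1.4.4/30", "10.1.4.6", "trust"),
             ("10.1.3.0/24", "10.1.3.1", "untrust")],
}

# Static routes exactly as configured on the page: device -> [(prefix, next hop)]
STATIC_ROUTES = {
    "FW_A": [("0.0.0.0/0", "10.1.5.2")],
    "FW_B": [("10.1.1.0/24", "10.1.5.1"), ("10.1.3.0/24", "10.1.4.6")],
    "FW_C": [("0.0.0.0/0", "10.1.4.5")],
}

# Permit rules from the page: device -> [(src zone, dst zone, src nets, dst nets)]
POLICIES = {
    "FW_A": [("untrust", "trust", ["10.1.1.0/24"], ["10.1.2.0/24", "10.1.3.0/24"]),
             ("trust", "untrust", ["10.1.2.0/24", "10.1.3.0/24"], ["10.1.1.0/24"])],
    "FW_B": [("dmz", "untrust", ["10.1.2.0/24"], ["10.1.1.0/24"]),
             ("untrust", "dmz", ["10.1.1.0/24"], ["10.1.2.0/24"]),
             ("dmz", "trust", ["10.1.2.0/24"], ["10.1.3.0/24"]),
             ("trust", "dmz", ["10.1.3.0/24"], ["10.1.2.0/24"]),
             ("untrust", "trust", ["10.1.1.0/24"], ["10.1.3.0/24"]),
             ("trust", "untrust", ["10.1.3.0/24"], ["10.1.1.0/24"])],
    "FW_C": [("untrust", "trust", ["10.1.3.0/24"], ["10.1.1.0/24", "10.1.2.0/24"]),
             ("trust", "untrust", ["10.1.1.0/24", "10.1.2.0/24"], ["10.1.3.0/24"])],
}

# Constructed host addresses (the page only gives the gateways): host -> (address, gateway)
HOSTS = {"PC1": ("10.1.1.10", "10.1.1.1"),
         "PC2": ("10.1.2.10", "10.1.2.1"),
         "PC3": ("10.1.3.10", "10.1.3.1")}


def owner_of(address):
    """Return (device, zone) of the firewall interface that holds this address."""
    for device, ifaces in INTERFACES.items():
        for _, addr, zone in ifaces:
            if addr == address:
                return device, zone
    raise ValueError(f"{address} is not a firewall interface")


def lookup(device, dst, static_routes):
    """Longest-prefix match over connected (pref 0) and static (pref 60) routes.
    Returns (next_hop, egress_zone); next_hop is None when dst is on-link."""
    dst = ipaddress.ip_address(dst)
    candidates = []
    for net, _, zone in INTERFACES[device]:
        network = ipaddress.ip_network(net)
        if dst in network:
            candidates.append((network.prefixlen, 0, None, zone))
    for prefix, next_hop in static_routes.get(device, []):
        network = ipaddress.ip_network(prefix)
        if dst in network:
            # The egress zone comes from the connected network holding the next hop.
            for net, _, zone in INTERFACES[device]:
                if ipaddress.ip_address(next_hop) in ipaddress.ip_network(net):
                    candidates.append((network.prefixlen, 60, next_hop, zone))
    if not candidates:
        return None
    # Longest prefix wins; on a tie the lower preference value (connected) wins.
    _, _, next_hop, zone = max(candidates, key=lambda c: (c[0], -c[1]))
    return next_hop, zone


def permits(device, in_zone, out_zone, src, dst):
    """True if an interzone permit rule covers the flow (intrazone assumed permitted)."""
    if in_zone == out_zone:
        return True
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((s_zone, d_zone) == (in_zone, out_zone)
               and any(src in ipaddress.ip_network(n) for n in s_nets)
               and any(dst in ipaddress.ip_network(n) for n in d_nets)
               for s_zone, d_zone, s_nets, d_nets in POLICIES[device])


def trace(src_host, dst_host, static_routes=STATIC_ROUTES, max_hops=8):
    """Walk a packet hop by hop; returns (firewall addresses reached, verdict)."""
    src_ip, gateway = HOSTS[src_host]
    dst_ip, _ = HOSTS[dst_host]
    hops, in_addr = [], gateway
    for _ in range(max_hops):
        device, in_zone = owner_of(in_addr)
        hops.append(in_addr)
        route = lookup(device, dst_ip, static_routes)
        if route is None:
            return hops, f"no route on {device}"
        next_hop, out_zone = route
        if not permits(device, in_zone, out_zone, src_ip, dst_ip):
            return hops, f"denied by {device} ({in_zone} -> {out_zone})"
        if next_hop is None:
            return hops, "delivered"
        in_addr = next_hop
    return hops, "loop"


def check_all(static_routes=STATIC_ROUTES):
    """Verdict for every ordered host pair: both directions must be delivered."""
    return {(a, b): trace(a, b, static_routes)[1]
            for a in HOSTS for b in HOSTS if a != b}


def without_route(device, prefix, static_routes=STATIC_ROUTES):
    """Copy of the static routes with one entry removed, to model a missing route."""
    table = {d: list(r) for d, r in static_routes.items()}
    table[device] = [r for r in table[device] if r[0] != prefix]
    return table


if __name__ == "__main__":
    print(trace("PC1", "PC3"))  # hops 10.1.5.2 and 10.1.4.6 match the page's tracert
    print(check_all())
    # Missing hub route: PC3 still reaches PC1, but PC1's packets die on FW_B.
    print(check_all(without_route("FW_B", "10.1.3.0/24")))
```

Running the script shows all six host pairs delivered, with the PC1 to PC3 path crossing 10.1.5.2 and 10.1.4.6 just as the tracert output later in this example does. Removing FW_B's route to 10.1.3.0/24 turns the PC1 to PC3 verdict into "no route on FW_B" while PC3 to PC1 still succeeds, which is the asymmetric failure a missing return route produces: ping from one side works, from the other it silently fails.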
# Display the IP routing table of FW_A.
```
<FW_A> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0           D   10.1.5.2        GigabitEthernet0/0/1
       10.1.1.0/24  Direct  0    0           D   10.1.1.1        GigabitEthernet0/0/2
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.5.0/24  Direct  0    0           D   10.1.5.1        GigabitEthernet0/0/1
       10.1.5.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
```
# Verify connectivity by using the ping command.
```
<FW_A> ping 10.1.3.1
  PING 10.1.3.1: 56  data bytes, press CTRL_C to break
    Reply from 10.1.3.1: bytes=56 Sequence=1 ttl=254 time=62 ms
    Reply from 10.1.3.1: bytes=56 Sequence=2 ttl=254 time=63 ms
    Reply from 10.1.3.1: bytes=56 Sequence=3 ttl=254 time=63 ms
    Reply from 10.1.3.1: bytes=56 Sequence=4 ttl=254 time=62 ms
    Reply from 10.1.3.1: bytes=56 Sequence=5 ttl=254 time=62 ms

  --- 10.1.3.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 62/62/63 ms
```
# Verify connectivity by using the tracert command.
```
<FW_A> tracert 10.1.3.1
 traceroute to  10.1.3.1(10.1.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
 1 10.1.5.2 31 ms  32 ms  31 ms
 2 10.1.4.6 62 ms  63 ms  62 ms
```
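Reading the routing table by eye is fine for three firewalls; in a larger deployment the same check is scripted so that a missing or changed static route is caught before users notice. The script below is an added example, not from this documentation or from any Huawei tool: it parses the text that `display ip routing-table` prints on FW_A (the sample is the output shown above), then audits it against the routes the procedure intends. The regular expression, the intent list and the function names are this example's own; a live check would feed the command output captured from the device in place of the embedded sample.

```python
import re

# Captured from the FW_A output on this page; a drift check would use live output.
FW_A_ROUTING_TABLE = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0           D   10.1.5.2        GigabitEthernet0/0/1
       10.1.1.0/24  Direct  0    0           D   10.1.1.1        GigabitEthernet0/0/2
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.5.0/24  Direct  0    0           D   10.1.5.1        GigabitEthernet0/0/1
       10.1.5.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
"""

# One route line: destination/mask, protocol, preference, cost, optional flags,
# next hop, interface. The flags column may be blank, hence the optional group.
ROUTE_LINE = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?:(?P<flags>[A-Z]+)\s+)?(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<iface>\S+)\s*$")


def parse_routing_table(text):
    """Map destination/mask -> route attributes; header and banner lines are skipped."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            routes[m["dest"]] = {"proto": m["proto"], "pre": int(m["pre"]),
                                 "cost": int(m["cost"]), "flags": m["flags"] or "",
                                 "nexthop": m["nexthop"], "iface": m["iface"]}
    return routes


# What the procedure on this page intends for FW_A: default via FW_B, two connected LANs.
EXPECTED_FW_A = {
    "0.0.0.0/0": ("Static", "10.1.5.2"),
    "10.1.1.0/24": ("Direct", "10.1.1.1"),
    "10.1.5.0/24": ("Direct", "10.1.5.1"),
}


def audit(routes, expected):
    """Return findings as strings; an empty list means the table matches intent."""
    findings = []
    for dest, (proto, nexthop) in expected.items():
        entry = routes.get(dest)
        if entry is None:
            findings.append(f"missing route {dest}")
        elif (entry["proto"], entry["nexthop"]) != (proto, nexthop):
            findings.append(f"{dest}: expected {proto} via {nexthop}, "
                            f"found {entry['proto']} via {entry['nexthop']}")
    # A static route nobody declared is a configuration change worth a look.
    for dest, entry in routes.items():
        if entry["proto"] == "Static" and dest not in expected:
            findings.append(f"unexpected static route {dest} via {entry['nexthop']}")
    return findings


if __name__ == "__main__":
    table = parse_routing_table(FW_A_ROUTING_TABLE)
    print(f"{len(table)} routes parsed; findings: {audit(table, EXPECTED_FW_A) or 'none'}")
```

The audit deliberately checks protocol as well as next hop: a destination that was meant to be reached through a static route but now shows up as a different protocol, or a static route nobody declared, is the kind of change that deserves a change-control ticket rather than a shrug.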
Configuration script for FW_A:
```
#
 sysname FW_A
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.1.5.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 10.1.5.2
#
security-policy
 rule name sec_policy_1
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  destination-address 10.1.3.0 24
  action permit
 rule name sec_policy_2
  source-zone trust
  destination-zone untrust
  source-address 10.1.2.0 24
  source-address 10.1.3.0 24
  destination-address 10.1.1.0 24
  action permit
#
return
```
Configuration script for FW_B:
```
#
 sysname FW_B
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.1.5.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.4.5 255.255.255.252
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.1.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/3
#
ip route-static 10.1.1.0 255.255.255.0 10.1.5.1
ip route-static 10.1.3.0 255.255.255.0 10.1.4.6
#
security-policy
 rule name sec_policy_1
  source-zone dmz
  destination-zone untrust
  source-address 10.1.2.0 24
  destination-address 10.1.1.0 24
  action permit
 rule name sec_policy_2
  source-zone untrust
  destination-zone dmz
  source-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name sec_policy_3
  source-zone dmz
  destination-zone trust
  source-address 10.1.2.0 24
  destination-address 10.1.3.0 24
  action permit
 rule name sec_policy_4
  source-zone trust
  destination-zone dmz
  source-address 10.1.3.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name sec_policy_5
  source-zone untrust
  destination-zone trust
  source-address 10.1.1.0 24
  destination-address 10.1.3.0 24
  action permit
 rule name sec_policy_6
  source-zone trust
  destination-zone untrust
  source-address 10.1.3.0 24
  destination-address 10.1.1.0 24
  action permit
#
return
```
Configuration script for FW_C:
```
#
 sysname FW_C
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 10.1.4.6 255.255.255.252
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 10.1.3.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.5
#
security-policy
 rule name sec_policy_1
  source-zone untrust
  destination-zone trust
  source-address 10.1.3.0 24
  destination-address 10.1.1.0 24
  destination-address 10.1.2.0 24
  action permit
 rule name sec_policy_2
  source-zone trust
  destination-zone untrust
  source-address 10.1.1.0 24
  source-address 10.1.2.0 24
  destination-address 10.1.3.0 24
  action permit
#
return
```