
Configuring Communication Between a Virtual System and the Public System Based on Routing Tables

Networking Requirements

As shown in Figure 1, the device is deployed between network A and the Internet. Virtual system vsysa functions as the gateway of network A to isolate and protect network A. The device connects to the Internet through the WAN interface GE0/0/1 of the public system.

You need to configure communication between vsysa and the public system based on routing tables so that network A and the Internet can communicate with each other.

Figure 1 Communication between a virtual system and the public system based on routing tables

Configuration Roadmap

The configuration roadmap is as follows:
  1. Enable the virtual system function, create virtual system vsysa, and allocate resources to it.
  2. Configure interfaces for the public system and vsysa, and add the interfaces to security zones.
  3. Configure routes in the public system and vsysa to divert traffic between network A and the Internet.
  4. Configure security policies in the public system and vsysa to permit the traffic between network A and the Internet.

Procedure

  1. Enable the virtual system function.

    <FW> system-view
    [FW] vsys enable

  2. Create virtual system vsysa and allocate GE0/0/2 to it.

    [FW] vsys name vsysa
    [FW-vsys-vsysa] assign interface GigabitEthernet 0/0/2
    [FW-vsys-vsysa] quit

  3. Configure interfaces for the public system and add the interfaces to security zones.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GE0/0/1] ip address 1.1.1.1 24
    [FW-GE0/0/1] quit
    [FW] interface Virtual-if 0
    [FW-Virtual-if0] ip address 172.16.0.1 24
    [FW-Virtual-if0] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface Virtual-if 0
    [FW-zone-trust] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-zone-untrust] quit

  4. Configure routes in the public system.

    # Configure a default route from the public system to the Internet. This route carries both the outbound traffic from network A to the Internet and the return traffic of sessions that the Internet initiated to network A. 1.1.1.254 is the next-hop address of the route from the public system to the Internet.

    [FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254

    # Configure a route from the public system to vsysa so that traffic from the Internet destined for network A is handed to vsysa.

    [FW] ip route-static 10.3.0.0 255.255.255.0 vpn-instance vsysa

  5. Configure security policies in the public system.

    # Configure a security policy for traffic from the Trust zone to the Untrust zone to permit traffic from network A to the Internet.

    [FW] security-policy
    [FW-policy-security] rule name trust_to_untrust      
    [FW-policy-security-rule-trust_to_untrust] source-zone trust   
    [FW-policy-security-rule-trust_to_untrust] destination-zone untrust       
    [FW-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
    [FW-policy-security-rule-trust_to_untrust] action permit    
    [FW-policy-security-rule-trust_to_untrust] quit    

    # Configure a security policy for traffic from the Untrust zone to the Trust zone to permit traffic from the Internet to network A.

    [FW-policy-security] rule name untrust_to_trust      
    [FW-policy-security-rule-untrust_to_trust] source-zone untrust   
    [FW-policy-security-rule-untrust_to_trust] destination-zone trust       
    [FW-policy-security-rule-untrust_to_trust] destination-address 10.3.0.0 24       
    [FW-policy-security-rule-untrust_to_trust] action permit    
    [FW-policy-security-rule-untrust_to_trust] quit    
    [FW-policy-security] quit

  6. Switch to the system view of vsysa.

    [FW] switch vsys vsysa
    <FW-vsysa> system-view

  7. Configure interfaces for vsysa and add the interfaces to security zones.

    [FW-vsysa] interface GigabitEthernet 0/0/2
    [FW-vsysa-GigabitEthernet0/0/2] ip address 10.3.0.1 24
    [FW-vsysa-GigabitEthernet0/0/2] quit
    [FW-vsysa] firewall zone trust
    [FW-vsysa-zone-trust] add interface GigabitEthernet 0/0/2
    [FW-vsysa-zone-trust] quit
    [FW-vsysa] firewall zone untrust
    [FW-vsysa-zone-untrust] add interface Virtual-if 1
    [FW-vsysa-zone-untrust] quit

  8. Configure routes in vsysa.

    # Configure a default route from vsysa to the public system so that traffic from network A to the Internet is handed to the public system.

    [FW-vsysa] ip route-static 0.0.0.0 0.0.0.0 public

    # Configure a route from vsysa to network A. This route carries both the return traffic of sessions that network A initiated to the Internet and the inbound traffic from the Internet to network A. 10.3.0.254 is the next-hop address of the route from vsysa to network A.

    [FW-vsysa] ip route-static 10.3.0.0 255.255.255.0 10.3.0.254

  9. Configure security policies in vsysa.

    # Configure a security policy for traffic from the Trust zone to the Untrust zone to permit traffic from network A to the Internet.

    [FW-vsysa] security-policy
    [FW-vsysa-policy-security] rule name vsysa_trust_to_untrust      
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] source-zone trust   
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] destination-zone untrust    
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] source-address 10.3.0.0 24
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] action permit    
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] quit    

    # Configure a security policy for traffic from the Untrust zone to the Trust zone to permit traffic from the Internet to network A.

    [FW-vsysa-policy-security] rule name vsysa_untrust_to_trust      
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] source-zone untrust   
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] destination-zone trust
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] destination-address 10.3.0.0 24
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] action permit    
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] quit    
    [FW-vsysa-policy-security] quit

Verifying the Configuration

  • A user on network A can access the Internet. In addition, the following sessions are created in vsysa and the public system.

    3.3.3.3 is the IP address of the server on the Internet accessed by the user on network A. 10.3.0.2 is the IP address of the user host on network A.

    Sessions in the public system:

    <FW> display firewall session table verbose destination global 3.3.3.3 
     Current Total Sessions : 1
     icmp  VPN: public --> public  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: trust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: Virtual-if0  
     Interface: GigabitEthernet 0/0/1  NextHop: 1.1.1.254  MAC: xxxx-xxxx-xxxx 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.0.2:43999 --> 3.3.3.3:2048 PolicyName: trust_to_untrust

    Sessions in vsysa:

    <FW> display firewall session table verbose vsys vsysa destination global 3.3.3.3
     Current Total Sessions : 1
     icmp  VPN: vsysa --> public  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: trust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: GigabitEthernet 0/0/2  
     Interface: Virtual-if1  NextHop: 0.0.0.0
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.0.2:43999 --> 3.3.3.3:2048 PolicyName: vsysa_trust_to_untrust
  • A user on the Internet can access network A. In addition, the following sessions are created in vsysa and the public system.

    10.3.0.3 is the IP address of the server on network A accessed by the user on the Internet. 2.2.2.2 is the IP address of the user host on the Internet.

    Sessions in the public system:

    <FW> display firewall session table verbose destination global 10.3.0.3 
     Current Total Sessions : 1
     icmp  VPN: public --> vsysa  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: untrust --> trust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: GigabitEthernet 0/0/1  
     Interface: Virtual-if0  NextHop: 0.0.0.0 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     2.2.2.2:2048 --> 10.3.0.3:43999 PolicyName: untrust_to_trust

    Sessions in vsysa:

    <FW> display firewall session table verbose vsys vsysa destination global 10.3.0.3
     Current Total Sessions : 1
     icmp  VPN: vsysa --> vsysa  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: untrust --> trust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: Virtual-if1  
     Interface: GigabitEthernet 0/0/2  NextHop: 10.3.0.254  MAC: xxxx-xxxx-xxxx 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     2.2.2.2:2048 --> 10.3.0.3:43999 PolicyName: vsysa_untrust_to_trust

Configuration Scripts

  • Public system (public)
    #
     sysname FW
    #
     vsys enable 
    #
    vsys name vsysa 1 
     assign interface GigabitEthernet0/0/2
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 1.1.1.1 255.255.255.0  
    # 
    interface Virtual-if0  
     ip address 172.16.0.1 255.255.255.0       
    # 
    firewall zone trust 
     set priority 85  
     add interface Virtual-if0 
    #
    firewall zone untrust     
     set priority 5   
     add interface GigabitEthernet0/0/1
    #
     ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
     ip route-static 10.3.0.0 255.255.255.0 vpn-instance vsysa
    #
    security-policy  
     rule name trust_to_untrust
      source-zone trust   
      destination-zone untrust
      source-address 10.3.0.0 mask 255.255.255.0
      action permit
     rule name untrust_to_trust
      source-zone untrust   
      destination-zone trust
      destination-address 10.3.0.0 mask 255.255.255.0
      action permit 
    #
    return 
  • Virtual system (vsysa)
    #
    interface GigabitEthernet0/0/2
     ip address 10.3.0.1 255.255.255.0   
    # 
    interface Virtual-if1
     ip address 172.16.1.1 255.255.255.0       
    #
    firewall zone trust
     set priority 85  
     add interface GigabitEthernet0/0/2   
    #
    firewall zone untrust 
     set priority 5
     add interface Virtual-if1      
    #
     ip route-static 0.0.0.0 0.0.0.0 public
     ip route-static 10.3.0.0 255.255.255.0 10.3.0.254
    #
    security-policy   
     rule name vsysa_trust_to_untrust
      source-zone trust   
      destination-zone untrust    
      source-address 10.3.0.0 mask 255.255.255.0
      action permit
     rule name vsysa_untrust_to_trust
      source-zone untrust   
      destination-zone trust
      destination-address 10.3.0.0 mask 255.255.255.0
      action permit     
    #
    return 
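The following Python script is an added example and is not Huawei's code or part of this page's configuration. It parses constructed copies of the two configuration scripts above (interface names normalised, the Virtual-if address blocks and zone priorities omitted) into a small model, then traces a packet through both systems in the order the session tables show: a route lookup in the receiving system, a zone lookup for the receiving and outgoing interfaces, and a security-policy match, with the packet handed to the other system when the next hop is `public` or `vpn-instance vsysa`. The lookup logic is a simplified model of the device, not its real forwarding code; it also assumes that each system's interface towards the other system is the one named `Virtual-if*`. The last call in the `__main__` block drops the `vpn-instance vsysa` route from the public system to show why it is required: the Internet-to-network-A traffic then falls to the default route, leaves the Untrust zone again, matches no policy and is denied.

```python
# Added example, not Huawei's code: parse the two configuration scripts above into a small
# model and trace a packet through both systems the way the session tables show. Route,
# zone and policy lookup are a simplified model of the device, not its real logic.
import ipaddress

# Constructed copies of the page's scripts (Virtual-if address blocks and priorities omitted).
PUBLIC_CFG = """
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
firewall zone trust
 add interface Virtual-if0
firewall zone untrust
 add interface GigabitEthernet0/0/1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
ip route-static 10.3.0.0 255.255.255.0 vpn-instance vsysa
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
 rule name untrust_to_trust
  source-zone untrust
  destination-zone trust
  destination-address 10.3.0.0 mask 255.255.255.0
  action permit
"""
VSYSA_CFG = """
interface GigabitEthernet0/0/2
 ip address 10.3.0.1 255.255.255.0
firewall zone trust
 add interface GigabitEthernet0/0/2
firewall zone untrust
 add interface Virtual-if1
ip route-static 0.0.0.0 0.0.0.0 public
ip route-static 10.3.0.0 255.255.255.0 10.3.0.254
security-policy
 rule name vsysa_trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  action permit
 rule name vsysa_untrust_to_trust
  source-zone untrust
  destination-zone trust
  destination-address 10.3.0.0 mask 255.255.255.0
  action permit
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    """Script text -> {"if": {name: subnet}, "zone": {ifname: zone}, "routes": [(prefix, nexthop)], "rules": [...]}."""
    s, ctx = {"if": {}, "zone": {}, "routes": [], "rules": []}, None
    for p in (line.split() for line in cfg.splitlines()):
        if not p or p[0] == "#":
            continue
        if p[0] == "interface":
            ctx = p[1]                      # the following "ip address" belongs to this interface
        elif p[:2] == ["ip", "address"]:
            s["if"][ctx] = net(p[2], p[3])
        elif p[:2] == ["firewall", "zone"]:
            ctx = p[2]                      # the following "add interface" lines join this zone
        elif p[:2] == ["add", "interface"]:
            s["zone"][p[2]] = ctx
        elif p[:2] == ["ip", "route-static"]:
            s["routes"].append((net(p[2], p[3]), " ".join(p[4:])))  # next hop: IP, "public" or "vpn-instance X"
        elif p[:2] == ["rule", "name"]:
            s["rules"].append({"name": p[2]})
        elif p[0] in ("source-zone", "destination-zone", "action"):
            s["rules"][-1][p[0]] = p[1]
        elif p[0] in ("source-address", "destination-address"):
            s["rules"][-1][p[0]] = net(p[1], p[3])
    return s

def vif(s):
    # assumption: the interface towards the other system is the one named Virtual-if*
    return next(i for i in s["zone"] if i.startswith("Virtual-if"))

def match(s, src_zone, dst_zone, src, dst):
    """First rule matching zones and addresses; no match means the default deny."""
    for r in s["rules"]:
        if (r.get("source-zone", src_zone), r.get("destination-zone", dst_zone)) != (src_zone, dst_zone):
            continue
        if src in r.get("source-address", net("0.0.0.0", "0")) and dst in r.get("destination-address", net("0.0.0.0", "0")):
            return r["name"], r.get("action", "deny")
    return None, "deny"

def trace(systems, name, recv, src, dst):
    """src->dst starting in system `name` on interface `recv`; one (system, in, out, policy, action) per system."""
    src, dst, hops = ipaddress.ip_address(src), ipaddress.ip_address(dst), []
    while name:
        s = systems[name]
        routes = [r for r in s["routes"] if dst in r[0]]
        if not routes:
            return hops + [(name, recv, None, None, "no-route")]
        _, nh = max(routes, key=lambda r: r[0].prefixlen)     # longest prefix wins
        nxt = nh.split()[-1] if nh.split()[0] in ("public", "vpn-instance") else None
        out = vif(s) if nxt else next((i for i, n in s["if"].items() if ipaddress.ip_address(nh) in n), None)
        policy, action = match(s, s["zone"].get(recv), s["zone"].get(out), src, dst)
        hops.append((name, recv, out, policy, action))
        if action != "permit":
            return hops
        name, recv = nxt, nxt and vif(systems[nxt])
    return hops

SYSTEMS = {"public": parse(PUBLIC_CFG), "vsysa": parse(VSYSA_CFG)}

if __name__ == "__main__":
    print(trace(SYSTEMS, "vsysa", "GigabitEthernet0/0/2", "10.3.0.2", "3.3.3.3"))   # network A -> Internet
    print(trace(SYSTEMS, "public", "GigabitEthernet0/0/1", "2.2.2.2", "10.3.0.3"))  # Internet -> network A
    # Keep only the public default route: Internet -> network A now leaves via Untrust again and is denied.
    broken = {**SYSTEMS, "public": {**SYSTEMS["public"], "routes": SYSTEMS["public"]["routes"][:1]}}
    print(trace(broken, "public", "GigabitEthernet0/0/1", "2.2.2.2", "10.3.0.3"))
```

Each record in the trace corresponds to one session entry on the page: the system, its Recv Interface, its outgoing Interface and the PolicyName. The same model can be pointed at a different pair of scripts to check that every cross-system route has a matching policy pair on both sides before the configuration is applied.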
Copyright © Huawei Technologies Co., Ltd.