
Configuring Communication Between Two Virtual Systems Across Another Virtual System

Networking Requirements

As shown in Figure 1, the device is deployed between network A and network B. Virtual systems vsysa and vsysb function as the gateways of network A and network B respectively, isolating and protecting their respective networks. The device connects to a LAN through GE0/0/1 of vsysc.

You need to configure communication between vsysa and vsysb across vsysc so that networks A and B can communicate with each other. In addition, you need to configure communication between vsysa and vsysc and between vsysb and vsysc so that networks A and B can access the LAN.

Figure 1 Communication between two virtual systems across another virtual system

Configuration Roadmap

The configuration roadmap is as follows:
  1. Enable the virtual system function and configure the extended communication mode.
  2. Create virtual systems vsysa, vsysb, and vsysc and allocate resources to them.
  3. Configure interfaces for vsysa, vsysb, and vsysc, and add the interfaces to security zones.
  4. Configure routes in the public system to divert traffic between network A and network B and traffic for networks A and B to access the LAN.
  5. Configure routes in vsysa, vsysb, and vsysc to divert traffic sent from the device to network A, network B, and the LAN.
  6. Configure security policies in vsysa, vsysb, and vsysc to permit the traffic between network A and network B and the traffic for networks A and B to access the LAN.

Procedure

  1. Enable the virtual system function.

    <FW> system-view
    [FW] vsys enable

  2. Configure the extended communication mode.

    [FW] firewall forward cross-vsys extended

  3. Create virtual systems and allocate resources to them.

    # Create virtual system vsysa and allocate an interface to it.

    [FW] vsys name vsysa
    [FW-vsys-vsysa] assign interface GigabitEthernet 0/0/2
    [FW-vsys-vsysa] quit

    # Create virtual system vsysb and allocate an interface to it.

    [FW] vsys name vsysb
    [FW-vsys-vsysb] assign interface GigabitEthernet 0/0/3
    [FW-vsys-vsysb] quit

    # Create virtual system vsysc and allocate an interface to it.

    [FW] vsys name vsysc
    [FW-vsys-vsysc] assign interface GigabitEthernet 0/0/1
    [FW-vsys-vsysc] quit

  4. Add the virtual interface Virtual-if0 to a security zone.

    [FW] firewall zone trust
    [FW-zone-trust] add interface Virtual-if 0
    [FW-zone-trust] quit

  5. Configure routes in the public system.

    # Configure a route from vsysa to vsysc so that forward traffic from network A to network B is diverted to vsysc.

    [FW] ip route-static vpn-instance vsysa 10.3.1.0 255.255.255.0 vpn-instance vsysc

    # Configure a route from vsysa to vsysc so that forward traffic from network A to the LAN is diverted to vsysc.

    [FW] ip route-static vpn-instance vsysa 10.1.0.0 255.255.255.0 vpn-instance vsysc

    # Configure a route from vsysb to vsysc so that forward traffic from network B to network A is diverted to vsysc.

    [FW] ip route-static vpn-instance vsysb 10.3.0.0 255.255.255.0 vpn-instance vsysc

    # Configure a route from vsysb to vsysc so that forward traffic from network B to the LAN is diverted to vsysc.

    [FW] ip route-static vpn-instance vsysb 10.1.0.0 255.255.255.0 vpn-instance vsysc

    # Configure a route from vsysc to vsysa so that forward traffic from network B to network A is diverted on to vsysa.

    [FW] ip route-static vpn-instance vsysc 10.3.0.0 255.255.255.0 vpn-instance vsysa

    # Configure a route from vsysc to vsysb so that forward traffic from network A to network B is diverted on to vsysb.

    [FW] ip route-static vpn-instance vsysc 10.3.1.0 255.255.255.0 vpn-instance vsysb

  6. Switch to the system view of vsysa.

    [FW] switch vsys vsysa
    <FW-vsysa> system-view

  7. Configure interfaces for vsysa and add the interfaces to security zones.

    [FW-vsysa] interface GigabitEthernet 0/0/2
    [FW-vsysa-GigabitEthernet0/0/2] ip address 10.3.0.1 24
    [FW-vsysa-GigabitEthernet0/0/2] quit
    [FW-vsysa] interface Virtual-if 1
    [FW-vsysa-Virtual-if1] ip address 172.16.1.1 24
    [FW-vsysa-Virtual-if1] quit
    [FW-vsysa] firewall zone trust
    [FW-vsysa-zone-trust] add interface GigabitEthernet 0/0/2
    [FW-vsysa-zone-trust] quit
    [FW-vsysa] firewall zone untrust
    [FW-vsysa-zone-untrust] add interface Virtual-if 1
    [FW-vsysa-zone-untrust] quit

  8. Configure a route in vsysa.

    Configure a route from vsysa to network A. It carries the forward traffic from network B to network A and the return traffic of network A's sessions to network B or the LAN. 10.3.0.254 is the next-hop address of the route from vsysa to network A.

    [FW-vsysa] ip route-static 10.3.0.0 255.255.255.0 10.3.0.254

  9. Configure security policies in vsysa.

    # Configure a security policy for traffic from the Trust zone to the Untrust zone to permit traffic from network A to network B or the LAN.

    [FW-vsysa] security-policy
    [FW-vsysa-policy-security] rule name vsysa_trust_to_untrust      
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] source-zone trust   
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] destination-zone untrust    
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] source-address 10.3.0.0 24
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] destination-address 10.3.1.0 24   
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] destination-address 10.1.0.0 24   
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] action permit    
    [FW-vsysa-policy-security-rule-vsysa_trust_to_untrust] quit    

    # Configure a security policy for traffic from the Untrust zone to the Trust zone to permit traffic from network B to network A.

    [FW-vsysa-policy-security] rule name vsysa_untrust_to_trust      
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] source-zone untrust   
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] destination-zone trust
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] source-address 10.3.1.0 24   
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] destination-address 10.3.0.0 24
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] action permit    
    [FW-vsysa-policy-security-rule-vsysa_untrust_to_trust] quit    
    [FW-vsysa-policy-security] quit

  10. Switch to the system view of vsysb.

    [FW-vsysa] quit
    <FW-vsysa> quit  
    [FW] switch vsys vsysb
    <FW-vsysb> system-view

  11. Configure interfaces for vsysb and add the interfaces to security zones.

    [FW-vsysb] interface GigabitEthernet 0/0/3
    [FW-vsysb-GigabitEthernet0/0/3] ip address 10.3.1.1 24
    [FW-vsysb-GigabitEthernet0/0/3] quit
    [FW-vsysb] interface Virtual-if 2
    [FW-vsysb-Virtual-if2] ip address 172.16.2.1 24
    [FW-vsysb-Virtual-if2] quit
    [FW-vsysb] firewall zone trust
    [FW-vsysb-zone-trust] add interface GigabitEthernet 0/0/3
    [FW-vsysb-zone-trust] quit
    [FW-vsysb] firewall zone untrust
    [FW-vsysb-zone-untrust] add interface Virtual-if 2
    [FW-vsysb-zone-untrust] quit

  12. Configure a route in vsysb.

    Configure a route from vsysb to network B. It carries the forward traffic from network A to network B and the return traffic of network B's sessions to network A or the LAN. 10.3.1.254 is the next-hop address of the route from vsysb to network B.

    [FW-vsysb] ip route-static 10.3.1.0 255.255.255.0 10.3.1.254

  13. Configure security policies in vsysb.

    # Configure a security policy for traffic from the Trust zone to the Untrust zone to permit traffic from network B to network A or the LAN.

    [FW-vsysb] security-policy
    [FW-vsysb-policy-security] rule name vsysb_trust_to_untrust      
    [FW-vsysb-policy-security-rule-vsysb_trust_to_untrust] source-zone trust   
    [FW-vsysb-policy-security-rule-vsysb_trust_to_untrust] destination-zone untrust    
    [FW-vsysb-policy-security-rule-vsysb_trust_to_untrust] source-address 10.3.1.0 24
    [FW-vsysb-policy-security-rule-vsysb_trust_to_untrust] destination-address 10.3.0.0 24
    [FW-vsysb-policy-security-rule-vsysb_trust_to_untrust] destination-address 10.1.0.0 24
    [FW-vsysb-policy-security-rule-vsysb_trust_to_untrust] action permit    
    [FW-vsysb-policy-security-rule-vsysb_trust_to_untrust] quit    

    # Configure a security policy for traffic from the Untrust zone to the Trust zone to permit traffic from network A to network B.

    [FW-vsysb-policy-security] rule name vsysb_untrust_to_trust      
    [FW-vsysb-policy-security-rule-vsysb_untrust_to_trust] source-zone untrust   
    [FW-vsysb-policy-security-rule-vsysb_untrust_to_trust] destination-zone trust
    [FW-vsysb-policy-security-rule-vsysb_untrust_to_trust] source-address 10.3.0.0 24   
    [FW-vsysb-policy-security-rule-vsysb_untrust_to_trust] destination-address 10.3.1.0 24
    [FW-vsysb-policy-security-rule-vsysb_untrust_to_trust] action permit    
    [FW-vsysb-policy-security-rule-vsysb_untrust_to_trust] quit    
    [FW-vsysb-policy-security] quit

  14. Switch to the system view of vsysc.

    [FW-vsysb] quit
    <FW-vsysb> quit  
    [FW] switch vsys vsysc
    <FW-vsysc> system-view

  15. Configure interfaces for vsysc and add the interfaces to security zones.

    [FW-vsysc] interface GigabitEthernet 0/0/1
    [FW-vsysc-GigabitEthernet0/0/1] ip address 10.1.0.1 24
    [FW-vsysc-GigabitEthernet0/0/1] quit
    [FW-vsysc] interface Virtual-if 3
    [FW-vsysc-Virtual-if3] ip address 172.16.3.1 24
    [FW-vsysc-Virtual-if3] quit
    [FW-vsysc] firewall zone trust
    [FW-vsysc-zone-trust] add interface GigabitEthernet 0/0/1
    [FW-vsysc-zone-trust] quit
    [FW-vsysc] firewall zone untrust
    [FW-vsysc-zone-untrust] add interface Virtual-if 3
    [FW-vsysc-zone-untrust] quit

  16. Configure a route in vsysc.

    Configure a route from vsysc to the LAN. It carries the forward traffic from networks A and B to the LAN. 10.1.0.254 is the next-hop address of the route from vsysc to the LAN.

    [FW-vsysc] ip route-static 10.1.0.0 255.255.255.0 10.1.0.254

  17. Configure security policies in vsysc.

    Configure a security policy for traffic from the Untrust zone to the Trust zone to permit traffic from networks A and B to the LAN.

    [FW-vsysc] security-policy
    [FW-vsysc-policy-security] rule name vsysc_untrust_to_trust      
    [FW-vsysc-policy-security-rule-vsysc_untrust_to_trust] source-zone untrust   
    [FW-vsysc-policy-security-rule-vsysc_untrust_to_trust] destination-zone trust       
    [FW-vsysc-policy-security-rule-vsysc_untrust_to_trust] source-address 10.3.0.0 24
    [FW-vsysc-policy-security-rule-vsysc_untrust_to_trust] source-address 10.3.1.0 24
    [FW-vsysc-policy-security-rule-vsysc_untrust_to_trust] destination-address 10.1.0.0 24  
    [FW-vsysc-policy-security-rule-vsysc_untrust_to_trust] action permit    
    [FW-vsysc-policy-security-rule-vsysc_untrust_to_trust] quit    
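To see how the public-system routes, the per-vsys routes and the security policies of steps 1 to 17 combine, the following Python model walks a packet through the three virtual systems. It is an added example, not Huawei code: the `Route`, `Rule` and `Vsys` classes and the `trace()` function are this example's own abstraction, built from the page's configuration. It assumes, as the session output in the verification section shows, that a cross-vsys route hands the packet to the next virtual system on that system's Virtual-if (untrust zone), that intrazone traffic in vsysc is created without matching a rule (PolicyName: -), and that interzone traffic with no matching rule is dropped. It also goes beyond the page's own checks by tracing a LAN host initiating a connection to network A, which no rule in vsysc permits, and by showing what a missing cross-vsys route does to a flow.

```python
"""Trace a packet through vsysa, vsysc and vsysb as configured in the procedure.

Added example, not Huawei code. A cross-vsys route hands the packet to the next
virtual system, which receives it on its Virtual-if (untrust zone); interzone
traffic with no matching rule is dropped; intrazone traffic passes without a
rule, which is what the vsysc session output on this page (PolicyName: -) shows.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Route:
    prefix: str                       # destination network, e.g. "10.3.1.0/24"
    next_vsys: Optional[str] = None   # set by "ip route-static vpn-instance X ... vpn-instance Y"
    out_iface: Optional[str] = None   # set by an ordinary next-hop route
    next_hop: Optional[str] = None

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_nets: List[str]
    dst_nets: List[str]
    action: str = "permit"

@dataclass
class Vsys:
    name: str
    virtual_if: str          # Virtual-if that receives traffic from other virtual systems
    zones: Dict[str, str]    # interface name -> security zone
    routes: List[Route]
    rules: List[Rule]

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the vsys routing table."""
    addr, best = ipaddress.ip_address(dst), None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best

def in_any(addr: str, nets: List[str]) -> bool:
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)

def match_policy(vsys: Vsys, zone_in: str, zone_out: str, src: str, dst: str) -> Optional[str]:
    """Name of the first matching rule, '-' for intrazone traffic, None when the packet is denied."""
    if zone_in == zone_out:
        return "-"
    for r in vsys.rules:
        if (r.src_zone, r.dst_zone) == (zone_in, zone_out) and in_any(src, r.src_nets) and in_any(dst, r.dst_nets):
            return r.name if r.action == "permit" else None
    return None   # no rule matched: the default interzone action is deny

def trace(fw: Dict[str, Vsys], vsys_name: str, recv_iface: str, src: str, dst: str):
    """Return (hops, verdict); each hop records what one vsys did with the packet."""
    hops, vsys = [], fw[vsys_name]
    for _ in range(len(fw) + 1):   # bound the walk so a routing loop cannot spin forever
        route = lookup(vsys.routes, dst)
        if route is None:
            hops.append({"vsys": vsys.name, "zones": None, "out": None, "via": "no route", "policy": None})
            return hops, "DROP"
        out_iface = vsys.virtual_if if route.next_vsys else route.out_iface
        zone_in, zone_out = vsys.zones[recv_iface], vsys.zones[out_iface]
        policy = match_policy(vsys, zone_in, zone_out, src, dst)
        hops.append({"vsys": vsys.name, "zones": f"{zone_in} --> {zone_out}", "out": out_iface,
                     "via": route.next_vsys or route.next_hop, "policy": policy})
        if policy is None:
            return hops, "DROP"
        if route.next_vsys is None:
            return hops, "FORWARD"
        vsys, recv_iface = fw[route.next_vsys], fw[route.next_vsys].virtual_if
    return hops, "LOOP"

def build_firewall() -> Dict[str, Vsys]:
    """The three virtual systems exactly as steps 3 to 17 above configure them."""
    a, b, lan = "10.3.0.0/24", "10.3.1.0/24", "10.1.0.0/24"
    return {
        "vsysa": Vsys("vsysa", "Virtual-if1", {"GigabitEthernet0/0/2": "trust", "Virtual-if1": "untrust"},
                      [Route(b, next_vsys="vsysc"), Route(lan, next_vsys="vsysc"),
                       Route(a, out_iface="GigabitEthernet0/0/2", next_hop="10.3.0.254")],
                      [Rule("vsysa_trust_to_untrust", "trust", "untrust", [a], [b, lan]),
                       Rule("vsysa_untrust_to_trust", "untrust", "trust", [b], [a])]),
        "vsysb": Vsys("vsysb", "Virtual-if2", {"GigabitEthernet0/0/3": "trust", "Virtual-if2": "untrust"},
                      [Route(a, next_vsys="vsysc"), Route(lan, next_vsys="vsysc"),
                       Route(b, out_iface="GigabitEthernet0/0/3", next_hop="10.3.1.254")],
                      [Rule("vsysb_trust_to_untrust", "trust", "untrust", [b], [a, lan]),
                       Rule("vsysb_untrust_to_trust", "untrust", "trust", [a], [b])]),
        "vsysc": Vsys("vsysc", "Virtual-if3", {"GigabitEthernet0/0/1": "trust", "Virtual-if3": "untrust"},
                      [Route(a, next_vsys="vsysa"), Route(b, next_vsys="vsysb"),
                       Route(lan, out_iface="GigabitEthernet0/0/1", next_hop="10.1.0.254")],
                      [Rule("vsysc_untrust_to_trust", "untrust", "trust", [a, b], [lan])]),
    }

if __name__ == "__main__":
    fw = build_firewall()
    cases = [("vsysa", "GigabitEthernet0/0/2", "10.3.0.2", "10.3.1.3"),   # network A -> network B
             ("vsysa", "GigabitEthernet0/0/2", "10.3.0.2", "10.1.0.3"),   # network A -> LAN
             ("vsysc", "GigabitEthernet0/0/1", "10.1.0.3", "10.3.0.3")]   # LAN -> network A (no rule permits it)
    for vs, iface, src, dst in cases:
        hops, verdict = trace(fw, vs, iface, src, dst)
        print(f"{src} -> {dst}: {verdict}")
        for h in hops:
            print(f"   {h['vsys']}: {h['zones']} out {h['out']} via {h['via']} policy {h['policy']}")
```

The first two traces reproduce the sessions listed under "Verifying the Configuration" hop by hop (vsysa_trust_to_untrust, then "-" in vsysc, then vsysb_untrust_to_trust). The third shows that the configuration is one-directional: the LAN can answer sessions from networks A and B but cannot open its own, because vsysc has no trust-to-untrust rule. Deleting the vsysc-to-vsysb route from the model turns the A-to-B flow into a "no route" drop inside vsysc, which is the symptom to look for when one of the six public-system routes is missing.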

Verifying the Configuration

  • A user on network A can access network B and the LAN. In addition, the following sessions are created in vsysa, vsysb, and vsysc.

    10.3.1.3 is the IP address of the server on network B accessed by the user on network A. 10.1.0.3 is the IP address of the server on the LAN accessed by the user on network A. 10.3.0.2 is the IP address of the user host on network A.

    Sessions in vsysa:

    <FW> display firewall session table verbose vsys vsysa
     Current Total Sessions : 2
     icmp  VPN: vsysa --> vsysc  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: trust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: GigabitEthernet 0/0/2  
     Interface: Virtual-if1  NextHop: 0.0.0.0 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.0.2:43999 --> 10.3.1.3:2048 PolicyName: vsysa_trust_to_untrust
    
     icmp  VPN: vsysa --> vsysc  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: trust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: GigabitEthernet 0/0/2
     Interface: Virtual-if1  NextHop: 0.0.0.0
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.0.2:43999 --> 10.1.0.3:2048 PolicyName: vsysa_trust_to_untrust

    Sessions in vsysb:

    <FW> display firewall session table verbose vsys vsysb destination global 10.3.1.3 
     Current Total Sessions : 1
     icmp  VPN: vsysb --> vsysb  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: untrust --> trust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: Virtual-if2 
     Interface: GigabitEthernet 0/0/3  NextHop: 10.3.1.254  MAC: xxxx-xxxx-xxxx 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.0.2:43999 --> 10.3.1.3:2048 PolicyName: vsysb_untrust_to_trust

    Sessions in vsysc:

    <FW> display firewall session table verbose vsys vsysc
     Current Total Sessions : 2
     icmp  VPN: vsysc --> vsysb  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: untrust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: Virtual-if3 
     Interface: Virtual-if3  NextHop: 0.0.0.0 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.0.2:43999 --> 10.3.1.3:2048 PolicyName: -
    
     icmp  VPN: vsysc --> vsysc  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: untrust --> trust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: Virtual-if3 
     Interface: GigabitEthernet 0/0/1  NextHop: 10.1.0.254  MAC: xxxx-xxxx-xxxx 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.0.2:43999 --> 10.1.0.3:2048 PolicyName: vsysc_untrust_to_trust
  • A user on network B can access network A and the LAN. In addition, the following sessions are created in vsysa, vsysb, and vsysc.

    10.3.0.3 is the IP address of the server on network A accessed by the user on network B. 10.1.0.3 is the IP address of the server on the LAN accessed by the user on network B. 10.3.1.2 is the IP address of the user host on network B.

    Sessions in vsysa:

    <FW> display firewall session table verbose vsys vsysa destination global 10.3.0.3 
     Current Total Sessions : 1
     icmp  VPN: vsysa --> vsysa  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: untrust --> trust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: Virtual-if1 
     Interface: GigabitEthernet 0/0/2  NextHop: 10.3.0.254  MAC: xxxx-xxxx-xxxx 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.1.2:43999 --> 10.3.0.3:2048 PolicyName: vsysa_untrust_to_trust

    Sessions in vsysb:

    <FW> display firewall session table verbose vsys vsysb
     Current Total Sessions : 2
     icmp  VPN: vsysb --> vsysc  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: trust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: GigabitEthernet 0/0/3 
     Interface: Virtual-if2  NextHop: 0.0.0.0
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.1.2:43999 --> 10.3.0.3:2048 PolicyName: vsysb_trust_to_untrust
    
     icmp  VPN: vsysb --> vsysc  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: trust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: GigabitEthernet 0/0/3 
     Interface: Virtual-if2  NextHop: 0.0.0.0 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.1.2:43999 --> 10.1.0.3:2048 PolicyName: vsysb_trust_to_untrust

    Sessions in vsysc:

    <FW> display firewall session table verbose vsys vsysc
     Current Total Sessions : 2
     icmp  VPN: vsysc --> vsysa  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: untrust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: Virtual-if3  
     Interface: Virtual-if3  NextHop: 0.0.0.0 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.1.2:43999 --> 10.3.0.3:2048 PolicyName: -
    
     icmp  VPN: vsysc --> vsysc  ID: xxxxxxxxxxxxxxxxxxxxxx 
     Zone: untrust --> trust  TTL: xx:xx:xx  Left: xx:xx:xx 
     Recv Interface: Virtual-if3  
     Interface: GigabitEthernet 0/0/1  NextHop: 10.1.0.254  MAC: xxxx-xxxx-xxxx 
     <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx 
     10.3.1.2:43999 --> 10.1.0.3:2048 PolicyName: vsysc_untrust_to_trust
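The verification above is done by reading the session tables by eye. As an added example (not Huawei tooling), the Python below parses the verbose session output into records, reports expected sessions that are absent, and lists the sessions the device created without matching any rule (PolicyName: -). In this design those are the A-to-B transit sessions in vsysc, so filtering between networks A and B relies entirely on the rules in vsysa and vsysb; listing them makes that dependency visible during a review. The regular expressions follow the output layout shown on this page and may need adjusting for other releases; the sample text is the page's vsysa and vsysc output for the network A user, reproduced as a constructed input.

```python
"""Parse 'display firewall session table verbose' output and check expected sessions.

Added example, not Huawei tooling. The regexes match the verbose layout shown
on this page; other software versions may print the fields differently.
"""
import re

# Constructed sample: the vsysa and vsysc session output from the verification
# section above, pasted as captured from the CLI.
SAMPLE = """\
<FW> display firewall session table verbose vsys vsysa
 Current Total Sessions : 2
 icmp  VPN: vsysa --> vsysc  ID: xxxxxxxxxxxxxxxxxxxxxx
 Zone: trust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx
 Recv Interface: GigabitEthernet 0/0/2
 Interface: Virtual-if1  NextHop: 0.0.0.0
 <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx
 10.3.0.2:43999 --> 10.3.1.3:2048 PolicyName: vsysa_trust_to_untrust

 icmp  VPN: vsysa --> vsysc  ID: xxxxxxxxxxxxxxxxxxxxxx
 Zone: trust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx
 Recv Interface: GigabitEthernet 0/0/2
 Interface: Virtual-if1  NextHop: 0.0.0.0
 <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx
 10.3.0.2:43999 --> 10.1.0.3:2048 PolicyName: vsysa_trust_to_untrust
<FW> display firewall session table verbose vsys vsysc
 Current Total Sessions : 2
 icmp  VPN: vsysc --> vsysb  ID: xxxxxxxxxxxxxxxxxxxxxx
 Zone: untrust --> untrust  TTL: xx:xx:xx  Left: xx:xx:xx
 Recv Interface: Virtual-if3
 Interface: Virtual-if3  NextHop: 0.0.0.0
 <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx
 10.3.0.2:43999 --> 10.3.1.3:2048 PolicyName: -

 icmp  VPN: vsysc --> vsysc  ID: xxxxxxxxxxxxxxxxxxxxxx
 Zone: untrust --> trust  TTL: xx:xx:xx  Left: xx:xx:xx
 Recv Interface: Virtual-if3
 Interface: GigabitEthernet 0/0/1  NextHop: 10.1.0.254  MAC: xxxx-xxxx-xxxx
 <--packets: xxx bytes: xxx --> packets: xxx bytes: xxx
 10.3.0.2:43999 --> 10.1.0.3:2048 PolicyName: vsysc_untrust_to_trust
"""

HEAD_RE = re.compile(r"^\s*(\w+)\s+VPN:\s*(\S+)\s*-->\s*(\S+)")           # opens a session record
ZONE_RE = re.compile(r"^\s*Zone:\s*(\S+)\s*-->\s*(\S+)")
RECV_RE = re.compile(r"^\s*Recv Interface:\s*(.+?)\s*$")
OUT_RE = re.compile(r"^\s*Interface:\s*(.+?)\s+NextHop:\s*(\S+)")
FLOW_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+):(\d+)\s*-->\s*(\d+\.\d+\.\d+\.\d+):(\d+)\s+PolicyName:\s*(\S+)")

def parse_sessions(text):
    """Turn the verbose listing into one dict per session; the flow line closes each record."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            cur = {"proto": m.group(1), "vsys": m.group(2), "next_vsys": m.group(3)}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if m := ZONE_RE.match(line):
            cur["zones"] = (m.group(1), m.group(2))
        elif m := RECV_RE.match(line):
            cur["recv"] = m.group(1).replace(" ", "")       # "GigabitEthernet 0/0/2" -> "GigabitEthernet0/0/2"
        elif m := OUT_RE.match(line):
            cur["out"], cur["next_hop"] = m.group(1).replace(" ", ""), m.group(2)
        elif m := FLOW_RE.match(line):
            cur["src"], cur["dst"], cur["policy"] = m.group(1), m.group(3), m.group(5)
            cur = None
    return sessions

def missing_sessions(sessions, expected):
    """expected: (vsys, src, dst, zone_in, zone_out, policy) tuples; returns the ones not present."""
    seen = {(s["vsys"], s["src"], s["dst"], s["zones"][0], s["zones"][1], s["policy"])
            for s in sessions if "policy" in s and "zones" in s}
    return [e for e in expected if e not in seen]

def unmatched_policy(sessions):
    """Sessions the device created without matching a security-policy rule (PolicyName: -)."""
    return [(s["vsys"], s["src"], s["dst"], s["zones"]) for s in sessions if s.get("policy") == "-"]

# What the page says should exist after a network A user reaches network B and the LAN.
EXPECTED = [
    ("vsysa", "10.3.0.2", "10.3.1.3", "trust", "untrust", "vsysa_trust_to_untrust"),
    ("vsysa", "10.3.0.2", "10.1.0.3", "trust", "untrust", "vsysa_trust_to_untrust"),
    ("vsysc", "10.3.0.2", "10.1.0.3", "untrust", "trust", "vsysc_untrust_to_trust"),
]

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE)
    print(f"parsed {len(sessions)} sessions")
    for miss in missing_sessions(sessions, EXPECTED):
        print("MISSING:", miss)
    for s in unmatched_policy(sessions):
        print("created without a matching rule (review):", s)
```

To use it on a live device, capture the output of the three `display firewall session table verbose vsys ...` commands into one file, pass its text to `parse_sessions()`, and extend `EXPECTED` with the vsysb entries and the network B user's sessions from the second verification bullet.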

Configuration Scripts

  • Public system (public)
    #
     sysname FW
    #
     vsys enable 
    #
     firewall forward cross-vsys extended
    #
    vsys name vsysa 1 
     assign interface GigabitEthernet0/0/2
    #
    vsys name vsysb 2 
     assign interface GigabitEthernet0/0/3
    #
    vsys name vsysc 3 
     assign interface GigabitEthernet0/0/1
    # 
    interface Virtual-if 0  
     ip address 172.16.0.1 255.255.255.0       
    # 
    firewall zone trust 
     set priority 85  
     add interface Virtual-if0 
    #
     ip route-static vpn-instance vsysa 10.3.1.0 255.255.255.0 vpn-instance vsysc
     ip route-static vpn-instance vsysa 10.1.0.0 255.255.255.0 vpn-instance vsysc
     ip route-static vpn-instance vsysb 10.3.0.0 255.255.255.0 vpn-instance vsysc
     ip route-static vpn-instance vsysb 10.1.0.0 255.255.255.0 vpn-instance vsysc
     ip route-static vpn-instance vsysc 10.3.0.0 255.255.255.0 vpn-instance vsysa
     ip route-static vpn-instance vsysc 10.3.1.0 255.255.255.0 vpn-instance vsysb
    #
    return 
  • Virtual system (vsysa)
    #
    interface GigabitEthernet0/0/2  
     ip address 10.3.0.1 255.255.255.0   
    # 
    interface Virtual-if 1  
     ip address 172.16.1.1 255.255.255.0       
    #
    firewall zone trust
     set priority 85  
     add interface GigabitEthernet0/0/2     
    #
    firewall zone untrust 
     set priority 5
     add interface Virtual-if1      
    #
     ip route-static 10.3.0.0 255.255.255.0 10.3.0.254
    #
    security-policy
     rule name vsysa_trust_to_untrust
      source-zone trust   
      destination-zone untrust    
      source-address 10.3.0.0 24
      destination-address 10.3.1.0 mask 255.255.255.0   
      destination-address 10.1.0.0 mask 255.255.255.0   
      action permit    
     rule name vsysa_untrust_to_trust
      source-zone untrust   
      destination-zone trust
      source-address 10.3.1.0 mask 255.255.255.0   
      destination-address 10.3.0.0 mask 255.255.255.0
      action permit    
    #
    return 
  • Virtual system (vsysb)
    #
    interface GigabitEthernet0/0/3  
     ip address 10.3.1.1 255.255.255.0   
    # 
    interface Virtual-if 2  
     ip address 172.16.2.1 255.255.255.0       
    #
    firewall zone trust
     set priority 85  
     add interface GigabitEthernet0/0/3     
    #
    firewall zone untrust 
     set priority 5
     add interface Virtual-if2      
    #
     ip route-static 10.3.1.0 255.255.255.0 10.3.1.254
    #
    security-policy
     rule name vsysb_trust_to_untrust
      source-zone trust   
      destination-zone untrust    
      source-address 10.3.1.0 mask 255.255.255.0
      destination-address 10.3.0.0 mask 255.255.255.0
      destination-address 10.1.0.0 mask 255.255.255.0
      action permit    
     rule name vsysb_untrust_to_trust
      source-zone untrust   
      destination-zone trust
      source-address 10.3.0.0 mask 255.255.255.0   
      destination-address 10.3.1.0 mask 255.255.255.0
      action permit  
    #
    return 
  • Virtual system (vsysc)
    #
    interface GigabitEthernet0/0/1  
     ip address 10.1.0.1 255.255.255.0   
    # 
    interface Virtual-if 3  
     ip address 172.16.3.1 255.255.255.0       
    #
    firewall zone trust
     set priority 85  
     add interface GigabitEthernet0/0/1     
    #
    firewall zone untrust 
     set priority 5
     add interface Virtual-if3      
    #
     ip route-static 10.1.0.0 255.255.255.0 10.1.0.254
    #
    security-policy
     rule name vsysc_untrust_to_trust
      source-zone untrust   
      destination-zone trust
      source-address 10.3.0.0 mask 255.255.255.0
      source-address 10.3.1.0 mask 255.255.255.0
      destination-address 10.1.0.0 mask 255.255.255.0  
      action permit
    #
    return 
Copyright © Huawei Technologies Co., Ltd.