As shown in Figure 1, the device is deployed as a Layer 3 gateway between the intranet and Internet. The intranet is divided into two independent LANs: network A and network B, which are isolated from each other and cannot communicate with each other.
User hosts on network A access the Internet through the independent WAN interface GE0/0/1 of vsysa, and user hosts on network B access the Internet through the independent WAN interface GE0/0/2 of vsysb. On network A, only some user hosts can access the Internet. On network B, all user hosts can access the Internet. In addition, source NAT is performed in the two virtual systems separately to translate the source IP addresses of the packets from the intranet to the Internet into the public IP addresses of the device. In this way, the intranet IP addresses are hidden.

| Item | Data | Description |
|---|---|---|
| vsysa | Virtual system name: vsysa; WAN interface: GE0/0/1; WAN interface IP address: 10.1.1.8/24; security zone of the WAN interface: untrust; LAN interface: GE0/0/3; LAN interface IP address: 10.3.0.1/24; private IP address range: 10.3.0.0/24; security zone of the LAN interface: trust; IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10 | - |
| vsysb | Virtual system name: vsysb; WAN interface: GE0/0/2; WAN interface IP address: 10.1.1.9/24; security zone of the WAN interface: untrust; LAN interface: GE0/0/4; LAN interface IP address: 10.3.1.1/24; private IP address range: 10.3.1.0/24; security zone of the LAN interface: trust | - |
| Resource class | Resource class name: r1; guaranteed number of IPv4 sessions: 10000; maximum number of IPv4 sessions: 50000; guaranteed number of policies: 300; guaranteed total bandwidth: 20 Mbit/s | In this example, networks A and B have similar service resource usage requirements and are therefore allocated the same virtual system resources. |
# Enable the virtual system function and create resource class r1.
<FW> system-view
[FW] vsys enable
[FW] resource-class r1
[FW-resource-class-r1] resource-item-limit session reserved-number 10000 maximum 50000
[FW-resource-class-r1] resource-item-limit policy reserved-number 300
[FW-resource-class-r1] resource-item-limit bandwidth 20 entire
[FW-resource-class-r1] quit
# Create virtual system vsysa and allocate resources to it.
[FW] vsys name vsysa
[FW-vsys-vsysa] assign resource-class r1
[FW-vsys-vsysa] assign interface GigabitEthernet 0/0/1
[FW-vsys-vsysa] assign interface GigabitEthernet 0/0/3
[FW-vsys-vsysa] assign global-ip 10.1.1.8 10.1.1.8 exclusive
[FW-vsys-vsysa] quit
# Create virtual system vsysb and allocate resources to it.
[FW] vsys name vsysb
[FW-vsys-vsysb] assign resource-class r1
[FW-vsys-vsysb] assign interface GigabitEthernet 0/0/2
[FW-vsys-vsysb] assign interface GigabitEthernet 0/0/4
[FW-vsys-vsysb] assign global-ip 10.1.1.9 10.1.1.9 exclusive
[FW-vsys-vsysb] quit
# Switch to vsysa, configure the interface IP addresses, and add the interfaces to security zones.
[FW] switch vsys vsysa
<FW-vsysa> system-view
[FW-vsysa] interface GigabitEthernet 0/0/1
[FW-vsysa-GigabitEthernet0/0/1] ip address 10.1.1.8 24
[FW-vsysa-GigabitEthernet0/0/1] quit
[FW-vsysa] interface GigabitEthernet 0/0/3
[FW-vsysa-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[FW-vsysa-GigabitEthernet0/0/3] quit
[FW-vsysa] firewall zone trust
[FW-vsysa-zone-trust] add interface GigabitEthernet 0/0/3
[FW-vsysa-zone-trust] quit
[FW-vsysa] firewall zone untrust
[FW-vsysa-zone-untrust] add interface GigabitEthernet 0/0/1
[FW-vsysa-zone-untrust] quit
# Configure a default route to the Internet with next hop 10.1.1.1.
[FW-vsysa] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
# Allow user hosts in the IP address range of 10.3.0.2 to 10.3.0.10 on network A to access the Internet.
[FW-vsysa] security-policy
[FW-vsysa-policy-security] rule name to_internet_allow
[FW-vsysa-policy-security-rule-to_internet_allow] source-zone trust
[FW-vsysa-policy-security-rule-to_internet_allow] destination-zone untrust
[FW-vsysa-policy-security-rule-to_internet_allow] source-address range 10.3.0.2 10.3.0.10
[FW-vsysa-policy-security-rule-to_internet_allow] action permit
[FW-vsysa-policy-security-rule-to_internet_allow] quit
# Forbid user hosts that are not in the IP address range of 10.3.0.2 to 10.3.0.10 on network A from accessing the Internet.
[FW-vsysa-policy-security] rule name to_internet_block
[FW-vsysa-policy-security-rule-to_internet_block] source-zone trust
[FW-vsysa-policy-security-rule-to_internet_block] destination-zone untrust
[FW-vsysa-policy-security-rule-to_internet_block] action deny
[FW-vsysa-policy-security-rule-to_internet_block] quit
[FW-vsysa-policy-security] quit
# Configure source NAT (easy IP) so that packets from the permitted hosts leave GE0/0/1 with its public IP address.
[FW-vsysa] nat-policy
[FW-vsysa-policy-nat] rule name nat1
[FW-vsysa-policy-nat-rule-nat1] source-zone trust
[FW-vsysa-policy-nat-rule-nat1] egress-interface GigabitEthernet 0/0/1
[FW-vsysa-policy-nat-rule-nat1] source-address range 10.3.0.2 10.3.0.10
[FW-vsysa-policy-nat-rule-nat1] action source-nat easy-ip
[FW-vsysa-policy-nat-rule-nat1] quit
[FW-vsysa-policy-nat] quit
# Exit vsysa and switch to vsysb; configure its interfaces, zones, and default route.
[FW-vsysa] quit
<FW-vsysa> quit
[FW] switch vsys vsysb
<FW-vsysb> system-view
[FW-vsysb] interface GigabitEthernet 0/0/2
[FW-vsysb-GigabitEthernet0/0/2] ip address 10.1.1.9 24
[FW-vsysb-GigabitEthernet0/0/2] quit
[FW-vsysb] interface GigabitEthernet 0/0/4
[FW-vsysb-GigabitEthernet0/0/4] ip address 10.3.1.1 24
[FW-vsysb-GigabitEthernet0/0/4] quit
[FW-vsysb] firewall zone trust
[FW-vsysb-zone-trust] add interface GigabitEthernet 0/0/4
[FW-vsysb-zone-trust] quit
[FW-vsysb] firewall zone untrust
[FW-vsysb-zone-untrust] add interface GigabitEthernet 0/0/2
[FW-vsysb-zone-untrust] quit
[FW-vsysb] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
# Allow all user hosts on network B (10.3.1.0/24) to access the Internet.
[FW-vsysb] security-policy
[FW-vsysb-policy-security] rule name to_internet_allow
[FW-vsysb-policy-security-rule-to_internet_allow] source-zone trust
[FW-vsysb-policy-security-rule-to_internet_allow] destination-zone untrust
[FW-vsysb-policy-security-rule-to_internet_allow] source-address 10.3.1.0 24
[FW-vsysb-policy-security-rule-to_internet_allow] action permit
[FW-vsysb-policy-security-rule-to_internet_allow] quit
[FW-vsysb-policy-security] quit
# Configure source NAT (easy IP) on the egress interface GE0/0/2.
[FW-vsysb] nat-policy
[FW-vsysb-policy-nat] rule name nat1
[FW-vsysb-policy-nat-rule-nat1] source-zone trust
[FW-vsysb-policy-nat-rule-nat1] egress-interface GigabitEthernet 0/0/2
[FW-vsysb-policy-nat-rule-nat1] action source-nat easy-ip
[FW-vsysb-policy-nat-rule-nat1] quit
[FW-vsysb-policy-nat] quit
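Security policy rules are matched top-down, so in vsysa the to_internet_allow rule must precede to_internet_block or every host on network A would be denied. The following Python, an added example rather than code from the Huawei documentation, transcribes the two policies above, evaluates a flow with first-match semantics, and flags rules that an earlier rule shadows; the rule names, zones and addresses are the page's, the evaluator is a simplified model (source address and zone pair only).

```python
import ipaddress

# Security policies transcribed from the vsysa and vsysb CLI steps above.
# A rule is (name, source-zone, destination-zone, source spec, action), where the
# source spec is None (any source), ("range", first, last) or ("net", cidr).
VSYSA_POLICY = [
    ("to_internet_allow", "trust", "untrust", ("range", "10.3.0.2", "10.3.0.10"), "permit"),
    ("to_internet_block", "trust", "untrust", None, "deny"),
]
VSYSB_POLICY = [
    ("to_internet_allow", "trust", "untrust", ("net", "10.3.1.0/24"), "permit"),
]

def interval(spec):
    """Lowest and highest IPv4 address a source spec can match."""
    if spec is None:
        return ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255")
    if spec[0] == "range":
        return ipaddress.ip_address(spec[1]), ipaddress.ip_address(spec[2])
    net = ipaddress.ip_network(spec[1])
    return net[0], net[-1]

def evaluate(policy, src_zone, dst_zone, src_ip):
    """First-match lookup returning (rule name, action). Traffic that matches no
    rule falls through to the implicit default, reported as ("default", "deny")."""
    ip = ipaddress.ip_address(src_ip)
    for name, sz, dz, spec, action in policy:
        lo, hi = interval(spec)
        if (sz, dz) == (src_zone, dst_zone) and lo <= ip <= hi:
            return name, action
    return "default", "deny"

def shadowed_rules(policy):
    """Names of rules that can never match because an earlier rule for the same
    zone pair already covers their whole source range, e.g. the vsysa block rule
    placed before the allow rule."""
    hidden = []
    for i, (name, sz, dz, spec, _) in enumerate(policy):
        lo, hi = interval(spec)
        for _, esz, edz, espec, _ in policy[:i]:
            elo, ehi = interval(espec)
            if (esz, edz) == (sz, dz) and elo <= lo and hi <= ehi:
                hidden.append(name)
                break
    return hidden

if __name__ == "__main__":
    print(evaluate(VSYSA_POLICY, "trust", "untrust", "10.3.0.5"))   # ('to_internet_allow', 'permit')
    print(evaluate(VSYSA_POLICY, "trust", "untrust", "10.3.0.20"))  # ('to_internet_block', 'deny')
    print(shadowed_rules(list(reversed(VSYSA_POLICY))))             # ['to_internet_allow']
```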
Configuration file of the root system:
#
sysname FW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit bandwidth 20 entire
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet0/0/1
assign interface GigabitEthernet0/0/3
assign global-ip 10.1.1.8 10.1.1.8 exclusive
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet0/0/2
assign interface GigabitEthernet0/0/4
assign global-ip 10.1.1.9 10.1.1.9 exclusive
#
return
Configuration file of vsysa:
#
interface GigabitEthernet0/0/1
ip address 10.1.1.8 255.255.255.0
#
interface GigabitEthernet0/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
rule name to_internet_allow
source-zone trust
destination-zone untrust
source-address range 10.3.0.2 10.3.0.10
action permit
rule name to_internet_block
source-zone trust
destination-zone untrust
action deny
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet0/0/1
source-address range 10.3.0.2 10.3.0.10
action source-nat easy-ip
#
return
Configuration file of vsysb:
#
interface GigabitEthernet0/0/2
ip address 10.1.1.9 255.255.255.0
#
interface GigabitEthernet0/0/4
ip address 10.3.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/4
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
rule name to_internet_allow
source-zone trust
destination-zone untrust
source-address 10.3.1.0 mask 255.255.255.0
action permit
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet0/0/2
source-address 10.3.1.0 mask 255.255.255.0
action source-nat easy-ip
#
return