[Huawei] Huawei Firewall Dual-Device Hot Standby

embedded/2024/9/22 23:50:18/

Huawei Firewall Dual-Device Hot Standby

  • Lab requirements
  • Lab topology
    • Configuration
      • FW5-M
        • Preliminary steps
        • Router-on-a-stick and VRRP
        • Assigning the basic firewall zones
        • Deploying HRP (Huawei Redundancy Protocol)
      • FW6-B
        • Preliminary steps
        • Router-on-a-stick and VRRP
        • Assigning the basic firewall zones
        • Deploying HRP (Huawei Redundancy Protocol)
      • LSW2
      • PC
    • NAT
      • SNAT: Easy IP
      • DNAT: mapping the internal server's service to the public network
      • Mapped to the public network successfully: the public network can reach the server, so DNAT works
      • Viewing the session table
  • HRP
  • Configuration documents
    • FW5_M
    • FW6_B
    • LSW2
    • ISP


Lab requirements

① Plan the addresses yourself (or use the ones given below)
② Configure hot standby on the two egress firewalls (USG6000V): FW5 is the master firewall and FW6 the backup firewall, to improve network stability
③ Create VLAN10, VLAN20 and VLAN30, and allow traffic from all three VLANs to reach the ISP (SNAT)
④ Make the Server reachable from the public network (DNAT)

Lab topology


Huawei firewall login
Username: admin
Password: Admin@123

Configuration

FW5-M

Preliminary steps
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sysname FW5-M
[FW5-M]undo info-center enable           ## turn off information-center pop-up messages
Info: Information center is disabled.
Router-on-a-stick and VRRP
[FW5-M]int g1/0/1.10                                  ## enter sub-interface g1/0/1.10
[FW5-M-GigabitEthernet1/0/1.10]vlan-type dot1q 10     ## used for VLAN10
[FW5-M-GigabitEthernet1/0/1.10]ip address 192.168.10.251 24      ## configure the IP address (must differ from the gateway address)
[FW5-M-GigabitEthernet1/0/1.10]vrrp vrid 10 virtual-ip 192.168.10.254 active    ## deploy VRRP group 10 with virtual IP 192.168.10.254; this device is active (master)
[FW5-M-GigabitEthernet1/0/1.10]service-manage ping permit       ## allow ping to the firewall interface
[FW5-M-GigabitEthernet1/0/1.10]quit
[FW5-M]int g1/0/1.20
[FW5-M-GigabitEthernet1/0/1.20]vlan-type dot1q 20
[FW5-M-GigabitEthernet1/0/1.20]ip address 192.168.20.251 24
[FW5-M-GigabitEthernet1/0/1.20]vrrp vrid 20 virtual-ip 192.168.20.254 active
[FW5-M-GigabitEthernet1/0/1.20]service-manage ping permit
[FW5-M-GigabitEthernet1/0/1.20]quit
[FW5-M]int g1/0/1.30
[FW5-M-GigabitEthernet1/0/1.30]vlan-type dot1q 30
[FW5-M-GigabitEthernet1/0/1.30]ip address 192.168.30.251 24
[FW5-M-GigabitEthernet1/0/1.30]vrrp vrid 30 virtual-ip 192.168.30.254 active
[FW5-M-GigabitEthernet1/0/1.30]service-manage ping permit
[FW5-M-GigabitEthernet1/0/1.30]quit
[FW5-M]int g1/0/0
[FW5-M-GigabitEthernet1/0/0]ip address 192.168.100.100 24
[FW5-M-GigabitEthernet1/0/0]quit
[FW5-M]int g1/0/2
[FW5-M-GigabitEthernet1/0/2]ip address 202.101.1.2 24
[FW5-M-GigabitEthernet1/0/2]service-manage ping permit
[FW5-M-GigabitEthernet1/0/2]quit
Assigning the basic firewall zones
[FW5-M]firewall zone trust                   ## enter the Trust zone
[FW5-M-zone-trust]add interface g1/0/1.10    ## add interface g1/0/1.10 to the Trust zone
[FW5-M-zone-trust]add interface g1/0/1.20    ## add interface g1/0/1.20 to the Trust zone
[FW5-M-zone-trust]quit                       ## back to system view
[FW5-M]firewall zone dmz                     ## enter the DMZ zone
[FW5-M-zone-dmz]add interface g1/0/1.30      ## add interface g1/0/1.30 to the DMZ zone
[FW5-M-zone-dmz]quit
[FW5-M]firewall zone untrust
[FW5-M-zone-untrust]add interface g1/0/2
[FW5-M-zone-untrust]quit
Deploying HRP (Huawei Redundancy Protocol)
[FW5-M]firewall zone name HRP id 6         ## first create a zone named HRP with id 6
[FW5-M-zone-HRP]set priority 90            ## set the zone priority to 90
[FW5-M-zone-HRP]add interface g1/0/0       ## add interface g1/0/0 to the HRP zone
[FW5-M-zone-HRP]quit                       ## back to system view
[FW5-M]hrp enable                          ## enable HRP
Info: NAT IP detect function is disabled.
HRP_S[FW5-M]hrp interface GigabitEthernet 1/0/0 remote 192.168.100.200
## use g1/0/0 as the HRP heartbeat interface; the peer address is 192.168.100.200
HRP_S[FW5-M]quit

FW6-B

Preliminary steps
<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]sysname FW6-B
[FW6-B]undo info-center enable
Info: Information center is disabled.
Router-on-a-stick and VRRP
[FW6-B]int g1/0/1.10
[FW6-B-GigabitEthernet1/0/1.10]vlan-type dot1q 10
[FW6-B-GigabitEthernet1/0/1.10]ip address 192.168.10.252 24
[FW6-B-GigabitEthernet1/0/1.10]vrrp vrid 10 virtual-ip 192.168.10.254 standby
## deploy VRRP group 10 with virtual IP 192.168.10.254; this device is standby (backup)
[FW6-B-GigabitEthernet1/0/1.10]service-manage ping permit
[FW6-B-GigabitEthernet1/0/1.10]quit
[FW6-B]int g1/0/1.20
[FW6-B-GigabitEthernet1/0/1.20]vlan-type dot1q 20
[FW6-B-GigabitEthernet1/0/1.20]ip address 192.168.20.252 24
[FW6-B-GigabitEthernet1/0/1.20]vrrp vrid 20 virtual-ip 192.168.20.254 standby
[FW6-B-GigabitEthernet1/0/1.20]service-manage ping permit
[FW6-B-GigabitEthernet1/0/1.20]quit
[FW6-B]int g1/0/1.30
[FW6-B-GigabitEthernet1/0/1.30]vlan-type dot1q 30
[FW6-B-GigabitEthernet1/0/1.30]service-manage ping permit
[FW6-B-GigabitEthernet1/0/1.30]ip address 192.168.30.252 24
[FW6-B-GigabitEthernet1/0/1.30]vrrp vrid 30 virtual-ip 192.168.30.254 standby
[FW6-B-GigabitEthernet1/0/1.30]quit
[FW6-B]int g1/0/0
[FW6-B-GigabitEthernet1/0/0]ip address 192.168.100.200 24
[FW6-B-GigabitEthernet1/0/0]quit
[FW6-B]int g1/0/2
[FW6-B-GigabitEthernet1/0/2]ip address 202.101.1.3 24
[FW6-B-GigabitEthernet1/0/2]service-manage ping permit
[FW6-B-GigabitEthernet1/0/2]quit
Assigning the basic firewall zones
[FW6-B]firewall zone trust
[FW6-B-zone-trust]add interface g1/0/1.10
[FW6-B-zone-trust]add interface g1/0/1.20
[FW6-B-zone-trust]quit
[FW6-B]firewall zone dmz
[FW6-B-zone-dmz]add interface GigabitEthernet1/0/1.30
[FW6-B-zone-dmz]quit
[FW6-B]firewall zone untrust
[FW6-B-zone-untrust]add interface g1/0/2        ## the public-facing interface g1/0/2 (matches the FW6_B configuration document)
[FW6-B-zone-untrust]quit
Deploying HRP (Huawei Redundancy Protocol)
[FW6-B]firewall zone name HRP id 6
[FW6-B-zone-HRP]set priority 90
[FW6-B-zone-HRP]add interface g1/0/0
[FW6-B-zone-HRP]quit
[FW6-B]hrp enable
HRP_S[FW6-B]hrp interface GigabitEthernet 1/0/0 remote 192.168.100.100
HRP_S[FW6-B]quit

HRP_M[FW5-M]security-policy (+B)         ## (+B) means the command is synchronized to the backup
HRP_S[FW6-B]security-policy
Error: The device is in HRP standby state, so this command can not be executed.

For some configuration, only the master firewall can be configured; it synchronizes that configuration to the backup firewall, and the backup cannot be configured directly.

LSW2

[LSW2]sysname LSW2
[LSW2]undo info-center enable
Info: Information center is disabled.
[LSW2]vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[LSW2]interface Ethernet0/0/1
[LSW2-Ethernet0/0/1]port link-type trunk
[LSW2-Ethernet0/0/1]port trunk allow-pass vlan all
[LSW2-Ethernet0/0/1]quit
[LSW2]interface Ethernet0/0/2
[LSW2-Ethernet0/0/2]port link-type trunk
[LSW2-Ethernet0/0/2]port trunk allow-pass vlan all
[LSW2-Ethernet0/0/2]quit
[LSW2]interface Ethernet0/0/3
[LSW2-Ethernet0/0/3]port link-type access
[LSW2-Ethernet0/0/3]port default vlan 10
[LSW2-Ethernet0/0/3]quit
[LSW2]interface Ethernet0/0/4
[LSW2-Ethernet0/0/4]port link-type access
[LSW2-Ethernet0/0/4]port default vlan 20
[LSW2-Ethernet0/0/4]quit
[LSW2]interface Ethernet0/0/5
[LSW2-Ethernet0/0/5]port link-type access
[LSW2-Ethernet0/0/5]port default vlan 30
[LSW2-Ethernet0/0/5]quit

PC


NAT

SNAT: Easy IP

## first permit traffic from Trust to Untrust
HRP_M[FW5-M]security-policy  (+B)
HRP_M[FW5-M-policy-security]rule name T_U (+B)
HRP_M[FW5-M-policy-security-rule-T_U]source-zone trust  (+B)
HRP_M[FW5-M-policy-security-rule-T_U]destination-zone untrust  (+B)
HRP_M[FW5-M-policy-security-rule-T_U]action permit  (+B)
HRP_M[FW5-M-policy-security-rule-T_U]quit
HRP_M[FW5-M-policy-security]quit
## configure SNAT
HRP_M[FW5-M]nat-policy  (+B)
HRP_M[FW5-M-policy-nat]rule name SNAT (+B)
HRP_M[FW5-M-policy-nat-rule-SNAT]source-zone trust  (+B)
HRP_M[FW5-M-policy-nat-rule-SNAT]destination-zone untrust  (+B)
HRP_M[FW5-M-policy-nat-rule-SNAT]action source-nat easy-ip  (+B)
HRP_M[FW5-M-policy-nat-rule-SNAT]quit
HRP_M[FW5-M-policy-nat]quit
The public network is reachable, so SNAT is working as well

Communication works

DNAT: mapping the internal server's service to the public network

## the security policy matches the post-NAT (private) address 192.168.30.100, because the USG applies destination NAT before the security-policy check
HRP_M[FW5-M]security-policy  (+B)
HRP_M[FW5-M-policy-security]rule name U_D (+B)
HRP_M[FW5-M-policy-security-rule-U_D]source-zone untrust  (+B)
HRP_M[FW5-M-policy-security-rule-U_D]destination-address 192.168.30.100 32  (+B)
HRP_M[FW5-M-policy-security-rule-U_D]action permit  (+B)
HRP_M[FW5-M-policy-security-rule-U_D]quit
HRP_M[FW5-M-policy-security]quit
HRP_M[FW5-M]nat-policy  (+B)
HRP_M[FW5-M-policy-nat]rule name DNAT (+B)
HRP_M[FW5-M-policy-nat-rule-DNAT]source-zone untrust (+B)
HRP_M[FW5-M-policy-nat-rule-DNAT]destination-address 202.101.1.100 mask 255.255.255.255 (+B)
HRP_M[FW5-M-policy-nat-rule-DNAT]action destination-nat static address-to-address address 192.168.30.100 (+B)
HRP_M[FW5-M-policy-nat-rule-DNAT]quit
HRP_M[FW5-M-policy-nat]quit

Mapped to the public network successfully: the public network can reach the server, so DNAT works

Viewing the session table

HRP

HRP (Huawei Redundancy Protocol), Huawei's heartbeat protocol
It synchronizes state data between the two firewalls of a hot-standby pair and backs up policies and key commands.

If the master firewall fails, traffic is carried by the backup firewall instead.
Backup channel: the heartbeat link (the cable directly connecting the two devices)
Corresponding interface: the HRP heartbeat interface
The data backed up between the two FWs is sent and received through the heartbeat interfaces and carried over the heartbeat link (the backup channel).
– The heartbeat interface must be an interface with independent state and its own IP address; it can be a physical interface (a GE interface) or, to increase bandwidth, an Eth-Trunk logical interface bundled from several physical interfaces.

Default HRP priority: local_priority=45000
① By default, the device with the higher priority becomes master
② If both sides have the same priority, master/backup election follows the VGMP group state: VRRP master → HRP master

If you elect master/backup by changing priorities, take care not to set the backup firewall's priority too low; otherwise, after a fault, the master's priority may still be higher than the backup's and no switchover occurs.
HRP_M: HRP master
HRP_S: HRP backup

Configuration documents

FW5_M

#
sysname FW5-M
#
undo info-center enable
#
hrp enable
hrp interface GigabitEthernet1/0/0 remote 192.168.100.200
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 192.168.10.251 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.10.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 ip address 192.168.20.251 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/1.30
 vlan-type dot1q 30
 ip address 192.168.30.251 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.30.254 active
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 ip address 202.101.1.2 255.255.255.0
 service-manage ping permit
#
firewall zone trust
 add interface GigabitEthernet1/0/1.10
 add interface GigabitEthernet1/0/1.20
#
firewall zone untrust
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 add interface GigabitEthernet1/0/1.30
#
firewall zone name HRP id 6
 set priority 90
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 202.101.1.1
#
security-policy
 rule name SNAT
  source-zone trust
  destination-zone untrust
 rule name T_U
  source-zone trust
  destination-zone untrust
  action permit
 rule name U_D
  source-zone untrust
  destination-address 192.168.30.100 mask 255.255.255.255
  action permit
#
nat-policy
 rule name DNAT
  source-zone untrust
  destination-address 202.101.1.100 mask 255.255.255.255
  action destination-nat static address-to-address address 192.168.30.100
 rule name SNAT
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip
#

FW6_B

#
sysname FW6-B
#
undo info-center enable
#
hrp enable
hrp interface GigabitEthernet1/0/0 remote 192.168.100.100
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 192.168.100.200 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 192.168.10.252 255.255.255.0
 vrrp vrid 10 virtual-ip 192.168.10.254 standby
 service-manage ping permit
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 ip address 192.168.20.252 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.254 standby
 service-manage ping permit
#
interface GigabitEthernet1/0/1.30
 vlan-type dot1q 30
 ip address 192.168.30.252 255.255.255.0
 vrrp vrid 30 virtual-ip 192.168.30.254 standby
 service-manage ping permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 202.101.1.3 255.255.255.0
 service-manage ping permit
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1.10
 add interface GigabitEthernet1/0/1.20
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/1.30
#
firewall zone name HRP id 6
 set priority 90
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 202.101.1.1
#
security-policy
 rule name SNAT
  source-zone trust
  destination-zone untrust
 rule name T_U
  source-zone trust
  destination-zone untrust
  action permit
 rule name U_D
  source-zone untrust
  destination-address 192.168.30.100 mask 255.255.255.255
  action permit
#
nat-policy
 rule name DNAT
  source-zone untrust
  destination-address 202.101.1.100 mask 255.255.255.255
  action destination-nat static address-to-address address 192.168.30.100
 rule name SNAT
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip

LSW2

#
sysname LSW2
#
undo info-center enable
#
vlan batch 10 20 30
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan all
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan all
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 20
#
interface Ethernet0/0/5
 port link-type access
 port default vlan 30

ISP

#
interface GigabitEthernet0/0/0
 ip address 202.101.1.1 255.255.255.0
#
interface LoopBack0
 ip address 8.8.8.8 255.255.255.255
#
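As an added example (not part of the original post), the following Python script checks that an HRP master/backup pair is configured consistently: each firewall's hrp remote address must be the peer's heartbeat-interface address, every VRRP group must carry the same virtual IP with the master active and the backup standby, and the security-policy and nat-policy bodies must be identical, which is what (+B) synchronization is supposed to guarantee. Its input is a constructed, abbreviated version of the FW5_M and FW6_B configuration documents above; parse and check_pair are names chosen here, not Huawei tooling.

```python
import re
# Constructed sample input: an abbreviated form of this page's FW5_M configuration document.
FW5_M = """\
hrp interface GigabitEthernet1/0/0 remote 192.168.100.200
#
interface GigabitEthernet1/0/0
 ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet1/0/1.30
 vrrp vrid 30 virtual-ip 192.168.30.254 active
#
nat-policy
 rule name DNAT
  action destination-nat static address-to-address address 192.168.30.100
"""
# FW6_B is the same with the heartbeat addresses swapped and the VRRP role flipped, as on the page.
FW6_B = (FW5_M.replace("remote 192.168.100.200", "remote 192.168.100.100")
              .replace("address 192.168.100.100 ", "address 192.168.100.200 ")
              .replace(" active", " standby"))
def parse(cfg):  # extract HRP peer, interface IPs, VRRP groups and policy bodies from a '#'-delimited config
    facts, head = {"hrp": None, "ip": {}, "vrrp": {}, "policy": {}}, ""
    for line in cfg.splitlines():
        s = line.strip()
        if not line[:1].isspace():   # an unindented line starts a block; '#' closes one
            head = "" if s == "#" else s
        if s in ("", "#"):
            continue
        if m := re.match(r"hrp interface (\S+) remote (\S+)", s):
            facts["hrp"] = m.groups()
        elif (m := re.match(r"ip address (\S+)", s)) and head.startswith("interface "):
            facts["ip"][head.split()[1]] = m.group(1)
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)", s):
            facts["vrrp"][m.group(1)] = (m.group(2), m.group(3))
        elif head.endswith("-policy") and s != head:
            facts["policy"].setdefault(head, []).append(s)
    return facts
def check_pair(master_cfg, backup_cfg):
    """Return findings for an HRP master/backup pair; an empty list means the pair is consistent."""
    m, b, findings = parse(master_cfg), parse(backup_cfg), []
    for me, peer, name in ((m, b, "master"), (b, m, "backup")):
        if peer["ip"].get(peer["hrp"][0]) != me["hrp"][1]:
            findings.append(f"{name}: hrp remote {me['hrp'][1]} is not the peer's heartbeat address")
    for vrid in sorted(m["vrrp"].keys() | b["vrrp"].keys()):
        mv, bv = m["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if not (mv and bv and mv[0] == bv[0] and (mv[1], bv[1]) == ("active", "standby")):
            findings.append(f"vrid {vrid}: master {mv} vs backup {bv}")
    if m["policy"] != b["policy"]:
        findings.append("security-policy/nat-policy differ: not synchronized by HRP")
    return findings
```

Running check_pair against the two full configuration documents above would flag nothing, since they differ only in heartbeat addresses, VRRP roles and the extra zone-priority lines, which the checker ignores.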

http://www.ppmy.cn/embedded/33091.html
