As shown in Figure 1:
The device acts as a security gateway.
The internal network is divided into Network A and Network B. Users in Network A and Network B are isolated from each other.
Network A and Network B reach the Internet through one public interface on the device. Users in Network A are translated to public address 1.1.1.100 and users in Network B to public address 1.1.1.101.
Users in the Internet access the Web interface of Server A (10.0.1.3) in Network A through public address 1.1.1.2 and TCP port 8080.
This configuration example was created and verified on an M9000-AI-E8 device running R9071.
Configuring the default vSystem:
1. Create vSystems and assign interfaces to the vSystems:
# Create vSystem vsys1 and configure a description for the vSystem.
<Device> system-view
[Device] vsys vsys1
[Device-vsys-2-vsys1] description vsys-1
# Assign interface GigabitEthernet 1/0/2 to vSystem vsys1.
[Device-vsys-2-vsys1] allocate interface gigabitethernet 1/0/2
Some configurations on the interface are removed.
[Device-vsys-2-vsys1] quit
# Create vSystem vsys2 and configure a description for the vSystem.
[Device] vsys vsys2
[Device-vsys-3-vsys2] description vsys-2
# Assign interface GigabitEthernet 1/0/3 to vSystem vsys2.
[Device-vsys-3-vsys2] allocate interface gigabitethernet 1/0/3
Some configurations on the interface are removed.
[Device-vsys-3-vsys2] quit
2. Assign IP addresses to interfaces and add interfaces to security zones:
# Assign IP addresses to interfaces.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 1.1.1.1 24
[Device-GigabitEthernet1/0/1] quit
# Add interfaces to security zones.
[Device] security-zone name trust
[Device-security-zone-Trust] import interface vsys-interface 1
[Device-security-zone-Trust] quit
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Device-security-zone-Untrust] quit
3. Configure settings for routing:
This example configures static routes.
# Configure a default route for internal users to access the Internet through the default vSystem. The next hop IP address is 1.1.1.2.
[Device] ip route-static 0.0.0.0 0 1.1.1.2
# Configure a static route that directs traffic from external users to Network A into vSystem vsys1.
[Device] ip route-static 10.0.1.0 24 vpn-instance vsys1
# Configure a static route that directs traffic from external users to Network B into vSystem vsys2.
[Device] ip route-static 10.0.2.0 24 vpn-instance vsys2
4. Configure the IPv4 security policy:
# Configure a rule named untrust-trust to allow external users to access Server A.
[Device] security-policy ip
[Device-security-policy-ip] rule name untrust-trust
[Device-security-policy-ip-1-untrust-trust] source-zone untrust
[Device-security-policy-ip-1-untrust-trust] destination-zone trust
[Device-security-policy-ip-1-untrust-trust] destination-ip-host 10.0.1.3
[Device-security-policy-ip-1-untrust-trust] action pass
[Device-security-policy-ip-1-untrust-trust] quit
# Configure a rule named trust-untrust to allow internal users to access the Internet.
[Device-security-policy-ip] rule name trust-untrust
[Device-security-policy-ip-2-trust-untrust] source-zone trust
[Device-security-policy-ip-2-trust-untrust] destination-zone untrust
[Device-security-policy-ip-2-trust-untrust] source-ip-subnet 10.0.1.0 24
[Device-security-policy-ip-2-trust-untrust] source-ip-subnet 10.0.2.0 24
[Device-security-policy-ip-2-trust-untrust] action pass
[Device-security-policy-ip-2-trust-untrust] quit
[Device-security-policy-ip] quit
5. Configure NAT:
# Create address group 1 that contains public address 1.1.1.100, and create address group 2 that contains public address 1.1.1.101.
[Device] nat address-group 1
[Device-address-group-1] address 1.1.1.100 1.1.1.100
[Device-address-group-1] quit
[Device] nat address-group 2
[Device-address-group-2] address 1.1.1.101 1.1.1.101
[Device-address-group-2] quit
# Configure ACL 2000, and create a rule to permit the packets only from Network A to be translated. Configure ACL 2001, and create a rule to permit the packets only from Network B to be translated.
[Device] acl basic 2000
[Device-acl-ipv4-basic-2000] rule permit source 10.0.1.0 0.0.0.255
[Device-acl-ipv4-basic-2000] quit
[Device] acl basic 2001
[Device-acl-ipv4-basic-2001] rule permit source 10.0.2.0 0.0.0.255
[Device-acl-ipv4-basic-2001] quit
# Configure an outbound NAT rule to allow users in Network A to use addresses in address group 1 to access the Internet. Configure an outbound NAT rule to allow users in Network B to use addresses in address group 2 to access the Internet.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] nat outbound 2000 address-group 1
[Device-GigabitEthernet1/0/1] nat outbound 2001 address-group 2
# Configure a NAT internal server so that external users can reach the Web service of Server A through global address 1.1.1.2 and TCP port 8080. The http keyword maps to TCP port 80 on the server.
[Device-GigabitEthernet1/0/1] nat server protocol tcp global 1.1.1.2 8080 inside 10.0.1.3 http
[Device-GigabitEthernet1/0/1] quit
Configuring vSystem vsys1:
1. Log in to vSystem vsys1, assign IP addresses to interfaces, and add interfaces to security zones:
# Log in to vSystem vsys1.
[Device] switchto vsys vsys1
<Device-vsys1> system-view
# Assign IP addresses to interfaces.
[Device-vsys1] interface gigabitethernet 1/0/2
[Device-vsys1-GigabitEthernet1/0/2] ip address 10.0.1.1 24
[Device-vsys1-GigabitEthernet1/0/2] quit
# Add interfaces to security zones.
[Device-vsys1] security-zone name trust
[Device-vsys1-security-zone-Trust] import interface gigabitethernet 1/0/2
[Device-vsys1-security-zone-Trust] quit
[Device-vsys1] security-zone name untrust
[Device-vsys1-security-zone-Untrust] import interface vsys-interface 2
[Device-vsys1-security-zone-Untrust] quit
2. Configure routing. This example configures a default static route whose next hop is the default vSystem (public), so that users in vSystem vsys1 can access the Internet.
[Device-vsys1] ip route-static 0.0.0.0 0 public
3. Configure the IPv4 security policy:
# Configure a rule named untrust-trust to allow external users to access Server A.
[Device-vsys1] security-policy ip
[Device-vsys1-security-policy-ip] rule name untrust-trust
[Device-vsys1-security-policy-ip-1-untrust-trust] source-zone untrust
[Device-vsys1-security-policy-ip-1-untrust-trust] destination-zone trust
[Device-vsys1-security-policy-ip-1-untrust-trust] destination-ip-host 10.0.1.3
[Device-vsys1-security-policy-ip-1-untrust-trust] action pass
[Device-vsys1-security-policy-ip-1-untrust-trust] quit
# Configure a rule named trust-untrust to allow internal users to access the Internet.
[Device-vsys1-security-policy-ip] rule name trust-untrust
[Device-vsys1-security-policy-ip-2-trust-untrust] source-zone trust
[Device-vsys1-security-policy-ip-2-trust-untrust] destination-zone untrust
[Device-vsys1-security-policy-ip-2-trust-untrust] source-ip-subnet 10.0.1.0 24
[Device-vsys1-security-policy-ip-2-trust-untrust] action pass
4. Return to the default vSystem from vSystem vsys1.
[Device-vsys1-security-policy-ip-2-trust-untrust] return
<Device-vsys1> quit
[Device]
Configuring vSystem vsys2:
1. Log in to vSystem vsys2, assign IP addresses to interfaces, and add interfaces to security zones:
# Log in to vSystem vsys2.
[Device] switchto vsys vsys2
<Device-vsys2> system-view
# Assign IP addresses to interfaces.
[Device-vsys2] interface gigabitethernet 1/0/3
[Device-vsys2-GigabitEthernet1/0/3] ip address 10.0.2.1 24
[Device-vsys2-GigabitEthernet1/0/3] quit
# Add interfaces to security zones.
[Device-vsys2] security-zone name trust
[Device-vsys2-security-zone-Trust] import interface gigabitethernet 1/0/3
[Device-vsys2-security-zone-Trust] quit
[Device-vsys2] security-zone name untrust
[Device-vsys2-security-zone-Untrust] import interface vsys-interface 3
[Device-vsys2-security-zone-Untrust] quit
2. Configure routing. This example configures a default static route whose next hop is the default vSystem (public), so that users in vSystem vsys2 can access the Internet.
[Device-vsys2] ip route-static 0.0.0.0 0 public
3. Configure a rule named trust-untrust in the IPv4 security policy to allow internal users to access the Internet.
[Device-vsys2] security-policy ip
[Device-vsys2-security-policy-ip] rule name trust-untrust
[Device-vsys2-security-policy-ip-1-trust-untrust] source-zone trust
[Device-vsys2-security-policy-ip-1-trust-untrust] destination-zone untrust
[Device-vsys2-security-policy-ip-1-trust-untrust] source-ip-subnet 10.0.2.0 24
[Device-vsys2-security-policy-ip-1-trust-untrust] action pass
4. Return to the default vSystem from vSystem vsys2.
[Device-vsys2-security-policy-ip-1-trust-untrust] return
<Device-vsys2> quit
[Device]
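The following Python model is an added illustration, not H3C code or device output. It encodes the ACLs, address groups, NAT server mapping and security-policy rules configured above and walks constructed packets through them in the order a firewall applies them: destination NAT before the policy lookup (which is why the untrust-trust rule names the inside address 10.0.1.3 rather than 1.1.1.2), the policy next, and source NAT on the egress interface last. The sample host addresses (10.0.1.5, 10.0.2.5, 192.168.1.5, and 3.3.3.3 as an Internet host) and all function names are assumptions made for this example.

```python
import ipaddress

# ACL 2000 and 2001 as (base, wildcard) rules; a wildcard bit of 0 means "must match".
ACLS = {2000: [("10.0.1.0", "0.0.0.255")], 2001: [("10.0.2.0", "0.0.0.255")]}
ADDRESS_GROUPS = {1: ["1.1.1.100"], 2: ["1.1.1.101"]}
# 'nat outbound' entries on GigabitEthernet1/0/1 in the order the configuration file lists
# them; the order is irrelevant here because the two ACLs match disjoint subnets.
NAT_OUTBOUND = [(2001, 2), (2000, 1)]
# 'nat server protocol tcp global 1.1.1.2 8080 inside 10.0.1.3 http' ("http" is TCP port 80).
NAT_SERVER = {("tcp", "1.1.1.2", 8080): ("10.0.1.3", 80)}


def rule(name, src_zone, dst_zone, src_subnets=(), dst_hosts=(), action="pass"):
    return {"name": name, "src_zone": src_zone, "dst_zone": dst_zone,
            "src_subnets": [ipaddress.IPv4Network(s) for s in src_subnets],
            "dst_hosts": set(dst_hosts), "action": action}


# The security policies exactly as configured in the default vSystem, vsys1 and vsys2.
POLICY_DEFAULT = [rule("untrust-trust", "untrust", "trust", dst_hosts=["10.0.1.3"]),
                  rule("trust-untrust", "trust", "untrust", ["10.0.1.0/24", "10.0.2.0/24"])]
POLICY_VSYS1 = [rule("untrust-trust", "untrust", "trust", dst_hosts=["10.0.1.3"]),
                rule("trust-untrust", "trust", "untrust", ["10.0.1.0/24"])]
POLICY_VSYS2 = [rule("trust-untrust", "trust", "untrust", ["10.0.2.0/24"])]


def acl_permits(acl_number, src_ip):
    """Basic ACL match: compare only the bits the wildcard mask marks as significant."""
    src = int(ipaddress.IPv4Address(src_ip))
    for base, wildcard in ACLS[acl_number]:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if (src & care) == (int(ipaddress.IPv4Address(base)) & care):
            return True
    return False


def policy_lookup(policy, src_zone, dst_zone, src_ip, dst_ip):
    """First matching rule wins; a security policy denies anything no rule matches."""
    src = ipaddress.IPv4Address(src_ip)
    for r in policy:
        if (r["src_zone"], r["dst_zone"]) != (src_zone, dst_zone):
            continue
        if r["src_subnets"] and not any(src in net for net in r["src_subnets"]):
            continue
        if r["dst_hosts"] and dst_ip not in r["dst_hosts"]:
            continue
        return r["action"]
    return "deny"


def outbound(src_ip, dst_ip, vsys_policy):
    """Internal host -> Internet. The host's own vSystem checks trust -> untrust over its
    vSys-interface, the default vSystem checks again, then source NAT runs on GE1/0/1.
    Returns (verdict, translated source address or None)."""
    if policy_lookup(vsys_policy, "trust", "untrust", src_ip, dst_ip) != "pass":
        return ("deny", None)
    if policy_lookup(POLICY_DEFAULT, "trust", "untrust", src_ip, dst_ip) != "pass":
        return ("deny", None)
    for acl_number, group in NAT_OUTBOUND:
        if acl_permits(acl_number, src_ip):
            return ("pass", ADDRESS_GROUPS[group][0])
    return ("pass", src_ip)  # no ACL matched: the private source would leave untranslated


def inbound(proto, dst_ip, dst_port, src_ip):
    """Internet -> Server A. The NAT server mapping is applied first, so the policy is
    evaluated against the inside address; an unmapped flow keeps its global destination
    and therefore matches no untrust -> trust rule."""
    inside_ip, inside_port = NAT_SERVER.get((proto, dst_ip, dst_port), (dst_ip, dst_port))
    if policy_lookup(POLICY_DEFAULT, "untrust", "trust", src_ip, inside_ip) != "pass":
        return ("deny", None)
    return ("pass", (inside_ip, inside_port))


if __name__ == "__main__":
    print(outbound("10.0.1.5", "3.3.3.3", POLICY_VSYS1))    # ('pass', '1.1.1.100')
    print(outbound("10.0.2.5", "3.3.3.3", POLICY_VSYS2))    # ('pass', '1.1.1.101')
    print(outbound("192.168.1.5", "3.3.3.3", POLICY_VSYS1)) # ('deny', None)
    print(inbound("tcp", "1.1.1.2", 8080, "3.3.3.3"))       # ('pass', ('10.0.1.3', 80))
    print(inbound("tcp", "1.1.1.2", 22, "3.3.3.3"))         # ('deny', None)
    # A Network A host reaching into Network B enters vsys2 on vSys-interface3, which is
    # in vsys2's untrust zone; vsys2 has no untrust -> trust rule, so it is denied there
    # no matter what the default vSystem does with the packet.
    print(policy_lookup(POLICY_VSYS2, "untrust", "trust", "10.0.1.5", "10.0.2.5"))  # deny
```

The last call is the isolation guarantee in this design: even though the default vSystem's trust-untrust rule carries both internal subnets, each non-default vSystem admits only its own subnet outbound and nothing inbound except the pinned server, so cross-network traffic is dropped by the destination vSystem's own policy.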
# Verify that the vSystems are running correctly on the device. The device has three active vSystems.
[Device] display vsys
ID   Name    Status   Description
1    Admin   Active   Default
2    vsys1   Active   vsys-1
3    vsys2   Active   vsys-2
# Verify that users in the Internet can use URL http://1.1.1.2:8080 to access Server A.
# Verify that users in Network A can access the Internet.
C:\> ping 3.3.3.3
Pinging 3.3.3.3 with 32 bytes of data:
Reply from 3.3.3.3: bytes=32 time=51ms TTL=255
Reply from 3.3.3.3: bytes=32 time=44ms TTL=255
Reply from 3.3.3.3: bytes=32 time=1ms TTL=255
Reply from 3.3.3.3: bytes=32 time=1ms TTL=255
Ping statistics for 3.3.3.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 51ms, Average = 24ms
# Verify that users in Network B can access the Internet.
C:\> ping 3.3.3.3
Pinging 3.3.3.3 with 32 bytes of data:
Reply from 3.3.3.3: bytes=32 time=25ms TTL=255
Reply from 3.3.3.3: bytes=32 time=36ms TTL=255
Reply from 3.3.3.3: bytes=32 time=1ms TTL=255
Reply from 3.3.3.3: bytes=32 time=1ms TTL=255
Ping statistics for 3.3.3.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 36ms, Average = 16ms
Configuration file (the default vSystem, followed by vSystems vsys1 and vsys2):
#
vsys vsys1 id 2
 description vsys-1
 allocate interface GigabitEthernet1/0/2
#
vsys vsys2 id 3
 description vsys-2
 allocate interface GigabitEthernet1/0/3
#
nat address-group 1
 address 1.1.1.100 1.1.1.100
#
nat address-group 2
 address 1.1.1.101 1.1.1.101
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 nat outbound 2001 address-group 2
 nat outbound 2000 address-group 1
 nat server protocol tcp global 1.1.1.2 8080 inside 10.0.1.3 http
#
interface GigabitEthernet1/0/2
 ip address 10.0.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 10.0.2.1 255.255.255.0
#
security-zone name Trust
 import interface vSys-interface1
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
 ip route-static 0.0.0.0 0 1.1.1.2
 ip route-static 10.0.1.0 24 vpn-instance vsys1
 ip route-static 10.0.2.0 24 vpn-instance vsys2
#
acl basic 2000
 rule 0 permit source 10.0.1.0 0.0.0.255
#
acl basic 2001
 rule 0 permit source 10.0.2.0 0.0.0.255
#
security-policy ip
 rule 0 name untrust-trust
  action pass
  source-zone untrust
  destination-zone trust
  destination-ip-host 10.0.1.3
 rule 1 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 10.0.1.0 255.255.255.0
  source-ip-subnet 10.0.2.0 255.255.255.0
#
switchto vsys vsys1
#
security-zone name Trust
 import interface GigabitEthernet1/0/2
#
security-zone name Untrust
 import interface vSys-interface2
#
 ip route-static 0.0.0.0 0 public
#
security-policy ip
 rule 0 name untrust-trust
  action pass
  source-zone untrust
  destination-zone trust
  destination-ip-host 10.0.1.3
 rule 1 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 10.0.1.0 255.255.255.0
#
switchto vsys vsys2
#
security-zone name Trust
 import interface GigabitEthernet1/0/3
#
security-zone name Untrust
 import interface vSys-interface3
#
 ip route-static 0.0.0.0 0 public
#
user-group system
#
security-policy ip
 rule 0 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 10.0.2.0 255.255.255.0
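The configuration file is the artifact that drifts over time, so a practitioner wants a repeatable check on it rather than a one-off ping. The Python linter below is an added example, not an H3C tool or code from this page. It splits the file at the switchto vsys lines, derives each non-default vSystem's subnet from the interface allocated to it, and verifies the isolation properties this design relies on: a vSystem's pass rules only admit sources inside its own subnet, any untrust-to-trust pass rule is pinned to a destination host, and a Trust zone imports only interfaces allocated to that vSystem. CONFIG is an excerpt of the configuration file shown above (only the blocks the checks read); the function names and the Admin label for the default vSystem section are this example's own choices.

```python
import ipaddress

# Excerpt of the configuration file above: the blocks the checks below read.
CONFIG = """\
vsys vsys1 id 2
 allocate interface GigabitEthernet1/0/2
#
vsys vsys2 id 3
 allocate interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/2
 ip address 10.0.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
 ip address 10.0.2.1 255.255.255.0
#
switchto vsys vsys1
#
security-zone name Trust
 import interface GigabitEthernet1/0/2
#
security-policy ip
 rule 0 name untrust-trust
  action pass
  source-zone untrust
  destination-zone trust
  destination-ip-host 10.0.1.3
 rule 1 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 10.0.1.0 255.255.255.0
#
switchto vsys vsys2
#
security-zone name Trust
 import interface GigabitEthernet1/0/3
#
security-policy ip
 rule 0 name trust-untrust
  action pass
  source-zone trust
  destination-zone untrust
  source-ip-subnet 10.0.2.0 255.255.255.0
"""

def split_vsys(text):
    # Group the '#'-delimited blocks by vSystem; the file starts in the default one.
    sections, current, block = {"Admin": []}, "Admin", []
    for line in (l.strip() for l in text.splitlines() + ["#"]):
        if line.startswith("switchto vsys "):
            current = line.split()[2]
            sections.setdefault(current, [])
        elif line in ("", "#"):
            if block:
                sections[current].append(block)
            block = []
        else:
            block.append(line)
    return sections

def parse_rules(block):
    # Turn a 'security-policy ip' block into one dict per rule.
    rules = []
    for p in (line.split() for line in block[1:]):
        if p[0] == "rule":
            rules.append({"name": p[3], "src_subnets": [], "dst_hosts": []})
        elif p[0] in ("action", "source-zone", "destination-zone"):
            rules[-1][p[0]] = p[1].lower()
        elif p[0] == "source-ip-subnet":
            rules[-1]["src_subnets"].append(ipaddress.IPv4Network(f"{p[1]}/{p[2]}"))
        elif p[0] == "destination-ip-host":
            rules[-1]["dst_hosts"].append(p[1])
    return rules

def find_violations(text):
    # Returns human-readable findings; an empty list means the isolation checks hold.
    sections, iface_net, allocated, findings = split_vsys(text), {}, {}, []
    for block in sections["Admin"]:
        head = block[0].split()
        if head[0] == "interface":
            for line in block[1:]:
                if line.startswith("ip address "):
                    iface_net[head[1]] = ipaddress.IPv4Interface("/".join(line.split()[2:4])).network
        elif head[0] == "vsys":
            allocated[head[1]] = {l.split()[2] for l in block[1:] if l.startswith("allocate interface ")}
    for vsys, blocks in sections.items():
        if vsys == "Admin":
            continue  # the default vSystem legitimately routes and NATs for both networks
        own_ifaces = allocated.get(vsys, set())
        own_nets = [iface_net[i] for i in own_ifaces if i in iface_net]
        for block in blocks:
            head = block[0].split()
            if head[0] == "security-zone" and head[-1].lower() == "trust":
                for iface in (line.split()[-1] for line in block[1:]):
                    if iface not in own_ifaces:
                        findings.append(f"{vsys}: Trust zone imports {iface}, which is not allocated to it")
            elif head[0] == "security-policy":
                for r in parse_rules(block):
                    if r.get("action") != "pass":
                        continue
                    zones = (r.get("source-zone"), r.get("destination-zone"))
                    if zones == ("untrust", "trust") and not r["dst_hosts"]:
                        findings.append(f"{vsys}: rule {r['name']} passes untrust->trust to any host")
                    for net in r["src_subnets"]:
                        if not any(net.subnet_of(own) for own in own_nets):
                            findings.append(f"{vsys}: rule {r['name']} passes {net}, outside {own_nets}")
    return findings
```

Run find_violations against the output of display current-configuration after every change; the page's configuration yields no findings, while widening vsys2's source-ip-subnet to 10.0.0.0/16, importing Network A's interface into vsys2's Trust zone, or dropping destination-ip-host from an untrust-to-trust rule each produces a finding naming the vSystem and rule.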