VRRP+NAT案例
配置:
#PC1
# Test host on the outside segment; its gateway is SW1's Vlan-interface1 address.
IP:192.168.137.10
GW:192.168.137.1
#PC2
# Test host on the inside segment; its gateway 192.168.30.2 is the VRRP virtual IP
# configured on GigabitEthernet1/0/3 of FW1 and FW2, not a physical interface address.
IP:192.168.30.10
GW:192.168.30.2
#SW1(internet)
# Stands in for the upstream/Internet router. 192.168.137.1 is the gateway of PC1
# and the next hop of the default route on both firewalls.
sysname Internet
interface Vlan-interface1
ip address 192.168.137.1 255.255.255.0
#SW2
# Inside host that is published to the outside segment: both firewalls map
# global 192.168.137.4 to this switch's address 192.168.30.254 with "nat server".
sysname SW
interface Vlan-interface1
ip address 192.168.30.254 255.255.255.0
# Telnet sends the login and the whole session in cleartext. Because the NAT
# mapping on the firewalls carries no protocol/port restriction and the firewall
# policy is permit-all, this Telnet service is reachable from the Untrust side.
# Outside a lab, use SSH for management (ssh server enable / service-type ssh)
# and leave Telnet disabled.
telnet server enable
line vty 0 4
# "scheme" means logins are checked against AAA, here the local-user below.
authentication-mode scheme
# NOTE(review): with scheme authentication the effective role is expected to come
# from the local-user's authorization-attribute rather than this line - confirm.
user-role network-admin
quit
local-user admin
# The password is entered in plaintext and is published on this page, so treat
# this value as known to everyone: never reuse it, and set a unique password on
# any real device. The account also holds network-admin (full control).
password simple gh2023meng
service-type telnet
authorization-attribute user-role network-admin
# Default route points at the inside VRRP virtual IP, so traffic follows
# whichever firewall currently owns 192.168.30.2.
ip route-static 0.0.0.0 0 192.168.30.2
#FW1
# Primary firewall of the pair (device-role primary at the end of this section).
sysname FW1
# Outbound NAT pool with a single address, 192.168.137.3, which is also the
# virtual IP of VRRP group 1 on the outside interface.
nat address-group 1
address 192.168.137.3 192.168.137.3
# Link to FW2 (10.1.1.0/30), used below as the remote-backup data channel.
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.1.1.1 255.255.255.252
# Inside (Trust) interface; 192.168.30.2 is the gateway used by PC2 and SW2.
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 192.168.30.1 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.30.2 active
# Outside (Untrust) interface.
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
# NOTE(review): the outside interface of the primary is administratively down in
# this listing - presumably left over from a failover test. Confirm before reuse;
# while it is shut down FW1 cannot forward to the outside segment.
shutdown
ip address 192.168.137.2 255.255.255.0
# Group 1 virtual IP = outbound NAT address; group 2 virtual IP = published server address.
vrrp vrid 1 virtual-ip 192.168.137.3 active
vrrp vrid 2 virtual-ip 192.168.137.4 active
# Source-translate traffic leaving this interface to the address in group 1.
nat outbound address-group 1
# One-to-one mapping with no protocol or port given: every service on
# 192.168.30.254 (including its Telnet login) is presented on 192.168.137.4.
# Restrict the mapping to the protocol/port that actually has to be published.
nat server global 192.168.137.4 inside 192.168.30.254 rule ServerRule_1
security-zone name Trust
import interface GigabitEthernet1/0/3
security-zone name Untrust
import interface GigabitEthernet1/0/1
ip route-static 0.0.0.0 0 192.168.137.1
# The only rule has no zone, address or service match and passes everything, so
# the firewall filters nothing between Untrust and Trust. Acceptable only for
# proving the VRRP/NAT behaviour in a lab; in production replace it with rules
# scoped by source-zone, destination-zone, destination address and service.
security-policy ip
rule 0 name permit-all
action pass
# HA pairing with FW2 over GigabitEthernet1/0/2.
# NOTE(review): presumably a dedicated point-to-point link; keep it off shared
# segments - confirm the cabling.
remote-backup group
data-channel interface GigabitEthernet1/0/2
local-ip 10.1.1.1
remote-ip 10.1.1.2
device-role primary
#FW2
# Secondary firewall of the pair; mirrors FW1 except for addresses, the
# standby keyword on the VRRP groups and the device role.
sysname FW2
# NOTE(review): Telnet is enabled here but not on FW1, and no vty or local-user
# configuration for FW2 appears in this listing. With the permit-all policy below
# the service is not filtered by zone; remove this line if Telnet management of
# the firewall is not intended, and prefer SSH where it is.
telnet server enable
# Same single-address outbound NAT pool as FW1 (the group 1 virtual IP).
nat address-group 1
address 192.168.137.3 192.168.137.3
# Link to FW1 (10.1.1.0/30), used below as the remote-backup data channel.
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.1.1.2 255.255.255.252
# Inside (Trust) interface; standby for the gateway address 192.168.30.2.
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 192.168.30.3 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.30.2 standby
# Outside (Untrust) interface; unlike FW1's, it is not shut down in this listing.
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.137.5 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.137.3 standby
vrrp vrid 2 virtual-ip 192.168.137.4 standby
nat outbound address-group 1
# One-to-one mapping with no protocol or port given: every service on
# 192.168.30.254 is presented on 192.168.137.4. Restrict it to what must be published.
nat server global 192.168.137.4 inside 192.168.30.254 rule ServerRule_1
security-zone name Trust
import interface GigabitEthernet1/0/3
security-zone name Untrust
import interface GigabitEthernet1/0/1
ip route-static 0.0.0.0 0 192.168.137.1
# Same permit-all rule as on FW1: nothing is filtered between zones. Lab use only;
# scope the rules by zone, address and service before any production use.
security-policy ip
rule 0 name permit-all
action pass
# HA pairing with FW1; local and remote addresses are the reverse of FW1's.
remote-backup group
data-channel interface GigabitEthernet1/0/2
local-ip 10.1.1.2
remote-ip 10.1.1.1
device-role secondary