Cisco | Forti Firewall Internet Connection - Scenario 2
This lab is almost the same as the previous one, Forti Firewall Internet Connection - Scenario 1. The differences in this second scenario are:

  1. Firewall redundancy in HA mode: the priority value of the primary firewall is 255 and the secondary is 128, and the link-to-LAN interface is in redundant mode.
  2. On the EDGE switch side, an HSRP IP is used and the IP is configured on the VLAN interface, not on the physical interface. Everything else is the same.

Let's go straight into the lab and configure each device. Our goal here is for the users/servers in the server farm area to be able to access the internet.

Configuration of each device.


hostname R-INET-01
!
interface GigabitEthernet0/0
 description LINK-TO-FW-T1-01
 ip address 11.11.11.2 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 standby 1 ip 11.11.11.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 100 decrement 20
 no shut
 exit
!
interface GigabitEthernet0/1
 description LINK-to-R-INET-02
 ip address 11.11.11.253 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 no shut
 exit
!
interface GigabitEthernet0/2
 ip address 10.0.137.102 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no shut
 exit
!
router ospf 1
!
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 10.0.137.1
!
router bgp 65123
 network 11.11.11.0 mask 255.255.255.0
 redistribute static
 neighbor 11.11.11.254 remote-as 65123
 neighbor 11.11.11.254 soft-reconfiguration inbound
 neighbor 11.11.11.254 next-hop-self
 default-information originate
!

hostname SW-EDGE-01
interface Loopback1
 ip address 12.168.255.2 255.255.255.255
 ip ospf 1 area 0
!
interface GigabitEthernet0/0
 switchport access vlan 152
 negotiation auto
!
interface GigabitEthernet0/2
 switchport access vlan 152
 negotiation auto
!
interface Vlan152
 description LINK-TO-FW-T1-01
 ip address 12.12.12.2 255.255.255.248
 standby 1 ip 12.12.12.1
 standby 1 priority 110
 standby 1 preempt
 ip ospf 1 area 0
!
interface GigabitEthernet0/1
 description LINK-tSW-CORE-01
 no switchport
 ip address 13.13.13.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 negotiation auto
!
interface GigabitEthernet0/3
 description TO-SW-EDGE-02
 channel-group 1 mode active
 no switchport
 no shutdown
!
interface GigabitEthernet1/1
 description TO-SW-EDGE-02
 no shutdown
 channel-group 1 mode active
 no switchport
!
interface Port-channel1
 no switchport
 ip address 17.17.17.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 no shut
!
interface GigabitEthernet1/0
 description LINK-TO-SW-FS-02
 no switchport
 ip address 13.13.13.13 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 negotiation auto
!
router ospf 1
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 12.12.12.4
!

hostname SW-CORE-01
interface Loopback1
 ip address 192.168.255.1 255.255.255.255
 ip ospf 1 area 0
!
interface GigabitEthernet0/0
 description LINK-TO-SW-SF-01
 no switchport
 ip address 14.14.14.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 negotiation auto
!
interface GigabitEthernet0/1
 description LINK-to-SW-EDGE_01
 no switchport
 ip address 13.13.13.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 no shut
 exit
!
interface GigabitEthernet0/2
 description LINK-to-SW-CORE_02
 no switchport
 ip address 13.13.13.6 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 no shut
 exit
!
interface GigabitEthernet0/3
 description LINK-TO-SW-EDGE-02
 no switchport
 ip address 13.13.13.9 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 no shut
 exit
!
router ospf 1
!
hostname SW-SF-01
interface GigabitEthernet0/0
 description LINK-TO-SW-CORE-01
 no switchport
 ip address 14.14.14.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 no shutdown
!
interface GigabitEthernet0/1
 description LINK-to-SW-CORE_01
 no switchport
 ip address 15.15.15.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf 1 area 0
 no shutdown
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 no shutdown
!
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport mode access
 no shutdown
!
interface Vlan10
 ip address 10.87.10.253 255.255.255.0
 standby 1 ip 10.87.10.1
 standby 1 priority 110
 standby 1 preempt
 ip ospf 1 area 0
!
interface Vlan20
 ip address 10.87.20.253 255.255.255.0
 standby 1 ip 10.87.20.1
 standby 1 priority 110
 standby 1 preempt
 ip ospf 1 area 0
!
interface Vlan30
 ip address 10.87.30.253 255.255.255.0
 standby 1 ip 10.87.30.1
 standby 1 priority 110
 standby 1 preempt
 ip ospf 1 area 0
!
router ospf 1
!

Tier-1 Firewall (Forti) Configuration
Interface IP in redundant mode
Routing. Destination 0.0.0.0/0 goes to the internet; destination 10.0.0.0/8 goes to the inside area (server farm and LAN users).
Firewall policy. A rule that allows access from users/inside to outside/internet.
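The FortiGate side of this scenario exists in the original post only as screenshots. The FortiOS CLI fragment below is an added example, not the post's own configuration, and reconstructs the three pieces described above: the redundant LAN interface, the two static routes, and the inside-to-internet policy. It assumes port1 is the WAN link towards the routers, port2 and port3 are the two physical members of the redundant LAN interface, the LAN-side address is 12.12.12.4/29 (the next hop that SW-EDGE-01's default route points at) and the WAN-side address is 11.11.11.4/29 (a constructed value). The gateways are the HSRP virtual IPs on the routers (11.11.11.1) and the edge switches (12.12.12.1). Because PAT is done on R-INET-01, the policy does not enable NAT; the policy source is restricted to the inside 10.0.0.0/8 range rather than "all".

```fortios
# Added example (FortiOS CLI). Interface names and the 11.11.11.4 address are assumptions.
config system interface
    edit "port1"
        set vdom "root"
        set ip 11.11.11.4 255.255.255.248
        set allowaccess ping
        set alias "LINK-TO-R-INET"
        set role wan
    next
    # Redundant interface: port2 and port3 are members, only one carries traffic
    # at a time. The IP lives on the logical interface, so a member failure does
    # not change addressing and the edge switches keep the same next hop.
    edit "LAN-RED"
        set vdom "root"
        set type redundant
        set member "port2" "port3"
        set ip 12.12.12.4 255.255.255.248
        set allowaccess ping
        set alias "LINK-TO-SW-EDGE"
        set role lan
    next
end

# Static routes: default route to the internet via the router HSRP VIP,
# 10.0.0.0/8 back to the server farm / LAN users via the edge-switch HSRP VIP.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 11.11.11.1
        set device "port1"
    next
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set gateway 12.12.12.1
        set device "LAN-RED"
    next
end

# Address object for the inside range, so the policy is not "all" to "all".
config firewall address
    edit "INSIDE-10-8"
        set subnet 10.0.0.0 255.0.0.0
    next
end

# Policy: inside -> internet. NAT is not enabled here because PAT happens on
# R-INET-01 (ip nat inside/outside); logging all traffic gives the audit trail.
config firewall policy
    edit 1
        set name "INSIDE-TO-INTERNET"
        set srcintf "LAN-RED"
        set dstintf "port1"
        set srcaddr "INSIDE-10-8"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With only a 10.0.0.0/8 route on the LAN side and no inbound policy, anything arriving on port1 that is not a reply to an existing session is dropped by the implicit deny, which is the behaviour wanted for a firewall whose only job here is outbound internet access.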
HA setup for primary and secondary firewall redundancy. Before joining HA, the primary firewall must already be reachable on its management IP. For example, the Forti primary management IP is 192.168.194.200 and
the Forti secondary management IP is 92.168.194.201. Then join HA from the menu Setting --> HA. The primary's value is 255 and the secondary's is 128, and the group name and password must be the same.
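The HA screenshots are not in the post either; the block below is an added example of the equivalent FortiOS CLI, not the post's own configuration. It is applied on both units with a single difference: "set priority" is 255 on the primary and 128 on the secondary. The group name, the heartbeat interface (port4 is assumed), the management gateway 192.168.194.1 and the password value are placeholders; the group name and password must be identical on both members for them to form a cluster.

```fortios
# Added example (FortiOS CLI). Run on both units; only "set priority" differs
# (255 primary, 128 secondary). Group name, heartbeat port, gateway and the
# password value are placeholders chosen for this example.
config system ha
    set group-name "FW-T1-HA"
    set mode a-p
    set password "<shared-ha-secret>"
    # Dedicated heartbeat link; the number is the heartbeat interface priority.
    set hbdev "port4" 50
    set priority 255
    # Without override, the member with the longer uptime stays primary after a
    # reboot regardless of priority. Enable it so that priority 255 always wins
    # and the primary/secondary roles stay deterministic.
    set override enable
    # Fail over when the WAN link goes down, or when both members of the
    # redundant LAN interface fail (monitoring the logical interface).
    set monitor "port1" "LAN-RED"
    # Carry established sessions across a failover instead of resetting them.
    set session-pickup enable
    # Keep a per-unit management address reachable even on the secondary
    # (192.168.194.200 on the primary; the IP itself is set on the "mgmt" interface).
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.194.1
        next
    end
end
```

When the secondary joins, it receives the primary's configuration (interfaces, routes, policies) over the heartbeat link, so only the management interface and the HA block itself need to be entered on the secondary before joining.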
Verification
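The verification in the original post is a set of screenshots. The following FortiOS CLI checks are an added example of what to run on the firewall to confirm each part of the scenario; 10.87.10.10 is a constructed address for a server-farm host in VLAN 10, and 8.8.8.8 stands for any reachable internet address.

```fortios
# Added example (FortiOS CLI). 10.87.10.10 is a constructed server-farm host.

# 1. HA: both members listed, the unit with priority 255 shown as primary.
get system ha status
# Configuration checksums must match on both members, otherwise the cluster
# is out of sync and a failover would change behaviour.
diagnose sys ha checksum cluster

# 2. Redundant LAN interface: the logical interface is up and has 12.12.12.4.
get system interface physical
diagnose hardware deviceinfo nic port2
diagnose hardware deviceinfo nic port3

# 3. Routing: default route via 11.11.11.1 and 10.0.0.0/8 via 12.12.12.1,
#    and the return path for a server-farm host resolves to the LAN side.
get router info routing-table all
get router info routing-table details 10.87.10.10

# 4. Reachability from the firewall's own LAN-side address to the internet.
execute ping-options source 12.12.12.4
execute ping 8.8.8.8

# 5. Sessions from the server farm should match policy 1 and leave via port1.
diagnose sys session filter src 10.87.10.10
diagnose sys session list
diagnose sys session filter clear

# 6. Packet-level view of one host's traffic through the firewall.
diagnose sniffer packet any 'host 10.87.10.10' 4 10
```

On the Cisco side the matching checks are `show standby brief` on the routers and edge switches (the VIPs 11.11.11.1 and 12.12.12.1 must be active on the priority-110 member), `show ip ospf neighbor` on the switches, and `show ip nat translations` on R-INET-01 while a server-farm host is browsing.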
Success...!!!