|
一.概述: 实际工作中估计会经常碰到用ASA接两家ISP线路,比如电信和网通,而又没有足够的预算买负载均衡设备,但是又想实现链路负载分担和自动切换,从电信来的流量,从电信线路回去,从网通来的流量从网通线路回去,当其中一条线路出现故障时,所有的流量从没有出现故障线路走。
二.基本思路:
A.用OSPF模拟运营商网络,主要是为了不想手工添加路由 B.通过添加默认路由走电信线路、监控电信线路的网关,和高metric的默认路由走网通线路,实现: ----电信来的流量走电信回去(需要C手工配置网通静态路由相配合) ----电信链路出现故障时,走网通线路
C.通过添加网通的静态路由走网通线路,并监控网通线路的网关,实现: ----网通来的流量走网通回去 ----网通链路出现故障时,走电信线路的默认路由 D.对于静态NAT,实际环境只有当两条ISP线路都正常时,才会同时能被访问 E.测试环境,实现静态NAT当一条线路出现故障时,还能同时被访问,实现的方法是: ---ASA两个外部接口配置两条静态NAT ---ASA两个相连的ISP路由器把另外一家ISP所NAT的网段发布出去,并将metric设置比OSPF默认的大 三.测试拓扑:
四.基本配置:
A.R1:
①接口配置:
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface Loopback61
ip address 61.1.3.1 255.255.255.0
ip ospf network point-to-point
interface Loopback202
ip address 202.100.3.1 255.255.255.0
ip ospf network point-to-point
interface FastEthernet0/0
ip address 202.100.2.1 255.255.255.0
no shut
interface FastEthernet0/1
ip address 61.1.2.1 255.255.255.0
no shut
②路由配置:
router ospf 1
router-id 1.1.1.1
passive-interface default
no passive-interface FastEthernet0/0
no passive-interface FastEthernet0/1
network 61.1.2.1 0.0.0.0 area 0
network 61.1.3.1 0.0.0.0 area 0
network 202.100.2.1 0.0.0.0 area 0
network 202.100.3.1 0.0.0.0 area 0
B:R2:
①接口配置:
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.2 255.255.255.0
no shut
interface FastEthernet1/0
ip address 23.1.1.1 255.255.255.252
no shut
②路由配置:
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/1
no passive-interface FastEthernet1/0
network 23.1.1.1 0.0.0.0 area 0
network 202.100.1.2 0.0.0.0 area 0
network 202.100.2.2 0.0.0.0 area 0
C.R3:
①接口配置:
interface Loopback0
ip address 3.3.3.3 255.255.255.0
interface FastEthernet0/0
ip address 61.1.1.3 255.255.255.0
no shut
interface FastEthernet0/1
ip address 61.1.2.3 255.255.255.0
no shut
interface FastEthernet1/0
ip address 23.1.1.2 255.255.255.252
no shut
②路由配置:
router ospf 1
router-id 3.3.3.3
passive-interface default
no passive-interface FastEthernet0/1
no passive-interface FastEthernet1/0
network 23.1.1.2 0.0.0.0 area 0
network 61.1.1.3 0.0.0.0 area 0
network 61.1.2.3 0.0.0.0 area 0
D.ASA842:
①接口配置:
interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shut
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
no shut
interface GigabitEthernet2
nameif Backup
security-level 0
ip address 61.1.1.10 255.255.255.0
no shut
②两条线路的动态PAT配置:
object network inside_net
subnet 0.0.0.0 0.0.0.0
object network inside_any
subnet 0.0.0.0 0.0.0.0
object network inside_net
nat (Inside,Outside) dynamic interface
object network inside_any
nat (Inside,Backup) dynamic interface
③两条线路的静态NAT配置:
object network Inside_host_outside
host 10.1.1.4
object network Inside_host_backup
host 10.1.1.4
object network Outside-to-backup
host 10.1.1.4
object network Backup-to-outside
host 10.1.1.4
object network Inside_host_outside
nat (Inside,Outside) static 202.100.1.4
object network Inside_host_backup
nat (Inside,Backup) static 61.1.1.4
object network Outside-to-backup
nat (Inside,Outside) static 61.1.1.4
object network Backup-to-outside
nat (Inside,Backup) static 202.100.1.4
----每条线路配置两条NAT,保证一条ISP线路出现故障时,两条静态NAT都能被访问
④防火墙策略配置: class-map ALL_IP
match any
policy-map global_policy
class inspection_default
inspect icmp
class ALL_IP
set connection decrement-ttl
service-policy global_policy global
access-list outside extended permit icmp any any
access-list outside extended permit udp any any range 33434 33523
access-list outside extended permit tcp any object Inside_host_outside eq telnet
access-group outside in interface Outside
access-group outside in interface Backup E:R4:
①接口配置:
interface Loopback0
ip address 192.168.1.4 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.4 255.255.255.0
no shut
②路由配置:
ip route 0.0.0.0 0.0.0.0 10.1.1.10
③telnet配置:
line vty 0 4
password cisco
login
五.ASA842 SLA及路由配置:
①sla配置:
sla monitor 1
type echo protocol ipIcmpEcho 202.100.1.2 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.1.3 interface Backup
frequency 10
sla monitor schedule 2 life forever start-time now
②track配置:
track 1 rtr 1 reachability
track 2 rtr 2 reachability
③静态路由配置:
route outside 0 0 202.100.1.2 1 track 1
route backup 0 0 61.1.1.3 254
---默认路由走电信线路,当电信线路出现故障时自动切换到网通线路
route Backup 61.1.2.0 255.255.255.0 61.1.1.3 1 track 2
route Backup 61.1.3.0 255.255.255.0 61.1.1.3 1 track 2
---当网通线路正常时,到网通的网络的数据走网通的线路,否则走电信的默认路由
route Inside 192.168.1.0 255.255.255.0 10.1.1.4 1
---增加一条回指路由
六.关于静态NAT:
---为了使两条线路其中一条线路出现故障时,两个被静态NAT地址都能访问,需要:
A.每条线路配置两条静态NAT
----前面已经配置
B.每个相连的ISP路由器把另外一家ISP所NAT的网段发布出去,并将metric设置比ospf默认的大
----这种情况在实际环境基本无法实现,两家ISP不可能会帮客户做这样的事情,除非给的费用足够多
----测试环境下还是可以玩一玩的
①R2路由器:
ip route 61.1.1.0 255.255.255.0 202.100.1.10 254 tag 10
route-map ASA842 permit 10
match tag 10
router ospf 1
redistribute static metric 130 subnets route-map ASA842
②R3路由器:
ip route 202.100.1.0 255.255.255.0 61.1.1.10 254 tag 10
route-map ASA842 permit 10
match tag 10
router ospf 1
redistribute static metric 130 subnets route-map ASA842 七.效果测试: A.线路正常的情况下: R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
1 202.100.1.2 160 msec 108 msec 56 msec
2 202.100.2.1 36 msec * 24 msec
R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
1 61.1.1.3 112 msec 8 msec 0 msec
2 61.1.2.1 112 msec * 68 msec
---去电信的流量走电信,去网通的流量走网通 R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 202.100.2.2 32 msec 56 msec 20 msec
2 202.100.1.10 40 msec * 24 msec
3 202.100.1.4 80 msec * 16 msec
R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 202.100.2.2 140 msec 180 msec 80 msec
2 202.100.1.10 64 msec * 88 msec
3 202.100.1.4 140 msec * 84 msec
R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 61.1.2.3 116 msec 32 msec 0 msec
2 61.1.1.10 4 msec * 4 msec
3 61.1.1.4 208 msec * 128 msec
R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 61.1.2.3 8 msec 120 msec 192 msec
2 61.1.1.10 0 msec * 20 msec
3 61.1.1.4 152 msec * 204 msec
----两个被静态NAT地址都能被访问,并且电信的地址走电信接口,网通的地址走网通的接口
B.电信线路不正常的情况下: R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
1 10.1.1.10 188 msec * 28 msec
2 61.1.1.3 44 msec 0 msec 0 msec
3 61.1.2.1 108 msec * 84 msec
R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
1 10.1.1.10 0 msec * 20 msec
2 61.1.1.3 100 msec 32 msec 0 msec
3 61.1.2.1 108 msec * 72 msec
---去电信和网通的流量都走网通
R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 61.1.2.3 4 msec 184 msec 52 msec
2 61.1.1.10 0 msec * 0 msec
3 202.100.1.4 152 msec * 12 msec
R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 61.1.2.3 36 msec 4 msec 16 msec
2 61.1.1.10 200 msec * 16 msec
3 202.100.1.4 184 msec * 148 msec
R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 61.1.2.3 48 msec 0 msec 0 msec
2 61.1.1.10 4 msec * 32 msec
3 61.1.1.4 148 msec * 180 msec
R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 61.1.2.3 76 msec 52 msec 0 msec
2 61.1.1.10 0 msec * 16 msec
3 61.1.1.4 172 msec * 112 msec
----电信和网通被静态NAT的地址都能被电信和网通的用户访问 C.网通线路不正常的情况下: R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
1 10.1.1.10 8 msec * 28 msec
2 202.100.1.2 108 msec 72 msec 84 msec
3 202.100.2.1 88 msec * 128 msec
R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
1 10.1.1.10 0 msec * 76 msec
2 202.100.1.2 112 msec 96 msec 24 msec
3 202.100.2.1 248 msec * 76 msec
---去电信和网通的流量都走电信
R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 202.100.2.2 4 msec 156 msec 76 msec
2 *
202.100.1.10 40 msec *
3 202.100.1.4 68 msec * 24 msec
R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 202.100.2.2 92 msec 60 msec 124 msec
2 202.100.1.10 4 msec * 36 msec
3 202.100.1.4 152 msec * 60 msec
R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 202.100.2.2 32 msec 136 msec 116 msec
2 202.100.1.10 80 msec * 56 msec
3 61.1.1.4 120 msec * 120 msec
R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 202.100.2.2 4 msec 140 msec 112 msec
2 202.100.1.10 64 msec * 64 msec
3 61.1.1.4 156 msec * 80 msec
----电信和网通被静态NAT的地址都能被电信和网通的用户访问
| 
QQ群⑧:
窥视卡
雷达卡
发表于 2013-7-1 08:55:16
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡