ASA842 dual-link SLA configuration test

2025-04-14 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

1. Overview:

In practice you may need a single ASA to connect to two ISP lines (for example China Telecom and China Netcom) without the budget for a dedicated load balancer, while still getting link load sharing and automatic switchover. The goal is that traffic from Telecom returns over the Telecom line, traffic from Netcom returns over the Netcom line, and when one line fails no traffic is sent to the failed line.

2. Basic ideas:

a. Use OSPF to simulate the ISP networks, mainly so that routes do not have to be added by hand.

b. Add a default route pointing to the Telecom line, monitor the Telecom gateway with an SLA, and add a second default route to the Netcom line with a high administrative distance (254). This achieves:

- traffic from Telecom returns through Telecom (the static routes for the Netcom networks in step c are also needed, otherwise Netcom traffic would follow the default route too)

- when the Telecom link fails, traffic takes the Netcom line.

c. Add static routes for the Netcom networks pointing to the Netcom line, and monitor the Netcom gateway. This achieves:

- traffic from Netcom returns through Netcom.

- when the Netcom link fails, traffic to those networks falls back to the default route over the Telecom line.

d. With static NAT, in a real environment each translated address is reachable only while its own ISP line is up; both are reachable at the same time only when both lines are normal.

e. In the test environment, to keep both static NAT addresses reachable when one line fails, the method is:

- configure two static NATs on each of the ASA's two external interfaces

- have each ISP router connected to the ASA advertise the NAT network of the other ISP into OSPF, with a metric larger than the OSPF default

3. Test topology:

The addressing used in the configurations below: R4 (10.1.1.4, loopback 192.168.1.4) sits behind the ASA's Inside interface (10.1.1.10). The ASA's Outside interface (202.100.1.10) connects to R2 (Telecom, 202.100.1.2) and its Backup interface (61.1.1.10) connects to R3 (Netcom, 61.1.1.3). R1 represents the remote Internet: it peers with R2 over 202.100.2.0/24 and with R3 over 61.1.2.0/24, and its loopbacks 202.100.3.1 (Telecom) and 61.1.3.1 (Netcom) are the test destinations. R2 and R3 are linked directly over 23.1.1.0/30.

4. Basic configuration:

A. R1:

① interface configuration:

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface Loopback61
 ip address 61.1.3.1 255.255.255.0
 ip ospf network point-to-point
interface Loopback202
 ip address 202.100.3.1 255.255.255.0
 ip ospf network point-to-point
interface FastEthernet0/0
 ip address 202.100.2.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 61.1.2.1 255.255.255.0
 no shutdown

② routing configuration:

router ospf 1
 router-id 1.1.1.1
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 network 61.1.2.1 0.0.0.0 area 0
 network 61.1.3.1 0.0.0.0 area 0
 network 202.100.2.1 0.0.0.0 area 0
 network 202.100.3.1 0.0.0.0 area 0

B. R2:

① interface configuration:

interface Loopback0
 ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.2 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 202.100.2.2 255.255.255.0
 no shutdown
interface FastEthernet1/0
 ip address 23.1.1.1 255.255.255.252
 no shutdown

② routing configuration:

router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 23.1.1.1 0.0.0.0 area 0
 network 202.100.1.2 0.0.0.0 area 0
 network 202.100.2.2 0.0.0.0 area 0

C. R3:

① interface configuration:

interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface FastEthernet0/0
 ip address 61.1.1.3 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 61.1.2.3 255.255.255.0
 no shutdown
interface FastEthernet1/0
 ip address 23.1.1.2 255.255.255.252
 no shutdown

② routing configuration:

router ospf 1
 router-id 3.3.3.3
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 23.1.1.2 0.0.0.0 area 0
 network 61.1.1.3 0.0.0.0 area 0
 network 61.1.2.3 0.0.0.0 area 0

D. ASA842:

① interface configuration:

interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shutdown
interface GigabitEthernet1
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
interface GigabitEthernet2
 nameif Backup
 security-level 0
 ip address 61.1.1.10 255.255.255.0
 no shutdown

② dynamic PAT configuration for the two lines:

object network inside_net
 subnet 0.0.0.0 0.0.0.0
object network inside_any
 subnet 0.0.0.0 0.0.0.0
object network inside_net
 nat (Inside,Outside) dynamic interface
object network inside_any
 nat (Inside,Backup) dynamic interface

- two identical objects are needed because on ASA 8.3 and later a network object carries at most one nat statement. inside_net is translated to the Outside interface address and inside_any to the Backup interface address; the egress interface chosen by the routing table decides which of the two rules applies to a given flow.

③ static NAT configuration for the two lines:

object network Inside_host_outside
 host 10.1.1.4
object network Inside_host_backup
 host 10.1.1.4
object network Outside-to-backup
 host 10.1.1.4
object network Backup-to-outside
 host 10.1.1.4
object network Inside_host_outside
 nat (Inside,Outside) static 202.100.1.4
object network Inside_host_backup
 nat (Inside,Backup) static 61.1.1.4
object network Outside-to-backup
 nat (Inside,Outside) static 61.1.1.4
object network Backup-to-outside
 nat (Inside,Backup) static 202.100.1.4

- two static NATs per line, so that both translated addresses (202.100.1.4 and 61.1.1.4) can still be reached on whichever ISP interface is left when one line fails. Four objects for the same host are required for the same reason as above: one nat statement per object.

④ firewall policy configuration:

class-map ALL_IP
 match any
policy-map global_policy
 class inspection_default
  inspect icmp
 class ALL_IP
  set connection decrement-ttl
service-policy global_policy global

access-list outside extended permit icmp any any
access-list outside extended permit udp any any range 33434 33523
access-list outside extended permit tcp any object Inside_host_outside eq telnet
access-group outside in interface Outside
access-group outside in interface Backup

- set connection decrement-ttl makes the ASA decrement the TTL of transit packets, which is what lets it show up as a hop in the traceroutes later on; inspect icmp lets the echo replies and the UDP-probe traceroutes return statefully.

- on ASA 8.3 and later the interface ACL matches the real (untranslated) address, so the telnet rule refers to the object holding 10.1.1.4, not to the mapped addresses 202.100.1.4 or 61.1.1.4. The same ACL is bound to both ISP-facing interfaces.

E. R4:

① interface configuration:

interface Loopback0
 ip address 192.168.1.4 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.4 255.255.255.0
 no shutdown

② routing configuration:

ip route 0.0.0.0 0.0.0.0 10.1.1.10

③ telnet configuration:

line vty 0 4
 password cisco
 login

- lab only: together with the interface ACL on the ASA this exposes a plaintext Telnet login with a trivial password to any source on either ISP line. In a real deployment use SSH and restrict the permitted sources.

5. ASA842 SLA and routing configuration:

① sla configuration:

sla monitor 1
 type echo protocol ipIcmpEcho 202.100.1.2 interface Outside
 frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 61.1.1.3 interface Backup
 frequency 10
sla monitor schedule 2 life forever start-time now

- each probe pings the directly connected ISP gateway every 10 seconds through a fixed interface. This only detects a failure of the link to that gateway; a fault further inside the ISP network leaves the gateway reachable and the route installed. In production, probe an address beyond the gateway that is reachable only through that interface.

② track configuration:

track 1 rtr 1 reachability
track 2 rtr 2 reachability

③ static route configuration:

route Outside 0 0 202.100.1.2 1 track 1
route Backup 0 0 61.1.1.3 254

- the default route is the Telecom line. When track 1 goes down the tracked route is withdrawn and the floating default route (administrative distance 254) to the Netcom line takes over; when the Telecom gateway answers again, the tracked route is reinstalled and wins on distance 1. The interface names in route commands are the nameif values and are case-sensitive.

route Backup 61.1.2.0 255.255.255.0 61.1.1.3 1 track 2
route Backup 61.1.3.0 255.255.255.0 61.1.1.3 1 track 2

- while the Netcom line is normal, traffic to the Netcom networks takes the Netcom line because these /24 routes are more specific than the default; when track 2 goes down they are withdrawn and that traffic follows the Telecom default route.

route Inside 192.168.1.0 255.255.255.0 10.1.1.4 1

- return route for R4's loopback network, which the tests below use as the traceroute source.
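To make the interplay of prefix length, administrative distance and tracking in these five route commands concrete, here is an added Python model of the ASA's static route selection (example code written for this article, not ASA software or output). It holds the route commands above as data, installs for each prefix only the lowest-distance route whose track object is up, does a longest-prefix match, and runs the three situations from the effect test in section 7 (both lines up, Telecom down, Netcom down). The StaticRoute class, the track_state dictionary and the 8.8.8.8 sample destination are assumptions of the example.

```python
"""Model of the ASA static routing table from section 5 (added example, not ASA code).

A route is installed when its track object (if any) is up; among installed routes
for the same prefix the lowest administrative distance wins; a lookup then takes
the longest matching prefix.  track_state maps track id -> True (up) / False (down).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    interface: str               # ASA nameif (case-sensitive on the ASA)
    prefix: str                  # destination network in CIDR form
    next_hop: str
    distance: int = 1            # administrative distance
    track: Optional[int] = None  # track object the route depends on, if any


# The five 'route' commands from section 5, part 3 ("0 0" is 0.0.0.0/0).
ASA_ROUTES: List[StaticRoute] = [
    StaticRoute("Outside", "0.0.0.0/0",      "202.100.1.2", 1,   track=1),
    StaticRoute("Backup",  "0.0.0.0/0",      "61.1.1.3",    254),
    StaticRoute("Backup",  "61.1.2.0/24",    "61.1.1.3",    1,   track=2),
    StaticRoute("Backup",  "61.1.3.0/24",    "61.1.1.3",    1,   track=2),
    StaticRoute("Inside",  "192.168.1.0/24", "10.1.1.4",    1),
]


def installed_routes(routes: List[StaticRoute],
                     track_state: Dict[int, bool]) -> List[StaticRoute]:
    """Return the routes present in the routing table for the given track states.

    Tracked routes are withdrawn while their track is down.  For each prefix only
    the lowest-distance survivor is kept, so the AD 254 default via Backup becomes
    active only once the tracked AD 1 default via Outside has been withdrawn.
    """
    best: Dict[str, StaticRoute] = {}
    for r in routes:
        if r.track is not None and not track_state.get(r.track, False):
            continue
        current = best.get(r.prefix)
        if current is None or r.distance < current.distance:
            best[r.prefix] = r
    return list(best.values())


def lookup(dest: str, routes: List[StaticRoute],
           track_state: Dict[int, bool]) -> Optional[StaticRoute]:
    """Longest-prefix match over the installed routes; None if nothing matches."""
    addr = ip_address(dest)
    candidates = [r for r in installed_routes(routes, track_state)
                  if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ip_network(r.prefix).prefixlen)


def egress(dest: str, track_state: Dict[int, bool]) -> Optional[Tuple[str, str]]:
    """(interface, next_hop) the ASA would use for dest under the given track states."""
    route = lookup(dest, ASA_ROUTES, track_state)
    return (route.interface, route.next_hop) if route else None


# The three situations tested in section 7.
SCENARIOS = {
    "a. both lines normal": {1: True,  2: True},
    "b. Telecom line down": {1: False, 2: True},
    "c. Netcom line down":  {1: True,  2: False},
}

if __name__ == "__main__":
    # Destinations: R1's Telecom and Netcom loopbacks from the tests, plus an
    # arbitrary Internet address (assumed) to show where other traffic goes.
    for name, state in SCENARIOS.items():
        print(name)
        for dest in ("202.100.3.1", "61.1.3.1", "8.8.8.8"):
            print(f"  {dest:12} -> {egress(dest, state)}")
```

Running it prints, for each scenario, the interface and next hop chosen for the two test destinations; the results match the first hop beyond the ASA in the traceroutes of section 7. Note what the model also shows: with both tracks down, the untracked AD 254 default still sends everything to 61.1.1.3, because nothing withdraws it.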

6. About static NAT:

- for both static NAT addresses to stay reachable when one line fails, two things are needed:

a. two static NATs per line

- configured above (section 4, D ③)

b. each ISP router connected to the ASA advertises the NAT network of the other ISP into OSPF, with a metric larger than OSPF's default redistribution metric

- this is essentially impossible in a real deployment: an ISP will not advertise another ISP's address block toward its customer (unless the customer pays enough for it).

- in a test environment it can still be done.

① R2 router:

ip route 61.1.1.0 255.255.255.0 202.100.1.10 254 tag 10
route-map ASA842 permit 10
 match tag 10
router ospf 1
 redistribute static metric 130 subnets route-map ASA842

② R3 router:

ip route 202.100.1.0 255.255.255.0 61.1.1.10 254 tag 10
route-map ASA842 permit 10
 match tag 10
router ospf 1
 redistribute static metric 130 subnets route-map ASA842

- both statics are floating routes (administrative distance 254). While the other ISP's link is up, the same prefix is learned through OSPF (distance 110), so the static is neither installed nor redistributed, since IOS only redistributes routes that are in the routing table. When the other ISP's router stops advertising the prefix, the floating static is installed and redistributed as an OSPF external route with metric 130 (larger than the default redistribution metric of 20), and R1 then reaches that NAT address through the surviving line. The route-map matching tag 10 limits the redistribution to these two statics.

7. Effect test:

a. When both lines are normal:

R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 202.100.1.2 160 msec 108 msec 56 msec
  2 202.100.2.1 36 msec * 24 msec

R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 61.1.1.3 112 msec 8 msec 0 msec
  2 61.1.2.1 112 msec * 68 msec

- traffic to Telecom leaves through the Telecom line and traffic to Netcom through the Netcom line.

R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 32 msec 56 msec 20 msec
  2 202.100.1.10 40 msec * 24 msec
  3 202.100.1.4 80 msec * 16 msec

R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 140 msec 180 msec 80 msec
  2 202.100.1.10 64 msec * 88 msec
  3 202.100.1.4 140 msec * 84 msec

R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 116 msec 32 msec 0 msec
  2 61.1.1.10 4 msec * 4 msec
  3 61.1.1.4 208 msec * 128 msec

R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 8 msec 120 msec 192 msec
  2 61.1.1.10 0 msec * 20 msec
  3 61.1.1.4 152 msec * 204 msec

- both static NAT addresses are reachable from either source: the Telecom address (202.100.1.4) is reached through the Telecom interface and the Netcom address (61.1.1.4) through the Netcom interface. Traceroute shows only the forward path; it does not reveal which line the ASA uses for the replies.

b. When the Telecom line is down:

R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 10.1.1.10 188 msec * 28 msec
  2 61.1.1.3 44 msec 0 msec 0 msec
  3 61.1.2.1 108 msec * 84 msec

R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 10.1.1.10 0 msec * 20 msec
  2 61.1.1.3 100 msec 32 msec 0 msec
  3 61.1.2.1 108 msec * 72 msec

- traffic to both Telecom and Netcom destinations now leaves through Netcom: track 1 is down, so the Telecom default route has been withdrawn and the floating default via 61.1.1.3 is in use.

R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 61.1.2.3 4 msec 184 msec 52 msec
  2 61.1.1.10 0 msec * 0 msec
  3 202.100.1.4 152 msec * 12 msec

R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 61.1.2.3 36 msec 4 msec 16 msec
  2 61.1.1.10 200 msec * 16 msec
  3 202.100.1.4 184 msec * 148 msec

R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 48 msec 0 msec 0 msec
  2 61.1.1.10 4 msec * 32 msec
  3 61.1.1.4 148 msec * 180 msec

R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 76 msec 52 msec 0 msec
  2 61.1.1.10 0 msec * 16 msec
  3 61.1.1.4 172 msec * 112 msec

- both static NAT addresses remain reachable from Telecom and Netcom sources: R3 now advertises 202.100.1.0/24 from its floating static route (section 6), so 202.100.1.4 is reached over the Netcom line and translated by the Backup-to-outside rule on the Backup interface.

c. When the Netcom line is down:

R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 10.1.1.10 8 msec * 28 msec
  2 202.100.1.2 108 msec 72 msec 84 msec
  3 202.100.2.1 88 msec * 128 msec

R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 10.1.1.10 0 msec * 76 msec
  2 202.100.1.2 112 msec 96 msec 24 msec
  3 202.100.2.1 248 msec * 76 msec

- traffic to both Telecom and Netcom destinations leaves through Telecom: track 2 is down, the tracked /24 routes to 61.1.2.0 and 61.1.3.0 have been withdrawn, and the default route via 202.100.1.2 carries everything.

R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 4 msec 156 msec 76 msec
  2  *
    202.100.1.10 40 msec *
  3 202.100.1.4 68 msec * 24 msec

R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 92 msec 60 msec 124 msec
  2 202.100.1.10 4 msec * 36 msec
  3 202.100.1.4 152 msec * 60 msec

R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 202.100.2.2 32 msec 136 msec 116 msec
  2 202.100.1.10 80 msec * 56 msec
  3 61.1.1.4 120 msec * 120 msec

R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 202.100.2.2 4 msec 140 msec 112 msec
  2 202.100.1.10 64 msec * 64 msec
  3 61.1.1.4 156 msec * 80 msec

- both static NAT addresses remain reachable from Telecom and Netcom sources: R2 now advertises 61.1.1.0/24 from its floating static route (section 6), so 61.1.1.4 is reached over the Telecom line and translated by the Outside-to-backup rule on the Outside interface.
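The effect test above is read by eye. As an added example (written for this article, not a tool from the original post), the following Python script parses IOS-style traceroute output, ignores the ASA's own addresses, and reports which ISP the first hop beyond the ASA belongs to, so the path policy can be checked automatically during failover tests. The sample outputs are copied from the traceroutes above, including the continuation-line form IOS prints when the first probe of a hop times out; the ISP prefix mapping (202.100.0.0/16 for Telecom, 61.1.0.0/16 for Netcom) and the function names are assumptions of the example.

```python
"""Check which ISP line a traceroute used (added example, not from the original article).

Parses IOS traceroute output, skips hops that are the ASA's own interfaces, and
classifies the first remaining hop by the ISP address block it falls into.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Addresses the ASA itself can show as a hop (Inside, Outside, Backup).
ASA_ADDRESSES = {"10.1.1.10", "202.100.1.10", "61.1.1.10"}

# Assumed ISP address blocks for this lab.
ISP_BLOCKS = {
    "Telecom": ip_network("202.100.0.0/16"),
    "Netcom":  ip_network("61.1.0.0/16"),
}

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_HOP_LINE = re.compile(rf"^\s*(\d+)\s+({_IP}|\*)")  # "  2 202.100.1.10 40 msec *" or "  2  *"
_CONT_LINE = re.compile(rf"^\s*({_IP})\s")          # continuation line carrying a hop's address


def parse_hops(output: str) -> List[Tuple[int, str]]:
    """Return (hop_number, address) pairs in order.

    A hop whose first probe timed out is printed as "N  *" with the address on the
    next line; that address is attached to hop N.  Hops with no address are skipped.
    """
    hops: List[Tuple[int, str]] = []
    current: Optional[int] = None
    for line in output.splitlines():
        m = _HOP_LINE.match(line)
        if m:
            current = int(m.group(1))
            if m.group(2) != "*":
                hops.append((current, m.group(2)))
            continue
        m = _CONT_LINE.match(line)
        if m and current is not None:
            hops.append((current, m.group(1)))
    return hops


def isp_used(output: str) -> Optional[str]:
    """Name of the ISP owning the first hop beyond the ASA, or None if no hop matched."""
    for _, addr in parse_hops(output):
        if addr in ASA_ADDRESSES:
            continue
        for isp, block in ISP_BLOCKS.items():
            if ip_address(addr) in block:
                return isp
    return None


def check_paths(outputs: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Compare the ISP seen in each traceroute with the ISP the policy requires.

    Both dictionaries are keyed by destination; returns mismatch messages
    (empty when every path is as intended).
    """
    problems = []
    for dest, isp in expected.items():
        seen = isp_used(outputs.get(dest, ""))
        if seen != isp:
            problems.append(f"{dest}: expected {isp}, traceroute went via {seen}")
    return problems


# Sample outputs copied from the effect test (case a and case c of section 7).
CASE_A = {
    "202.100.3.1": """Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 202.100.1.2 160 msec 108 msec 56 msec
  2 202.100.2.1 36 msec * 24 msec
""",
    "61.1.3.1": """Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 61.1.1.3 112 msec 8 msec 0 msec
  2 61.1.2.1 112 msec * 68 msec
""",
}
CASE_C = {
    "202.100.3.1": """Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 10.1.1.10 8 msec * 28 msec
  2 202.100.1.2 108 msec 72 msec 84 msec
  3 202.100.2.1 88 msec * 128 msec
""",
    "61.1.3.1": """Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 10.1.1.10 0 msec * 76 msec
  2 202.100.1.2 112 msec 96 msec 24 msec
  3 202.100.2.1 248 msec * 76 msec
""",
}
# Policy while both lines are up: Telecom destinations via Telecom, Netcom via Netcom.
POLICY_NORMAL = {"202.100.3.1": "Telecom", "61.1.3.1": "Netcom"}

if __name__ == "__main__":
    print("case a:", check_paths(CASE_A, POLICY_NORMAL) or "all paths as intended")
    print("case c:", check_paths(CASE_C, POLICY_NORMAL))
```

Against case a the check passes; against case c it reports that 61.1.3.1 went via Telecom, which is exactly the fallback the tracked routes are meant to produce. In a real test run you would feed it the live output of the two R4 traceroutes and swap in the policy expected for the failure being simulated.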

Attachment: http://down.51cto.com/data/2363080
