
VRRP, Gateway Redundancy, Floating Routing, PAT Address Translation, Web Server Mapping

2025-04-13 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Lab name: VRRP, gateway redundancy, floating routing, PAT address translation, web server mapping

Experimental topology diagram:

3. Objective:
 1. Enable the intranet to access the web server (server4)
 2. Configure VRRP for redundant backup of the gateways, with link tracking and floating static routes
 3. Map the private network web server so that the public network client5 can access it

4. IP address planning:
 Private network:
 VLAN 10: 192.168.10.1, 192.168.10.2
 Gateway of VLAN 10: 192.168.10.254
 VLAN 20: 192.168.20.1
 Gateway of VLAN 20: 192.168.20.254
 Public network:
 The connection between cloud5 and AR is 192.168.40.0/24
 The IP address of AR2 is 192.168.60.1
 Web server IP address: 192.168.60.2
 Client 5: 192.168.60.3

5. Configuration approach: first configure the interconnection of the internal network, then make the web server on the external network reachable, then configure PAT, then configure VRRP, and finally publish the web server of the intranet.

# procedure:

# first configure IP addresses for each terminal in the private network
Client 8: IP address 192.168.20.1 255.255.255.0
 Gateway 192.168.20.250 // virtual gateway
Pc2: IP address 192.168.10.1 255.255.255.0
 Gateway 192.168.10.250
Server 6: IP address 192.168.10.2 255.255.255.0
 Gateway 192.168.10.250

# configure lsw7, lsw5 and lsw6: set the inter-switch links to trunk, create the VLANs, and add each port to its VLAN

# configure lsw5
stp priority 0 // configure lsw5 as the root switch
vlan batch 10 20 30 // create the VLANs
interface Vlanif 10
 ip address 192.168.10.254 255.255.255.0
interface Vlanif 20
 ip address 192.168.20.254 255.255.255.0
interface Vlanif 30
 ip address 192.168.30.1 255.255.255.0 // set the IP addresses of VLAN 10, 20 and 30
port-group group-member g0/0/1 g0/0/4
 port link-type access
 port default vlan 10
port-group group-member g0/0/2 g0/0/5
 port link-type trunk
 port trunk allow-pass vlan all // add each port to the appropriate VLAN
interface g0/0/3
 port link-type access
 port default vlan 30

# configure lsw7

Create the VLANs and add each port to its VLAN
vlan batch 10 20 30
port-group group-member ethernet 0/0/1 ethernet 0/0/2
 port link-type trunk
 port trunk allow-pass vlan all
interface ethernet 0/0/3
 port link-type access
 port default vlan 10

# configure lsw6

Create the VLANs and add each port to its VLAN
vlan batch 10 20 50 30
port-group group-member g0/0/3 g0/0/4
 port link-type trunk
 port trunk allow-pass vlan all
interface g0/0/2
 port link-type access
 port default vlan 50
interface g0/0/1
 port link-type access
 port default vlan 20
interface Vlanif 10
 ip address 192.168.10.253 255.255.255.0
interface Vlanif 20
 ip address 192.168.20.253 255.255.255.0
interface Vlanif 50
 ip address 192.168.50.1 255.255.255.0

# configure the IP addresses on the ASA firewall
interface g0
 nameif inside1
 security-level 100
 ip address 192.168.30.2 255.255.255.0
 no shutdown
interface g1
 nameif inside2
 security-level 50
 ip address 192.168.50.2 255.255.255.0
 no shutdown
interface g2 // third port, assumed to be g2 (the one cabled toward AR2)
 nameif outside
 security-level 0
 ip address 192.168.40.1 255.255.255.0
 no shutdown

# next, configure static routes for interconnection of the private network.

route inside1 192.168.0.0 255.255.0.0 192.168.30.1 1 // on the ASA: primary route, next hop is lsw5's VLAN 30 address
route inside2 192.168.0.0 255.255.0.0 192.168.50.1 20 // on the ASA: floating static route for backup, next hop is lsw6's VLAN 50 address. The smaller the value, the more preferred the route.
ip route-static 192.168.40.0 255.255.255.0 192.168.30.2 // configured on lsw5
ip route-static 192.168.40.0 255.255.255.0 192.168.50.2 // configured on lsw6

# configure vrrp gateway redundancy

# configure the primary gateway on lsw5

interface Vlanif 10
 vrrp vrid 10 virtual-ip 192.168.10.250
 vrrp vrid 10 priority 101 // the priority defaults to 100; setting 101 makes lsw5 the master gateway
 vrrp vrid 10 track interface g0/0/3 // link tracking on lsw5's g0/0/3 port
interface Vlanif 20
 vrrp vrid 20 virtual-ip 192.168.20.250
 vrrp vrid 20 priority 101 // the priority defaults to 100; setting 101 makes lsw5 the master gateway
 vrrp vrid 20 track interface g0/0/3 // link tracking on lsw5's g0/0/3 port

# configure a secondary gateway on lsw6

interface Vlanif 10
 vrrp vrid 10 virtual-ip 192.168.10.250
interface Vlanif 20
 vrrp vrid 20 virtual-ip 192.168.20.250

Verification and testing:

# the test above shows that all outbound traffic leaves through lsw5

# next, shut down g0/0/3 on lsw5, as shown in the following figure

# the figure above shows that lsw5 has become the backup gateway, while lsw6 has become the master gateway. All traffic now flows through lsw6.
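
The failover verified above, together with the floating static routes on the ASA, as an added example (a model written for this write-up, not device output and not the author's code). It assumes that lsw5's tracked port g0/0/3 is the link to the ASA's inside1 interface, that lsw6 connects to inside2, that a down link removes the ASA static route using it, and that VRRP priority drops by 10 when the tracked port goes down.

```python
from ipaddress import ip_address, ip_network

TRACK_REDUCE = 10  # assumption: priority reduction applied when the tracked port is down

# Lab values: VRRP priority per switch and whether it tracks its uplink to the ASA.
SWITCHES = {
    "lsw5": {"priority": 101, "tracks_uplink": True},
    "lsw6": {"priority": 100, "tracks_uplink": False},
}
# ASA routes to the private network: (interface, prefix, next hop, distance).
ASA_ROUTES = [
    ("inside1", "192.168.0.0/16", "192.168.30.1", 1),
    ("inside2", "192.168.0.0/16", "192.168.50.1", 20),
]
ASA_PEER = {"inside1": "lsw5", "inside2": "lsw6"}  # switch at the far end of each link


def vrrp_master(uplink_up, switches=SWITCHES):
    """Switch that answers for the virtual gateway (highest effective priority)."""
    def effective(name):
        sw = switches[name]
        lost = sw["tracks_uplink"] and not uplink_up[name]
        return sw["priority"] - (TRACK_REDUCE if lost else 0)
    return max(switches, key=effective)


def asa_return_peer(dest, uplink_up):
    """Switch the ASA forwards replies to: longest prefix, then lowest distance.
    A static route is ignored while the link of its interface is down."""
    usable = [r for r in ASA_ROUTES
              if uplink_up[ASA_PEER[r[0]]] and ip_address(dest) in ip_network(r[1])]
    if not usable:
        return None
    best = min(usable, key=lambda r: (-ip_network(r[1]).prefixlen, r[3]))
    return ASA_PEER[best[0]]


def paths(uplink_up, switches=SWITCHES, host="192.168.10.1"):
    """(outbound gateway switch, switch receiving the ASA's return traffic)."""
    return (vrrp_master(uplink_up, switches), asa_return_peer(host, uplink_up))


if __name__ == "__main__":
    for state in ({"lsw5": True, "lsw6": True}, {"lsw5": False, "lsw6": True}):
        print(state, "->", paths(state))
```

Passing a copy of `SWITCHES` with `tracks_uplink` set to `False` for lsw5 shows why link tracking matters: lsw5 stays master although its uplink is down, while the ASA already sends return traffic to lsw6.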

# next configure the route to the 192.168.60.0 network segment

ip route-static 192.168.60.0 255.255.255.0 192.168.30.2 // configured on lsw5
ip route-static 192.168.60.0 255.255.255.0 192.168.50.2 // configured on lsw6

# configure the route to 192.168.60.0 on the ASA firewall
route outside 192.168.60.0 255.255.255.0 192.168.40.2

# configure the route to the private network on AR2
ip route-static 192.168.0.0 255.255.0.0 192.168.40.1

# Verification and testing:

The above diagram shows that the test is successful and the web server of the public network can be accessed, which means that the route is reachable.

# configure pat on the firewall for dynamic address translation

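object network vlan10-inside1 // object names in this block are arbitrary; an ASA network object holds one subnet and one nat rule, so each subnet gets its own object
 subnet 192.168.10.0 255.255.255.0
 nat (inside1,outside) dynamic 192.168.40.3 // translated when leaving via the inside1 port; any unused IP address in 192.168.40.0 can be used
object network vlan20-inside1
 subnet 192.168.20.0 255.255.255.0
 nat (inside1,outside) dynamic 192.168.40.3
object network vlan10-inside2
 subnet 192.168.10.0 255.255.255.0
 nat (inside2,outside) dynamic 192.168.40.3 // translated when leaving via the inside2 port
object network vlan20-inside2
 subnet 192.168.20.0 255.255.255.0
 nat (inside2,outside) dynamic 192.168.40.3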

# Verification and testing

# the above tests show that private network addresses can be converted into public network addresses to access web servers

# publish the internal web server // using static PAT
object network ob-out
 host 192.168.40.5 // an address that is not used on the external network
object network inside-web // arbitrary object name for the internal web server
 host 192.168.10.2
 nat (inside1,outside) static ob-out service tcp 80 80
access-list out-to-inside permit tcp any object inside-web eq http // configure the ACL
access-group out-to-inside in interface outside // apply the ACL to the outside interface

Verification and testing are shown in the following figure

# the above experiments show that the public network can access the private network web server.
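
A check for the publishing step above, as an added example (not part of the original lab): it lists every static PAT entry in an ASA-style configuration and reports whether an ACL bound to the mapped interface actually permits it. The sample text is constructed, the object name `inside-web` is an assumption, and the ACL name in the `access-list` line is misspelled on purpose so that the `access-group` line points at a list that does not exist.

```python
# Constructed sample in the style of the lab's ASA lines; the ACL name in the
# access-list line is misspelled on purpose.
SAMPLE = """\
object network ob-out
 host 192.168.40.5
object network inside-web
 host 192.168.10.2
 nat (inside1,outside) static ob-out service tcp 80 80
access-list out-to-insdie permit tcp any object inside-web eq http
access-group out-to-inside in interface outside
"""
PORTS = {"http": 80, "www": 80, "https": 443}


def port(p):
    return PORTS.get(p) or int(p)


def audit(config):
    """Return (published, findings): static PAT entries and binding problems."""
    hosts, nats, acls, groups, obj = {}, [], {}, [], None
    for line in config.splitlines():
        t = line.split("//")[0].split()  # drop page-style trailing annotations
        if t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[:1] == ["host"] and obj:
            hosts[obj] = t[1]
        elif t[:1] == ["nat"] and "static" in t and "service" in t:
            s, out_if = t.index("service"), t[1].strip("()").split(",")[1]
            nats.append((obj, out_if, t[t.index("static") + 1], port(t[s + 2]), port(t[s + 3])))
        elif t[:1] == ["access-list"] and "permit" in t and "object" in t and "eq" in t:
            rule = (t[t.index("object") + 1], port(t[t.index("eq") + 1]))
            acls.setdefault(t[1], set()).add(rule)
        elif t[:1] == ["access-group"] and t[2:4] == ["in", "interface"]:
            groups.append((t[1], t[4]))
    findings = [f"access-group {n} on {i}: access-list is not defined"
                for n, i in groups if n not in acls]
    published = []
    for name, out_if, mapped, real_port, mapped_port in nats:
        allowed = any((name, real_port) in acls.get(n, ()) for n, i in groups if i == out_if)
        published.append((hosts.get(mapped, mapped), mapped_port, hosts.get(name), real_port, allowed))
        if not allowed:
            findings.append(f"{name} tcp/{real_port}: no ACL bound to {out_if} permits it")
    return published, findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```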
