
PIX 8.0 dual-link test: separating VPN and Internet traffic with line redundancy

1. Overview:

   Headquarters and the branch both run PIX 8.0 and both have dual links, for example one China Telecom line and one China Mobile line. The requirement is that each site's internal users reach the Internet over the Telecom line while VPN traffic goes over the Mobile line, but a failure of either the Telecom line or the Mobile line must not interrupt Internet access or the VPN.

2. Basic idea:

A. Configure two default routes: the Mobile line with metric 254 and the Telecom line with metric 1, with an SLA monitor probing the Telecom line's gateway

---- This ensures Internet traffic takes the Telecom line by default and fails over to the Mobile line when the Telecom line is down

B. Configure two routes to the peer's internal network for VPN traffic: the Telecom line with metric 254 and the Mobile line with metric 1, with an SLA monitor probing the Mobile-line interface address of the peer PIX

---- This ensures VPN traffic takes the Mobile line by default; when the Mobile line fails, VPN traffic on both sides moves to the Telecom line

3. Test topology:

[Topology diagram: image not reproduced in this page]

4. Basic configuration:

A.R1:

interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1

B.PIX1:

interface Ethernet0
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut

interface Ethernet2
nameif Backup
security-level 0
ip address 61.1.1.1 255.255.255.0
no shut

C.R2:

interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.10 255.255.255.0
no shut

D.R3:

interface FastEthernet0/0
ip address 61.1.1.10 255.255.255.0
no shut

interface FastEthernet0/1
ip address 61.1.2.10 255.255.255.0
no shut

E.PIX2:

interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut

interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut

interface Ethernet2
nameif Backup
security-level 0
ip address 61.1.2.1 255.255.255.0
no shut

F.R4:

interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 192.168.1.1

5. Firewall configuration:

A.PIX1:

① SLA configuration:

sla monitor 1
type echo protocol ipIcmpEcho 202.100.1.10 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.2.1 interface Backup
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now

② Track configuration:

track 1 rtr 1 reachability
track 2 rtr 2 reachability

③ Default route configuration:

route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.1.10 10

④ Static route configuration:

route Backup 61.1.2.1 255.255.255.255 61.1.1.10 1 (host route for the track 2 probe target)
route Backup 192.168.1.0 255.255.255.0 61.1.1.10 1 track 2
route Outside 192.168.1.0 255.255.255.0 202.100.1.10 254
--- Do not configure reverse route injection for the VPN
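To make the interplay of metric, track state and the /32 host route concrete, here is a small Python model (added for this write-up, not part of the original post or of any Cisco tooling) that parses PIX1's route statements above and resolves egress interfaces the way the firewall's routing table does: tracked routes are installed only while their track is up, the longest prefix wins, then the lowest metric. It assumes the SLA probe's egress is decided purely by the routing table, which is a simplification, and 203.0.113.1 is a constructed Internet destination.

```python
import ipaddress

# PIX1's route statements from this page, embedded as sample input
# (constructed for this example, not output captured from the firewall).
PIX1_ROUTES = """
route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.1.10 10
route Backup 61.1.2.1 255.255.255.255 61.1.1.10 1
route Backup 192.168.1.0 255.255.255.0 61.1.1.10 1 track 2
route Outside 192.168.1.0 255.255.255.0 202.100.1.10 254
"""

def parse_routes(text):
    """Parse 'route <ifname> <net> <mask> <gateway> <metric> [track <id>]' lines."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "route":
            continue
        track = int(f[7]) if len(f) >= 8 and f[6] == "track" else None
        routes.append({
            "iface": f[1],
            "net": ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False),
            "gw": f[4], "metric": int(f[5]), "track": track,
        })
    return routes

def egress(routes, dst, tracks):
    """Egress interface for dst, or None. A tracked route is installed only
    while its track object is up; among matching installed routes the longest
    prefix wins, then the lowest metric (administrative distance)."""
    dst = ipaddress.ip_address(dst)
    installed = [r for r in routes
                 if r["track"] is None or tracks.get(r["track"], False)]
    matches = [r for r in installed if dst in r["net"]]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))
    return best["iface"]

def forwarding_summary(text, tracks):
    """Egress for Internet traffic, VPN traffic to the peer LAN and the
    SLA 2 probe towards PIX2's Backup address, for the given track states."""
    routes = parse_routes(text)
    return {
        "internet": egress(routes, "203.0.113.1", tracks),
        "vpn_to_peer_lan": egress(routes, "192.168.1.2", tracks),
        "sla2_probe": egress(routes, "61.1.2.1", tracks),
    }
```

Removing the /32 host route for 61.1.2.1 makes the track 2 probe fall through to the default route on Outside, which is why the page keeps that route "for track 2".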

PAT and NAT exemption configuration:

access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (inside) 1 access-list PAT
global (Outside) 1 interface
global (Backup) 1 interface
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

Policy (ACL) configuration:

access-list OUTSIDE extended permit icmp any any
access-list BACKUP extended permit icmp any any
access-group OUTSIDE in interface Outside
access-group BACKUP in interface Backup

L2L VPN configuration:

--- Phase 1 policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
tunnel-group 61.1.2.1 type ipsec-l2l
tunnel-group 61.1.2.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
--- Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
--- Interesting traffic:
access-list *** extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
--- Configure the crypto maps, apply them to the interfaces, and enable ISAKMP on the interfaces:
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto map crymap-backup 10 match address ***
crypto map crymap-backup 10 set peer 61.1.2.1
crypto map crymap-backup 10 set transform-set transet
crypto map crymap-backup interface Backup
crypto isakmp enable Outside
crypto isakmp enable Backup

B.PIX2:

① SLA configuration:

sla monitor 1
type echo protocol ipIcmpEcho 202.100.2.10 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.1.1 interface Backup
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now

② Track configuration:

track 1 rtr 1 reachability
track 2 rtr 2 reachability

③ Default route configuration:

route Outside 0.0.0.0 0.0.0.0 202.100.2.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.2.10 10

④ Static route configuration:

route Backup 61.1.1.1 255.255.255.255 61.1.2.10 1 (host route for the track 2 probe target)
route Backup 172.16.1.0 255.255.255.0 61.1.2.10 1 track 2
route Outside 172.16.1.0 255.255.255.0 202.100.2.10 254
--- Do not configure reverse route injection for the VPN

PAT and NAT exemption configuration:

access-list PAT extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 1 access-list PAT
global (Outside) 1 interface
global (Backup) 1 interface
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

Policy (ACL) configuration:

access-list OUTSIDE extended permit icmp any any
access-list BACKUP extended permit icmp any any
access-group OUTSIDE in interface Outside
access-group BACKUP in interface Backup

L2L VPN configuration:

--- Phase 1 policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
tunnel-group 61.1.1.1 type ipsec-l2l
tunnel-group 61.1.1.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
--- Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
--- Interesting traffic:
access-list *** extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
--- Configure the crypto maps, apply them to the interfaces, and enable ISAKMP on the interfaces:
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto map crymap-backup 10 match address ***
crypto map crymap-backup 10 set peer 61.1.1.1
crypto map crymap-backup 10 set transform-set transet
crypto map crymap-backup interface Backup
crypto isakmp enable Outside
crypto isakmp enable Backup

6. Verification:

A. Both links up:

--- Internet traffic leaves via the Outside interface, VPN traffic via the Backup interface

--- This can be seen from the routing tables below

PIX1# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside

PIX2# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 202.100.2.10 to network 0.0.0.0

C    202.100.2.0 255.255.255.0 is directly connected, Outside
S    172.16.1.0 255.255.255.0 [1/0] via 61.1.2.10, Backup
C    192.168.1.0 255.255.255.0 is directly connected, Inside
S    61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C    61.1.2.0 255.255.255.0 is directly connected, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.2.10, Outside

B. Only the Outside link of PIX1/PIX2 fails:

--- Manually shut down the R2 interfaces connected to the Outside interfaces of PIX1/PIX2

--- This only affects the default routes of PIX1/PIX2, i.e. Internet traffic; VPN traffic is unaffected

PIX1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 61.1.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [10/0] via 61.1.1.10, Backup

PIX2# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 61.1.2.10 to network 0.0.0.0

C    202.100.2.0 255.255.255.0 is directly connected, Outside
S    172.16.1.0 255.255.255.0 [1/0] via 61.1.2.10, Backup
C    192.168.1.0 255.255.255.0 is directly connected, Inside
S    61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C    61.1.2.0 255.255.255.0 is directly connected, Backup
S*   0.0.0.0 0.0.0.0 [10/0] via 61.1.2.10, Backup

--- Once the Outside link recovers and the SLA monitor detects it, the default route switches back and Internet traffic again uses the Outside interface

C. Only the Backup link of PIX1/PIX2 fails:

--- Because the VPN route tracks the peer's Backup interface address, a Backup link failure on either side is enough to switch the VPN traffic. This avoids the situation where, if the two carriers' address spaces cannot reach each other, one side tries to build the tunnel from its Outside interface to the peer's Backup interface and the VPN cannot be established

PIX1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [254/0] via 202.100.1.10, Outside
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside

PIX2# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 202.100.2.10 to network 0.0.0.0

C    202.100.2.0 255.255.255.0 is directly connected, Outside
S    172.16.1.0 255.255.255.0 [254/0] via 202.100.2.10, Outside
C    192.168.1.0 255.255.255.0 is directly connected, Inside
S    61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C    61.1.2.0 255.255.255.0 is directly connected, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.2.10, Outside

--- Once the Backup link recovers, i.e. the SLA monitors can again ping the peer's Backup interface address, the routes to the peer's internal network switch back and VPN traffic again uses the Backup interface
