PIX 8.0 dual-link test: separating *** and internet traffic with line redundancy
1. Overview:
Both the headquarters and the branch run PIX 8.0 and each has two links, for example one China Telecom line and one China Mobile line. The requirement is that each site's internal users reach the internet over the Telecom line while *** traffic uses the Mobile line, and that a failure of either the Telecom line or the Mobile line interrupts neither internet access nor the ***.
2. Basic approach:
A. Configure two default routes: the Mobile line with metric 10 and the Telecom line with metric 1, and use SLA to monitor the Telecom line's gateway.
----This guarantees that internet traffic uses the Telecom line by default and moves to the Mobile line when the Telecom line fails. Note that the probe below targets the directly connected next hop, so it detects only a failure of the local segment or of the carrier's access router, not a fault further upstream; probe an address beyond the carrier's edge if that matters.
B. Configure two routes to the peer site's internal network for *** traffic: the Telecom line with metric 254 and the Mobile line with metric 1, and use SLA to monitor the Mobile-line interface address of the peer PIX.
----This guarantees that *** traffic uses the Mobile line by default and that, when a Mobile line fails, *** traffic on both sides moves to the Telecom line together.
3. Test topology:
4. Basic configuration:
A.R1:
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1
B.PIX1:
interface Ethernet0
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
interface Ethernet2
nameif Backup
security-level 0
ip address 61.1.1.1 255.255.255.0
no shut
C.R2:
interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.10 255.255.255.0
no shut
D.R3:
interface FastEthernet0/0
ip address 61.1.1.10 255.255.255.0
no shut
interface FastEthernet0/1
ip address 61.1.2.10 255.255.255.0
no shut
E.PIX2:
interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
interface Ethernet2
nameif Backup
security-level 0
ip address 61.1.2.1 255.255.255.0
no shut
F.R4:
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.1
5. Firewall configuration:
A.PIX1:
①SLA configuration:
sla monitor 1
type echo protocol ipIcmpEcho 202.100.1.10 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.2.1 interface Backup
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
②Track configuration (an SLA operation that is never scheduled never runs, so its track stays down and the routes it protects are never installed):
track 1 rtr 1 reachability
track 2 rtr 2 reachability
③Default route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.1.10 10
④Static route configuration:
route Backup 61.1.2.1 255.255.255.255 61.1.1.10 1 (host route so the track-2 probe always leaves via Backup, whichever default route is active)
route Backup 192.168.1.0 255.255.255.0 61.1.1.10 1 track 2
route Outside 192.168.1.0 255.255.255.0 202.100.1.10 254
---Do not configure reverse route injection for the ***: RRI would add its own routes to the peer's network via the interface the tunnel came up on and override the metric-based routes above
⑤PAT and NAT exemption configuration:
access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (inside) 1 access-list PAT
global (Outside) 1 interface
global (Backup) 1 interface
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
⑥Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-list BACKUP extended permit icmp any any
access-group OUTSIDE in interface Outside
access-group BACKUP in interface Backup
---Only ICMP is opened for the test; decrypted *** traffic still passes because sysopt connection permit-vpn is enabled by default on PIX 7.x/8.x and lets tunnel traffic bypass the interface ACLs
⑦L2L *** configuration:
---Phase 1 policy (3DES, MD5, DH group 2 and the pre-shared key cisco are lab values only; use AES, SHA-2, group 14 or higher and a strong key in production; the isakmp keepalive lines enable DPD, which is what tears down the stale SA on the Backup crypto map after a failover, so do not leave them out):
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
tunnel-group 61.1.2.1 type ipsec-l2l
tunnel-group 61.1.2.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
---Phase 2 transform set (esp-des is single DES; use esp-aes with esp-sha-hmac in production):
crypto ipsec transform-set transet esp-des esp-md5-hmac
---Interesting traffic:
access-list *** extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
---Configure the crypto maps, apply one to each interface, and enable ISAKMP on both interfaces. The PIX picks the crypto map of the interface a packet is routed out of, so the static routes above decide which peer address the tunnel is built to:
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto map crymap-backup 10 match address ***
crypto map crymap-backup 10 set peer 61.1.2.1
crypto map crymap-backup 10 set transform-set transet
crypto map crymap-backup interface Backup
crypto isakmp enable Outside
crypto isakmp enable Backup
B.PIX2:
①SLA configuration:
sla monitor 1
type echo protocol ipIcmpEcho 202.100.2.10 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.1.1 interface Backup
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
②Track configuration:
track 1 rtr 1 reachability
track 2 rtr 2 reachability
③Default route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.2.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.2.10 10
④Static route configuration:
route Backup 61.1.1.1 255.255.255.255 61.1.2.10 1 (host route so the track-2 probe always leaves via Backup)
route Backup 172.16.1.0 255.255.255.0 61.1.2.10 1 track 2
route Outside 172.16.1.0 255.255.255.0 202.100.2.10 254
---Do not configure reverse route injection for the *** (same reason as on PIX1)
⑤PAT and NAT exemption configuration:
access-list PAT extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 1 access-list PAT
global (Outside) 1 interface
global (Backup) 1 interface
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
⑥Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-list BACKUP extended permit icmp any any
access-group OUTSIDE in interface Outside
access-group BACKUP in interface Backup
⑦L2L *** configuration:
---Phase 1 policy (same lab-only parameters as on PIX1):
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
tunnel-group 61.1.1.1 type ipsec-l2l
tunnel-group 61.1.1.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
---Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
---Interesting traffic:
access-list *** extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
---Configure the crypto maps, apply one to each interface, and enable ISAKMP on both interfaces:
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto map crymap-backup 10 match address ***
crypto map crymap-backup 10 set peer 61.1.1.1
crypto map crymap-backup 10 set transform-set transet
crypto map crymap-backup interface Backup
crypto isakmp enable Outside
crypto isakmp enable Backup
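The whole design rests on three objects being wired together correctly: the sla monitor must be scheduled, the track must point at it, and the probe must actually leave via the interface it names (which is what the host routes in ④ are for). The following check is an added Python example, not from the article or from Cisco; it parses the relevant lines of a PIX/ASA configuration and reports a track whose SLA monitor is missing or never scheduled, a route that references an undefined track, and a probe whose target would be routed out a different interface than the one the probe names. The sample configuration is the PIX1 routing part of section 5, constructed here with the schedule for sla monitor 2 deliberately omitted so the check has something to find.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the interface, SLA, track and route lines of PIX1 from section 5,
# with "sla monitor schedule 2" deliberately left out so the check has something to report.
SAMPLE_CONFIG = """
interface Ethernet0
 nameif inside
 ip address 172.16.1.1 255.255.255.0
interface Ethernet1
 nameif Outside
 ip address 202.100.1.1 255.255.255.0
interface Ethernet2
 nameif Backup
 ip address 61.1.1.1 255.255.255.0
sla monitor 1
 type echo protocol ipIcmpEcho 202.100.1.10 interface Outside
 frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 61.1.2.1 interface Backup
 num-packets 3
 frequency 10
track 1 rtr 1 reachability
track 2 rtr 2 reachability
route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.1.10 10
route Backup 61.1.2.1 255.255.255.255 61.1.1.10 1
route Backup 192.168.1.0 255.255.255.0 61.1.1.10 1 track 2
route Outside 192.168.1.0 255.255.255.0 202.100.1.10 254
"""
FIXED_CONFIG = SAMPLE_CONFIG + "sla monitor schedule 2 life forever start-time now\n"
# Variant that also drops the host route for the track-2 probe target.
NO_HOST_ROUTE_CONFIG = FIXED_CONFIG.replace("route Backup 61.1.2.1 255.255.255.255 61.1.1.10 1\n", "")


def parse(config):
    """Collect connected networks, SLA probes, track objects and static routes from PIX/ASA text."""
    ifaces, slas, tracks, routes = {}, {}, {}, []
    ctx = None  # current block: ("if", {...}) or ("sla", id)
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            ctx = ("if", {})
        elif words[0] == "nameif" and ctx and ctx[0] == "if":
            ctx[1]["name"] = words[1]
        elif words[:2] == ["ip", "address"] and ctx and ctx[0] == "if":
            ctx[1]["net"] = ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif words[:3] == ["sla", "monitor", "schedule"]:
            slas.setdefault(int(words[3]), {})["scheduled"] = True
            ctx = None
        elif words[:2] == ["sla", "monitor"]:
            ctx = ("sla", int(words[2]))
            slas.setdefault(ctx[1], {}).setdefault("scheduled", False)
        elif words[0] == "type" and ctx and ctx[0] == "sla":
            # type echo protocol ipIcmpEcho <target> interface <nameif>
            slas[ctx[1]]["target"], slas[ctx[1]]["iface"] = ip_address(words[4]), words[6]
        elif words[0] == "track":  # track <id> rtr <sla-id> reachability
            tracks[int(words[1])] = int(words[3])
        elif words[0] == "route":  # route <nameif> <net> <mask> <nexthop> [metric] [track <id>]
            net = ip_network(f"{words[2]}/{words[3]}", strict=False)
            metric = int(words[5]) if len(words) > 5 and words[5].isdigit() else 1
            trk = int(words[words.index("track") + 1]) if "track" in words else None
            routes.append({"iface": words[1], "net": net, "metric": metric, "track": trk})
        if ctx and ctx[0] == "if" and "name" in ctx[1] and "net" in ctx[1]:
            ifaces[ctx[1]["name"]] = ctx[1]["net"]
    return ifaces, slas, tracks, routes


def check(config):
    """Return a list of findings; an empty list means the sla/track/route chain is complete."""
    ifaces, slas, tracks, routes = parse(config)
    findings = []
    for trk, sla_id in sorted(tracks.items()):
        if sla_id not in slas:
            findings.append(f"track {trk}: sla monitor {sla_id} does not exist")
        elif not slas[sla_id]["scheduled"]:
            findings.append(f"sla monitor {sla_id}: not scheduled, so track {trk} never comes up "
                            f"and the routes it tracks are never installed")
    for r in routes:
        if r["track"] is not None and r["track"] not in tracks:
            findings.append(f"route {r['net']} via {r['iface']}: track {r['track']} is not defined")
    for sla_id, info in sorted(slas.items()):
        if "target" not in info:
            findings.append(f"sla monitor {sla_id}: no probe type configured")
            continue
        tgt, want = info["target"], info["iface"]
        # Resolve the probe target in the steady state (all tracks up): longest prefix, then
        # lowest metric, with connected networks ranking above static routes of equal length.
        cands = [(n.prefixlen, 0, name) for name, n in ifaces.items() if tgt in n]
        cands += [(r["net"].prefixlen, -r["metric"], r["iface"]) for r in routes if tgt in r["net"]]
        best = max(cands, key=lambda c: c[:2], default=None)
        if best is None or best[2] != want:
            via = best[2] if best else "nowhere"
            findings.append(f"sla monitor {sla_id}: target {tgt} routes via {via}, not {want}; "
                            f"add a host route for {tgt} out {want}")
    return findings
```

Running check() on SAMPLE_CONFIG reports only the unscheduled sla monitor 2; on FIXED_CONFIG it reports nothing; on NO_HOST_ROUTE_CONFIG it reports that 61.1.2.1 would follow the metric-1 default route out Outside, which is exactly the misrouted probe the host route in ④ prevents.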
6. Verification:
A. Both links up:
---Internet traffic leaves via the Outside interface and *** traffic via the Backup interface
---This can be seen from the routing tables below
PIX1# sho route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 202.100.1.10 to network 0.0.0.0
C 172.16.1.0 255.255.255.0 is directly connected, inside
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S 192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C 61.1.1.0 255.255.255.0 is directly connected, Backup
S 61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
PIX2# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 202.100.2.10 to network 0.0.0.0
C 202.100.2.0 255.255.255.0 is directly connected, Outside
S 172.16.1.0 255.255.255.0 [1/0] via 61.1.2.10, Backup
C 192.168.1.0 255.255.255.0 is directly connected, Inside
S 61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C 61.1.2.0 255.255.255.0 is directly connected, Backup
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.2.10, Outside
B. Only the Outside link of PIX1/PIX2 fails:
---Manually shut down the R2 interfaces that connect to the Outside interfaces of PIX1/PIX2
---This affects only the default route of PIX1/PIX2, i.e. internet traffic; *** traffic is not affected
PIX1# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 61.1.1.10 to network 0.0.0.0
C 172.16.1.0 255.255.255.0 is directly connected, inside
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S 192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C 61.1.1.0 255.255.255.0 is directly connected, Backup
S 61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S* 0.0.0.0 0.0.0.0 [10/0] via 61.1.1.10, Backup
PIX2# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 61.1.2.10 to network 0.0.0.0
C 202.100.2.0 255.255.255.0 is directly connected, Outside
S 172.16.1.0 255.255.255.0 [1/0] via 61.1.2.10, Backup
C 192.168.1.0 255.255.255.0 is directly connected, Inside
S 61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C 61.1.2.0 255.255.255.0 is directly connected, Backup
S* 0.0.0.0 0.0.0.0 [10/0] via 61.1.2.10, Backup
---When the Outside link recovers and the SLA detects it, the default route switches back and internet traffic again leaves via the Outside interface
C. Only the Backup link of PIX1/PIX2 fails:
---Because the *** route tracks the peer's Backup interface address, a Backup link failure on either side switches *** traffic on both sides at the same time. This avoids the case where the side whose Backup link is still up keeps its metric-1 route and sends *** traffic to the peer's Backup address while the peer answers from its Outside interface; if the two carriers' address spaces do not reach each other, the *** could never be established that way. In the tables below, the 192.168.1.0 and 172.16.1.0 routes have moved to Outside with metric 254 on both firewalls
PIX1# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 202.100.1.10 to network 0.0.0.0
C 172.16.1.0 255.255.255.0 is directly connected, inside
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S 192.168.1.0 255.255.255.0 [254/0] via 202.100.1.10, Outside
C 61.1.1.0 255.255.255.0 is directly connected, Backup
S 61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
PIX2# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 202.100.2.10 to network 0.0.0.0
C 202.100.2.0 255.255.255.0 is directly connected, Outside
S 172.16.1.0 255.255.255.0 [254/0] via 202.100.2.10, Outside
C 192.168.1.0 255.255.255.0 is directly connected, Inside
S 61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C 61.1.2.0 255.255.255.0 is directly connected, Backup
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.2.10, Outside
---When the Backup link recovers, i.e. the SLA probes again reach the peer's Backup interface address from both sides, the routes to the peer's internal network switch back and *** traffic again leaves via the Backup interface
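The three scenarios above and the symmetry argument in C, reproduced as a small Python model. This is an added example, not part of the original article and not a Cisco tool: it encodes the static routes, metrics and track objects from section 5 exactly as configured, treats a "down" link as one whose ICMP probe fails (as in the tests above), and selects routes by longest prefix and then lowest metric, which is how the PIX builds the tables shown. It goes one step beyond the article by also modelling the alternative the design rejects, pinging only the local Backup next hop (monitor_peer=False), to show the one-sided failover that produces. The internet destination 198.51.100.1 is a constructed address; the peer addresses come from the crypto maps in section 5.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: str
    nexthop: str
    metric: int
    track: Optional[int] = None  # a tracked route is installed only while its track object is up


# The static routes from section 5, one list per firewall.
PIX1_ROUTES = [
    Route("Outside", "0.0.0.0/0", "202.100.1.10", 1, track=1),
    Route("Backup", "0.0.0.0/0", "61.1.1.10", 10),
    Route("Backup", "61.1.2.1/32", "61.1.1.10", 1),  # host route for the track-2 probe
    Route("Backup", "192.168.1.0/24", "61.1.1.10", 1, track=2),
    Route("Outside", "192.168.1.0/24", "202.100.1.10", 254),
]
PIX2_ROUTES = [
    Route("Outside", "0.0.0.0/0", "202.100.2.10", 1, track=1),
    Route("Backup", "0.0.0.0/0", "61.1.2.10", 10),
    Route("Backup", "61.1.1.1/32", "61.1.2.10", 1),
    Route("Backup", "172.16.1.0/24", "61.1.2.10", 1, track=2),
    Route("Outside", "172.16.1.0/24", "202.100.2.10", 254),
]
# Crypto map peers from section 5: the egress interface selects the crypto map, and so the
# peer address the tunnel is built to.
PEERS = {"PIX1": {"Outside": "202.100.2.1", "Backup": "61.1.2.1"},
         "PIX2": {"Outside": "202.100.1.1", "Backup": "61.1.1.1"}}

INTERNET_DST = "198.51.100.1"    # constructed: an address only the default route covers
PIX1_TUNNEL_DST = "192.168.1.2"  # R4 behind PIX2
PIX2_TUNNEL_DST = "172.16.1.2"   # R1 behind PIX1


def rib(routes, tracks):
    """Routes actually installed: untracked ones always, tracked ones only while the track is up."""
    return [r for r in routes if r.track is None or tracks.get(r.track, False)]


def lookup(installed, dst):
    """Longest prefix match; among equal prefix lengths the lowest metric wins."""
    ip = ip_address(dst)
    matches = [r for r in installed if ip in ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ip_network(r.prefix).prefixlen, -r.metric))


def tracks_for(local_outside_up, local_backup_up, peer_backup_up, monitor_peer=True):
    """Track 1 pings the directly connected Outside next hop, so it reflects only the local link.
    Track 2 pings the peer PIX's Backup address across the Backup link, so it fails when either
    side's Backup link fails. monitor_peer=False models pinging only the local Backup next hop."""
    track2 = local_backup_up and (peer_backup_up or not monitor_peer)
    return {1: local_outside_up, 2: track2}


def egress(routes, tracks, dst):
    route = lookup(rib(routes, tracks), dst)
    return route.iface if route else "unroutable"


def scenario(pix1_outside=True, pix1_backup=True, pix2_outside=True, pix2_backup=True,
             monitor_peer=True):
    """Egress interface for internet traffic and (interface, peer) for tunnel traffic on each PIX."""
    t1 = tracks_for(pix1_outside, pix1_backup, pix2_backup, monitor_peer)
    t2 = tracks_for(pix2_outside, pix2_backup, pix1_backup, monitor_peer)
    p1_tun = egress(PIX1_ROUTES, t1, PIX1_TUNNEL_DST)
    p2_tun = egress(PIX2_ROUTES, t2, PIX2_TUNNEL_DST)
    return {
        "pix1_internet": egress(PIX1_ROUTES, t1, INTERNET_DST),
        "pix2_internet": egress(PIX2_ROUTES, t2, INTERNET_DST),
        "pix1_tunnel": (p1_tun, PEERS["PIX1"].get(p1_tun)),
        "pix2_tunnel": (p2_tun, PEERS["PIX2"].get(p2_tun)),
    }


def tunnel_symmetric(result):
    """Both ends must choose the same link; otherwise one side routes its return traffic into a
    tunnel whose peer address is unreachable and the tunnel never comes up."""
    return result["pix1_tunnel"][0] == result["pix2_tunnel"][0]


if __name__ == "__main__":
    cases = [("both links up", {}), ("PIX1 Outside down", {"pix1_outside": False}),
             ("PIX2 Backup down", {"pix2_backup": False}),
             ("PIX2 Backup down, local-only probe", {"pix2_backup": False, "monitor_peer": False})]
    for name, kw in cases:
        r = scenario(**kw)
        print(f"{name}: {r} symmetric={tunnel_symmetric(r)}")
```

The first three cases reproduce the routing tables in A, B and C. The fourth case is the one the article's choice of probe target avoids: with PIX2's Backup link down, a PIX1 that only probed its own next hop would keep the metric-1 route via Backup and send traffic to 61.1.2.1, while PIX2 had already moved to Outside.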