I. Overview:
In real-world work you may well need to connect one ASA to two ISP lines, for example China Telecom and China Netcom, without the budget for a load-balancing appliance, yet still want link load sharing and automatic failover: traffic that arrives from Telecom returns via the Telecom line, traffic that arrives from Netcom returns via the Netcom line, and when one line fails all traffic uses the line that is still up.
II. Basic approach:
A. Use OSPF to simulate the carrier networks, mainly to avoid adding routes by hand.
B. Add a default route via the Telecom line that tracks the Telecom gateway, plus a high-metric default route via the Netcom line, so that:
----traffic from Telecom returns via Telecom (this needs the manually configured Netcom static routes from C to go with it)
----when the Telecom link fails, traffic uses the Netcom line
C. Add static routes for Netcom's networks via the Netcom line and track the Netcom gateway, so that:
----traffic from Netcom returns via Netcom
----when the Netcom link fails, traffic uses the Telecom default route
D. For static NAT, in a real environment both addresses are reachable only while both ISP lines are up.
E. In the test environment, both static NAT addresses remain reachable even when one line fails; this is achieved by:
---configuring two static NATs on each of the ASA's two outside interfaces
---having each ISP router connected to the ASA advertise the network that the other ISP NATs to, with a metric higher than the OSPF default
III. Test topology:
IV. Basic configuration:
A. R1:
① Interface configuration:
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface Loopback61
 ip address 61.1.3.1 255.255.255.0
 ip ospf network point-to-point
interface Loopback202
 ip address 202.100.3.1 255.255.255.0
 ip ospf network point-to-point
interface FastEthernet0/0
 ip address 202.100.2.1 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 61.1.2.1 255.255.255.0
 no shut
② Routing configuration:
router ospf 1
 router-id 1.1.1.1
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 network 61.1.2.1 0.0.0.0 area 0
 network 61.1.3.1 0.0.0.0 area 0
 network 202.100.2.1 0.0.0.0 area 0
 network 202.100.3.1 0.0.0.0 area 0
B. R2:
① Interface configuration:
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.2 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 202.100.2.2 255.255.255.0
 no shut
interface FastEthernet1/0
 ip address 23.1.1.1 255.255.255.252
 no shut
② Routing configuration:
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 23.1.1.1 0.0.0.0 area 0
 network 202.100.1.2 0.0.0.0 area 0
 network 202.100.2.2 0.0.0.0 area 0
C. R3:
① Interface configuration:
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface FastEthernet0/0
 ip address 61.1.1.3 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 61.1.2.3 255.255.255.0
 no shut
interface FastEthernet1/0
 ip address 23.1.1.2 255.255.255.252
 no shut
② Routing configuration:
router ospf 1
 router-id 3.3.3.3
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 23.1.1.2 0.0.0.0 area 0
 network 61.1.1.3 0.0.0.0 area 0
 network 61.1.2.3 0.0.0.0 area 0
D. ASA842:
① Interface configuration:
interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface GigabitEthernet2
 nameif Backup
 security-level 0
 ip address 61.1.1.10 255.255.255.0
 no shut
② Dynamic PAT configuration for both lines:
object network inside_net
 subnet 0.0.0.0 0.0.0.0
object network inside_any
 subnet 0.0.0.0 0.0.0.0
object network inside_net
 nat (Inside,Outside) dynamic interface
object network inside_any
 nat (Inside,Backup) dynamic interface
③ Static NAT configuration for both lines:
object network Inside_host_outside
 host 10.1.1.4
object network Inside_host_backup
 host 10.1.1.4
object network Outside-to-backup
 host 10.1.1.4
object network Backup-to-outside
 host 10.1.1.4
object network Inside_host_outside
 nat (Inside,Outside) static 202.100.1.4
object network Inside_host_backup
 nat (Inside,Backup) static 61.1.1.4
object network Outside-to-backup
 nat (Inside,Outside) static 61.1.1.4
object network Backup-to-outside
 nat (Inside,Backup) static 202.100.1.4
----Two NATs are configured per line, so that when one ISP line fails both static NAT addresses remain reachable
④ Firewall policy configuration:
class-map ALL_IP
 match any
policy-map global_policy
 class inspection_default
  inspect icmp
 class ALL_IP
  set connection decrement-ttl
service-policy global_policy global
access-list outside extended permit icmp any any
access-list outside extended permit udp any any range 33434 33523
access-list outside extended permit tcp any object Inside_host_outside eq telnet
access-group outside in interface Outside
access-group outside in interface Backup
E. R4:
① Interface configuration:
interface Loopback0
 ip address 192.168.1.4 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.4 255.255.255.0
 no shut
② Routing configuration:
ip route 0.0.0.0 0.0.0.0 10.1.1.10
③ Telnet configuration:
line vty 0 4
 password cisco
 login
V. ASA842 SLA and routing configuration:
① SLA configuration:
sla monitor 1
 type echo protocol ipIcmpEcho 202.100.1.2 interface Outside
 frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 61.1.1.3 interface Backup
 frequency 10
sla monitor schedule 2 life forever start-time now
② Track configuration:
track 1 rtr 1 reachability
track 2 rtr 2 reachability
③ Static route configuration:
route outside 0 0 202.100.1.2 1 track 1
route backup 0 0 61.1.1.3 254
---The default route uses the Telecom line and switches automatically to the Netcom line when the Telecom line fails
route Backup 61.1.2.0 255.255.255.0 61.1.1.3 1 track 2
route Backup 61.1.3.0 255.255.255.0 61.1.1.3 1 track 2
---While the Netcom line is up, traffic to Netcom's networks uses the Netcom line; otherwise it uses the Telecom default route
route Inside 192.168.1.0 255.255.255.0 10.1.1.4 1
---Add a return route toward R4's loopback
VI. About static NAT:
---For both static NAT addresses to stay reachable when one of the two lines fails, you need:
A. Two static NATs per line----already configured above
B. Each connected ISP router advertises the network that the other ISP NATs to, with a metric higher than the OSPF default
----This is essentially impossible in a real environment; no two ISPs will do this for a customer unless the fee is high enough
----It can still be played with in a test environment
① R2 router:
ip route 61.1.1.0 255.255.255.0 202.100.1.10 254 tag 10
route-map ASA842 permit 10
 match tag 10
router ospf 1
 redistribute static metric 130 subnets route-map ASA842
② R3 router:
ip route 202.100.1.0 255.255.255.0 61.1.1.10 254 tag 10
route-map ASA842 permit 10
 match tag 10
router ospf 1
 redistribute static metric 130 subnets route-map ASA842
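To make the failover behaviour of the static routes in section V concrete, here is an added example (not part of the original post, and not ASA code) that models the ASA's route table in Python and resolves the egress interface for a destination given which track objects are up. It assumes the selection rule the ASA applies: a tracked route is withdrawn while its track is down, and among installed routes the longest prefix wins, then the lowest administrative distance.

```python
"""Model of the ASA842 static routes from section V (added example).

Each route is (prefix, interface, next_hop, distance, track_id).
track_id None means the route is untracked and always installed.
"""
import ipaddress

# The five 'route' lines from section V, transcribed as a table
ROUTES = [
    ("0.0.0.0/0",      "Outside", "202.100.1.2", 1,   1),     # Telecom default, track 1
    ("0.0.0.0/0",      "Backup",  "61.1.1.3",    254, None),  # Netcom floating default
    ("61.1.2.0/24",    "Backup",  "61.1.1.3",    1,   2),     # Netcom network, track 2
    ("61.1.3.0/24",    "Backup",  "61.1.1.3",    1,   2),     # Netcom network, track 2
    ("192.168.1.0/24", "Inside",  "10.1.1.4",    1,   None),  # return route to R4
]

def installed_routes(track_state):
    """Routes present in the RIB for a given {track_id: up?} mapping."""
    return [r for r in ROUTES if r[4] is None or track_state.get(r[4], False)]

def lookup(dst, track_state):
    """Return (interface, next_hop) chosen for dst, or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, ifc, nh, dist, _ in installed_routes(track_state):
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -dist)   # longer prefix first, then lower distance
        if best is None or key > best[0]:
            best = (key, ifc, nh)
    return None if best is None else (best[1], best[2])

if __name__ == "__main__":
    both_up = {1: True, 2: True}
    print(lookup("202.100.3.1", both_up))               # Telecom dest -> Outside
    print(lookup("61.1.3.1", both_up))                  # Netcom dest -> Backup
    print(lookup("61.1.3.1", {1: True, 2: False}))      # Netcom down -> Outside default
    print(lookup("202.100.3.1", {1: False, 2: True}))   # Telecom down -> Backup default
```

The four cases printed at the bottom correspond to the traceroute results in section VII.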
VII. Testing the result:
A. With both lines up:
R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 202.100.1.2 160 msec 108 msec 56 msec
  2 202.100.2.1 36 msec * 24 msec
R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 61.1.1.3 112 msec 8 msec 0 msec
  2 61.1.2.1 112 msec * 68 msec
---Traffic to Telecom uses Telecom, traffic to Netcom uses Netcom
R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 32 msec 56 msec 20 msec
  2 202.100.1.10 40 msec * 24 msec
  3 202.100.1.4 80 msec * 16 msec
R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 140 msec 180 msec 80 msec
  2 202.100.1.10 64 msec * 88 msec
  3 202.100.1.4 140 msec * 84 msec
R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 116 msec 32 msec 0 msec
  2 61.1.1.10 4 msec * 4 msec
  3 61.1.1.4 208 msec * 128 msec
R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 8 msec 120 msec 192 msec
  2 61.1.1.10 0 msec * 20 msec
  3 61.1.1.4 152 msec * 204 msec
----Both static NAT addresses are reachable; the Telecom address is reached through the Telecom interface and the Netcom address through the Netcom interface
B. With the Telecom line down:
R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 10.1.1.10 188 msec * 28 msec
  2 61.1.1.3 44 msec 0 msec 0 msec
  3 61.1.2.1 108 msec * 84 msec
R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 10.1.1.10 0 msec * 20 msec
  2 61.1.1.3 100 msec 32 msec 0 msec
  3 61.1.2.1 108 msec * 72 msec
---Traffic to both Telecom and Netcom uses Netcom
R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 61.1.2.3 4 msec 184 msec 52 msec
  2 61.1.1.10 0 msec * 0 msec
  3 202.100.1.4 152 msec * 12 msec
R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 61.1.2.3 36 msec 4 msec 16 msec
  2 61.1.1.10 200 msec * 16 msec
  3 202.100.1.4 184 msec * 148 msec
R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 48 msec 0 msec 0 msec
  2 61.1.1.10 4 msec * 32 msec
  3 61.1.1.4 148 msec * 180 msec
R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 76 msec 52 msec 0 msec
  2 61.1.1.10 0 msec * 16 msec
  3 61.1.1.4 172 msec * 112 msec
----Both the Telecom and Netcom static NAT addresses are reachable from both Telecom and Netcom users
C. With the Netcom line down:
R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 10.1.1.10 8 msec * 28 msec
  2 202.100.1.2 108 msec 72 msec 84 msec
  3 202.100.2.1 88 msec * 128 msec
R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 10.1.1.10 0 msec * 76 msec
  2 202.100.1.2 112 msec 96 msec 24 msec
  3 202.100.2.1 248 msec * 76 msec
---Traffic to both Telecom and Netcom uses Telecom
R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 4 msec 156 msec 76 msec
  2 * 202.100.1.10 40 msec *
  3 202.100.1.4 68 msec * 24 msec
R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 92 msec 60 msec 124 msec
  2 202.100.1.10 4 msec * 36 msec
  3 202.100.1.4 152 msec * 60 msec
R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 202.100.2.2 32 msec 136 msec 116 msec
  2 202.100.1.10 80 msec * 56 msec
  3 61.1.1.4 120 msec * 120 msec
R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 202.100.2.2 4 msec 140 msec 112 msec
  2 202.100.1.10 64 msec * 64 msec
  3 61.1.1.4 156 msec * 80 msec
----Both the Telecom and Netcom static NAT addresses are reachable from both Telecom and Netcom users