㈠ 華為USG多出口策略路由怎麼配置
我前根據配置資料做筆記沒說利用IP址做判斷功能基礎配置路由圖實現(部資料源於 07net01 - cisco網路技術 網站)
Asa/PIXStatic Route Tracking命令效解決雙ISP口問題
存問題:
靜態路由沒固定機制決定否用即使跳達靜態路由存路由表ASA自條路由相關介面down才路由表刪除
解決辦:
Static Route Trackingfeature提供種追蹤靜態路由主路由失效安裝備份路由進路由表例:2條預設指向同ISP主ISP 斷立即啟用備用ISP鏈路使用ICMP進行追蹤定holdtime沒收reply認條鏈路down立即刪除該靜態路由預先設置備份路由進入路由表
注意:配置要outside口放icmp reply(打icmp限制)
pixFirewall(config)#sla monitor sla_id #指定檢測slaID
Pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho target_ip interface
if_name #指定檢測協議類型ICMP協議並指定檢測目址介面
必須ping通址址用track跟蹤路由刪除備份路由進路由表
pixFirewall(config)#sla monitor schele sla_id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring] #指定Schele般start now
必須要寫間表track路由進路由表
pixFirewall(config)# track track_id rtr sla_id reachability #指定TrackID並要求追蹤SlaID達性
pixFirewall(config)# route if_name dest_ip mask gateway_ip [admin_distance] track track_i #設定默認路由並綁定TrackID
配置實例:
sla monitor 1
type echo protocol ipIcmpEcho 202.1.1.2 interface dx
sla monitor schele 1 start-time now(必須配置track路由進路由表)
track 2 rtr 1 reachability
route dx 0.0.0.0 0.0.0.0 202.1.1.2 1 track 2 (電信默認網關追蹤址達性)
route wt 0.0.0.0 0.0.0.0 101.1.1.2 2 (網通默認網關)
配置202.1.1.2 ping通(ICMP協議能Reachability)候route dx 0.0.0.0 0.0.0.0 202.1.1.2 1路由表刪除並由第二條默認路由即route wt 0.0.0.0 0.0.0.0 101.1.1.2 2取代202.1.1.2恢復重新變dx 0.0.0.0 0.0.0.0 202.1.1.2 1
feature我想家項目都遇ASA效解決
與我用路由器實現雙口備份通配置SAA檢查其連通性並跟蹤結路由進行選擇實現思路非精巧
附:PIX雙口ISP配置實例
網路拓撲圖:
配置文件:
Pixfirewall# show running-config
: Saved
:
PIX Version 7.2(1)
hostname pix
domain-name default.domain.invalid
enable password 9jNfZuG3TC5tCVH0 encrypted
names
interface Ethernet0
nameif outside
security-level 0
ip address 10.200.159.2 255.255.255.248
interface Ethernet1
nameif backup--- 命名鏈接備份ISP介面介面名字隨便起名字security-level 0
ip address 10.250.250.2 255.255.255.248
interface Ethernet2
nameif inside
security-level 100
ip address 172.22.1.163 255.255.255.0
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu backup 1500
mtu inside 1500
no failover
asdm image flash:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
--- 配置雙ISP介面NAT都直接指定介面IP址
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
--- 配置追蹤默認靜態路由並指定管理距離1.
--- 追蹤靜態路由追蹤功則路由表否則路由表清除
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
--- 配置備份默認靜態路由定要指定管理距離於追蹤靜態默認路由
--- 追蹤默認靜態路由追蹤功則選用追蹤路由其管理距離
--- 追蹤默認靜態路由追蹤功則選用本條路由追蹤默認路由已路由表清除
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ffIRPGpDSOJh9YLq encrypted
http server enable
http 172.22.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
sla monitor schele 123 life forever start-time now
--- 配置SLA Monitor設定ID123;指定協議監測目IP址及介面
--- 並且設置包數頻率10秒
--- 配置SLA Monitor ID123命期始間
track 1 rtr 123 reachability
--- 配置Track ID1RTR要求判斷標准達性
--- 與前面命令route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1 相應
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:: end