1 - Dual Egress
(1) Topology diagram
(2) Basic configuration
sw1:
int GE 1/0/0
port link-type access
port default vlan 1
int GE 1/0/1
port link-type access
port default vlan 1
sw2:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 100.100.100.254 255.255.255.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 1.1.1.1 255.255.255.0
sw3:
interface GE1/0/0
undo portswitch
undo shutdown
ip address 200.200.200.254 255.255.255.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 2.2.2.1 255.255.255.0
fw:
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 10.12.1.1 255.255.0.0
gateway 10.12.12.254
service-manage http permit
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.1.254 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.100.100.100 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 200.200.200.200 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
service-manage netconf permit
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
#
security-policy
default action permit
fw:
ip route-static 1.1.1.0 255.255.255.0 100.100.100.254
ip route-static 2.2.2.0 255.255.255.0 200.200.200.254
(3.1) Configure the security policy for internal-network access to the Internet
security-policy
default action deny
rule name trust-to-untrust
source-zone trust
destination-zone untrust
action permit
(3.2) Configure the address pools
nat address-group isp1 0
mode pat
route enable
section 0 100.100.100.100 100.100.100.105
#
nat address-group isp2 1
mode pat
route enable
section 0 200.200.200.200 200.200.200.205
(3.3) Configure the NAT policy (source NAT)
rule name isp1
source-zone trust
destination-zone untrust
action source-nat address-group isp1
rule name isp2
source-zone trust
destination-zone untrust
action source-nat address-group isp2
Test: pinging 200.200.200.254 fails, but pinging 100.100.100.254 succeeds.
Cause: [fw]display firewall session table shows that when 200.200.200.254 is accessed, the source address translation is wrong.
Because both egress interfaces are assigned to the same zone, the NAT policy must match on egress-interface; matching on destination-zone only works when the interfaces are placed in different zones.
Solution:
nat-policy
rule name isp1
source-zone trust
egress-interface GigabitEthernet1/0/1
action source-nat address-group isp1
rule name isp2
source-zone trust
egress-interface GigabitEthernet1/0/2
action source-nat address-group isp2
Test: the IP addresses of both ISPs can now be pinged.
(3.4) Black-hole routes
Configure black-hole routes:
1. When the NAT address pool addresses and the egress interface address are not in the same subnet, black-hole routes must be configured;
2. When the NAT address pool addresses and the egress interface address are in the same subnet, configuring black-hole routes is recommended;
3. When a pool address is identical to the egress interface address, no routing loop can occur and no black-hole route is needed;
4. Either enable the black-hole route function with the route enable command, which generates UNR routes, or configure the black-hole route manually with ip route-static ip-address (x.x.x.x x.x.x.x) NULL 0; use one of the two methods, not both.
(4.1) Map the internal web server 192.168.1.101 to the outside
Health check:
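To make the failure mode above concrete, here is an added Python model of first-match NAT-policy lookup over the two rule sets on this page. It is example code written for this page, not code from the page or from Huawei, and it assumes rules are evaluated top-down, that the egress interface comes from a longest-prefix lookup over the page's static and connected routes, and that a translated source address is only "consistent" when it belongs to the subnet of the interface the packet leaves on. The names Flow, NatRule, translate and audit are invented for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical model of the firewall's NAT-policy lookup for this page's
# topology; it is not Huawei's implementation.

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    egress_if: str   # interface picked by the routing lookup
    dst_ip: str

@dataclass
class NatRule:
    name: str
    pool: str
    src_zone: str
    dst_zone: Optional[str] = None    # destination-zone condition (None = any)
    egress_if: Optional[str] = None   # egress-interface condition (None = any)

# Both ISP interfaces sit in zone untrust (firewall zone untrust on the page).
INTERFACES = {
    "GigabitEthernet1/0/1": ip_network("100.100.100.0/24"),
    "GigabitEthernet1/0/2": ip_network("200.200.200.0/24"),
}
# First address of each pool section from (3.2).
POOLS = {
    "isp1": ip_address("100.100.100.100"),
    "isp2": ip_address("200.200.200.200"),
}
# Routes from the page: the two statics plus the connected ISP subnets.
ROUTES = [
    (ip_network("1.1.1.0/24"), "GigabitEthernet1/0/1"),
    (ip_network("2.2.2.0/24"), "GigabitEthernet1/0/2"),
    (ip_network("100.100.100.0/24"), "GigabitEthernet1/0/1"),
    (ip_network("200.200.200.0/24"), "GigabitEthernet1/0/2"),
]

ZONE_RULES = [    # the (3.3) policy: both rules match on destination-zone untrust
    NatRule("isp1", "isp1", "trust", dst_zone="untrust"),
    NatRule("isp2", "isp2", "trust", dst_zone="untrust"),
]
EGRESS_RULES = [  # the corrected policy: match on the egress interface instead
    NatRule("isp1", "isp1", "trust", egress_if="GigabitEthernet1/0/1"),
    NatRule("isp2", "isp2", "trust", egress_if="GigabitEthernet1/0/2"),
]

def egress_for(dst_ip):
    """Longest-prefix match over ROUTES; returns the egress interface name."""
    d = ip_address(dst_ip)
    hits = [r for r in ROUTES if d in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: r[0].prefixlen)[1]

def to_isp(dst_ip):
    """A trust-to-untrust flow from the LAN towards dst_ip."""
    return Flow("trust", "untrust", egress_for(dst_ip), dst_ip)

def first_match(rules, flow):
    """Rules are evaluated top-down; the first rule whose conditions all hold wins."""
    for r in rules:
        if r.src_zone != flow.src_zone:
            continue
        if r.dst_zone is not None and r.dst_zone != flow.dst_zone:
            continue
        if r.egress_if is not None and r.egress_if != flow.egress_if:
            continue
        return r
    return None

def translate(rules, flow):
    """Return (matched rule, translated source, consistent). 'consistent' is True
    only when the new source belongs to the subnet of the interface the packet
    actually leaves on; False reproduces the failed ping towards ISP2."""
    r = first_match(rules, flow)
    if r is None:
        return None
    new_src = POOLS[r.pool]
    return r.name, str(new_src), new_src in INTERFACES[flow.egress_if]

def audit(rules, destinations):
    """Destinations whose translated source does not match their egress link."""
    return [d for d in destinations if not translate(rules, to_isp(d))[2]]

if __name__ == "__main__":
    for rules in (ZONE_RULES, EGRESS_RULES):
        for dst in ("100.100.100.254", "200.200.200.254"):
            print(dst, translate(rules, to_isp(dst)))
```

With the destination-zone rules every flow hits rule isp1, so traffic leaving GigabitEthernet1/0/2 carries a 100.100.100.x source that ISP2 cannot route back; the egress-interface rules pair each flow with the pool of the link it really uses.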
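The four rules above can be applied mechanically. The following added Python helper (example code for this page, not part of the original or of any Huawei tool) classifies a pool section against the egress interface address and emits the manual ip route-static ... NULL 0 equivalents of the UNR routes that route enable would create. It uses the standard library's summarize_address_range to split a section into the smallest set of prefixes, which is the same summarisation visible later in the page's routing table (100.100.100.100/30 and 100.100.100.104/31 for the section 100.100.100.100 to 100.100.100.105). The function name blackhole_plan is invented.

```python
from ipaddress import IPv4Address, IPv4Interface, summarize_address_range

def blackhole_plan(pool_start, pool_end, egress):
    """Classify a NAT pool section against the egress interface and build
    the manual black-hole routes for it.

    pool_start, pool_end: first and last address of the 'section'.
    egress: the egress interface address with prefix, e.g. '100.100.100.100/24'.
    Returns (classification, list of CLI lines). Hypothetical helper written
    for this page; not a Huawei command or API.
    """
    start, end = IPv4Address(pool_start), IPv4Address(pool_end)
    ifc = IPv4Interface(egress)
    addrs = [IPv4Address(a) for a in range(int(start), int(end) + 1)]

    # Rule 3: a pool that is exactly the interface address cannot loop.
    if all(a == ifc.ip for a in addrs):
        return "not needed", []

    # Rule 1 (different subnet) versus rule 2 (same subnet).
    in_subnet = all(a in ifc.network for a in addrs)
    level = "recommended" if in_subnet else "required"

    # route enable summarises the section into UNR prefixes; the manual form
    # from rule 4 is one ip route-static <network> <mask> NULL 0 per prefix.
    cmds = [f"ip route-static {n.network_address} {n.netmask} NULL 0"
            for n in summarize_address_range(start, end)]
    return level, cmds

if __name__ == "__main__":
    # Constructed inputs taken from the page's two pools and interfaces.
    for args in (("100.100.100.100", "100.100.100.105", "100.100.100.100/24"),
                 ("200.200.200.200", "200.200.200.205", "200.200.200.200/24")):
        level, cmds = blackhole_plan(*args)
        print(level)
        print("\n".join(cmds))
```

A single-address section such as the nat server global address 100.100.100.101 yields one /32 line, which matches the 100.100.100.101/32 UNR entry that unr-route installs.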
healthcheck enable
healthcheck name isp1
destination 100.100.100.254 interface GigabitEthernet1/0/1 protocol icmp
link-interface 0 name isp1
interface GigabitEthernet1/0/1 next-hop 100.100.100.254 route disable //route disable means no default route is generated for this link
healthcheck isp1
redirect-reverse enable //enable source-in source-out (replies leave via the interface they arrived on)
Configure NAT:
nat server web-server zone untrust global 100.100.100.101 inside 192.168.1.101 unr-route
security-policy
rule name untrust-to-web-server
source-zone untrust
destination-address 192.168.1.101 mask 255.255.255.255
action permit
Test: external user pc2 can access pc1 successfully.
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
nat server web-server zone untrust global 100.100.100.101 inside 192.168.1.101 unr-route
nat server web-server-isp2 zone untrust global 200.200.200.201 inside 192.168.1.101 no-reverse unr-route
security-policy
rule name web-server-isp2
source-zone untrust
destination-address 192.168.1.101 mask 255.255.255.255
action permit
[fw]display firewall server-map
2023-02-13 02:20:45.590
Current Total Server-map : 3
Type: Nat Server, ANY -> 100.100.100.101[192.168.1.101], Zone: untrust , protocol:---
Vpn: public -> public
Type: Nat Server, ANY -> 200.200.200.201[192.168.1.101], Zone: untrust , protocol:---
Vpn: public -> public
Type: Nat Server Reverse, 192.168.1.101[100.100.100.101] -> ANY, Zone: untrust , protocol:---
Vpn: public -> public, counter: 1
[fw]
Test: both pc2 and pc3 can reach the website on 192.168.1.101.
Because both external interfaces are in the same security zone (untrust) and "web-server" already has "Allow the server to access the Internet using the public address" (reverse mapping) selected, none of the other mapping rules may select that option as well.
If the two external interfaces belong to different security zones, the option can be selected for both.
Even specifying the protocol does not make it possible:
nat server web-server zone untrust protocol tcp global 100.100.100.101 www inside 192.168.1.101 www unr-route
[fw]display firewall server-map
2023-02-13 02:24:25.390
Current Total Server-map : 3
Type: Nat Server, ANY -> 100.100.100.101:80[192.168.1.101:80], Zone: untrust , protocol:tcp
Vpn: public -> public
Type: Nat Server, ANY -> 200.200.200.201[192.168.1.101], Zone: untrust , protocol:---
Vpn: public -> public
Type: Nat Server Reverse, 192.168.1.101[100.100.100.101] -> ANY, Zone: untrust , protocol:tcp
Vpn: public -> public, counter: 1
[fw]
(5.1) Configure global intelligent route selection
Configure health checks:
healthcheck enable
healthcheck name isp1
destination 100.100.100.254 interface GigabitEthernet1/0/1 protocol icmp
healthcheck name isp2
destination 200.200.200.254 interface GigabitEthernet1/0/2 protocol icmp
Configure link interfaces:
link-interface 0 name isp1
interface GigabitEthernet1/0/1 next-hop 100.100.100.254 route disable
healthcheck isp1
redirect-reverse enable //enable source-in source-out
#
link-interface 1 name isp2
interface GigabitEthernet1/0/2 next-hop 200.200.200.254 route disable
healthcheck isp2
redirect-reverse enable
Configure default gateways, overload protection and source-in source-out:
interface GigabitEthernet1/0/1
gateway 100.100.100.254
bandwidth ingress 100000 threshold 90
bandwidth egress 100000 threshold 90
redirect-reverse next-hop 100.100.100.254
interface GigabitEthernet1/0/2
gateway 200.200.200.254
bandwidth ingress 100000 threshold 90
bandwidth egress 100000 threshold 90
redirect-reverse next-hop 200.200.200.254
To keep the links from overloading, the administrator sets an overload-protection threshold of 90% on each link. When a link's bandwidth usage reaches 90%, traffic of already established sessions is still forwarded over that link, but traffic of newly created sessions is no longer sent through it: the FW selects among the links that are not overloaded, and subsequent traffic is load-shared between those links in proportion to their bandwidth. If every link is overloaded, the FW keeps distributing traffic in proportion to the bandwidth of all links.
Configure the global route-selection policy:
multi-linkif //enter the global intelligent route-selection view
mode priority-of-userdefine //select the best link by "link priority with active/standby backup"
add linkif isp1 priority 2
add linkif isp2
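The overload-protection paragraph and the priority-based mode above describe a small decision procedure. The following added Python model (example code written for this page, not the page's own configuration or Huawei's implementation) implements it: established sessions stay pinned to their link, new sessions avoid links whose usage has reached the threshold or whose health check failed, the priority mode sends new sessions to the highest-priority usable link, and bandwidth-ratio sharing is used among the remaining links or, when all are overloaded, among all of them. It assumes that a larger priority value means a more preferred link and that an unspecified priority defaults to 1; the names Link, pick_by_priority, share_by_bandwidth and link_for_session are invented.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    bandwidth: int         # kbit/s, as in 'bandwidth egress 100000'
    threshold: int         # percent, as in 'threshold 90'
    used: int              # current egress usage in kbit/s (constructed sample)
    healthy: bool = True   # healthcheck result
    priority: int = 1      # 'add linkif ... priority N'; assumption: higher wins, default 1

    def overloaded(self):
        """Usage at or above the configured percentage of link bandwidth."""
        return self.used * 100 >= self.bandwidth * self.threshold

def candidates(links):
    """Links eligible for NEW sessions: healthy and not overloaded; if every
    healthy link is overloaded, all healthy links stay eligible."""
    up = [l for l in links if l.healthy]
    free = [l for l in up if not l.overloaded()]
    return free or up

def share_by_bandwidth(links):
    """Bandwidth-ratio load sharing: fraction of new sessions per candidate."""
    cand = candidates(links)
    total = sum(l.bandwidth for l in cand)
    return {l.name: l.bandwidth / total for l in cand}

def pick_by_priority(links):
    """mode priority-of-userdefine: new sessions go to the highest-priority
    candidate; lower-priority links act as standby."""
    cand = candidates(links)
    if not cand:
        return None
    return max(cand, key=lambda l: l.priority).name

def link_for_session(table, session_id, links):
    """Existing sessions keep their link even after it overloads or loses
    priority; only sessions not yet in the table are steered."""
    if session_id not in table:
        table[session_id] = pick_by_priority(links)
    return table[session_id]

if __name__ == "__main__":
    # Constructed state matching the page: isp1 priority 2, isp2 default.
    links = [Link("isp1", 100000, 90, 50000, priority=2),
             Link("isp2", 100000, 90, 10000)]
    sessions = {}
    print(link_for_session(sessions, "s1", links))   # isp1 while it is below 90%
    links[0].used = 95000                             # isp1 crosses the threshold
    print(link_for_session(sessions, "s1", links))   # s1 stays on isp1
    print(link_for_session(sessions, "s2", links))   # new session moves to isp2
```

The same candidates() filter feeds both modes, so a failed health check or an overloaded link drops out of selection regardless of its priority, which is the behaviour the paragraph above describes for overload and the link-interface health checks imply for link failure.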
View the routing table:
[fw]display ip routing-table
2023-02-13 03:01:46.520
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 17 Routes : 18
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Unr 70 0 D 100.100.100.254 GigabitEthernet1/0/1
Unr 70 0 D 200.200.200.254 GigabitEthernet1/0/2
1.1.1.0/24 Static 60 0 RD 100.100.100.254 GigabitEthernet1/0/1
2.2.2.0/24 Static 60 0 RD 200.200.200.254 GigabitEthernet1/0/2
100.100.100.0/24 Direct 0 0 D 100.100.100.100 GigabitEthernet1/0/1
100.100.100.100/30 Unr 61 0 D 127.0.0.1 InLoopBack0
100.100.100.100/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/1
100.100.100.101/32 Unr 61 0 D 127.0.0.1 InLoopBack0
100.100.100.104/31 Unr 61 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.254 GigabitEthernet1/0/0
192.168.1.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
200.200.200.0/24 Direct 0 0 D 200.200.200.200 GigabitEthernet1/0/2
200.200.200.200/30 Unr 61 0 D 127.0.0.1 InLoopBack0
200.200.200.200/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/2
200.200.200.201/32 Unr 61 0 D 127.0.0.1 InLoopBack0
200.200.200.204/31 Unr 61 0 D 127.0.0.1 InLoopBack0
Other:
Security policy for health-check traffic:
For versions earlier than V500R001C80, a matching security policy must be configured on the FW to allow it to send health-check probe packets to the destination device. For V500R001C80 and later, health-check probe packets are not subject to the security policy and are permitted by default, so no security policy is needed for them.
http://www.zh-cjh.com/wangluoanquan/1826.html
Source: www.zh-cjh.com (珠海陈坚浩博客) » 1 - Dual Egress
Author: cjh