求助思科ASA5550双出口主备配置

linkunya · 发表于 2014-7-22 23:05:18

如图示，求配置一份
另求一份ASA5550的配置文档（中文版）
版本信息：Cisco Adaptive Security Appliance Software Version 8.2(1) Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

SG-ASA5550-1 up 1 year 170 days

Hardware: ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                           Boot microcode : CN1000-MC-BOOT-2.00
                           SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                           IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

心_、 · 发表于 2014-9-4 11:34:50

手工写的哈，错误多，莫见怪。
实验名称：
防火墙的SLA+浮动路由；

实验目的：
让chinanet成为主出口，chinaUnicom成为备用出口，并实现自动切换；

实验说明：
一、配置R1、R2的环回接口loopback0的ip地址都为2.2.2.2/24来模拟外网地址；
二、配置R1的环回接口loopback的ip地址为1.1.1.1/24模拟内网地址；

实验命令：
R1配置：
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R2的配置：
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface Ethernet0/0
ip address 12.1.12.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 12.1.12.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
R3的配置：
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface Ethernet0/0
ip address 13.1.13.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 13.1.13.1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ASA防火墙的配置：
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
interface Ethernet0/1
nameif outside
security-level 0
ip address 12.1.12.1 255.255.255.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
interface Ethernet0/2
nameif backup
security-level 0
ip address 13.1.13.1 255.255.255.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

access-list 123 extended permit ip any any
access-list 123 extended permit icmp any any
access-group 123 in interface outside
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

NAT配置：
ASA的IOS 旧版本的NAT配置：
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 1.1.1.0 255.255.255.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ASA的ios 新版本的NAT配置（没试验过）：
object network To_internet
subnet 1.1.1.0 255.255.255.0
object network To_internet
nat (inside,outside) dynamic interface
nat (inside,backup) dynamic interface
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
路由器和防火墙的NAT与路由表的关系，内网访问外网先经过路由表路由，再通过NAT出外网，外网访问内网先经过NAT再通过路由表进入内网；

route outside 0.0.0.0 0.0.0.0 12.1.12.2 1 track 1
route backup 0.0.0.0 0.0.0.0 13.1.13.3 10
route inside 1.1.1.0 255.255.255.0 10.1.1.1 1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

SLA旨在向公网网关不断发送ICMP协议，若对面不应答，则视作线路已断。
sla monitor 1 !!!SLA监测器1
type echo protocol ipIcmpEcho 12.1.12.2 interface outside !!!类型icmp应答协议，ICMP应答地址12.1.12.2（公网的网关），出口outside
num-packets 3 !!!每次三个包
frequency 10 !!!发包频率为10
sla monitor schedule 1 life forever start-time now !!!SLA监视表1存在时间为永远，并马上启动
track 1 rtr 1 reachability 追踪监视器1表的策略是否可达
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

实验结果：
1.show route观察路由表中的主出口应该是R1；
2.在R2上shutdown e0/0接口，asa自动切换出口到R3；

linkunya · 发表于 2014-10-15 17:11:24

心_、发表于 2014-9-4 11:34
手工写的哈，错误多，莫见怪。
实验名称：
防火墙的SLA+浮动路由；

非常感谢你的回答，回复来晚了抱歉，问题已解决！谢谢

wuxinhen330 · 发表于 2016-8-21 16:01:35

楼主，你是怎么解决了，我现在也遇到和类似的情况，双asa 双运行商线路，能否告知下？

账号		自动登录	找回密码
密码			论坛注册

求助思科ASA5550双出口主备配置

相关帖子

客服中心

投诉建议