PIX 8.0 dual-link test: separating *** traffic from Internet traffic, with line redundancy

1. Overview:

   Both headquarters and the branch run PIX 8.0, and both sites are dual-homed, for example one China Telecom line and one China Mobile line. The requirement is that each site's internal Internet-bound traffic uses the Telecom line while *** traffic uses the Mobile line; if either the Telecom line or the Mobile line fails, neither the Internet connection nor the *** connection may be interrupted.

2. Basic approach:

A. Configure two default routes: the Mobile line with metric 254 and the Telecom line with metric 1, and use SLA to monitor the Telecom line's gateway.

----This ensures Internet traffic uses the Telecom line by default and fails over to the Mobile line when the Telecom line goes down.

B. Configure two routes to the peer's internal network for *** traffic: the Telecom line with metric 254 and the Mobile line with metric 1, and use SLA to monitor the Mobile-line interface address of the peer PIX.

----This ensures *** traffic uses the Mobile line by default; when the Mobile line fails, *** traffic on both sides moves to the Telecom line.
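The approach above rests on two behaviours of tracked static routes on the PIX/ASA: a route tied to a track object is withdrawn while the SLA probe fails, and among routes for the same prefix only the one with the lowest metric is installed. The following model, added here as an illustration rather than taken from the original post, encodes PIX1's routes from the design and replays the three failure states so the expected egress interface for Internet, *** and probe traffic can be checked. The route list, track states and destination addresses (for example 8.8.8.8 as "some Internet host") are constructed for the example; the metric 10 on the backup default route follows the configuration used later on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: str                  # network in CIDR form, e.g. "0.0.0.0/0"
    gateway: str                 # next hop ("" for a connected route)
    metric: int                  # administrative distance of the static route
    track: Optional[int] = None  # SLA track object the route depends on, if any


# PIX1's routes as described in the design above, written out by hand for
# this example (constructed, not device output).
PIX1_ROUTES: List[Route] = [
    Route("inside",  "172.16.1.0/24",  "", 0),
    Route("Outside", "202.100.1.0/24", "", 0),
    Route("Backup",  "61.1.1.0/24",    "", 0),
    # default route: Telecom (Outside) preferred, withdrawn while track 1 is down
    Route("Outside", "0.0.0.0/0", "202.100.1.10", 1, track=1),
    Route("Backup",  "0.0.0.0/0", "61.1.1.10",    10),
    # untracked host route so the SLA probe to the peer's Backup address
    # keeps leaving via Backup even while track 2 is down
    Route("Backup",  "61.1.2.1/32", "61.1.1.10", 1),
    # route to the peer's inside network: Mobile (Backup) preferred,
    # withdrawn while track 2 is down
    Route("Backup",  "192.168.1.0/24", "61.1.1.10",    1, track=2),
    Route("Outside", "192.168.1.0/24", "202.100.1.10", 254),
]


def installed_routes(routes: List[Route], track_up: Dict[int, bool]) -> List[Route]:
    """Routes that end up in the routing table.

    A tracked static route is removed while its track object is down, and
    for each prefix only the candidate with the lowest metric is installed.
    """
    best: Dict[str, Route] = {}
    for r in routes:
        if r.track is not None and not track_up.get(r.track, False):
            continue
        current = best.get(r.prefix)
        if current is None or r.metric < current.metric:
            best[r.prefix] = r
    return list(best.values())


def egress(routes: List[Route], track_up: Dict[int, bool], dst: str) -> Tuple[str, str]:
    """Longest-prefix match over the installed routes; returns (interface, gateway)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in installed_routes(routes, track_up)
               if addr in ipaddress.ip_network(r.prefix)]
    best = max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return best.iface, best.gateway


if __name__ == "__main__":
    scenarios = {
        "both links up":     {1: True,  2: True},
        "Outside link down": {1: False, 2: True},
        "Backup link down":  {1: True,  2: False},
    }
    for name, state in scenarios.items():
        print(f"{name}:")
        for dst in ("8.8.8.8", "192.168.1.5", "61.1.2.1"):
            print(f"  {dst:>12} -> {egress(PIX1_ROUTES, state, dst)}")
```

The model makes one design point visible that is easy to miss in the configuration: the host route to the peer's Backup address must not be tracked. If it were withdrawn together with the /24, the SLA probe would start leaving via the default route, the Telecom side would never see the Mobile link come back, and the *** route would never switch back.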

3. Test topology:

4. Basic configuration:

A.R1:

interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1

B.PIX1:

interface Ethernet0
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut

interface Ethernet2
nameif Backup
security-level 0
ip address 61.1.1.1 255.255.255.0
no shut

C.R2:

interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.10 255.255.255.0
no shut

D.R3:

interface FastEthernet0/0
ip address 61.1.1.10 255.255.255.0
no shut

interface FastEthernet0/1
ip address 61.1.2.10 255.255.255.0
no shut

E.PIX2:

interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut

interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut

interface Ethernet2
nameif Backup
security-level 0
ip address 61.1.2.1 255.255.255.0
no shut

F.R4:

interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 192.168.1.1

5. Firewall configuration:

A.PIX1:

① SLA configuration:

sla monitor 1
type echo protocol ipIcmpEcho 202.100.1.10 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.2.1 interface Backup
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now

② Track configuration:

track 1 rtr 1 reachability
track 2 rtr 2 reachability

③ Default route configuration:

route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.1.10 10

④ Static route configuration:

route Backup 61.1.2.1 255.255.255.255 61.1.1.10 1 (host route for the track 2 probe)
route Backup 192.168.1.0 255.255.255.0 61.1.1.10 1 track 2
route Outside 192.168.1.0 255.255.255.0 202.100.1.10 254
---Do not configure reverse route injection for ***; it would install its own route to the peer's inside network and override the tracked static routes above

PAT and NAT exemption configuration:

access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any
nat (inside) 1 access-list PAT
global (Outside) 1 interface
global (Backup) 1 interface
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

Policy configuration:

access-list OUTSIDE extended permit icmp any any
access-list BACKUP extended permit icmp any any
access-group OUTSIDE in interface Outside
access-group BACKUP in interface Backup

L2L *** configuration:

---Phase 1 policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
tunnel-group 61.1.2.1 type ipsec-l2l
tunnel-group 61.1.2.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
---Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
---Interesting traffic:
access-list *** extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
---Configure the crypto maps, apply them to the interfaces, and enable ISAKMP on the interfaces:
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.2.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto map crymap-backup 10 match address ***
crypto map crymap-backup 10 set peer 61.1.2.1
crypto map crymap-backup 10 set transform-set transet
crypto map crymap-backup interface Backup
crypto isakmp enable Outside
crypto isakmp enable Backup

B.PIX2:

① SLA configuration:

sla monitor 1
type echo protocol ipIcmpEcho 202.100.2.10 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.1.1 interface Backup
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now

② Track configuration:

track 1 rtr 1 reachability
track 2 rtr 2 reachability

③ Default route configuration:

route Outside 0.0.0.0 0.0.0.0 202.100.2.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.2.10 10

④ Static route configuration:

route Backup 61.1.1.1 255.255.255.255 61.1.2.10 1 (host route for the track 2 probe)
route Backup 172.16.1.0 255.255.255.0 61.1.2.10 1 track 2
route Outside 172.16.1.0 255.255.255.0 202.100.2.10 254
---Do not configure reverse route injection for ***; it would install its own route to the peer's inside network and override the tracked static routes above

PAT and NAT exemption configuration:

access-list PAT extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 1 access-list PAT
global (Outside) 1 interface
global (Backup) 1 interface
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

Policy configuration:

access-list OUTSIDE extended permit icmp any any
access-list BACKUP extended permit icmp any any
access-group OUTSIDE in interface Outside
access-group BACKUP in interface Backup

L2L *** configuration:

---Phase 1 policy:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
tunnel-group 61.1.1.1 type ipsec-l2l
tunnel-group 61.1.1.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
---Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
---Interesting traffic:
access-list *** extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
---Configure the crypto maps, apply them to the interfaces, and enable ISAKMP on the interfaces:
crypto map crymap 10 match address ***
crypto map crymap 10 set peer 202.100.1.1
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto map crymap-backup 10 match address ***
crypto map crymap-backup 10 set peer 61.1.1.1
crypto map crymap-backup 10 set transform-set transet
crypto map crymap-backup interface Backup
crypto isakmp enable Outside
crypto isakmp enable Backup

6. Verification:

A. Both links healthy:

---Internet traffic uses the Outside interface; *** traffic uses the Backup interface

---This can be seen from the routing tables below

PIX1# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside

PIX2# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 202.100.2.10 to network 0.0.0.0

C    202.100.2.0 255.255.255.0 is directly connected, Outside
S    172.16.1.0 255.255.255.0 [1/0] via 61.1.2.10, Backup
C    192.168.1.0 255.255.255.0 is directly connected, Inside
S    61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C    61.1.2.0 255.255.255.0 is directly connected, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.2.10, Outside

B. Only the Outside link of PIX1/PIX2 fails:

---Manually shut down the R2 interfaces that connect to the Outside interfaces of PIX1/PIX2

---This only affects the default route on PIX1/PIX2, i.e. Internet traffic; *** traffic is unaffected

PIX1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 61.1.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [10/0] via 61.1.1.10, Backup

PIX2# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 61.1.2.10 to network 0.0.0.0

C    202.100.2.0 255.255.255.0 is directly connected, Outside
S    172.16.1.0 255.255.255.0 [1/0] via 61.1.2.10, Backup
C    192.168.1.0 255.255.255.0 is directly connected, Inside
S    61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C    61.1.2.0 255.255.255.0 is directly connected, Backup
S*   0.0.0.0 0.0.0.0 [10/0] via 61.1.2.10, Backup

---When the Outside link recovers and the SLA detects it, the default route switches back and Internet traffic again uses the Outside interface

C. Only the Backup link of PIX1/PIX2 fails:

---Because the *** route tracks the peer's Backup interface address, a Backup-link failure on either side is enough to switch the *** traffic on both sides. This avoids the case where the two carriers' address spaces cannot reach each other and one side's Outside interface tries to peer with the other side's Backup interface, so that the *** could never be established.

PIX1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [254/0] via 202.100.1.10, Outside
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside

PIX2# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 202.100.2.10 to network 0.0.0.0

C    202.100.2.0 255.255.255.0 is directly connected, Outside
S    172.16.1.0 255.255.255.0 [254/0] via 202.100.2.10, Outside
C    192.168.1.0 255.255.255.0 is directly connected, Inside
S    61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C    61.1.2.0 255.255.255.0 is directly connected, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.2.10, Outside

---When the Backup link recovers, i.e. once the SLA sees that each side can ping the other's Backup interface address again, the route to the peer's internal network switches back and *** traffic again uses the Backup interface
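Reading the routing tables above by eye works for a lab, but the same check can be automated so that a failover test (or a monitoring job) compares the live table against the intended egress per traffic class. The script below is an added example, not part of the original post: it parses PIX/ASA `show route` output, answers "which interface and gateway would this destination use?" by longest-prefix match, and reports any destination whose egress differs from what the design expects. The two embedded tables are copied from PIX1's output in scenarios B and C above; the destinations used as "an Internet host" (8.8.8.8) and "a host on the peer LAN" (192.168.1.9) are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# One "show route" entry on the PIX/ASA takes one of these shapes:
#   S    192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
#   C    172.16.1.0 255.255.255.0 is directly connected, inside
#   S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
ROUTE_LINE = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>\S+)|is directly connected),\s+"
    r"(?P<iface>\S+)\s*$"
)

# PIX1 table with the Outside link down (copied from scenario B above).
PIX1_OUTSIDE_DOWN = """
Gateway of last resort is 61.1.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [10/0] via 61.1.1.10, Backup
"""

# PIX1 table with the Backup link down (copied from scenario C above).
PIX1_BACKUP_DOWN = """
Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [254/0] via 202.100.1.10, Outside
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
"""


def parse_show_route(text: str) -> List[dict]:
    """Extract route entries; the code legend and 'Gateway of last resort' line are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        routes.append({
            "code": m["code"], "net": net, "iface": m["iface"],
            "gateway": m["gw"],                      # None for connected routes
            "ad": int(m["ad"]) if m["ad"] else 0,    # connected routes have distance 0
        })
    return routes


def lookup(routes: List[dict], dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match; returns (interface, gateway), or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r["net"].prefixlen)
    return best["iface"], best["gateway"]


def check_expectations(text: str, expected: Dict[str, str]) -> List[str]:
    """Compare each destination's egress interface with the intended one.

    Returns a list of mismatch descriptions; an empty list means the table
    routes every listed destination the way the design intends.
    """
    routes = parse_show_route(text)
    problems = []
    for dst, iface in expected.items():
        hit = lookup(routes, dst)
        got = hit[0] if hit else None
        if got != iface:
            problems.append(f"{dst}: expected {iface}, got {got}")
    return problems


if __name__ == "__main__":
    # Intended egress per traffic class with the Backup link down:
    # Internet and peer-LAN traffic both leave via Outside, the probe stays on Backup.
    design = {"8.8.8.8": "Outside", "192.168.1.9": "Outside", "61.1.2.1": "Backup"}
    print("Backup link down:", check_expectations(PIX1_BACKUP_DOWN, design) or "OK")
    # The same expectations applied to the Outside-down table flag the differences.
    print("Outside link down:", check_expectations(PIX1_OUTSIDE_DOWN, design) or "OK")
```

Feeding the script the table captured after each link is shut down gives a pass/fail per scenario instead of a manual read of the `S*` and `[254/0]` entries; the probe destination is included deliberately, because the host route to the peer's Backup address must stay on Backup in every state for the SLA to detect recovery.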
