ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example


Network Diagram

This document uses this network setup:


This document uses these configurations:

Command-Line Interface (CLI)

Adaptive Security Device Manager (ASDM)

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

pix# show running-config
: Saved
PIX Version 7.2(1)
hostname pix
domain-name default.domain.invalid
enable password 9jNfZuG3TC5tCVH0 encrypted
interface Ethernet0
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 nameif backup

!-- The interface attached to the Secondary ISP.
!-- "backup" was chosen here, but any name can be assigned.

 security-level 0
 ip address
interface Ethernet2
 nameif inside
 security-level 100
 ip address
interface Ethernet3
 no nameif
 no security-level
 no ip address
interface Ethernet4
 no nameif
 no security-level
 no ip address
interface Ethernet5
 no nameif
 no security-level
 no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu backup 1500
mtu inside 1500
no failover
asdm image flash:/asdm521.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1

!-- NAT Configuration for Outside and Backup

route outside 1 track 1

!-- Enter this command in order to track a static route.
!-- This is the static route to be installed in the routing
!-- table while the tracked object is reachable.  The value after
!-- the keyword "track" is a tracking ID you specify.

route backup 254

!-- Define the backup route to use when the tracked object is unavailable.
!-- The administrative distance of the backup route must be greater than
!-- the administrative distance of the tracked route.
!-- If the primary gateway is unreachable, that route is removed
!-- and the backup route is installed in the routing table
!-- instead of the tracked route.

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ffIRPGpDSOJh9YLq encrypted
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 123
 type echo protocol ipIcmpEcho interface outside
 num-packets 3
 frequency 10

!-- Configure a new monitoring process with the ID 123.  Specify the
!-- monitoring protocol and the target network object whose availability the tracking
!-- process monitors.  Specify the number of packets to be sent with each poll.
!-- Specify the rate at which the monitor process repeats (in seconds).

sla monitor schedule 123 life forever start-time now

!-- Schedule the monitoring process.  In this case the lifetime
!-- of the process is specified to be forever.  The process is scheduled to begin
!-- at the time this command is entered.  As configured, this command allows the
!-- monitoring configuration specified above to determine how often the testing
!-- occurs.  However, you can schedule this monitoring process to begin in the
!-- future and to only occur at specified times.

track 1 rtr 123 reachability

!-- Associate a tracked static route with the SLA monitoring process.
!-- The track ID corresponds to the track ID given to the static route to monitor:
!-- route outside 1 track 1
!-- "rtr" = Response Time Reporter entry.  123 is the ID of the SLA process
!-- defined above.

telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end
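The comments above tie four pieces together: the tracked route's `track` ID must name a `track` object, that object must point at an `sla monitor` that is actually scheduled, and the backup route must carry a higher administrative distance than the tracked one. A common failure mode is getting one of those links wrong, in which case the tracked route silently never fails over. The checker below is an added example, not Cisco's code or part of the original document; it parses the route, track and SLA lines of an ASA 7.x configuration and reports any broken link. The sample configuration is constructed from this page's commands with placeholder addresses (203.0.113.1, 198.51.100.1) where the page elides them.

```python
import re

# Constructed sample: the route/track/SLA lines from this page, with
# documentation-range placeholder addresses so that the lines parse.
SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

# route <iface> <net> <mask> <gateway> <AD> [track <id>]
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+) (\d+)(?: track (\d+))?$")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability$")
SLA_RE = re.compile(r"^sla monitor (\d+)$")
SCHED_RE = re.compile(r"^sla monitor schedule (\d+) ")


def check_tracked_routes(config: str) -> list:
    """Return the problems found in the route-tracking setup (empty = OK).
    Each tracked route must reference a defined track object, that track
    must reference a defined and scheduled SLA monitor, and a backup route
    for the same destination must exist with a higher administrative distance."""
    routes, tracks, slas, scheduled = [], {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            iface, net, mask, _gw, ad, track = m.groups()
            routes.append((iface, net, mask, int(ad), int(track) if track else None))
        elif m := TRACK_RE.match(line):
            tracks[int(m.group(1))] = int(m.group(2))   # track id -> sla id
        elif m := SLA_RE.match(line):
            slas.add(int(m.group(1)))
        elif m := SCHED_RE.match(line):
            scheduled.add(int(m.group(1)))
    problems = []
    for iface, net, mask, ad, track in routes:
        if track is None:
            continue                                    # untracked (backup) route
        if track not in tracks:
            problems.append(f"route via {iface}: track {track} is not defined")
            continue
        sla = tracks[track]
        if sla not in slas:
            problems.append(f"track {track}: sla monitor {sla} is not defined")
        elif sla not in scheduled:
            problems.append(f"track {track}: sla monitor {sla} is never scheduled")
        # The backup must cover the same destination with AD greater than the tracked AD.
        backups = [b for b in routes if b[1:3] == (net, mask) and b[4] is None and b[3] > ad]
        if not backups:
            problems.append(f"route via {iface}: no backup route for {net}/{mask} with AD > {ad}")
    return problems
```

Running `check_tracked_routes(SAMPLE_CONFIG)` on the sample returns an empty list; lowering the backup route's distance to 1 or dropping the `sla monitor schedule` line produces a specific finding.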

Article from: CCIE那点事. All rights reserved. Unless another source is noted, articles on this site are the author's original work; they may be freely quoted with attribution, but reproduction in full is prohibited.