ASA/PIX 7.x: Redundant or Backup ISP Links Configuration Example

Source: original to this site. Category: CISCO.

Network Diagram

This document uses this network setup:

http://img.bimg.126.net/photo/v3lmKE9dl9cXXqX-hrgudQ==/449234062847054682.jpg

Configurations

This document uses these configurations:

Command-Line Interface (CLI)

Adaptive Security Device Manager (ASDM)

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

pix# show running-config
: Saved
:
PIX Version 7.2(1)
!
hostname pix
domain-name default.domain.invalid
enable password 9jNfZuG3TC5tCVH0 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.200.159.2 255.255.255.248
!
interface Ethernet1
nameif backup

!--- The interface attached to the Secondary ISP.
!--- "backup" was chosen here, but any name can be assigned.

security-level 0
ip address 10.250.250.2 255.255.255.248
!
interface Ethernet2
nameif inside
security-level 100
ip address 172.22.1.163 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu backup 1500
mtu inside 1500
no failover
asdm image flash:/asdm521.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0

!--- NAT configuration for the outside and backup interfaces.

route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1

!--- Enter this command in order to track a static route.
!--- This is the static route to be installed in the routing
!--- table while the tracked object is reachable.  The value after
!--- the keyword "track" is a tracking ID you specify.

route backup 0.0.0.0 0.0.0.0 10.250.250.1 254

!--- Define the backup route to use when the tracked object is unavailable.
!--- The administrative distance of the backup route must be greater than
!--- the administrative distance of the tracked route.
!--- If the primary gateway is unreachable, that route is removed
!--- and the backup route is installed in the routing table
!--- instead of the tracked route.

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ffIRPGpDSOJh9YLq encrypted
http server enable
http 172.22.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10

!--- Configure a new monitoring process with the ID 123.  Specify the
!--- monitoring protocol and the target network object whose availability the tracking
!--- process monitors.  Specify the number of packets to be sent with each poll.
!--- Specify the rate at which the monitor process repeats (in seconds).

sla monitor schedule 123 life forever start-time now

!--- Schedule the monitoring process.  In this case the lifetime
!--- of the process is specified to be forever.  The process is scheduled to begin
!--- at the time this command is entered.  As configured, this command allows the
!--- monitoring configuration specified above to determine how often the testing
!--- occurs.  However, you can schedule this monitoring process to begin in the
!--- future and to only occur at specified times.

!
track 1 rtr 123 reachability

!--- Associate a tracked static route with the SLA monitoring process.
!--- The track ID corresponds to the track ID given to the static route to monitor:
!--- route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1
!--- "rtr" = Response Time Reporter entry.  123 is the ID of the SLA process
!--- defined above.

telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4a0e9be4593ad43bc17a1cc25e32dc2
: end
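As an added example (not part of the Cisco document or of this site's post), a small Python checker that parses the route, sla monitor, schedule and track lines of an ASA 7.x configuration like the one above and verifies the relationships the comments describe: the tracked default route's track ID resolves to a scheduled echo probe that leaves on the same interface, and every untracked default route has a higher administrative distance than the tracked one. The command syntax is taken from the configuration above; the check itself and the SAMPLE_CONFIG excerpt are constructed for this example.

```python
import re

# Constructed sample: the failover-relevant lines of the configuration above.
SAMPLE_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
sla monitor 123
 type echo protocol ipIcmpEcho 10.0.0.1 interface outside
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
"""

ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)(?: track (\d+))?$")
SLA_RE = re.compile(r"^sla monitor (\d+)$")
PROBE_RE = re.compile(r"^type echo protocol \S+ \S+ interface (\S+)$")
SCHED_RE = re.compile(r"^sla monitor schedule (\d+) ")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability$")


def check_backup_isp(config):
    """Return a list of findings; an empty list means the route/track/SLA wiring is consistent."""
    routes, probes, scheduled, tracks, sla = [], {}, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            routes.append((m.group(1), int(m.group(2)), m.group(3)))  # (nameif, AD, track id or None)
        elif m := SCHED_RE.match(line):
            scheduled.add(m.group(1))
        elif m := SLA_RE.match(line):
            sla = m.group(1)
        elif (m := PROBE_RE.match(line)) and sla:
            probes[sla] = m.group(1)  # sla id -> interface the echo probe leaves on
        elif m := TRACK_RE.match(line):
            tracks[m.group(1)] = m.group(2)  # track id -> sla id
    findings = []
    tracked = [r for r in routes if r[2] is not None]
    if not tracked:
        findings.append("no default route carries a 'track' keyword, so no failover can occur")
    for ifname, ad, tid in tracked:
        sla_id = tracks.get(tid)
        if sla_id not in probes:
            findings.append(f"track {tid} does not resolve to a defined echo probe")
            continue
        if sla_id not in scheduled:
            findings.append(f"sla monitor {sla_id} is never scheduled, so track {tid} stays down")
        if probes[sla_id] != ifname:
            findings.append(f"sla monitor {sla_id} probes via '{probes[sla_id]}', route uses '{ifname}'")
        for b_if, b_ad, _ in (r for r in routes if r[2] is None):
            if b_ad <= ad:
                findings.append(f"backup route on '{b_if}' has AD {b_ad}, not greater than {ad}")
    return findings
```

Running `check_backup_isp(SAMPLE_CONFIG)` on the excerpt returns an empty list; lowering the backup route's distance to 1, dropping the schedule line, or pointing the probe out the backup interface each produces one finding.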

Article from: CCIE那点事 (http://www.jdccie.com/), all rights reserved. Unless a source is noted, articles on this site are the author's original work; they may be freely cited with attribution, but full reposting is prohibited.
Link to this article: http://www.jdccie.com/?p=368. When reposting, please credit CCIE那点事.