展开全部
我前根据配置资料做笔记没说利用IP址做判断功62616964757a686964616fe4b893e5b19e31333363373664能基础配置路由图实现(部资料源于 07net01 - cisco网络技术 网站)
Asa/PIXStatic Route Tracking命令效解决双ISP口问题
存问题:
静态路由没固定机制决定否用即使跳达静态路由存路由表ASA自条路由相关接口down才路由表删除
解决办:
Static Route Trackingfeature提供种追踪静态路由主路由失效安装备份路由进路由表例:2条缺省指向同ISP主ISP 断立即启用备用ISP链路使用ICMP进行追踪定holdtime没收reply认条链路down立即删除该静态路由预先设置备份路由进入路由表
注意:配置要outside口放icmp reply(打icmp限制)
pixFirewall(config)#sla monitor sla_id #指定检测slaID
Pixfirewall(config-sla-monitor)# type echo protocol ipIcmpEcho target_ip interface
if_name #指定检测协议类型ICMP协议并指定检测目址接口
必须ping通址址用track跟踪路由删除备份路由进路由表
pixFirewall(config)#sla monitor schedule sla_id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring] #指定Schedule般start now
必须要写间表track路由进路由表
pixFirewall(config)# track track_id rtr sla_id reachability #指定TrackID并要求追踪SlaID达性
pixFirewall(config)# route if_name dest_ip mask gateway_ip [admin_distance] track track_i #设定默认路由并绑定TrackID
配置实例:
sla monitor 1
type echo protocol ipIcmpEcho 202.1.1.2 interface dx
sla monitor schedule 1 start-time now(必须配置track路由进路由表)
track 2 rtr 1 reachability
route dx 0.0.0.0 0.0.0.0 202.1.1.2 1 track 2 (电信默认网关追踪址达性)
route wt 0.0.0.0 0.0.0.0 101.1.1.2 2 (网通默认网关)
配置202.1.1.2 ping通(ICMP协议能Reachability)候route dx 0.0.0.0 0.0.0.0 202.1.1.2 1路由表删除并由第二条默认路由即route wt 0.0.0.0 0.0.0.0 101.1.1.2 2取代202.1.1.2恢复重新变dx 0.0.0.0 0.0.0.0 202.1.1.2 1
feature我想家项目都遇ASA效解决
与我用路由器实现双口备份通配置SAA检查其连通性并跟踪结路由进行选择实现思路非精巧
附:PIX双口ISP配置实例
网络拓扑图:
配置文件:
Pixfirewall# show running-config
: Saved
:
PIX Version 7.2(1)
hostname pix
domain-name default.domain.invalid
enable password 9jNfZuG3TC5tCVH0 encrypted
names
interface Ethernet0
nameif outside
security-level 0
ip address 10.200.159.2 255.255.255.248
interface Ethernet1
nameif backup--- 命名链接备份ISP接口接口名字随便起名字security-level 0
ip address 10.250.250.2 255.255.255.248
interface Ethernet2
nameif inside
security-level 100
ip address 172.22.1.163 255.255.255.0
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu backup 1500
mtu inside 1500
no failover
asdm image flash:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 172.16.1.0 255.255.255.0
--- 配置双ISP接口NAT都直接指定接口IP址
route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
--- 配置追踪默认静态路由并指定管理距离1.
--- 追踪静态路由追踪功则路由表否则路由表清除
route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
--- 配置备份默认静态路由定要指定管理距离于追踪静态默认路由
--- 追踪默认静态路由追踪功则选用追踪路由其管理距离
--- 追踪默认静态路由追踪功则选用本条路由追踪默认路由已路由表清除
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ffIRPGpDSOJh9YLq encrypted
http server enable
http 172.22.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 10.0.0.1 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
--- 配置SLA Monitor设定ID123;指定协议监测目IP址及接口
--- 并且设置包数频率10秒
--- 配置SLA Monitor ID123命期始间
track 1 rtr 123 reachability
--- 配置Track ID1RTR要求判断标准达性
--- 与前面命令route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1 相应
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:a4a0e9be4593ad43bc17a1cc25e32dc2: end
![]()
已赞过
已踩过<
你对这个回答的评价是?
评论
收起
转播
