

PIX 8.0 dual link: separating VPN and Internet traffic with line redundancy (test)

2013-07-12 23:49

1. Overview:

   Headquarters and the branch each have a PIX 8.0 with two uplinks, for example one China Telecom line and one China Mobile line. The requirement: each site's Internet traffic from its LAN goes out over the Telecom line and VPN traffic goes over the Mobile line, but if either the Telecom line or the Mobile line fails, neither Internet access nor the VPN may be interrupted.

2. Basic approach:

A. Configure two default routes: the Mobile line with a higher administrative distance (10 in the configuration below), the Telecom line with distance 1, and use an SLA monitor to track the Telecom line's gateway

----This ensures Internet traffic uses the Telecom line by default and falls back to the Mobile line when the Telecom line fails

B. Configure two routes to the remote LAN for the VPN traffic: the Telecom line with distance 254, the Mobile line with distance 1, and use an SLA monitor to track the Mobile-side interface address of the peer PIX

----This ensures VPN traffic uses the Mobile line by default and, when the Mobile line fails, both sides move their VPN traffic to the Telecom line

Note: the trailing number of the PIX route command is the administrative distance (the first number in the brackets of show route), not a routing-protocol metric; it is what turns the second route of each pair into a floating static route that only becomes active when the tracked route is withdrawn.
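The route selection behind these two rules, as an added example in Python that is not part of the original page: it models longest-prefix match plus administrative distance over static routes that are only installed while their SLA track is up, and shows how the winning interface also selects the IKE peer, since each interface carries a crypto map with one fixed peer. Prefixes, next hops and peers are PIX1's from the configuration later on this page; the track states are simulated inputs, 198.51.100.1 stands in for an arbitrary Internet host, and PAT, ACLs and the IPsec negotiation itself are outside the model.

```python
"""Route selection behind the two-rule design above (added example, not
code or configuration from the original page).

Models how the PIX picks an egress interface for a packet: longest prefix
match first, then the lowest administrative distance among the static
routes that are actually installed, where a route bound to an SLA track
is installed only while that track is up.  Because each interface carries
its own crypto map with one fixed peer, the winning route also decides
which IKE peer protects VPN traffic.  Track states are simulated inputs;
PAT, interface ACLs and IPsec negotiation are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                  # destination, e.g. "0.0.0.0/0"
    interface: str               # "Outside" (Telecom) or "Backup" (Mobile)
    next_hop: str
    distance: int                # trailing number of the PIX 'route' command
    track: Optional[int] = None  # SLA track id; None = always installed


# PIX1's static routes, same values as the page's configuration.
PIX1_ROUTES = [
    Route("0.0.0.0/0",      "Outside", "202.100.1.10", 1,   track=1),
    Route("0.0.0.0/0",      "Backup",  "61.1.1.10",    10),
    Route("61.1.2.1/32",    "Backup",  "61.1.1.10",    1),   # SLA 2 probe target
    Route("192.168.1.0/24", "Backup",  "61.1.1.10",    1,   track=2),
    Route("192.168.1.0/24", "Outside", "202.100.1.10", 254),
]

# crypto map applied on each interface -> the single peer it negotiates with
PIX1_PEERS = {"Outside": "202.100.2.1", "Backup": "61.1.2.1"}

# access-list VPN: (source network, destination network) pairs that get encrypted
CRYPTO_ACL = [("172.16.1.0/24", "192.168.1.0/24")]


def installed(routes, track_up):
    """Routes present in the RIB: untracked ones plus tracked ones whose track is up."""
    return [r for r in routes if r.track is None or track_up.get(r.track, False)]


def best_route(routes, dst, track_up):
    """Longest prefix match, then lowest administrative distance."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in installed(routes, track_up)
                  if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                          r.distance))


def forward(routes, peers, src, dst, track_up):
    """Egress decision for one packet: interface, next hop and (if the packet
    matches the crypto ACL) the IKE peer of the crypto map on that interface."""
    r = best_route(routes, dst, track_up)
    if r is None:
        return None
    encrypt = any(ipaddress.ip_address(src) in ipaddress.ip_network(s)
                  and ipaddress.ip_address(dst) in ipaddress.ip_network(d)
                  for s, d in CRYPTO_ACL)
    return {"interface": r.interface, "next_hop": r.next_hop,
            "peer": peers[r.interface] if encrypt else None}


def scenario(track1_up, track2_up):
    """Where PIX1 sends Internet, VPN and SLA-2 probe traffic for a given track state.
    198.51.100.1 is an arbitrary stand-in for an Internet host (assumption)."""
    tu = {1: track1_up, 2: track2_up}
    return {
        "internet":   forward(PIX1_ROUTES, PIX1_PEERS, "172.16.1.2", "198.51.100.1", tu),
        "vpn":        forward(PIX1_ROUTES, PIX1_PEERS, "172.16.1.2", "192.168.1.2", tu),
        "sla2_probe": forward(PIX1_ROUTES, PIX1_PEERS, "61.1.1.1", "61.1.2.1", tu),
    }


if __name__ == "__main__":
    for t1, t2, label in [(True, True, "both links up"),
                          (False, True, "Telecom (Outside) down"),
                          (True, False, "Mobile (Backup) path down")]:
        s = scenario(t1, t2)
        print(f"{label}: internet via {s['internet']['interface']}, "
              f"VPN via {s['vpn']['interface']} to peer {s['vpn']['peer']}")
```

Removing the untracked 61.1.2.1/32 host route from PIX1_ROUTES makes the SLA 2 probe follow the default route out Outside, which is why the configuration carries that host route alongside the tracked route.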

3. Test topology:

(The diagram is not reproduced; the topology as given by the configurations below:)
R1 (172.16.1.2) --- inside PIX1 (172.16.1.1)
PIX1 Outside (202.100.1.1) --- R2 (202.100.1.10 / 202.100.2.10) --- PIX2 Outside (202.100.2.1)
PIX1 Backup (61.1.1.1) --- R3 (61.1.1.10 / 61.1.2.10) --- PIX2 Backup (61.1.2.1)
PIX2 Inside (192.168.1.1) --- R4 (192.168.1.2)
R2 plays the Telecom carrier, R3 the Mobile carrier.

4. Basic configuration:

A.R1:

interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 172.16.1.1

B.PIX1:

interface Ethernet0
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0 
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0 
no shut

interface Ethernet2
nameif Backup
security-level 0
ip address 61.1.1.1 255.255.255.0 
no shut

C.R2:

interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.10 255.255.255.0
no shut

D.R3:

interface FastEthernet0/0
ip address 61.1.1.10 255.255.255.0
no shut

interface FastEthernet0/1
ip address 61.1.2.10 255.255.255.0
no shut

E.PIX2:

interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0 
no shut

interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0 
no shut

interface Ethernet2
nameif Backup
security-level 0
ip address 61.1.2.1 255.255.255.0 
no shut

F.R4:

interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 192.168.1.1

5. Firewall configuration:

A.PIX1:

① SLA configuration:

sla monitor 1
type echo protocol ipIcmpEcho 202.100.1.10 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.2.1 interface Backup
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now
---sla monitor 2 has to be scheduled as well: an unscheduled monitor never sends probes, so track 2 would have nothing to follow
---sla monitor 1 probes the directly connected next hop, so it only detects a failure of the local Telecom link or first hop; probing an address further inside the carrier (as track 2 does with the peer's Backup address) would also catch upstream outages

② Track configuration:

track 1 rtr 1 reachability
track 2 rtr 2 reachability

③ Default route configuration:

route Outside 0.0.0.0 0.0.0.0 202.100.1.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.1.10 10

④ Static route configuration:

route Backup 61.1.2.1 255.255.255.255 61.1.1.10 1 (host route for the track 2 SLA probe; without it the probe to 61.1.2.1 would follow the default route out Outside)
route Backup 192.168.1.0 255.255.255.0 61.1.1.10 1 track 2
route Outside 192.168.1.0 255.255.255.0 202.100.1.10 254
---Do not enable reverse route injection (RRI) on the crypto maps: RRI would install its own route to 192.168.1.0/24 on whichever interface the SA comes up, overriding the tracked routes above

PAT and NAT exemption configuration:

access-list PAT extended permit ip 172.16.1.0 255.255.255.0 any 
nat (inside) 1 access-list PAT
global (Outside) 1 interface
global (Backup) 1 interface
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 
nat (inside) 0 access-list NONAT
---NAT exemption (nat 0) is evaluated before the PAT rule, so traffic to 192.168.1.0/24 keeps its real source address and matches the crypto ACL, while everything else is PATed to the interface address of whichever uplink the route selects

Policy (interface ACL) configuration:

access-list OUTSIDE extended permit icmp any any 
access-list BACKUP extended permit icmp any any 
access-group OUTSIDE in interface Outside
access-group BACKUP in interface Backup
---Only ICMP is permitted inbound, which is all the ping tests need. IKE to the firewall's own interface address is not filtered by these ACLs once ISAKMP is enabled on that interface, and decrypted VPN traffic bypasses them by default (sysopt connection permit-vpn). Outside a lab, replace permit icmp any any with the specific flows required

L2L VPN configuration:

---Phase 1 (ISAKMP) policy and one tunnel-group per peer address:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
tunnel-group 61.1.2.1 type ipsec-l2l
tunnel-group 61.1.2.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
---Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac 
---3des/md5/group 2 in phase 1, esp-des/esp-md5-hmac here and the pre-shared key cisco are lab values only; in production use AES, a stronger hash and DH group, and a long random pre-shared key or certificates
---Interesting traffic (crypto ACL):
access-list VPN extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 
---Configure the crypto maps, apply them to the interfaces and enable ISAKMP on the interfaces. Each interface has its own crypto map with a single fixed peer, so the route that wins for 192.168.1.0/24 also selects the peer (202.100.2.1 via Outside, 61.1.2.1 via Backup); after a route flip the old SA lingers until DPD (isakmp keepalive) or the lifetime clears it, and the new SA is negotiated on the other interface as soon as interesting traffic arrives:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.2.1 
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto map crymap-backup 10 match address VPN
crypto map crymap-backup 10 set peer 61.1.2.1 
crypto map crymap-backup 10 set transform-set transet
crypto map crymap-backup interface Backup
crypto isakmp enable Outside
crypto isakmp enable Backup

B.PIX2:

① SLA configuration:

sla monitor 1
type echo protocol ipIcmpEcho 202.100.2.10 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.1.1 interface Backup
num-packets 3
frequency 10
sla monitor schedule 2 life forever start-time now

② Track configuration:

track 1 rtr 1 reachability
track 2 rtr 2 reachability

③ Default route configuration:

route Outside 0.0.0.0 0.0.0.0 202.100.2.10 1 track 1
route Backup 0.0.0.0 0.0.0.0 61.1.2.10 10

④ Static route configuration:

route Backup 61.1.1.1 255.255.255.255 61.1.2.10 1 (host route for the track 2 SLA probe)
route Backup 172.16.1.0 255.255.255.0 61.1.2.10 1 track 2
route Outside 172.16.1.0 255.255.255.0 202.100.2.10 254
---Do not enable reverse route injection on the crypto maps

PAT and NAT exemption configuration:

access-list PAT extended permit ip 192.168.1.0 255.255.255.0 any 
nat (inside) 1 access-list PAT
global (Outside) 1 interface
global (Backup) 1 interface
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0  
nat (inside) 0 access-list NONAT

Policy (interface ACL) configuration:

access-list OUTSIDE extended permit icmp any any 
access-list BACKUP extended permit icmp any any 
access-group OUTSIDE in interface Outside
access-group BACKUP in interface Backup

L2L VPN configuration:

---Phase 1 (ISAKMP) policy and one tunnel-group per peer address:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
tunnel-group 61.1.1.1 type ipsec-l2l
tunnel-group 61.1.1.1 ipsec-attributes
pre-shared-key cisco
isakmp keepalive threshold 20 retry 3
---Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac 
---Interesting traffic (crypto ACL):
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 
---Configure the crypto maps, apply them to the interfaces and enable ISAKMP on the interfaces:
crypto map crymap 10 match address VPN
crypto map crymap 10 set peer 202.100.1.1 
crypto map crymap 10 set transform-set transet
crypto map crymap interface Outside
crypto map crymap-backup 10 match address VPN
crypto map crymap-backup 10 set peer 61.1.1.1 
crypto map crymap-backup 10 set transform-set transet
crypto map crymap-backup interface Backup
crypto isakmp enable Outside
crypto isakmp enable Backup

6. Verification:

A. Both links up:

---Internet traffic exits the Outside interface, VPN traffic exits the Backup interface

---as the following routing tables show

PIX1# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      * - candidate default, U - per-user static route, o - ODR
      P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside

PIX2# show route

Gateway of last resort is 202.100.2.10 to network 0.0.0.0

C    202.100.2.0 255.255.255.0 is directly connected, Outside
S    172.16.1.0 255.255.255.0 [1/0] via 61.1.2.10, Backup
C    192.168.1.0 255.255.255.0 is directly connected, Inside
S    61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C    61.1.2.0 255.255.255.0 is directly connected, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.2.10, Outside

B. Only the Outside link of PIX1/PIX2 fails:

---Manually shut down the R2 interfaces facing the Outside interfaces of PIX1/PIX2

---SLA 1 stops getting replies, track 1 goes down and the tracked default route is withdrawn, so the floating default route via Backup (distance 10, shown as [10/0] below) takes over. Only Internet traffic moves; the VPN route and the track 2 probe are untouched

PIX1# show route

Gateway of last resort is 61.1.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [10/0] via 61.1.1.10, Backup

PIX2# show route

Gateway of last resort is 61.1.2.10 to network 0.0.0.0

C    202.100.2.0 255.255.255.0 is directly connected, Outside
S    172.16.1.0 255.255.255.0 [1/0] via 61.1.2.10, Backup
C    192.168.1.0 255.255.255.0 is directly connected, Inside
S    61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C    61.1.2.0 255.255.255.0 is directly connected, Backup
S*   0.0.0.0 0.0.0.0 [10/0] via 61.1.2.10, Backup

---When the Outside link recovers and SLA 1 sees replies again, the tracked default route is reinstalled and Internet traffic returns to the Outside interface

C. Only the Backup link of PIX1/PIX2 fails:

---Because the VPN route tracks the peer's Backup interface address rather than the local next hop, a failure anywhere on the Backup path, on either side, flips the VPN route on both firewalls at the same time. The two sides must flip together: each interface's crypto map has a fixed peer, so if only one side switched it would try to reach the peer's Backup address from its own Outside interface, and if the two carriers' address ranges are not reachable from each other the tunnel could not be built

PIX1# show route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [254/0] via 202.100.1.10, Outside
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside

PIX2# show route

Gateway of last resort is 202.100.2.10 to network 0.0.0.0

C    202.100.2.0 255.255.255.0 is directly connected, Outside
S    172.16.1.0 255.255.255.0 [254/0] via 202.100.2.10, Outside
C    192.168.1.0 255.255.255.0 is directly connected, Inside
S    61.1.1.1 255.255.255.255 [1/0] via 61.1.2.10, Backup
C    61.1.2.0 255.255.255.0 is directly connected, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.2.10, Outside

---When the Backup path recovers, i.e. the SLA probes can again reach the peer's Backup interface address, the route to the remote LAN switches back and VPN traffic again uses the Backup interface
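To verify the failover state from a script instead of reading show route by eye, the following added Python example (not part of the original page) parses the route lines in the format printed above and maps the interfaces carrying the default route and the remote-LAN route to one of the states tested in this section. The two sample outputs are constructed from this page's own listings with the code legend removed; collecting the output from the firewall (SSH, expect, an API) is assumed and not shown.

```python
"""Classify the dual-link state from PIX 'show route' output.

Added example, not from the original page.  Parses the route lines that
'show route' prints (static, default and connected) and reports which
interface currently carries the default route (Internet traffic) and the
route to the remote LAN (VPN traffic), mapping the combination to one of
the failover states tested above.  Collecting the output from the firewall
is assumed and not shown; the samples below are constructed from this
page's listings with the code legend removed.
"""
import ipaddress
import re

# "S*   0.0.0.0 0.0.0.0 [10/0] via 61.1.1.10, Backup"
STATIC_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+),\s+(?P<iface>\S+)$")
# "C    61.1.1.0 255.255.255.0 is directly connected, Backup"
CONNECTED_RE = re.compile(
    r"^(?P<code>C)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+is directly connected,\s+(?P<iface>\S+)$")

# (default-route interface, VPN-route interface) -> state name
STATES = {
    ("Outside", "Backup"):  "normal",             # section 6 A
    ("Backup",  "Backup"):  "outside-link-down",  # section 6 B
    ("Outside", "Outside"): "backup-path-down",   # section 6 C
    ("Backup",  "Outside"): "both-tracks-down",   # both SLAs failing at once
}


def parse_show_route(text):
    """One dict per route line; legend and 'Gateway of last resort' lines are skipped."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line) or CONNECTED_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        net = ipaddress.ip_network(f"{d['net']}/{d['mask']}", strict=False)
        routes.append({
            "code": d["code"],
            "prefix": str(net),                      # "0.0.0.0/0", "61.1.2.1/32", ...
            "interface": d["iface"],
            "next_hop": d.get("nh"),                 # None for connected routes
            "distance": int(d["distance"]) if d.get("distance") else 0,
        })
    return routes


def route_for(routes, prefix):
    """show route lists only the installed winner, so an exact prefix match is enough."""
    return next((r for r in routes if r["prefix"] == prefix), None)


def link_state(text, remote_lan):
    """Which interface serves Internet and VPN traffic, and the failover state it implies."""
    routes = parse_show_route(text)
    default = route_for(routes, "0.0.0.0/0")
    vpn = route_for(routes, remote_lan)
    inet_if = default["interface"] if default else None
    vpn_if = vpn["interface"] if vpn else None
    return {
        "internet": inet_if,
        "vpn": vpn_if,
        "vpn_distance": vpn["distance"] if vpn else None,
        "state": STATES.get((inet_if, vpn_if), "unexpected"),
    }


# Constructed sample: PIX1 with both links up (section 6 A).
PIX1_NORMAL = """\
Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [1/0] via 61.1.1.10, Backup
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
"""

# Constructed sample: PIX1 after the Backup path failed (section 6 C).
PIX1_BACKUP_DOWN = """\
Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    202.100.1.0 255.255.255.0 is directly connected, Outside
S    192.168.1.0 255.255.255.0 [254/0] via 202.100.1.10, Outside
C    61.1.1.0 255.255.255.0 is directly connected, Backup
S    61.1.2.1 255.255.255.255 [1/0] via 61.1.1.10, Backup
S*   0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
"""

if __name__ == "__main__":
    for name, sample in (("normal", PIX1_NORMAL), ("backup down", PIX1_BACKUP_DOWN)):
        print(name, link_state(sample, "192.168.1.0/24"))
```

Run against PIX2 with remote_lan set to 172.16.1.0/24; an "unexpected" result (for example no default route at all) is the condition worth alerting on, since none of the three designed states produces it.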