February 26, 2014
 

Two WAN links are connected; different services enter the internal network through static mappings on different WAN interfaces.
Link redundancy: when the primary link goes down, outbound traffic switches to the second link.

Check the interface and VLAN assignment with show run:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
 !
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.3.100 255.255.252.0
 !
interface Vlan3
 nameif outside1
 security-level 0
 ip address 172.16.19.2 255.255.255.0

Define two network objects. Both cover 0.0.0.0/0; a network object can carry only one nat statement, so a second object is needed for the dynamic PAT on the second outside interface:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_172
 subnet 0.0.0.0 0.0.0.0

Internal host 192.168.15.11, port 3389, is published through both OUTSIDE interfaces. For the same reason as above, the host is defined twice (192.168.15.11 and 192.168.15.11-2) so that each object can hold its own static NAT:

OUTSIDE (0/0) interface IP 192.168.3.100, mapped IP 192.168.3.101
OUTSIDE1 (0/1) interface IP 172.16.19.2, mapped IP 172.16.19.13

object network 192.168.15.11
 host 192.168.15.11
object network 192.168.15.11-2
 host 192.168.15.11
object-group service 192.168.3.101
 service-object tcp-udp destination eq 3389
object-group service 172.16.19.13
 service-object tcp-udp destination eq 3389

Access control list rules. The first two entries permit only TCP/UDP 3389 from any source to the real host (post-8.3 ACLs match on the real, untranslated address); outside_access_in permits all IP traffic and is used only for the control-plane binding below:

access-list outside_access extended permit object-group 192.168.3.101 any object 192.168.15.11
access-list outside_access extended permit object-group 172.16.19.13 any object 192.168.15.11-2
access-list outside_access_in extended permit ip any any

NAT rules (the dns keyword rewrites A records in DNS replies that carry the mapped address):

object network obj_any
 nat (inside,outside) dynamic interface
object network 192.168.15.11
 nat (inside,outside) static 192.168.3.101 dns
object network obj_172
 nat (inside,outside1) dynamic interface
object network 192.168.15.11-2
 nat (inside,outside1) static 172.16.19.13 dns

Apply the rules to the interfaces. The same outside_access list is bound inbound on both outside interfaces. outside_access_in (permit ip any any) is bound only as the control-plane ACL, i.e. for traffic addressed to the ASA itself; it does not by itself expose any management service, since ssh, http and icmp access to the box are still enabled and restricted by their own commands:

access-group outside_access_in in interface outside control-plane
access-group outside_access in interface outside
access-group outside_access_in in interface outside1 control-plane
access-group outside_access in interface outside1
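A quick way to confirm that each mapping admits exactly TCP 3389 and nothing else is packet-tracer, which walks a synthetic packet through the ACL and NAT phases. The commands below are an added check, not part of the original post; the source address 203.0.113.5 and source port 40000 are made-up values.

```cisco
! Expected result: ACCEPT, with the NAT phase untranslating 192.168.3.101 -> 192.168.15.11
packet-tracer input outside tcp 203.0.113.5 40000 192.168.3.101 3389

! Same host reached through the second WAN interface; expected: ACCEPT, 172.16.19.13 -> 192.168.15.11
packet-tracer input outside1 tcp 203.0.113.5 40000 172.16.19.13 3389

! Port 22 is not in the service object-group; expected: DROP in the ACCESS-LIST phase (acl-drop)
packet-tracer input outside tcp 203.0.113.5 40000 192.168.3.101 22

! Inspect the configured static entries and the translations currently in use
show nat detail
show xlate
```

If the third trace is accepted, the ACL is matching more than the intended port and the service object-group should be re-checked before the host is exposed.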

Default routes on the two outside interfaces. OUTSIDE (0/0) is preferred with metric 1; the metric-2 route on outside1 is a floating static that is installed only when the outside interface itself goes down. A failure further upstream (interface still up, gateway unreachable) will not trigger the switch unless the primary route is tied to an SLA tracker:

route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
route outside1 0.0.0.0 0.0.0.0 172.16.19.1 2
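To fail over on loss of upstream reachability as well, tie the primary default route to an IP SLA tracker so that it is withdrawn when the gateway stops answering. The following is an added example, not from the original post. It assumes the same gateways as above and that 192.168.1.254 answers ICMP echo; the SLA and track IDs (1) are arbitrary choices.

```cisco
! Probe the primary gateway every 5 seconds, sourced from the outside interface
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.1.254 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now

! Track object 1 follows the reachability state of SLA 1
track 1 rtr 1 reachability

! The primary route is removed while track 1 is down; the floating metric-2 route then takes over
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1 track 1
route outside1 0.0.0.0 0.0.0.0 172.16.19.1 2
```

Verify with show track 1 and show route; pulling the cable on 0/0 or blocking ICMP from 192.168.1.254 should flip the default route to outside1 within a few probe intervals, and restoring the gateway should flip it back.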
