实验:
1.思路:数据包的走向
2.要求:vlan互通,VRRP 内网pat访问外网,发布web服务器供外网访问,
让sw1作根交换机
1.配置sw10 创建vlan10 20 100
1端口加入vlan10 2和3端口为trunk模式
2.配置sw20 创建vlan10 20 40 100
1端口加入vlan100 3端口加入vlan40 2和4端口为trunk模式
配置vlanif 10 ip:192.168.10.254 24
vlanif20 ip:192.168.20.254 24
vlanif40 ip:192.168.40.1 24
vlanif100 ip:192.168.100.254 24
3.配置sw30 创建vlan10 20 50 100
1端口加入vlan20 3端口加入vlan50 2和4端口为trunk模式
配置vlanif 10 ip:192.168.10.253 24
vlanif20 ip:192.168.20.253 24
vlanif50 ip:192.168.50.1 24
vlanif100 ip:192.168.100.253 24
4.配置sw20 配置 vlan1的vrrp
vrrp vrid 10 virtual-ip 192.168.10.250
vrrp vrid 10 priority150
vrrp vrid 10 track interface g0/0/3 reduce 80
vrrp vrid 10 track interface g0/0/2 reduce 80
配置 vlan100的vrrp
vrrp vrid 100 virtual-ip 192.168.100.250
vrrp vrid 100 priority150
vrrp vrid 100 track interface g0/0/3 reduce 80
vrrp vrid 100 track interface g0/0/2 reduce 80
配置 vlan20的vrrp
vrrp vrid 20 virtual-ip 192.168.20.250
5.配置sw30 配置 vlan10的vrrp
vrrp vrid 10 virtual-ip 192.168.20.250
配置 vlan20的vrrp
vrrp vrid 20 virtual-ip 192.168.20.250
vrrp vrid 20priority150
vrrp vrid 20 track interface g0/0/3 reduce 80
vrrp vrid 20 track interface g0/0/2 reduce 80
配置 vlan100的vrrp
vrrp vrid 100 virtual-ip 192.168.100.250
6.配置sw20 配置rip
rip
version2
network 192.168.10.0
network 192.168.100.0
network 192.168.20.0
network 192.168.40.0
静态浮动路由
ip route-static 0.0.0.0 0.0.0.0 192.168.40.254
7.配置sw30 配置rip
rip
version2
network 192.168.10.0
network 192.168.20.0
network 192.168.50.0
network 192.168.100.0
静态浮动路由
ip route-static 0.0.0.0 0.0.0.0 192.168.50.254
8.配置防火墙
interface g0
nameif inside1
no shutdown
ip address 192.168.40.254 255.255.255.0
security-level 100
interface g1
nameif inside2
no shutdown
ip address 192.168.50.254 255.255.255.0
security-level 90
interface g2
nameif outside
no shutdown
ip address 200.8.8.1 255.255.255.252
security-level 0
配置默认路由
route inside1 192.168.10.0 255.255.255.0 192.168.40.1
route inside1 192.168.100.0 255.255.255.0 192.168.40.1
route inside2 192.168.20.0 255.255.255.0 192.168.50.1
route outside 200.1.1.0 255.255.255.0 200.8.8.2
备份
route inside2 192.168.1.0 255.255.255.0 192.168.50.2
route inside2 192.168.100.0 255.255.255.0 192.168.50.2
route inside2 192.168.2.0 255.255.255.0 192.168.50.2
9.配置AR1
配置0端口ip:200.1.1.254 24
1端口ip:200.8.8.2 255.255.255.252
配置静态浮动路由
ip route-static 0.0.0.0 0.0.0.0 200.8.8.1
10.在防火墙上配置静态NAT
object network ob-in1
subnet 192.168.10.0 255.255.255.0
nat (inside1,outside)dynamic 119.1.1.1
object network ob-in2
subnet 192.168.20.0 255.255.255.0
nat (inside2,outside)dynamic 119.1.1.2
此时client1和clent2 都可访问公网ftp 并抓包查看 内网地址已转化
配置动态PAT 使公网访问内网
object network ob-out
host 119.1.1.3
object network outside
host 200.1.1.1
nat (outside,inside1)static ob-out service tcp 80 80
配置ACL
access-list out-to-ins permit tcp any object inside1 eq http
access-group out-to-ins in interface outside