ASA双链路SLA配置测试

一.概述：

实际工作中估计会经常碰到用ASA接两家ISP线路，比如电信和网通，而又没有足够的预算买负载均衡设备，但是又想实现链路负载分担和自动切换，从电信来的流量，从电信线路回去，从网通来的流量从网通线路回去，当其中一条线路出现故障时，所有的流量从没有出现故障线路走。
二.基本思路：
A.用OSPF模拟运营商网络，主要是为了不想手工添加路由

B.通过添加默认路由走电信线路、监控电信线路的网关，和高metric的默认路由走网通线路，实现：

―-电信来的流量走电信回去（需要C手工配置网通静态路由相配合）

―-电信链路出现故障时，走网通线路

C.通过添加网通的静态路由走网通线路，并监控网通线路的网关，实现：

―-网通来的流量走网通回去

―-网通链路出现故障时，走电信线路的默认路由

D.对于静态NAT,实际环境只有当两条ISP线路都正常时，才会同时能被访问

E.测试环境，实现静态NAT当一条线路出现故障时，还能同时被访问，实现的方法是：

―ASA两个外部接口配置两条静态NAT

―ASA两个相连的ISP路由器把另外一家ISP所NAT的网段发布出去，并将metric设置比OSPF默认的大

三.测试拓扑：

四.基本配置：
A.R1：
①接口配置：
interfaceLoopback0
ipaddress1.1.1.1255.255.255.0
interfaceLoopback61
ipaddress61.1.3.1255.255.255.0
ipospfnetworkpoint-to-point
interfaceLoopback202
ipaddress202.100.3.1255.255.255.0
ipospfnetworkpoint-to-point
interfaceFastEthernet0/0
ipaddress202.100.2.1255.255.255.0
noshut
interfaceFastEthernet0/1
ipaddress61.1.2.1255.255.255.0
noshut
②路由配置:
routerospf1
router-id1.1.1.1
passive-interfacedefault
nopassive-interfaceFastEthernet0/0
nopassive-interfaceFastEthernet0/1
network61.1.2.10.0.0.0area0
network61.1.3.10.0.0.0area0
network202.100.2.10.0.0.0area0
network202.100.3.10.0.0.0area0
B:R2：
①接口配置：
interfaceLoopback0
ipaddress2.2.2.2255.255.255.0
interfaceFastEthernet0/0
ipaddress202.100.1.2255.255.255.0
noshut
interfaceFastEthernet0/1
ipaddress202.100.2.2255.255.255.0
noshut
interfaceFastEthernet1/0
ipaddress23.1.1.1255.255.255.252
noshut
②路由配置：
routerospf1
router-id2.2.2.2
log-adjacency-changes
passive-interfacedefault
nopassive-interfaceFastEthernet0/1
nopassive-interfaceFastEthernet1/0
network23.1.1.10.0.0.0area0
network202.100.1.20.0.0.0area0
network202.100.2.20.0.0.0area0
C.R3:
①接口配置：
interfaceLoopback0
ipaddress3.3.3.3255.255.255.0
interfaceFastEthernet0/0
ipaddress61.1.1.3255.255.255.0
noshut
interfaceFastEthernet0/1
ipaddress61.1.2.3255.255.255.0
noshut
interfaceFastEthernet1/0
ipaddress23.1.1.2255.255.255.252
noshut
②路由配置：
routerospf1
router-id3.3.3.3
passive-interfacedefault
nopassive-interfaceFastEthernet0/1
nopassive-interfaceFastEthernet1/0
network23.1.1.20.0.0.0area0
network61.1.1.30.0.0.0area0
network61.1.2.30.0.0.0area0
D.ASA842:
①接口配置：
interfaceGigabitEthernet0
nameifInside
security-level100
ipaddress10.1.1.10255.255.255.0
noshut
interfaceGigabitEthernet1
nameifOutside
security-level0
ipaddress202.100.1.10255.255.255.0
noshut
interfaceGigabitEthernet2
nameifBackup
security-level0
ipaddress61.1.1.10255.255.255.0
noshut
②两条线路的动态PAT配置：
objectnetworkinside_net
subnet0.0.0.00.0.0.0
objectnetworkinside_any
subnet0.0.0.00.0.0.0
objectnetworkinside_net
nat(Inside,Outside)dynamicinterface
objectnetworkinside_any
nat(Inside,Backup)dynamicinterface
③两条线路的静态NAT配置：
objectnetworkInside_host_outside
host10.1.1.4
objectnetworkInside_host_backup
host10.1.1.4
objectnetworkOutside-to-backup
host10.1.1.4
objectnetworkBackup-to-outside
host10.1.1.4
objectnetworkInside_host_outside
nat(Inside,Outside)static202.100.1.4
objectnetworkInside_host_backup
nat(Inside,Backup)static61.1.1.4
objectnetworkOutside-to-backup
nat(Inside,Outside)static61.1.1.4
objectnetworkBackup-to-outside
nat(Inside,Backup)static202.100.1.4
―-每条线路配置两条NAT,保证一条ISP线路出现故障时，两条静态NAT都能被访问
④防火墙策略配置：

class-mapALL_IP
matchany
policy-mapglobal_policy
classinspection_default
inspecticmp
classALL_IP
setconnectiondecrement-ttl
service-policyglobal_policyglobal
access-listoutsideextendedpermiticmpanyany
access-listoutsideextendedpermitudpanyanyrange3343433523
access-listoutsideextendedpermittcpanyobjectInside_host_outsideeqtelnet
access-groupoutsideininterfaceOutside
access-groupoutsideininterfaceBackup

E:R4:
①接口配置：
interfaceLoopback0
ipaddress192.168.1.4255.255.255.0
interfaceFastEthernet0/0
ipaddress10.1.1.4255.255.255.0
noshut
②路由配置：
iproute0.0.0.00.0.0.010.1.1.10
③telnet配置：
linevty04
passwordcisco
login
五.ASA842SLA及路由配置：
①sla配置：
slamonitor1
typeechoprotocolipIcmpEcho202.100.1.2interfaceOutside
frequency10
slamonitorschedule1lifeforeverstart-timenow
slamonitor2
typeechoprotocolipIcmpEcho61.1.1.3interfaceBackup
frequency10
slamonitorschedule2lifeforeverstart-timenow
②track配置：
track1rtr1reachability
track2rtr2reachability
③静态路由配置：
routeoutside00202.100.1.21track1
routebackup0061.1.1.3254
―默认路由走电信线路，当电信线路出现故障时自动切换到网通线路
routeBackup61.1.2.0255.255.255.061.1.1.31track2
routeBackup61.1.3.0255.255.255.061.1.1.31track2
―当网通线路正常时，到网通的网络的数据走网通的线路，否则走电信的默认路由
routeInside192.168.1.0255.255.255.010.1.1.41
―增加一条回指路由
六.关于静态NAT：
―为了使两条线路其中一条线路出现故障时，两个被静态NAT地址都能访问，需要：
A.每条线路配置两条静态NAT
―-前面已经配置
B.每个相连的ISP路由器把另外一家ISP所NAT的网段发布出去，并将metric设置比ospf默认的大
―-这种情况在实际环境基本无法实现，两家ISP不可能会帮客户做这样的事情，除非给的费用足够多
―-测试环境下还是可以玩一玩的
①R2路由器：
iproute61.1.1.0255.255.255.0202.100.1.10254tag10
route-mapASA842permit10
matchtag10
routerospf1
redistributestaticmetric130subnetsroute-mapASA842
②R3路由器：
iproute202.100.1.0255.255.255.061.1.1.10254tag10
route-mapASA842permit10
matchtag10
routerospf1
redistributestaticmetric130subnetsroute-mapASA842

七.效果测试：

A.线路正常的情况下：

R4#traceroute202.100.3.1sourcel0
Typeescapesequencetoabort.
Tracingtherouteto202.100.3.1
1202.100.1.2160msec108msec56msec
2202.100.2.136msec*24msec
R4#traceroute61.1.3.1sourcel0
Typeescapesequencetoabort.
Tracingtherouteto61.1.3.1
161.1.1.3112msec8msec0msec
261.1.2.1112msec*68msec
―去电信的流量走电信，去网通的流量走网通

R1#traceroute202.100.1.4sourcel202
Typeescapesequencetoabort.
Tracingtherouteto202.100.1.4
1202.100.2.232msec56msec20msec
2202.100.1.1040msec*24msec
3202.100.1.480msec*16msec
R1#traceroute202.100.1.4sourcel61
Typeescapesequencetoabort.
Tracingtherouteto202.100.1.4
1202.100.2.2140msec180msec80msec
2202.100.1.1064msec*88msec
3202.100.1.4140msec*84msec
R1#traceroute61.1.1.4sourcel61
Typeescapesequencetoabort.
Tracingtherouteto61.1.1.4
161.1.2.3116msec32msec0msec
261.1.1.104msec*4msec
361.1.1.4208msec*128msec
R1#traceroute61.1.1.4sourcel202
Typeescapesequencetoabort.
Tracingtherouteto61.1.1.4
161.1.2.38msec120msec192msec
261.1.1.100msec*20msec
361.1.1.4152msec*204msec
―-两个被静态NAT地址都能被访问，并且电信的地址走电信接口，网通的地址走网通的接口

B.电信线路不正常的情况下：

R4#traceroute202.100.3.1sourcel0
Typeescapesequencetoabort.
Tracingtherouteto202.100.3.1
110.1.1.10188msec*28msec
261.1.1.344msec0msec0msec
361.1.2.1108msec*84msec
R4#traceroute61.1.3.1sourcel0
Typeescapesequencetoabort.
Tracingtherouteto61.1.3.1
110.1.1.100msec*20msec
261.1.1.3100msec32msec0msec
361.1.2.1108msec*72msec
―去电信和网通的流量都走网通
R1#traceroute202.100.1.4sourcel202
Typeescapesequencetoabort.
Tracingtherouteto202.100.1.4
161.1.2.34msec184msec52msec
261.1.1.100msec*0msec
3202.100.1.4152msec*12msec
R1#traceroute202.100.1.4sourcel61
Typeescapesequencetoabort.
Tracingtherouteto202.100.1.4
161.1.2.336msec4msec16msec
261.1.1.10200msec*16msec
3202.100.1.4184msec*148msec
R1#traceroute61.1.1.4sourcel61
Typeescapesequencetoabort.
Tracingtherouteto61.1.1.4
161.1.2.348msec0msec0msec
261.1.1.104msec*32msec
361.1.1.4148msec*180msec
R1#traceroute61.1.1.4sourcel202
Typeescapesequencetoabort.
Tracingtherouteto61.1.1.4
161.1.2.376msec52msec0msec
261.1.1.100msec*16msec
361.1.1.4172msec*112msec
―-电信和网通被静态NAT的地址都能被电信和网通的用户访问

C.网通线路不正常的情况下：

R4#traceroute202.100.3.1sourcel0
Typeescapesequencetoabort.
Tracingtherouteto202.100.3.1
110.1.1.108msec*28msec
2202.100.1.2108msec72msec84msec
3202.100.2.188msec*128msec
R4#traceroute61.1.3.1sourcel0
Typeescapesequencetoabort.
Tracingtherouteto61.1.3.1
110.1.1.100msec*76msec
2202.100.1.2112msec96msec24msec
3202.100.2.1248msec*76msec
―去电信和网通的流量都走电信
R1#traceroute202.100.1.4sourcel202
Typeescapesequencetoabort.
Tracingtherouteto202.100.1.4
1202.100.2.24msec156msec76msec
2*
202.100.1.1040msec*
3202.100.1.468msec*24msec
R1#traceroute202.100.1.4sourcel61
Typeescapesequencetoabort.
Tracingtherouteto202.100.1.4
1202.100.2.292msec60msec124msec
2202.100.1.104msec*36msec
3202.100.1.4152msec*60msec
R1#traceroute61.1.1.4sourcel61
Typeescapesequencetoabort.
Tracingtherouteto61.1.1.4
1202.100.2.232msec136msec116msec
2202.100.1.1080msec*56msec
361.1.1.4120msec*120msec
R1#traceroute61.1.1.4sourcel202
Typeescapesequencetoabort.
Tracingtherouteto61.1.1.4
1202.100.2.24msec140msec112msec
2202.100.1.1064msec*64msec
361.1.1.4156msec*80msec
―-电信和网通被静态NAT的地址都能被电信和网通的用户访问