Implementing Dual ISP Uplinks on a Cisco PIX Firewall

Source: original to this site. Category: CISCO


1. User requirement
The user has a Cisco PIX 515E firewall with two uplinks, one from China Netcom and one from China Telecom. The goal is for all traffic to leave through the Telecom line by default, while traffic to Netcom-hosted sites leaves through the Netcom line.
2. Implementation points
1. First collect the Netcom IP ranges (search for a published list, or ask a contact at the carrier for a copy).
2. Routing: the PIX is primarily a firewall and its routing is limited; it has no policy-based routing, so the split cannot be expressed as a policy. Instead the default route points at the Telecom gateway and one static route per Netcom range points at the Netcom gateway. Longest-prefix matching then steers Netcom destinations out the Netcom line and everything else out the Telecom line.
3. NAT: two NAT rules are needed, one translating Netcom-bound traffic to the Netcom uplink address and one translating everything else to the Telecom uplink address. The Netcom rule must be configured before the Telecom rule; otherwise the catch-all rule matches first and the split does not work.
3. Cisco PIX dual-uplink configuration
3.1 Environment
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet5 teloutside security0
ip address outside 224.254.14.164 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address teloutside 202.99.114.91 255.255.255.128
# Note: outside is the Netcom uplink; teloutside is the Telecom uplink; inside is the LAN interface. Both uplinks are at security0, so nothing arriving from either ISP reaches inside unless an access-list applied to that interface explicitly permits it. The 224.254.14.0/24 addresses are placeholders: 224.0.0.0/4 is the IPv4 multicast range and cannot be assigned to an interface, so substitute the block actually assigned by Netcom.
3.2 Dual-uplink implementation
A. Define the Netcom IP ranges
object-group network wtnetwork
network-object 58.16.0.0 255.248.0.0
network-object 58.100.0.0 255.254.0.0
network-object 58.240.0.0 255.240.0.0
network-object 60.0.0.0 255.248.0.0
network-object 60.8.0.0 255.252.0.0
network-object 60.12.0.0 255.255.0.0
network-object 60.13.0.0 255.255.192.0
network-object 60.13.128.0 255.255.128.0
network-object 60.16.0.0 255.240.0.0
network-object 60.24.0.0 255.248.0.0
network-object 60.31.0.0 255.255.0.0
network-object 60.208.0.0 255.248.0.0
network-object 60.216.0.0 255.254.0.0
network-object 60.220.0.0 255.252.0.0
network-object 61.48.0.0 255.252.0.0
network-object 61.52.0.0 255.254.0.0
network-object 61.54.0.0 255.255.0.0
network-object 61.55.0.0 255.255.0.0
network-object 61.133.0.0 255.255.128.0
network-object 61.134.64.0 255.255.192.0
network-object 61.134.128.0 255.255.128.0
network-object 61.135.0.0 255.255.0.0
network-object 61.136.0.0 255.255.0.0
network-object 61.138.0.0 255.255.128.0
network-object 61.139.128.0 255.255.192.0
network-object 61.148.0.0 255.255.0.0
network-object 61.149.0.0 255.255.0.0
network-object 61.156.0.0 255.255.0.0
network-object 61.158.0.0 255.255.0.0
network-object 61.159.0.0 255.255.192.0
network-object 61.161.0.0 255.255.192.0
network-object 61.161.128.0 255.255.128.0
network-object 61.162.0.0 255.255.0.0
network-object 61.163.0.0 255.255.0.0
network-object 61.167.0.0 255.255.0.0
network-object 61.168.0.0 255.255.0.0
network-object 61.176.0.0 255.255.0.0
network-object 61.179.0.0 255.255.0.0
network-object 61.180.128.0 255.255.128.0
network-object 61.181.0.0 255.255.0.0
network-object 61.182.0.0 255.255.0.0
network-object 61.189.0.0 255.255.128.0
network-object 124.90.0.0 255.254.0.0
network-object 124.162.0.0 255.255.0.0
network-object 202.32.0.0 255.224.0.0
network-object 202.96.64.0 255.255.224.0
network-object 202.97.128.0 255.255.128.0
network-object 202.98.0.0 255.255.224.0
network-object 202.99.0.0 255.255.0.0
network-object 202.102.128.0 255.255.192.0
network-object 202.102.224.0 255.255.254.0
network-object 202.106.0.0 255.255.0.0
network-object 202.107.0.0 255.255.128.0
network-object 202.108.0.0 255.255.0.0
network-object 202.110.0.0 255.255.128.0
network-object 202.110.192.0 255.255.192.0
network-object 202.111.128.0 255.255.192.0
network-object 203.79.0.0 255.255.0.0
network-object 203.80.0.0 255.255.0.0
network-object 203.81.0.0 255.255.224.0
network-object 203.86.32.0 255.255.224.0
network-object 203.86.64.0 255.255.224.0
network-object 203.90.0.0 255.255.128.0
network-object 203.90.128.0 255.255.192.0
network-object 203.90.192.0 255.255.224.0
network-object 203.92.0.0 255.254.0.0
network-object 210.12.0.0 255.255.128.0
network-object 210.12.192.0 255.255.192.0
network-object 210.13.0.0 255.255.255.0
network-object 210.14.160.0 255.255.224.0
network-object 210.14.192.0 255.255.192.0
network-object 210.15.0.0 255.255.128.0
network-object 210.15.128.0 255.255.192.0
network-object 210.16.128.0 255.255.192.0
network-object 210.21.0.0 255.255.0.0
network-object 210.22.0.0 255.255.0.0
network-object 210.51.0.0 255.255.0.0
network-object 210.52.0.0 255.254.0.0
network-object 210.52.128.0 255.255.128.0
network-object 210.53.0.0 255.255.0.0
network-object 210.74.64.0 255.255.192.0
network-object 210.74.128.0 255.255.192.0
network-object 210.78.0.0 255.255.224.0
network-object 210.82.0.0 255.254.0.0
network-object 211.100.0.0 255.255.0.0
network-object 211.101.0.0 255.255.192.0
network-object 211.147.0.0 255.255.0.0
network-object 211.167.96.0 255.255.224.0
network-object 218.4.0.0 255.252.0.0
network-object 218.10.0.0 255.254.0.0
network-object 218.21.128.0 255.255.128.0
network-object 218.24.0.0 255.254.0.0
network-object 218.26.0.0 255.255.0.0
network-object 218.27.0.0 255.255.0.0
network-object 218.28.0.0 255.254.0.0
network-object 218.56.0.0 255.252.0.0
network-object 218.60.0.0 255.254.0.0
network-object 218.62.0.0 255.255.128.0
network-object 218.67.128.0 255.255.128.0
network-object 218.68.0.0 255.254.0.0
network-object 218.109.159.0 255.255.255.0
network-object 219.141.128.0 255.255.128.0
network-object 219.142.0.0 255.254.0.0
network-object 219.154.0.0 255.254.0.0
network-object 219.156.0.0 255.254.0.0
network-object 219.158.0.0 255.255.0.0
network-object 219.159.0.0 255.255.192.0
network-object 220.248.0.0 255.252.0.0
network-object 220.252.0.0 255.255.0.0
network-object 221.0.0.0 255.252.0.0
network-object 221.4.0.0 255.254.0.0
network-object 221.6.0.0 255.255.0.0
network-object 221.7.128.0 255.255.128.0
network-object 221.8.0.0 255.254.0.0
network-object 221.10.0.0 255.255.0.0
network-object 221.11.0.0 255.255.128.0
network-object 221.12.0.0 255.252.0.0
network-object 221.12.0.0 255.255.128.0
network-object 221.12.128.0 255.255.192.0
network-object 221.192.0.0 255.252.0.0
network-object 221.195.0.0 255.255.0.0
network-object 221.196.0.0 255.254.0.0
network-object 221.199.0.0 255.255.224.0
network-object 221.199.32.0 255.255.240.0
network-object 221.199.128.0 255.255.192.0
network-object 221.199.192.0 255.255.240.0
network-object 221.200.0.0 255.252.0.0
network-object 221.204.0.0 255.254.0.0
network-object 221.207.0.0 255.255.192.0
network-object 221.208.0.0 255.240.0.0
network-object 221.208.0.0 255.252.0.0
network-object 221.213.0.0 255.255.0.0
network-object 221.214.0.0 255.254.0.0
network-object 222.128.0.0 255.252.0.0
network-object 222.132.0.0 255.252.0.0
network-object 222.136.0.0 255.248.0.0
network-object 222.160.0.0 255.252.0.0
network-object 222.163.0.0 255.255.224.0
B. Define the access-lists used by policy NAT
access-list 101 permit ip 192.168.0.0 255.255.255.0 object-group wtnetwork
# inside network to the Netcom ranges (the source mask 255.255.255.0 was missing in the original and is required)
access-list 104 permit ip 192.168.0.0 255.255.255.0 any
# inside network to any destination
C. NAT configuration
global (outside) 1 interface
# NAT ID 1: translate to the Netcom uplink address
global (teloutside) 4 interface
# NAT ID 4: translate to the Telecom uplink address
nat (inside) 1 access-list 101
# traffic matching access-list 101 (inside to the Netcom ranges) is translated using NAT ID 1 (the Netcom uplink)
nat (inside) 4 access-list 104
# traffic matching access-list 104 (inside to any) is translated using NAT ID 4 (the Telecom uplink). The nat ID must equal the ID of the global on the chosen interface; the original text wrote nat ID 5 with access-list 105, neither of which was defined, so Telecom-bound traffic would have had no translation at all.
Note: nat (inside) 1 access-list 101 must come before nat (inside) 4 access-list 104. Policy NAT entries are evaluated in the order they appear in the configuration and the first match wins; if the catch-all access-list 104 came first it would also match Netcom-bound traffic, which the static routes send out the Netcom uplink but which would now carry the Telecom address as its source. That asymmetric path breaks the translation and is exactly what an ISP anti-spoofing ingress filter drops.
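The following is an added example, not configuration or code from the original article. It models the two decisions the PIX makes for an outbound packet as described in section 2 and in the note above: a longest-prefix route lookup to pick the egress interface, and a first-match walk of the policy NAT rules to pick the translated source. It then audits whether the two agree for a handful of destinations, once with the rules in the order the article requires and once with the catch-all first. The interface names, inside network and the three Netcom prefixes are taken from the article; the destination hosts and the source host 192.168.0.10 are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

# Routing table as in section D: default to teloutside (Telecom), a few of the
# article's Netcom prefixes to outside (Netcom). (prefix, egress interface)
ROUTES = [
    (ip_network("0.0.0.0/0"), "teloutside"),
    (ip_network("61.135.0.0/16"), "outside"),
    (ip_network("202.106.0.0/16"), "outside"),
    (ip_network("221.12.0.0/14"), "outside"),
]
NETCOM = [p for p, iface in ROUTES if iface == "outside"]   # stands in for wtnetwork
INSIDE = ip_network("192.168.0.0/24")
ANY = ip_network("0.0.0.0/0")

# Policy NAT rules in configuration order:
# (acl number, source, destination list, interface whose address is used)
# nat (inside) 1 access-list 101 -> global (outside) 1 interface
# nat (inside) 4 access-list 104 -> global (teloutside) 4 interface
NAT_CORRECT = [
    ("101", INSIDE, NETCOM, "outside"),
    ("104", INSIDE, [ANY], "teloutside"),
]
# Same rules with the catch-all first: the misordering the article warns about.
NAT_WRONG = list(reversed(NAT_CORRECT))


def route_lookup(dst):
    """Egress interface by longest-prefix match, as the PIX route table does."""
    dst = ip_address(dst)
    _, iface = max(((p, i) for p, i in ROUTES if dst in p),
                   key=lambda r: r[0].prefixlen)
    return iface


def nat_lookup(src, dst, rules):
    """First policy-NAT rule whose ACL matches wins; returns (acl, interface)."""
    src, dst = ip_address(src), ip_address(dst)
    for acl, s, dsts, iface in rules:
        if src in s and any(dst in d for d in dsts):
            return acl, iface
    return None, None


def egress(src, dst, rules):
    """(interface the packet is routed out of, interface whose address it is
    translated to, whether the two agree)."""
    route_iface = route_lookup(dst)
    _, nat_iface = nat_lookup(src, dst, rules)
    return route_iface, nat_iface, route_iface == nat_iface


# Constructed sample destinations: three inside Netcom prefixes, one outside them.
SAMPLE_DESTS = ("61.135.1.1", "202.106.0.5", "221.13.7.7", "202.101.0.1")


def audit(rules, src="192.168.0.10", dests=SAMPLE_DESTS):
    """Destinations that would leave one uplink sourced from the other's address."""
    return [d for d in dests if not egress(src, d, rules)[2]]


if __name__ == "__main__":
    for name, rules in (("correct order", NAT_CORRECT), ("catch-all first", NAT_WRONG)):
        print(f"{name}: mismatched destinations = {audit(rules)}")
```

With the rules in the article's order every sampled destination is routed out of the same interface whose address it is translated to; with the catch-all first, every Netcom destination is routed out `outside` but translated to the `teloutside` address, which is the failure the note describes.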
D. Route configuration
# default route out through the Telecom gateway
route teloutside 0.0.0.0 0.0.0.0 202.99.114.126 1
# one static route per Netcom range, pointing at the Netcom gateway
route outside 58.16.0.0 255.248.0.0 224.254.14.161
route outside 58.100.0.0 255.254.0.0 224.254.14.161
route outside 58.240.0.0 255.240.0.0 224.254.14.161
route outside 60.0.0.0 255.248.0.0 224.254.14.161
route outside 60.8.0.0 255.252.0.0 224.254.14.161
route outside 60.12.0.0 255.255.0.0 224.254.14.161
route outside 60.13.0.0 255.255.192.0 224.254.14.161
route outside 60.13.128.0 255.255.128.0 224.254.14.161
route outside 60.16.0.0 255.240.0.0 224.254.14.161
route outside 60.24.0.0 255.248.0.0 224.254.14.161
route outside 60.31.0.0 255.255.0.0 224.254.14.161
route outside 60.208.0.0 255.248.0.0 224.254.14.161
route outside 60.216.0.0 255.254.0.0 224.254.14.161
route outside 60.220.0.0 255.252.0.0 224.254.14.161
route outside 61.48.0.0 255.252.0.0 224.254.14.161
route outside 61.52.0.0 255.254.0.0 224.254.14.161
route outside 61.54.0.0 255.255.0.0 224.254.14.161
route outside 61.55.0.0 255.255.0.0 224.254.14.161
route outside 61.133.0.0 255.255.128.0 224.254.14.161
route outside 61.134.64.0 255.255.192.0 224.254.14.161
route outside 61.134.128.0 255.255.128.0 224.254.14.161
route outside 61.135.0.0 255.255.0.0 224.254.14.161
route outside 61.136.0.0 255.255.0.0 224.254.14.161
route outside 61.138.0.0 255.255.128.0 224.254.14.161
route outside 61.139.128.0 255.255.192.0 224.254.14.161
route outside 61.148.0.0 255.255.0.0 224.254.14.161
route outside 61.149.0.0 255.255.0.0 224.254.14.161
route outside 61.156.0.0 255.255.0.0 224.254.14.161
route outside 61.158.0.0 255.255.0.0 224.254.14.161
route outside 61.159.0.0 255.255.192.0 224.254.14.161
route outside 61.161.0.0 255.255.192.0 224.254.14.161
route outside 61.161.128.0 255.255.128.0 224.254.14.161
route outside 61.162.0.0 255.255.0.0 224.254.14.161
route outside 61.163.0.0 255.255.0.0 224.254.14.161
route outside 61.167.0.0 255.255.0.0 224.254.14.161
route outside 61.168.0.0 255.255.0.0 224.254.14.161
route outside 61.176.0.0 255.255.0.0 224.254.14.161
route outside 61.179.0.0 255.255.0.0 224.254.14.161
route outside 61.180.128.0 255.255.128.0 224.254.14.161
route outside 61.181.0.0 255.255.0.0 224.254.14.161
route outside 61.182.0.0 255.255.0.0 224.254.14.161
route outside 61.189.0.0 255.255.128.0 224.254.14.161
route outside 124.90.0.0 255.254.0.0 224.254.14.161
route outside 124.162.0.0 255.255.0.0 224.254.14.161
route outside 202.32.0.0 255.224.0.0 224.254.14.161
route outside 202.96.64.0 255.255.224.0 224.254.14.161
route outside 202.97.128.0 255.255.128.0 224.254.14.161
route outside 202.98.0.0 255.255.224.0 224.254.14.161
route outside 202.99.0.0 255.255.0.0 224.254.14.161
route outside 202.102.128.0 255.255.192.0 224.254.14.161
route outside 202.102.224.0 255.255.254.0 224.254.14.161
route outside 202.106.0.0 255.255.0.0 224.254.14.161
route outside 202.107.0.0 255.255.128.0 224.254.14.161
route outside 202.108.0.0 255.255.0.0 224.254.14.161
route outside 202.110.0.0 255.255.128.0 224.254.14.161
route outside 202.110.192.0 255.255.192.0 224.254.14.161
route outside 202.111.128.0 255.255.192.0 224.254.14.161
route outside 203.79.0.0 255.255.0.0 224.254.14.161
route outside 203.80.0.0 255.255.0.0 224.254.14.161
route outside 203.81.0.0 255.255.224.0 224.254.14.161
route outside 203.86.32.0 255.255.224.0 224.254.14.161
route outside 203.86.64.0 255.255.224.0 224.254.14.161
route outside 203.90.0.0 255.255.128.0 224.254.14.161
route outside 203.90.128.0 255.255.192.0 224.254.14.161
route outside 203.90.192.0 255.255.224.0 224.254.14.161
route outside 203.92.0.0 255.254.0.0 224.254.14.161
route outside 210.12.0.0 255.255.128.0 224.254.14.161
route outside 210.12.192.0 255.255.192.0 224.254.14.161
route outside 210.13.0.0 255.255.255.0 224.254.14.161
route outside 210.14.160.0 255.255.224.0 224.254.14.161
route outside 210.14.192.0 255.255.192.0 224.254.14.161
route outside 210.15.0.0 255.255.128.0 224.254.14.161
route outside 210.15.128.0 255.255.192.0 224.254.14.161
route outside 210.16.128.0 255.255.192.0 224.254.14.161
route outside 210.21.0.0 255.255.0.0 224.254.14.161
route outside 210.22.0.0 255.255.0.0 224.254.14.161
route outside 210.51.0.0 255.255.0.0 224.254.14.161
route outside 210.52.0.0 255.254.0.0 224.254.14.161
route outside 210.52.128.0 255.255.128.0 224.254.14.161
route outside 210.53.0.0 255.255.0.0 224.254.14.161
route outside 210.74.64.0 255.255.192.0 224.254.14.161
route outside 210.74.128.0 255.255.192.0 224.254.14.161
route outside 210.78.0.0 255.255.224.0 224.254.14.161
route outside 210.82.0.0 255.254.0.0 224.254.14.161
route outside 211.100.0.0 255.255.0.0 224.254.14.161
route outside 211.101.0.0 255.255.192.0 224.254.14.161
route outside 211.147.0.0 255.255.0.0 224.254.14.161
route outside 211.167.96.0 255.255.224.0 224.254.14.161
route outside 218.4.0.0 255.252.0.0 224.254.14.161
route outside 218.10.0.0 255.254.0.0 224.254.14.161
route outside 218.21.128.0 255.255.128.0 224.254.14.161
route outside 218.24.0.0 255.254.0.0 224.254.14.161
route outside 218.26.0.0 255.255.0.0 224.254.14.161
route outside 218.27.0.0 255.255.0.0 224.254.14.161
route outside 218.28.0.0 255.254.0.0 224.254.14.161
route outside 218.56.0.0 255.252.0.0 224.254.14.161
route outside 218.60.0.0 255.254.0.0 224.254.14.161
route outside 218.62.0.0 255.255.128.0 224.254.14.161
route outside 218.67.128.0 255.255.128.0 224.254.14.161
route outside 218.68.0.0 255.254.0.0 224.254.14.161
route outside 218.109.159.0 255.255.255.0 224.254.14.161
route outside 219.141.128.0 255.255.128.0 224.254.14.161
route outside 219.142.0.0 255.254.0.0 224.254.14.161
route outside 219.154.0.0 255.254.0.0 224.254.14.161
route outside 219.156.0.0 255.254.0.0 224.254.14.161
route outside 219.158.0.0 255.255.0.0 224.254.14.161
route outside 219.159.0.0 255.255.192.0 224.254.14.161
route outside 220.248.0.0 255.252.0.0 224.254.14.161
route outside 220.252.0.0 255.255.0.0 224.254.14.161
route outside 221.0.0.0 255.252.0.0 224.254.14.161
route outside 221.4.0.0 255.254.0.0 224.254.14.161
route outside 221.6.0.0 255.255.0.0 224.254.14.161
route outside 221.7.128.0 255.255.128.0 224.254.14.161
route outside 221.8.0.0 255.254.0.0 224.254.14.161
route outside 221.10.0.0 255.255.0.0 224.254.14.161
route outside 221.11.0.0 255.255.128.0 224.254.14.161
route outside 221.12.0.0 255.252.0.0 224.254.14.161
route outside 221.12.0.0 255.255.128.0 224.254.14.161
route outside 221.12.128.0 255.255.192.0 224.254.14.161
route outside 221.192.0.0 255.252.0.0 224.254.14.161
route outside 221.195.0.0 255.255.0.0 224.254.14.161
route outside 221.196.0.0 255.254.0.0 224.254.14.161
route outside 221.199.0.0 255.255.224.0 224.254.14.161
route outside 221.199.32.0 255.255.240.0 224.254.14.161
route outside 221.199.128.0 255.255.192.0 224.254.14.161
route outside 221.199.192.0 255.255.240.0 224.254.14.161
route outside 221.200.0.0 255.252.0.0 224.254.14.161
route outside 221.204.0.0 255.254.0.0 224.254.14.161
route outside 221.207.0.0 255.255.192.0 224.254.14.161
route outside 221.208.0.0 255.240.0.0 224.254.14.161
route outside 221.208.0.0 255.252.0.0 224.254.14.161
route outside 221.213.0.0 255.255.0.0 224.254.14.161
route outside 221.214.0.0 255.254.0.0 224.254.14.161
route outside 222.128.0.0 255.252.0.0 224.254.14.161
route outside 222.132.0.0 255.252.0.0 224.254.14.161
route outside 222.136.0.0 255.248.0.0 224.254.14.161
route outside 222.160.0.0 255.252.0.0 224.254.14.161
route outside 222.163.0.0 255.255.224.0 224.254.14.161
# Note: 224.254.14.161 is the gateway toward Netcom (it lies in the multicast range 224.0.0.0/4, so it is a placeholder for the real gateway). Each route above must mirror one network-object in wtnetwork: a prefix present in only one of the two lists is either translated for one uplink and routed out the other, or routed to Netcom with the Telecom source address. Some entries overlap (221.12.0.0 255.252.0.0 already covers 221.12.0.0 255.255.128.0 and 221.12.128.0 255.255.192.0; 221.208.0.0 255.240.0.0 covers 221.208.0.0 255.252.0.0); they are harmless but can be dropped. Note also that the teloutside subnet 202.99.114.0/25 sits inside 202.99.0.0/16, which is routed to Netcom; the connected /25 is more specific, so the Telecom gateway stays reachable, but the rest of 202.99.0.0/16 leaves via Netcom.
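The object-group in section A and the static routes in section D are the same list typed twice, which is how the two drift apart. As an added example (not part of the original article), the script below derives both from a single prefix list, rejects malformed masks, and flags entries that a broader entry in the same list already covers, so the generated object-group and route block can never disagree. The prefix list is a constructed subset of the article's Netcom list, chosen to include the two overlapping pairs the article actually contains; the group name, interface and gateway address are the article's.

```python
from ipaddress import ip_network

# Constructed subset of the article's Netcom list (section A), including the
# overlapping pairs 221.12.0.0/14 vs /17,/18 and 221.208.0.0/12 vs /14.
NETCOM_PREFIXES = """\
58.16.0.0 255.248.0.0
61.135.0.0 255.255.0.0
202.99.0.0 255.255.0.0
221.12.0.0 255.252.0.0
221.12.0.0 255.255.128.0
221.12.128.0 255.255.192.0
221.208.0.0 255.240.0.0
221.208.0.0 255.252.0.0
"""


def parse_prefixes(text):
    """Parse 'network mask' lines into IPv4Network objects.

    strict=True rejects an entry with host bits set under its mask, and the
    ipaddress module itself rejects a non-contiguous mask such as 255.0.255.0,
    so a typo in the list fails here instead of on the firewall."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        addr, mask = line.split()
        nets.append(ip_network(f"{addr}/{mask}", strict=True))
    return nets


def redundant(nets):
    """Entries fully covered by a broader entry elsewhere in the same list."""
    return [n for n in nets if any(o != n and n.subnet_of(o) for o in nets)]


def render(nets, group="wtnetwork", iface="outside", gw="224.254.14.161"):
    """Emit the object-group and the matching static routes from one list,
    with redundant entries dropped from both so they stay in step."""
    drop = set(redundant(nets))
    keep = [n for n in nets if n not in drop]
    lines = [f"object-group network {group}"]
    lines += [f"network-object {n.network_address} {n.netmask}" for n in keep]
    lines += [f"route {iface} {n.network_address} {n.netmask} {gw}" for n in keep]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_prefixes(NETCOM_PREFIXES)
    for n in redundant(nets):
        print(f"! dropping {n.network_address} {n.netmask}: covered by a broader entry")
    print(render(nets))
```

Run it against the full list from section A and paste the output in place of sections A and D; rerunning it after the carrier's ranges change regenerates both blocks together.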
4. Result
China's domestic backbone is split into two networks, south and north: Telecom in the south, Netcom in the north. Traffic between the two carriers has to be exchanged at the backbone interconnect, so Netcom users reach Telecom sites slowly and Telecom users reach Netcom sites slowly. Giving a large network one uplink per carrier therefore improves cross-carrier access speed, and this document came out of that requirement.

Article from: CCIE那點事 http://www.qdxgqk.live/ . All rights reserved. Unless a source is noted, articles on this site are the author's own; they may be cited freely with attribution, but reproducing them in full is prohibited.
Permalink: http://www.qdxgqk.live/?p=252 (please credit CCIE那點事 when reposting)