Cisco ASA firewall: detailed A/S and dual-uplink failover configuration --- By 年糕泰迪 (Cisco router setup)

Reader submission 566 2022-09-22



1. Lab overview

Objectives:
1) Build a medium-sized enterprise backbone starting from devices with zero configuration.
2) Deploy the border firewalls as an HA pair (Active/Standby) and verify it.
3) Deploy automatic dual-uplink redundancy switchover and verify it.

Materials: EVE-NG, ASAv (v9.8), routers, L3 switches.

Prerequisites: in this lab the firewalls run in routed mode and in single-context mode.

Lab topology:

Topology notes:

1) Naming: the Net cloud is the NAT adapter bridged to the EVE-NG host and carries the topology's traffic to the outside; ISP stands for the carrier's equipment; BSW is the border switch, used to pass VLANs through and extend ports; ASA is the border firewall; CSW is the core switch; ASW is the access switch; DMZSW is the DMZ gateway switch.

2) Addressing: ISP1: 100.100.100.x/30; ISP2: 200.200.200.x/30; DMZ PAT addresses: 100.100.101.x/24; core uplink segment: 10.10.10.x/24; core downlink segments: 10.10.20.0/24 and 10.10.21.0/24; user segment: 10.10.30.0/24; DMZ uplink segment: 172.16.10.0/24; server segment: 172.16.20.0/24.

3) Key functions:
① Dual-uplink redundancy with automatic switchover, implemented with floating static routes (ISP1 is the primary by default).
② Firewall redundancy, implemented with failover Active/Standby (ASA-A is the primary by default).
③ The key difficulty: once the firewalls are in A/S mode, the active and standby configurations are identical, including interface configuration, routes, ACLs, NAT and the other base policy. When the active unit fails (crashes, or a monitored interface goes down) and the standby takes over, how do the devices above and below it adapt to the switchover automatically? Upstream, a switch VLAN places both firewalls' outside interfaces and the matching ISP gateway in a single broadcast domain, so whichever unit is active reaches the ISP gateway without any change. Because the addresses an ISP provides are scarce, we cannot run HSRP-style redundancy on the upstream side; the only option is to bridge to the ISP gateway through a Layer-2 VLAN (if you have addresses to spare this does not matter). Downstream, we can use HSRP so that the switches follow the firewall switchover. One small detail: because the firewall uplinks are bridged at Layer 2 to the ISP gateway, the switchover involves no route change there, whereas the downstream side is linked at Layer 3 and does involve a route change. If a dynamic routing protocol were also enabled on the firewall this would not be a concern, but in most production environments no routing protocol runs inside the firewall (its main job is security policy, not route control; static routes are more than adequate and are clear). Between the core layer and the user gateways we run OSPF, and from the core to the uplink we use static routes, so the uplink static route also needs a track. Otherwise, even after the firewall switches from A to B, the route coming up from the core layer would still point at CSW-1, which would then forward to CSW-2. By adding a track to the static route on CSW-1 and injecting it into OSPF without the always keyword, when ASA-A fails over to ASA-B the track on CSW-1 fires, the static route disappears, and CSW-1's OSPF stops advertising the default route downward. CSW-2 has the same tracked static route and the same OSPF injection configuration as CSW-1, so after the firewalls switch to the standby there is no horizontal bounce of the route: the switch below the active firewall advertises the default route, and the downstream switch forwards packets directly to the right next hop.

2. Core device configuration

None of the device configurations below include Layer-2/Layer-3 hardening, tuning, or management configuration.

ISP

interface Ethernet0/0
 ip address dhcp
!
interface Ethernet0/1
 ip address 100.100.100.2 255.255.255.252
!
interface Ethernet0/2
 ip address 200.200.200.2 255.255.255.252

ip route 100.100.101.0 255.255.255.0 100.100.100.1
ip route 200.200.201.0 255.255.255.0 200.200.200.1

The above is configured on the ISP; the two routes cover the public IPs used as the PAT pool for the DMZ.

BSW

interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/0
 switchport access vlan 100
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport access vlan 200
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 10 mode active
!
interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 10 mode active
!

ASA-A

!
failover
failover lan unit primary
failover lan interface Folink GigabitEthernet0/5
failover polltime unit 1 holdtime 5
failover polltime interface msec 500 holdtime 25
failover polltime link-state msec 500
failover standby config-lock
failover link statelink GigabitEthernet0/6
failover interface ip Folink 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover interface ip statelink 3.3.3.1 255.255.255.252 standby 3.3.3.2
failover ipsec pre-shared-key *****
!

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside1
 security-level 0
 ip address 100.100.100.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 200.200.200.1 255.255.255.252
!
interface GigabitEthernet0/3
 nameif DMZ
 security-level 80
 ip address 172.16.10.1 255.255.255.252
!
interface GigabitEthernet0/5
 description LAN Failover Interface
!
interface GigabitEthernet0/6
 description STATE Failover Interface
!

!
object network InUsers
 subnet 10.0.0.0 255.0.0.0
object network DMZ
 subnet 172.16.0.0 255.255.0.0
object network Pub_DMZ
 host 100.100.101.200
object service TCP_8080
 service tcp destination eq 8080
object service TCP_80
 service tcp destination eq 80
object network DMZ_172.16.20.200
 host 172.16.20.200
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip 10.0.0.0 255.0.0.0 any
access-list outside1_in extended permit icmp any any
access-list outside1_in extended permit ip any host 172.16.20.200
access-list outside2_in extended permit icmp any any
access-list outside2_in extended permit ip any host 172.16.20.200
access-list dmz_in extended permit icmp any any
access-list dmz_in extended permit ip object DMZ any
nat (any,DMZ) source static any any destination static Pub_DMZ DMZ_172.16.20.200 service TCP_8080 TCP_80
nat (inside,outside1) source dynamic InUsers interface
nat (DMZ,outside1) source dynamic DMZ interface
nat (inside,outside2) source dynamic InUsers interface
nat (DMZ,outside2) source dynamic DMZ interface
access-group inside_in in interface inside
access-group outside1_in in interface outside1
access-group outside2_in in interface outside2
access-group dmz_in in interface DMZ
route outside1 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 200.200.200.2 10
route inside 10.0.0.0 255.0.0.0 10.10.10.2 1
route DMZ 172.16.0.0 255.255.0.0 172.16.10.2 1
!
!
sla monitor 1
 type echo protocol ipIcmpEcho 100.100.100.2 interface outside1
 timeout 1000
sla monitor schedule 1 life forever start-time now
!
!
track 1 rtr 1 reachability
!

On ASA-B only the failover section differs slightly; every other line is synchronized from ASA-A and is identical.

failover
failover lan unit secondary
failover lan interface Folink GigabitEthernet0/5
failover polltime unit 1 holdtime 5
failover polltime interface msec 500 holdtime 25
failover polltime link-state msec 500
failover standby config-lock
failover link statelink GigabitEthernet0/6
failover interface ip Folink 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover interface ip statelink 3.3.3.1 255.255.255.252 standby 3.3.3.2
failover ipsec pre-shared-key *****

PS: when deploying the firewalls from a zero-configuration boot, to end up with two identical units configure failover on each unit first; after that, everything else only needs to be configured on the active unit.

ASDM configuration

CSW-1

!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/0
 switchport access vlan 1000
 switchport mode access
 media-type rj45
 negotiation auto
!
!
interface GigabitEthernet0/1
 no switchport
 ip address 10.10.20.1 255.255.255.252
 negotiation auto
!
!
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 10 mode on
!
interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 10 mode on
!
!
interface Vlan1000
 ip address 10.10.10.3 255.255.255.0
 standby 10 ip 10.10.10.2
 standby 10 priority 200
 standby 10 preempt
 standby 10 track 1 decrement 50
!

!
router ospf 1
 router-id 10.10.10.3
 network 10.10.10.0 0.0.0.255 area 0
 network 10.10.20.0 0.0.0.255 area 0
 default-information originate metric-type 1
!
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1
!
!
ip sla 1
 icmp-echo 10.10.10.1 source-ip 10.10.10.3
 frequency 5
ip sla schedule 1 life forever start-time now
!
!
track 1 ip sla 1 reachability
!

CSW-B

!
interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/0
 switchport access vlan 1000
 switchport mode access
 media-type rj45
 negotiation auto
!

!
interface GigabitEthernet0/1
 no switchport
 ip address 10.10.21.1 255.255.255.252
 negotiation auto
!
!
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 10 mode on
!
interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 channel-group 10 mode on
!
!
interface Vlan1000
 ip address 10.10.10.4 255.255.255.0
 standby 10 ip 10.10.10.2
 standby 10 priority 180
!

!
router ospf 1
 router-id 10.10.10.4
 network 10.10.10.0 0.0.0.255 area 0
 network 10.10.21.0 0.0.0.255 area 0
 default-information originate metric 1 metric-type 1
!
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1
!
!
ip sla 1
 icmp-echo 10.10.10.1 source-ip 10.10.10.4
 frequency 5
ip sla schedule 1 life forever start-time now
!
!
track 1 ip sla 1 reachability
!
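The downstream linkage described in the topology notes (HSRP priority tracking on VLAN 1000 plus a tracked static default injected into OSPF without the always keyword) can be checked with a small model. The Python below is an added example, not part of the original article or of any Cisco tool; it uses the priority, preempt, decrement and track values from the CSW-1 and CSW-B configurations above, and the cswb_preempt parameter is a hypothetical knob that is not in the page's config.

```python
from dataclasses import dataclass


@dataclass
class CoreSwitch:
    name: str
    priority: int          # standby 10 priority N
    preempt: bool          # whether 'standby 10 preempt' is configured
    track_decrement: int   # standby 10 track 1 decrement N (0 when not tracked)
    track_up: bool = True  # state of 'track 1' (ip sla ping to the ASA at 10.10.10.1)

    def hsrp_priority(self) -> int:
        """Effective HSRP priority after the track decrement is applied."""
        return self.priority - (0 if self.track_up else self.track_decrement)

    def advertises_default(self) -> bool:
        """The tracked static default is only installed while track 1 is up, and
        'default-information originate' without 'always' only advertises a default
        into OSPF while a default route exists in the routing table."""
        return self.track_up


def hsrp_active(switches, current_active):
    """Return the name of the HSRP active router.

    The active router keeps the role until a peer that has preempt configured holds
    a higher effective priority; a priority drop on the active unit by itself does
    not hand the role to a standby that lacks preempt.
    """
    active = next(s for s in switches if s.name == current_active)
    for peer in switches:
        if peer is not active and peer.preempt and peer.hsrp_priority() > active.hsrp_priority():
            active = peer
    return active.name


def downstream_state(csw1_track_up, cswb_track_up, cswb_preempt=False, current_active="CSW-1"):
    """Model CSW-1 and CSW-B with the values from their configs (cswb_preempt is a
    hypothetical knob: the page's CSW-B config has no 'standby 10 preempt')."""
    csw1 = CoreSwitch("CSW-1", 200, True, 50, csw1_track_up)
    cswb = CoreSwitch("CSW-B", 180, cswb_preempt, 0, cswb_track_up)
    active = hsrp_active([csw1, cswb], current_active)
    originators = [s.name for s in (csw1, cswb) if s.advertises_default()]
    return active, originators


if __name__ == "__main__":
    for case in [(True, True), (False, True), (False, True, True), (True, True, True, "CSW-B")]:
        print(case, "->", downstream_state(*case))
```

As configured, with no standby 10 preempt on CSW-B, the 50-point decrement on CSW-1 alone leaves CSW-1 as the HSRP active router, because IOS only lets a standby take over on priority when preempt is enabled on it; what does move to CSW-B is the OSPF default advertisement.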

ASW-1

!
ip dhcp pool users
 network 10.10.30.0 255.255.255.0
 dns-server 223.5.5.5 114.114.114.114
 default-router 10.10.30.254
!
!
interface GigabitEthernet0/2
 switchport access vlan 30
 switchport mode access
 media-type rj45
 negotiation auto
 spanning-tree portfast edge
!
!
interface GigabitEthernet0/0
 no switchport
 ip address 10.10.20.2 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0/1
 no switchport
 ip address 10.10.21.2 255.255.255.252
 negotiation auto
!
!
router ospf 1
 router-id 10.10.20.2
 network 10.10.20.0 0.0.0.255 area 0
 network 10.10.21.0 0.0.0.255 area 0
 network 10.10.30.0 0.0.0.255 area 0
!

DMZSW-1

!
interface GigabitEthernet0/0
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport mode access
 media-type rj45
 negotiation auto
 spanning-tree portfast edge
!
!
interface Vlan10
 ip address 172.16.10.2 255.255.255.252
!
interface Vlan20
 ip address 172.16.20.254 255.255.255.0
!

!
ip route 0.0.0.0 0.0.0.0 172.16.10.1
!

4. Open issues

1. Above, manually refreshing the routing table worked around the caching problem, but in a real environment the switchover happens at random and we cannot notice it and refresh right away, so how to keep route caching from hurting HA failover time is a point to address later.
2. The topology above has a flaw: each core has a single uplink to the firewall, so when the primary core fails while the firewall is healthy, traffic has no way upstream. Dual uplinks are required here, otherwise a dual core is meaningless.
3. For NAT in the DMZ, when configuring PAT note that the PAT rule must be ordered before the DMZ NAT rule, otherwise PAT does not take effect; see https://blog./pinglife/2507602 for details.

Time was limited, so the writing is rough and many details are still missing; it will be refined later.

