We currently have dual-ISP connectivity. The edge firewall, a Juniper SSG520M, does policy-based routing: endpoints in the 192.168.0.x/24 segment go out via China Unicom, and endpoints in the 172.21.1.x/24 segment go out via China Telecom. Because the Juniper firewall is badly aged, I want to replace it with a Cisco ASA 5525 (K9). Does the 5525 support policy-based routing? If so, what are the configuration commands?
[Attachment: 141117-网络系统拓扑现状简图v1.jpg (15.24 KB), sketch of the current network topology]

2016-8-31 10:42




This one is simple: split the ASA 5525 into two child firewalls (contexts), then have each child firewall use a different segment's egress.



The newly purchased ASA 5525 came with IOS version 9.1(2); this version does not support policy-based routing and needs to be upgraded to 9.4(3). After the upgrade, the policy-routing configuration commands are:
object-group network route-to-LT20
network-object 192.168.0.0 255.255.255.0
network-object 172.21.8.0 255.255.255.0
access-list PBR-to-LT20 extended permit ip object-group route-to-LT20 any
route-map PBR-to-LT20 permit 10
match ip address PBR-to-LT20
set ip default next-hop 124.x.x.x
interface GigabitEthernet0/2
policy-route route-map PBR-to-LT20
Although this is an old thread from 2016-8-31, I searched and found it again today for work; the original poster's question and the answers gave me the idea, and the problem is solved. Sharing it here for everyone's reference.

Business scenario:
The company has two fixed-IP ISP leased lines, one China Telecom 50M and one China Mobile 50M; different internal subnets go out via different ISPs.

The configuration is as follows:
1. Interface configuration
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.31.10.1 255.255.255.252 (inside interface)


interface GigabitEthernet0/1
nameif CT
security-level 0
ip address x.x.x.x 255.255.255.252 (China Telecom interface)

interface GigabitEthernet0/2
nameif CM
security-level 0
ip address x.x.x.x 255.255.255.252 (China Mobile interface)


Define the subnet that goes out via China Telecom
object-group network route-to-ct
network-object 10.162.28.0 255.255.255.0
Define the subnet that goes out via China Mobile
object-group network route-to-cm
network-object 10.162.30.0 255.255.255.0

access-list ct_access_in extended permit ip any any
access-list ct_access_in extended permit icmp any any
access-list cm_access_in extended permit ip any any
access-list cm_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any


Define the ACL for traffic going out via China Telecom
access-list pbr-to-ct extended permit ip object-group route-to-ct any
Define the ACL for traffic going out via China Mobile
access-list pbr-to-cm extended permit ip object-group route-to-cm any

NAT for shared internet access (actually, with or without the after-auto keyword here, my test results were the same; would an expert please advise)
nat (inside,CT) source dynamic any interface
nat (inside,CM) after-auto source dynamic any interface

access-group ct_access_in in interface CT
access-group cm_access_in in interface CM
access-group inside_access_in in interface inside


Define the route-map: traffic matching the China Telecom policy is given the China Telecom next-hop, and traffic matching the China Mobile policy is given the China Mobile next-hop
route-map pbr-to-outside permit 10
match ip address pbr-to-ct
set ip default next-hop 221.224.36.x
route-map pbr-to-outside permit 20
match ip address pbr-to-cm
set ip default next-hop 223.112.107.x

Configure the default routes; the trailing 10 and 11 are the specified priorities, and adding the routes without a priority gives an error
route CT 0.0.0.0 0.0.0.0 221.224.36.x 10
route CM 0.0.0.0 0.0.0.0 223.112.107.x 11
route inside 10.162.16.0 255.255.240.0 172.31.10.2

Apply the policy to the inside interface
interface GigabitEthernet0/0
policy-route route-map pbr-to-outside
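
As an added illustration (not from the thread or from Cisco), the following Python model walks a packet through the route-map posted above: the source subnet picks the ISP next-hop, while `set ip default next-hop` only acts when the routing table has no explicit route for the destination, so the internal 10.162.16.0/20 route still wins. The masked next-hops (221.224.36.x, 223.112.107.x) are replaced with placeholder .1 addresses, and only the command forms used in the post are parsed; both are assumptions.

```python
import ipaddress

# Constructed excerpt of the post's config; masked next-hops replaced with placeholders (assumption).
CONFIG = """object-group network route-to-ct
network-object 10.162.28.0 255.255.255.0
object-group network route-to-cm
network-object 10.162.30.0 255.255.255.0
access-list pbr-to-ct extended permit ip object-group route-to-ct any
access-list pbr-to-cm extended permit ip object-group route-to-cm any
route-map pbr-to-outside permit 10
match ip address pbr-to-ct
set ip default next-hop 221.224.36.1
route-map pbr-to-outside permit 20
match ip address pbr-to-cm
set ip default next-hop 223.112.107.1
route CT 0.0.0.0 0.0.0.0 221.224.36.1 10
route CM 0.0.0.0 0.0.0.0 223.112.107.1 11
route inside 10.162.16.0 255.255.240.0 172.31.10.2"""

def parse(cfg):  # handles only the object-group / access-list / route-map / route lines above
    groups, acls, rmap, routes = {}, {}, [], []
    for t in (line.split() for line in cfg.splitlines()):
        if t[0] == "object-group":
            cur = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            cur.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list":      # only the 'permit ip object-group GRP any' form
            acls.setdefault(t[1], []).append(t[6])
        elif t[0] == "route-map":
            rmap.append({"seq": int(t[3])})
        elif t[0] in ("match", "set"):   # 'match ip address <acl>' / 'set ip default next-hop <addr>'
            rmap[-1][t[0]] = t[-1]
        elif t[0] == "route":            # (interface, network, next-hop, metric)
            net = ipaddress.ip_network(f"{t[2]}/{t[3]}")
            routes.append((t[1], net, t[4], int(t[5]) if len(t) > 5 else 1))
    return groups, acls, sorted(rmap, key=lambda e: e["seq"]), routes

def egress(cfg, src, dst):
    """Return (interface or 'PBR', next-hop) for a packet arriving on the inside interface."""
    groups, acls, rmap, routes = parse(cfg)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 'default next-hop' only acts when no explicit (non-default) route covers the
    # destination, so the routing table is checked first; longest prefix wins.
    explicit = [r for r in routes if r[1].prefixlen and dst in r[1]]
    if explicit:
        return max(explicit, key=lambda r: r[1].prefixlen)[0::2]   # (interface, next-hop)
    for entry in rmap:  # sequences in order; first matching clause wins, else lowest-metric default
        if any(src in net for g in acls[entry["match"]] for net in groups[g]):
            return "PBR", entry["set"]
    return min((r for r in routes if not r[1].prefixlen), key=lambda r: r[3])[0::2]
```

A source outside both object-groups falls through to the CT default route (metric 10), which is what the posted config does for subnets the route-map does not name.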



Copyright©2005-2020 51CTO.COM