Typical configuration of SecPath security products for load sharing across two egress links using policy routing
I. Networking requirements:
A SecPath1000F firewall is deployed at the network egress with two uplinks, one to China Telecom and one to China Netcom. PC1 must leave through the Telecom link and PC2 through the Netcom link, and when either link fails, traffic must switch automatically to the other link.
II. Network diagram
radius scheme system
#
domain system
#
acl number 3000 // address range subject to NAT translation
rule 0 permit ip source 192.168.1.0 0.0.0.255
rule 1 permit ip source 172.16.1.0 0.0.0.255
rule 2 deny ip
acl number 3001 // ACL used for policy routing
rule 0 permit ip source 172.16.1.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface GigabitEthernet0/0
ip address 202.38.1.1 255.255.255.0
nat outbound 3000
#
interface GigabitEthernet0/1
ip address 61.1.1.1 255.255.255.0
nat outbound 3000
#
interface GigabitEthernet1/0
ip address 10.0.0.1 255.255.255.0
ip policy route-policy test // apply the policy route on the inside interface
#
interface GigabitEthernet1/1
#
interface Encrypt2/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface GigabitEthernet1/0
set priority 85
#
firewall zone untrust
add interface GigabitEthernet0/0
add interface GigabitEthernet0/1
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
route-policy test permit node 10 // configure the policy route
if-match acl 3001
apply ip-address next-hop 61.1.1.2
#
ip route-static 0.0.0.0 0.0.0.0 202.38.1.2 preference 60
ip route-static 0.0.0.0 0.0.0.0 61.1.1.2 preference 70
ip route-static 172.16.1.0 255.255.255.0 10.0.0.2 preference 60
ip route-static 192.168.1.0 255.255.255.0 10.0.0.2 preference 60
#
IV. Key configuration points
1. When configuring nat outbound, all internal subnets must be permitted for address translation.
2. Apply the policy route on the inside (internal network) interface.
3. When configuring the policy route, apply a next-hop address, not an outbound interface.
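An added Python model (not from the page or the vendor) of the forwarding decision the configuration above produces: the policy route on GigabitEthernet1/0, the two default routes ordered by preference, and the nat outbound ACL on the chosen egress. It assumes what the page's failover relies on, that a policy route whose next-hop is unreachable does not take effect and the packet falls back to ordinary routing; subnets, next-hops and preferences are the page's own values, and the last case shows why key point 1 matters.

```python
import ipaddress

# Constructed model of the page's SecPath configuration (illustrative, not vendor code).
NAT_ACL_3000 = ["192.168.1.0/24", "172.16.1.0/24"]  # acl 3000: nat outbound on GE0/0 and GE0/1
PBR_ACL_3001 = ["172.16.1.0/24"]                     # acl 3001: if-match in route-policy test node 10
PBR_NEXT_HOP = "61.1.1.2"                            # apply ip-address next-hop 61.1.1.2
DEFAULT_ROUTES = [("202.38.1.2", 60), ("61.1.1.2", 70)]  # ip route-static 0.0.0.0 0.0.0.0 ... preference
LINKS = {"202.38.1.2": "GigabitEthernet0/0 (Telecom)",
         "61.1.1.2": "GigabitEthernet0/1 (Netcom)"}


def in_acl(src, acl):
    """True if the source address falls inside one of the ACL's permitted subnets."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(net) for net in acl)


def egress_for(src, up, nat_acl=NAT_ACL_3000):
    """Decision for a packet from `src` entering on GE1/0; `up` is the set of reachable next-hops.
    Returns (egress interface, next-hop, translated by nat outbound) or None if no link is usable."""
    next_hop = None
    # Step 1: the policy route on GE1/0 sends ACL 3001 matches to the Netcom next-hop;
    # with that next-hop unreachable the policy does not take effect (assumed behaviour).
    if in_acl(src, PBR_ACL_3001) and PBR_NEXT_HOP in up:
        next_hop = PBR_NEXT_HOP
    else:
        # Step 2: ordinary routing takes the usable default route with the lowest
        # preference value (60 = Telecom before 70 = Netcom).
        for cand, _pref in sorted(DEFAULT_ROUTES, key=lambda r: r[1]):
            if cand in up:
                next_hop = cand
                break
    if next_hop is None:
        return None
    # Step 3: nat outbound 3000 on the chosen interface translates only sources its ACL
    # permits (key point 1: both internal subnets must be permitted).
    return (LINKS[next_hop], next_hop, in_acl(src, nat_acl))


if __name__ == "__main__":
    both = {"202.38.1.2", "61.1.1.2"}
    print("PC1, both links up   :", egress_for("192.168.1.10", both))
    print("PC2, both links up   :", egress_for("172.16.1.10", both))
    print("PC2, Netcom link down:", egress_for("172.16.1.10", {"202.38.1.2"}))
    print("PC1, Telecom down    :", egress_for("192.168.1.10", {"61.1.1.2"}))
    # Violating key point 1: a NAT ACL without 172.16.1.0/24 leaves PC2 untranslated after failover.
    print("PC2, narrow NAT ACL  :", egress_for("172.16.1.10", {"202.38.1.2"}, ["192.168.1.0/24"]))
```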