Multi-ISP Internet Access Using Policy-Based Routing
By configuring NAT and policy-based routing, campus network users can be connected to the education network and to the Internet respectively.
Networking Requirements
As shown in Figure 1, a university has deployed an FW as the security gateway at its network border and reaches the Internet through the education network. It has also purchased broadband Internet service from a carrier and reaches the Internet through the carrier network.
The specific requirements are as follows:
- PCs in the student network may access the Internet only through the education network.
- PCs in the teacher network may access the Internet only through the carrier network.
Configuration Roadmap
- Configure interface addresses and add the interfaces to the corresponding security zones.
- Configure policy-based routing so that PCs in the student network access the Internet through interface GigabitEthernet 1/0/7 via the education network, and PCs in the teacher network access the Internet directly through interface GigabitEthernet 1/0/1.
- Configure security policies that allow PCs in the student network and the teacher network to access the Internet.
- Configure NAT policies to provide source address translation.
This example focuses on the policy-based routing configuration; configure the remaining items, such as NAT, according to the actual network.
Procedure
- Configure interface IP addresses and security zones to complete the basic network parameters.
[FW] interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[FW-GigabitEthernet1/0/1] quit
[FW] interface GigabitEthernet 1/0/3
[FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[FW-GigabitEthernet1/0/3] quit
[FW] interface GigabitEthernet 1/0/4
[FW-GigabitEthernet1/0/4] ip address 10.3.1.1 255.255.255.0
[FW-GigabitEthernet1/0/4] quit
[FW] interface GigabitEthernet 1/0/7
[FW-GigabitEthernet1/0/7] ip address 2.2.2.2 255.255.255.0
[FW-GigabitEthernet1/0/7] quit
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 1/0/3
[FW-zone-trust] add interface GigabitEthernet 1/0/4
[FW-zone-trust] quit
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 1/0/7
[FW-zone-untrust] quit
[FW] firewall zone name untrust1
[FW-zone-untrust1] set priority 10
[FW-zone-untrust1] add interface GigabitEthernet 1/0/1
[FW-zone-untrust1] quit
- Configure policy-based routing.
# Configure a policy-based route so that PCs in the student network access the Internet through interface GigabitEthernet 1/0/7 via the education network.
[FW] policy-based-route
[FW-policy-pbr] rule name policy_route_1
[FW-policy-pbr-rule-policy_route_1] ingress-interface GigabitEthernet 1/0/3
[FW-policy-pbr-rule-policy_route_1] source-address 10.3.0.0 24
[FW-policy-pbr-rule-policy_route_1] action pbr egress-interface GigabitEthernet 1/0/7 next-hop 2.2.2.254
[FW-policy-pbr-rule-policy_route_1] quit
# Configure a policy-based route so that PCs in the teacher network access the Internet directly through interface GigabitEthernet 1/0/1.
[FW-policy-pbr] rule name policy_route_2
[FW-policy-pbr-rule-policy_route_2] ingress-interface GigabitEthernet 1/0/4
[FW-policy-pbr-rule-policy_route_2] source-address 10.3.1.0 24
[FW-policy-pbr-rule-policy_route_2] action pbr egress-interface GigabitEthernet 1/0/1 next-hop 1.1.1.254
[FW-policy-pbr-rule-policy_route_2] quit
[FW-policy-pbr] quit
- Configure security policies.
# Configure a security policy that allows PCs in the student network to access the Internet.
[FW] security-policy
[FW-policy-security] rule name policy_sec_1
[FW-policy-security-rule-policy_sec_1] source-zone trust
[FW-policy-security-rule-policy_sec_1] destination-zone untrust
[FW-policy-security-rule-policy_sec_1] source-address 10.3.0.0 24
[FW-policy-security-rule-policy_sec_1] action permit
[FW-policy-security-rule-policy_sec_1] quit
# Configure a security policy that allows PCs in the teacher network to access the Internet.
[FW-policy-security] rule name policy_sec_2
[FW-policy-security-rule-policy_sec_2] source-zone trust
[FW-policy-security-rule-policy_sec_2] destination-zone untrust1
[FW-policy-security-rule-policy_sec_2] source-address 10.3.1.0 24
[FW-policy-security-rule-policy_sec_2] action permit
[FW-policy-security-rule-policy_sec_2] quit
[FW-policy-security] quit
- Configure a NAT policy that translates addresses when PCs in the student network access the Internet.
# Configure the address pool.
[FW] nat address-group address_1
[FW-address-group-address_1] section 0 2.2.2.10 2.2.2.15
[FW-address-group-address_1] quit
# Configure the NAT policy.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_1
[FW-policy-nat-rule-policy_nat_1] source-zone trust
[FW-policy-nat-rule-policy_nat_1] destination-zone untrust
[FW-policy-nat-rule-policy_nat_1] source-address 10.3.0.0 24
[FW-policy-nat-rule-policy_nat_1] action source-nat address-group address_1
[FW-policy-nat-rule-policy_nat_1] quit
[FW-policy-nat] quit
- Configure a NAT policy that translates addresses when PCs in the teacher network access the Internet.
# Configure the address pool.
[FW] nat address-group address_2
[FW-address-group-address_2] section 0 1.1.1.10 1.1.1.15
[FW-address-group-address_2] quit
# Configure the NAT policy.
[FW] nat-policy
[FW-policy-nat] rule name policy_nat_2
[FW-policy-nat-rule-policy_nat_2] source-zone trust
[FW-policy-nat-rule-policy_nat_2] destination-zone untrust1
[FW-policy-nat-rule-policy_nat_2] source-address 10.3.1.0 24
[FW-policy-nat-rule-policy_nat_2] action source-nat address-group address_2
[FW-policy-nat-rule-policy_nat_2] quit
[FW-policy-nat] quit
Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet1/0/4
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/7
#
firewall zone name untrust1
set priority 10
add interface GigabitEthernet1/0/1
#
nat address-group address_1
section 0 2.2.2.10 2.2.2.15
nat address-group address_2
section 0 1.1.1.10 1.1.1.15
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
rule name policy_sec_2
source-zone trust
destination-zone untrust1
source-address 10.3.1.0 24
action permit
#
policy-based-route
rule name policy_route_1
ingress-interface GigabitEthernet1/0/3
source-address 10.3.0.0 24
action pbr egress-interface GigabitEthernet1/0/7 next-hop 2.2.2.254
rule name policy_route_2
ingress-interface GigabitEthernet1/0/4
source-address 10.3.1.0 24
action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.254
#
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action source-nat address-group address_1
rule name policy_nat_2
source-zone trust
destination-zone untrust1
source-address 10.3.1.0 24
action source-nat address-group address_2
#
return
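The design only works if the three rule sets agree with each other: the policy-based route must send each network to the link whose zone its security policy permits, and the NAT pool and next hop must sit on that same link or the ISP cannot return the replies. The following is an added example, not part of the original page and not a Huawei tool. It parses the configuration script above (embedded in abridged form; the parser also accepts the full script) and follows one packet from each network through the firewall in the order the design relies on: the PBR rule picks the egress interface, the egress interface's zone fixes the zone pair, and the zone pair plus source prefix select the security and NAT rules. That ordering, first-match rule semantics, and the sample PC addresses 10.3.0.20 and 10.3.1.20 are assumptions of this example; the routing-table fallback for packets that match no PBR rule is not modelled.

```python
import ipaddress

# Abridged copy of the page's configuration script: the stanzas the checks below
# never read ("#" separators, zone priorities, inside-interface addresses) are omitted.
CONFIG = """interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
firewall zone trust
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
firewall zone untrust
add interface GigabitEthernet1/0/7
firewall zone name untrust1
add interface GigabitEthernet1/0/1
nat address-group address_1
section 0 2.2.2.10 2.2.2.15
nat address-group address_2
section 0 1.1.1.10 1.1.1.15
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
rule name policy_sec_2
source-zone trust
destination-zone untrust1
source-address 10.3.1.0 24
action permit
policy-based-route
rule name policy_route_1
ingress-interface GigabitEthernet1/0/3
source-address 10.3.0.0 24
action pbr egress-interface GigabitEthernet1/0/7 next-hop 2.2.2.254
rule name policy_route_2
ingress-interface GigabitEthernet1/0/4
source-address 10.3.1.0 24
action pbr egress-interface GigabitEthernet1/0/1 next-hop 1.1.1.254
nat-policy
rule name policy_nat_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action source-nat address-group address_1
rule name policy_nat_2
source-zone trust
destination-zone untrust1
source-address 10.3.1.0 24
action source-nat address-group address_2"""


def parse_config(text):
    """Interface zones and networks, NAT pools, and the three rule lists keyed by their CLI view."""
    cfg = {"zone": {}, "network": {}, "pools": {}, "security-policy": [], "policy-based-route": [], "nat-policy": []}
    view = cur = None
    for p in map(str.split, text.splitlines()):
        if not p or p[0] in ("#", "set", "return"):  # separators, zone priorities and the final return are not needed
            continue
        key = p[0]
        if key == "interface":  # interface X: following "ip address" belongs to X
            cur = p[1]
        elif key == "ip":  # ip address A MASK
            cfg["network"][cur] = ipaddress.ip_interface(f"{p[2]}/{p[3]}").network
        elif key == "firewall":  # firewall zone trust | firewall zone name untrust1
            cur = p[-1]
        elif key == "add":  # add interface X binds X to the zone named on the preceding line
            cfg["zone"][p[2]] = cur
        elif key == "nat":  # nat address-group NAME
            cur = cfg["pools"].setdefault(p[2], [])
        elif key == "section":  # section 0 FIRST LAST
            cur.append((ipaddress.ip_address(p[2]), ipaddress.ip_address(p[3])))
        elif key in cfg:  # enters the security-policy, policy-based-route or nat-policy view
            view = key
        elif key == "rule":  # rule name NAME starts a new rule in the current view
            cfg[view].append(cur := {"name": p[2]})
        elif key == "source-address":  # source-address NET PREFIXLEN
            cur["source"] = ipaddress.ip_network(f"{p[1]}/{p[2]}")
        else:  # source-zone, destination-zone, ingress-interface, action: single value as str, longer as list
            cur[key] = p[1] if len(p) == 2 else p[1:]
    return cfg


def trace(cfg, ingress, src):
    """Follow one packet: the PBR rule picks the egress link, the resulting zone pair picks security and NAT rules."""
    src = ipaddress.ip_address(src)
    pbr = next((r for r in cfg["policy-based-route"] if r["ingress-interface"] == ingress and src in r["source"]), None)
    if pbr is None:  # no PBR match: forwarding falls back to the routing table, which is not modelled here
        return {"pbr": None}
    egress, link = pbr["action"][2], cfg["network"][pbr["action"][2]]  # action pbr egress-interface X next-hop NH
    pair = (cfg["zone"][ingress], cfg["zone"][egress])
    def hit(view):  # first rule in the view whose zone pair and source prefix match
        return next((r for r in cfg[view] if (r["source-zone"], r["destination-zone"]) == pair and src in r["source"]), None)
    sec, nat = hit("security-policy"), hit("nat-policy")
    pool = cfg["pools"][nat["action"][2]] if nat else []  # action source-nat address-group G
    return {"pbr": pbr["name"], "egress": egress, "zones": pair,
            "permitted": bool(sec) and sec["action"] == "permit",  # no matching rule: the default policy applies
            "nat": nat["name"] if nat else None,
            # pool and next hop must sit on the egress link, otherwise the ISP cannot route replies back
            "pool_on_link": bool(pool) and all(a in link and b in link for a, b in pool),
            "next_hop_on_link": ipaddress.ip_address(pbr["action"][4]) in link}
```

Running `trace(parse_config(CONFIG), "GigabitEthernet1/0/3", "10.3.0.20")` reports policy_route_1, egress GigabitEthernet1/0/7, the zone pair (trust, untrust), a permit from policy_sec_1, NAT by policy_nat_1, and both link checks true; the teacher-network PC on GigabitEthernet1/0/4 maps the same way onto untrust1, policy_sec_2 and policy_nat_2. A third call with a student-network address arriving on GigabitEthernet1/0/4 matches no PBR rule, because each rule keys on the ingress interface as well as the source prefix, so a host cannot steer itself onto the other ISP's link simply by using an address from the other network. Each security policy is likewise scoped to one zone pair and one source prefix, so neither rule permits student traffic towards untrust1 or teacher traffic towards untrust.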
Copyright notice:
Author: SE_YT
Link: https://www.cnesa.cn/9293.html
The copyright of this article belongs to the author. Do not reproduce it without permission.
