ASA dual-link SLA configuration test

Source: Internet
Author: User

I. Overview:

In practice it is common for an ASA to terminate two ISP lines, for example China Telecom and China Netcom, without the budget for a dedicated load-balancing device, while load sharing and automatic link failover are still wanted. The goal is: traffic to China Telecom destinations leaves on the Telecom line, traffic to China Netcom destinations leaves on the Netcom line, sessions that arrive on one line are answered on that same line, and when one line fails no traffic is ever sent over the failed line.

II. Basic idea:

A. OSPF is used to simulate the carrier networks, mainly to avoid adding routes by hand.

B. Point the default route at the Telecom line, tracked against the Telecom gateway, and add a high-metric (floating) default route via the Netcom line:

-- Traffic to Telecom destinations uses the Telecom line (this works together with the manually configured Netcom static routes in C).

-- When the Telecom link fails, traffic goes out the Netcom line.

C. Add static routes for the Netcom address space via the Netcom line, tracked against the Netcom gateway:

-- Traffic to Netcom destinations goes out the Netcom line.

-- When the Netcom link fails, those routes are withdrawn and traffic falls back to the Telecom default route.

D. For static NAT, in a real deployment a public address is reachable only while its own ISP line is up.

E. In the test environment both static NAT addresses stay reachable even while one line is down. This is done as follows:

- Configure both static NAT addresses on each of the two ASA outside interfaces.

- Each of the two ISP routers attached to the ASA advertises the NAT range that belongs to the other ISP, with an OSPF metric higher than the default.

III. Test topology:

[Figure: test topology (image: http://blog.donews.com/icystar/files/2013/07/201307130406009425.jpg)]

IV. Basic configuration:
A. R1:
① Interface configuration:
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface Loopback61
 ip address 61.1.3.1 255.255.255.0
 ip ospf network point-to-point
interface Loopback202
 ip address 202.100.3.1 255.255.255.0
 ip ospf network point-to-point
interface FastEthernet0/0
 ip address 202.100.2.1 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 61.1.2.1 255.255.255.0
 no shut
② Route configuration:
router ospf 1
 router-id 1.1.1.1
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 network 61.1.2.1 0.0.0.0 area 0
 network 61.1.3.1 0.0.0.0 area 0
 network 202.100.2.1 0.0.0.0 area 0
 network 202.100.3.1 0.0.0.0 area 0
B. R2:
① Interface configuration:
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
 ip address 202.100.1.2 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 202.100.2.2 255.255.255.0
 no shut
interface FastEthernet1/0
 ip address 23.1.1.1 255.255.255.252
 no shut
② Route configuration:
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 23.1.1.1 0.0.0.0 area 0
 network 202.100.1.2 0.0.0.0 area 0
 network 202.100.2.2 0.0.0.0 area 0
C. R3:
① Interface configuration:
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface FastEthernet0/0
 ip address 61.1.1.3 255.255.255.0
 no shut
interface FastEthernet0/1
 ip address 61.1.2.3 255.255.255.0
 no shut
interface FastEthernet1/0
 ip address 23.1.1.2 255.255.255.252
 no shut
② Route configuration:
router ospf 1
 router-id 3.3.3.3
 passive-interface default
 no passive-interface FastEthernet0/1
 no passive-interface FastEthernet1/0
 network 23.1.1.2 0.0.0.0 area 0
 network 61.1.1.3 0.0.0.0 area 0
 network 61.1.2.3 0.0.0.0 area 0
D. ASA842:
① Interface configuration:
interface GigabitEthernet0
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface GigabitEthernet2
 nameif Backup
 security-level 0
 ip address 61.1.1.10 255.255.255.0
 no shut
② Dynamic PAT configuration for the two lines:
object network inside_net
 subnet 0.0.0.0 0.0.0.0
object network inside_any
 subnet 0.0.0.0 0.0.0.0
object network inside_net
 nat (Inside,Outside) dynamic interface
object network inside_any
 nat (Inside,Backup) dynamic interface
③ Static NAT configuration for the two lines:
object network Inside_host_outside
 host 10.1.1.4
object network Inside_host_backup
 host 10.1.1.4
object network Outside-to-backup
 host 10.1.1.4
object network Backup-to-outside
 host 10.1.1.4
object network Inside_host_outside
 nat (Inside,Outside) static 202.100.1.4
object network Inside_host_backup
 nat (Inside,Backup) static 61.1.1.4
object network Outside-to-backup
 nat (Inside,Outside) static 61.1.1.4
object network Backup-to-outside
 nat (Inside,Backup) static 202.100.1.4
-- Both public addresses are translated on each line, so that either static NAT address stays reachable when one ISP line fails.
④ Firewall policy configuration:

class-map ALL_IP
 match any
policy-map global_policy
 class inspection_default
  inspect icmp
 class ALL_IP
  set connection decrement-ttl
service-policy global_policy global
access-list outside extended permit icmp any any
access-list outside extended permit udp any any range 33434 33523
access-list outside extended permit tcp any object Inside_host_outside eq telnet
access-group outside in interface Outside
access-group outside in interface Backup
-- The icmp and udp 33434-33523 permits exist only so that traceroute from the carrier side works through the ASA in this lab; do not carry them into a production policy. set connection decrement-ttl is what makes the ASA itself appear as a hop in the traceroutes below. Note that on ASA 8.3+ the access-list matches the real (untranslated) address, which is why the telnet rule references the 10.1.1.4 object rather than a public address.

E. R4:
① Interface configuration:
interface Loopback0
 ip address 192.168.1.4 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.4 255.255.255.0
 no shut
② Route configuration:
ip route 0.0.0.0 0.0.0.0 10.1.1.10
③ Telnet configuration:
line vty 0 4
 password cisco
 login
V. ASA842 SLA and route configuration:
① SLA configuration:
sla monitor 1
 type echo protocol ipIcmpEcho 202.100.1.2 interface Outside
 frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 61.1.1.3 interface Backup
 frequency 10
sla monitor schedule 2 life forever start-time now
-- Both probes target the directly attached ISP gateway, so only a failure of the local link or of that gateway pulls the track down; an outage further inside the carrier leaves the track up and the route installed. Probe an address beyond the gateway if that case matters.
② Track configuration:
track 1 rtr 1 reachability
track 2 rtr 2 reachability
③ Static route configuration:
route Outside 0 0 202.100.1.2 1 track 1
route Backup 0 0 61.1.1.3 254
-- The default route points at the Telecom line. When track 1 goes down the route is withdrawn and the floating default (administrative distance 254) via the Netcom line takes over automatically.
route Backup 61.1.2.0 255.255.255.0 61.1.1.3 1 track 2
route Backup 61.1.3.0 255.255.255.0 61.1.1.3 1 track 2
-- While the Netcom line is up, traffic to the Netcom networks uses the Netcom line. Otherwise these routes are withdrawn and the traffic follows the Telecom default route.
route Inside 192.168.1.0 255.255.255.0 10.1.1.4 1
-- Route to R4's loopback network.
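To make the interaction between tracked routes, administrative distance and longest-prefix match concrete, the following Python model replays the route table above under the link states exercised in the test section. It is an added example, not configuration from the original page: the track states are supplied as plain booleans instead of real SLA probes, and the interface, prefix, next-hop and distance values are copied from the route statements in this section.

```python
"""Model of the ASA static routing table from section V (added example, not the
page's own configuration). Administrative distance and 'track' objects follow the
ASA 'route' command; SLA probe results are supplied as booleans so the scenarios
from the test section can be replayed offline."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    gateway: str
    distance: int = 1             # administrative distance (ASA 'route ... <metric>')
    track: Optional[int] = None   # track object gating the route; None = always installed


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# 'route' statements from section V (Outside = Telecom, Backup = Netcom).
STATIC_ROUTES: List[Route] = [
    Route("Outside", net("0.0.0.0/0"),      "202.100.1.2", 1,   track=1),
    Route("Backup",  net("0.0.0.0/0"),      "61.1.1.3",    254),            # floating default
    Route("Backup",  net("61.1.2.0/24"),    "61.1.1.3",    1,   track=2),
    Route("Backup",  net("61.1.3.0/24"),    "61.1.1.3",    1,   track=2),
    Route("Inside",  net("192.168.1.0/24"), "10.1.1.4",    1),
]

# Directly connected networks of the ASA's three interfaces (AD 0, never tracked).
CONNECTED: List[Route] = [
    Route("Inside",  net("10.1.1.0/24"),    "connected", 0),
    Route("Outside", net("202.100.1.0/24"), "connected", 0),
    Route("Backup",  net("61.1.1.0/24"),    "connected", 0),
]


def installed_routes(track_up: Dict[int, bool]) -> List[Route]:
    """Routes that make it into the RIB for a given set of track states.

    A tracked route is withdrawn while its track is down. When several routes
    remain for the same prefix, only the lowest administrative distance is kept,
    which is what lets the AD-254 default on Backup 'float' in behind the
    AD-1 default on Outside."""
    best: Dict[ipaddress.IPv4Network, Route] = {}
    for r in CONNECTED + STATIC_ROUTES:
        if r.track is not None and not track_up.get(r.track, True):
            continue
        cur = best.get(r.prefix)
        if cur is None or r.distance < cur.distance:
            best[r.prefix] = r
    return list(best.values())


def lookup(dst: str, track_up: Dict[int, bool]) -> Tuple[str, str]:
    """Longest-prefix match over the installed routes: (egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in installed_routes(track_up) if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    return best.iface, best.gateway


# The three states exercised in the page's test section, plus the case the page
# does not test: both gateways unreachable.
BOTH_UP      = {1: True,  2: True}
TELECOM_DOWN = {1: False, 2: True}
NETCOM_DOWN  = {1: True,  2: False}
BOTH_DOWN    = {1: False, 2: False}


if __name__ == "__main__":
    for name, state in [("both up", BOTH_UP), ("Telecom down", TELECOM_DOWN),
                        ("Netcom down", NETCOM_DOWN), ("both down", BOTH_DOWN)]:
        for dst in ("202.100.3.1", "61.1.3.1", "192.168.1.1"):
            print(f"{name:13s} {dst:12s} -> {lookup(dst, state)}")
```

Running it reproduces the paths seen in the test section: with both tracks up, 202.100.3.1 leaves via Outside/202.100.1.2 and 61.1.3.1 via Backup/61.1.1.3; with track 1 down everything leaves via Backup; with track 2 down everything leaves via Outside. The fourth state is worth noting: the AD-254 default on Backup has no track of its own, so with both gateways dead it is still installed and all traffic is sent to 61.1.1.3. That is the intended last resort here, but it is not a signal that the Netcom line is healthy.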
VI. Static NAT:
-- For both static NAT addresses to remain reachable when one of the two lines fails, two things are needed:
A. Two static NAT entries per line
-- Configured above.
B. Each ISP router attached to the ASA advertises the NAT range belonging to the other ISP, with an OSPF metric higher than the default.
-- In a real environment this is essentially impossible: neither ISP will do this for a customer unless the price is right.
-- In the test environment it can still be played with.
① R2 router:
ip route 61.1.1.0 255.255.255.0 202.100.1.10 254 tag 10
route-map ASA842 permit 10
 match tag 10
router ospf 1
 redistribute static metric 130 subnets route-map ASA842
② R3 router:
ip route 202.100.1.0 255.255.255.0 61.1.1.10 254 tag 10
route-map ASA842 permit 10
 match tag 10
router ospf 1
 redistribute static metric 130 subnets route-map ASA842

VII. Test results:

A. Both lines normal:

R4# traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 202.100.1.2 160 msec 56 msec
  2 202.100.2.1 36 msec * 24 msec
R4# traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 61.1.1.3 366 msec 8 msec 0 msec
  2 61.1.2.1 112 msec * 68 msec
-- Traffic to Telecom goes through the Telecom line (R2, 202.100.1.2) and traffic to Netcom goes through the Netcom line (R3, 61.1.1.3).

R1# traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 32 msec 56 msec 20 msec
  2 202.100.1.10 40 msec * 24 msec
  3 202.100.1.4 80 msec * 16 msec
R1# traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 140 msec 180 msec 80 msec
  2 202.100.1.10 64 msec * 88 msec
  3 202.100.1.4 140 msec * 84 msec
R1# traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 366 msec 32 msec 0 msec
  2 61.1.1.10 0 msec * 4 msec
  3 61.1.1.4 208 msec * 128 msec
R1# traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 8 msec 120 msec 192 msec
  2 61.1.1.10 0 msec * 20 msec
  3 61.1.1.4 2 msec * 204 msec
-- Both static NAT addresses are reachable; the Telecom address is reached through the Telecom interface and the Netcom address through the Netcom interface.

B. Telecom line failed:

R4# traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 10.1.1.10 188 msec * 28 msec
  2 61.1.1.3 44 msec 0 msec 0 msec
  3 61.1.2.1 108 msec * 84 msec
R4# traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 10.1.1.10 0 msec * 20 msec
  2 61.1.1.3 100 msec 32 msec 0 msec
  3 61.1.2.1 108 msec * 72 msec
-- All traffic, to Telecom and to Netcom destinations, goes through the Netcom line.
R1# traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 61.1.2.3 4 msec 184 msec 52 msec
  2 61.1.1.10 0 msec * 0 msec
  3 202.100.1.4 2 msec * 12 msec
R1# traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 61.1.2.3 36 msec 4 msec 16 msec
  2 61.1.1.10 200 msec * 16 msec
  3 202.100.1.4 184 msec * 148 msec
R1# traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 48 msec 0 msec 0 msec
  2 61.1.1.10 0 msec * 32 msec
  3 61.1.1.4 148 msec * 180 msec
R1# traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 61.1.2.3 76 msec 52 msec 0 msec
  2 61.1.1.10 0 msec * 16 msec
  3 61.1.1.4 2 msec * 112 msec
-- Both static NAT addresses remain reachable from Telecom users and from Netcom users, now entirely through the Netcom line (the ASA is entered via 61.1.1.10 in every case).

C. Netcom line failed:

R4# traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
  1 10.1.1.10 0 msec * 28 msec
  2 202.100.1.2 108 msec 72 msec 84 msec
  3 202.100.2.1 88 msec * 128 msec
R4# traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
  1 10.1.1.10 0 msec * 76 msec
  2 202.100.1.2 0 msec 96 msec 24 msec
  3 202.100.2.1 248 msec * 76 msec
-- Traffic to Telecom and to Netcom destinations all goes through the Telecom line.
R1# traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 4 msec 156 msec 76 msec
  2 * 202.100.1.10 40 msec *
  3 202.100.1.4 68 msec * 24 msec
R1# traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
  1 202.100.2.2 92 msec 60 msec 124 msec
  2 202.100.1.10 0 msec * 36 msec
  3 202.100.1.4 2 msec * 60 msec
R1# traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 202.100.2.2 32 msec 136 msec
  2 202.100.1.10 80 msec * 56 msec
  3 61.1.1.4 120 msec * 120 msec
R1# traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
  1 202.100.2.2 4 msec 140 msec
  2 202.100.1.10 64 msec * 64 msec
  3 61.1.1.4 6 msec * 80 msec
-- Both static NAT addresses remain reachable from Telecom users and from Netcom users, now entirely through the Telecom line (the ASA is entered via 202.100.1.10 in every case).
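The traceroutes above are read by eye. The following Python check is an added example, not part of the original test: it parses IOS-style traceroute output, picks out the first carrier-owned hop to determine which line the ASA forwarded on, and tests that against the policy stated in the overview (with both lines up, traffic to a carrier must leave on that carrier's line; with one line failed, nothing may leave on it). The carrier prefixes (Telecom 202.100.0.0/16, Netcom 61.1.0.0/16) and the two sample transcripts are assumptions constructed for the example from the lab topology.

```python
"""Checker for the traceroute-based verification in the test section (added
example; not part of the original page). Carrier prefixes are an assumption
taken from the lab topology: Telecom owns 202.100.0.0/16, Netcom 61.1.0.0/16."""
import ipaddress
import re
from typing import Dict, List, Optional

CARRIER_SPACE: Dict[str, List[ipaddress.IPv4Network]] = {
    "Telecom": [ipaddress.ip_network("202.100.0.0/16")],
    "Netcom":  [ipaddress.ip_network("61.1.0.0/16")],
}

# "  2  * 202.100.1.10 40 msec *" -> hop 2, address 202.100.1.10 (leading timeouts skipped)
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\*\s+)*(\d{1,3}(?:\.\d{1,3}){3})\b")
DEST_RE = re.compile(r"Tracing the route to (\d{1,3}(?:\.\d{1,3}){3})")


def parse_hops(output: str) -> List[str]:
    """Responding hop addresses in order; hops that never answered are omitted."""
    return [m.group(2) for m in map(HOP_RE.match, output.splitlines()) if m]


def carrier_of(addr: str) -> Optional[str]:
    a = ipaddress.ip_address(addr)
    for name, nets in CARRIER_SPACE.items():
        if any(a in n for n in nets):
            return name
    return None   # e.g. the ASA's inside address 10.1.1.10


def egress_line(output: str) -> Optional[str]:
    """Carrier of the first carrier-owned hop, i.e. the line the ASA forwarded on."""
    for hop in parse_hops(output):
        line = carrier_of(hop)
        if line:
            return line
    return None


def verify(output: str, failed_line: Optional[str] = None) -> bool:
    """Policy from the overview: with both lines up, traffic to a carrier leaves on
    that carrier's line; with one line failed, nothing may leave on it."""
    dest = DEST_RE.search(output)
    if dest is None:
        raise ValueError("not a traceroute transcript")
    egress = egress_line(output)
    if egress is None:
        return False                      # never reached a carrier hop
    if failed_line is not None:
        return egress != failed_line
    return egress == carrier_of(dest.group(1))


# Constructed transcripts modelled on the page's tests (timings are illustrative).
NORMAL_TO_TELECOM = """\
Type escape sequence to abort.
Tracing the route to 202.100.3.1

  1 10.1.1.10 4 msec * 4 msec
  2 202.100.1.2 16 msec 8 msec 8 msec
  3 202.100.2.1 36 msec * 24 msec
"""

TELECOM_DOWN_TO_TELECOM = """\
Type escape sequence to abort.
Tracing the route to 202.100.3.1

  1 10.1.1.10 188 msec * 28 msec
  2  * 61.1.1.3 44 msec 0 msec
  3 61.1.2.1 108 msec * 84 msec
"""

if __name__ == "__main__":
    print("normal:", egress_line(NORMAL_TO_TELECOM), verify(NORMAL_TO_TELECOM))
    print("telecom down:", egress_line(TELECOM_DOWN_TO_TELECOM),
          verify(TELECOM_DOWN_TO_TELECOM, failed_line="Telecom"))
```

Feed it the output of each traceroute from the failure scenario and call verify() with the line you pulled; any False means a packet still left on the failed line. Calling verify() without failed_line on the normal-state transcripts checks the symmetry requirement instead (Telecom destinations via Telecom, Netcom via Netcom).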
