Dual WAN uplinks: different services are published into the internal network through port mappings on different WAN interfaces.
Link redundancy: when the primary line fails, outbound traffic switches to the second line.
Use show run to check the interface and VLAN layout. VLAN1 is the inside network; VLAN2 and VLAN3 are the two WAN-facing interfaces, both at security-level 0:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.3.100 255.255.252.0
!
interface Vlan3
 nameif outside1
 security-level 0
 ip address 172.16.19.2 255.255.255.0
Define two network objects. Both cover every inside address (0.0.0.0/0); two are needed because each WAN interface gets its own dynamic PAT rule and a network object can carry only one NAT statement:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_172
 subnet 0.0.0.0 0.0.0.0
The internal host to be published is 192.168.15.11, TCP/UDP port 3389 (RDP), mapped through both WAN interfaces:
OUTSIDE (0/0): interface IP 192.168.3.100, mapped IP 192.168.3.101
OUTSIDE1 (0/1): interface IP 172.16.19.2, mapped IP 172.16.19.13
The same host needs one network object per WAN interface (again, one NAT statement per object), plus a service object-group for port 3389 per mapped IP. The object names simply reuse the IP addresses:

object network 192.168.15.11
 host 192.168.15.11
object network 192.168.15.11-2
 host 192.168.15.11
object-group service 192.168.3.101
 service-object tcp-udp destination eq 3389
object-group service 172.16.19.13
 service-object tcp-udp destination eq 3389
Access control list rules. Since ASA 8.3 the interface ACL matches the real (untranslated) destination address, so the entries reference object 192.168.15.11 rather than the mapped IPs. The source is any, which exposes RDP to every address reachable over either WAN link; restrict it to the management addresses that actually need it wherever that is possible. The third list, permit ip any any, is applied later as a control-plane ACL:

access-list outside_access extended permit object-group 192.168.3.101 any object 192.168.15.11
access-list outside_access extended permit object-group 172.16.19.13 any object 192.168.15.11-2
access-list outside_access_in extended permit ip any any
NAT rules: dynamic PAT on each WAN interface address for general outbound traffic, and one static NAT per WAN interface for the published host. A static NAT without a port translates every port of 192.168.15.11 to the mapped IP; the interface ACL is what limits inbound access to 3389. The dns keyword rewrites DNS A-record replies that pass through that translation:

object network obj_any
 nat (inside,outside) dynamic interface
object network 192.168.15.11
 nat (inside,outside) static 192.168.3.101 dns
object network obj_172
 nat (inside,outside1) dynamic interface
object network 192.168.15.11-2
 nat (inside,outside1) static 172.16.19.13 dns
Apply the rules on the interfaces. The restrictive outside_access list governs through-traffic on both WAN interfaces. The control-plane list outside_access_in only permits ip any any, so it does not restrict to-the-box traffic and can be left out without changing behaviour:

access-group outside_access_in in interface outside control-plane
access-group outside_access in interface outside
access-group outside_access_in in interface outside1 control-plane
access-group outside_access in interface outside1
Default routes on both WAN interfaces; the primary default route is via OUTSIDE (0/0) with metric 1, and the route via OUTSIDE1 with metric 2 is a floating static that is only installed when the primary route disappears. A static route disappears only when the outside interface itself goes down; if the ISP gateway 192.168.1.254 stops forwarding while the link stays up, no failover happens. For real path monitoring, pair the primary route with sla monitor and track:

route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
route outside1 0.0.0.0 0.0.0.0 172.16.19.1 2
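Putting the steps together, here is the complete configuration as an added example (not from the original page), with two changes beyond what the page shows: the backup default route is tied to an IP SLA tracker so outbound traffic actually fails over to outside1 when the primary gateway stops answering, not only when the outside interface goes down, and the RDP source is restricted to a management prefix instead of any. The addresses and object names are the page's; the SLA/track IDs (10 and 1), the probe timers, the probe target 192.168.1.254, the rdp-admins group and its 203.0.113.0/24 prefix (RFC 5737 documentation space) are assumptions. The permit ip any any control-plane ACL is omitted because it restricts nothing.

```cisco
! Interfaces (as on the page)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.3.100 255.255.252.0
!
interface Vlan3
 nameif outside1
 security-level 0
 ip address 172.16.19.2 255.255.255.0
!
! One catch-all object per WAN so each gets its own dynamic PAT rule
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network obj_172
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside1) dynamic interface
!
! Published RDP host: one object per WAN, static NAT to that WAN's mapped IP
object network 192.168.15.11
 host 192.168.15.11
 nat (inside,outside) static 192.168.3.101 dns
object network 192.168.15.11-2
 host 192.168.15.11
 nat (inside,outside1) static 172.16.19.13 dns
!
object-group service 192.168.3.101
 service-object tcp-udp destination eq 3389
object-group service 172.16.19.13
 service-object tcp-udp destination eq 3389
!
! Assumption: management networks allowed to reach RDP (constructed,
! RFC 5737 documentation prefix). Replace with the real admin ranges.
! The page used "any" as the source here.
object-group network rdp-admins
 network-object 203.0.113.0 255.255.255.0
!
! Interface ACLs reference the real (pre-NAT) address (ASA 8.3 and later)
access-list outside_access extended permit object-group 192.168.3.101 object-group rdp-admins object 192.168.15.11
access-list outside_access extended permit object-group 172.16.19.13 object-group rdp-admins object 192.168.15.11-2
access-group outside_access in interface outside
access-group outside_access in interface outside1
!
! Probe the primary gateway every 10 s from the outside interface.
! Assumptions: SLA id 10, track id 1, timers. A target beyond the ISP
! edge (rather than only the next hop) also catches upstream failures.
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.1.254 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! The primary default route is withdrawn while track 1 is down; the
! floating route via outside1 (metric 254) is installed in its place
! and removed again when the probe recovers.
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1 track 1
route outside1 0.0.0.0 0.0.0.0 172.16.19.1 254
```

To confirm the behaviour, check show track 1 and show sla monitor operational-state after the probe has run, show route to see which default route is installed, and show nat to see hit counts on the four translations. An inbound flow can be simulated before exposing anything with packet-tracer input outside tcp 203.0.113.5 40000 192.168.3.101 3389, which walks the ACL, untranslation and route phases and reports where a packet would be dropped.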