Routing between two Internet lines on an ASA 5510

  • #1

    Dear all,

    I currently have an ASA 5510 using two Internet lines (FPT and VNPT).
    At the moment I have configured the FPT line to be preferred by metric. When the FPT line goes down, traffic automatically switches over to VNPT.
    My problem is that when the FPT line is healthy again, the ASA keeps using VNPT instead of returning to FPT as before.

    If any of you have experience with this, please share it with me.
    Thanks,
    Thắng - thangbeckham@yahoo.com

  • #2
    Can you post the ASA configuration here?
    CÔNG TY CỔ PHẦN THẾ GIỚI NĂNG LƯỢNG MỚI
    64 Huỳnh Khương An, phường 3, Tp. Vũng Tàu
    www.ennolite.com.vn



    • #3
      Have a look at the following configuration snippet:
      e.g.:
      outside_1 = WAN interface (VNPT)
      outside_2 = WAN interface (FPT)

      access-list ICMP extended permit icmp any any
      access-group ICMP in interface outside_1
      access-group ICMP in interface outside_2

      route outside_1 0.0.0.0 0.0.0.0 ip_nexthop_wan1 1 track 100
      route outside_2 0.0.0.0 0.0.0.0 ip_nexthop_wan2 10
      sla monitor 1
      type echo protocol ipIcmpEcho ip_dns_public interface outside_1
      sla monitor schedule 1 life forever start-time now
      track 100 rtr 1 reachability

      With this ICMP monitoring, when the primary line goes down the backup line becomes active; when the primary line comes back up, after about 3-5 s the primary line takes back the active role.
      Hugo

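The failover and failback behaviour described in the post above, as an added example that is not code from this thread or from Cisco: a small Python model of a tracked default route (`route ... 1 track 100`) next to a floating static route with a higher metric (`route ... 10`). Interface names, next-hop addresses and the probe history are constructed; the track object simply follows the latest ICMP probe result, so the real SLA timers (frequency, timeout, threshold) are not modelled. The same two routes are also evaluated without the `track` keyword, to show that a metric-only setup never withdraws the primary route by itself, which is why the route has to be tied to a track object for both failover and failback to work.

```python
"""Model of an ASA-style tracked default route with a floating backup.

Added example, not code from the forum thread or from Cisco.  Interface
names, next hops and the probe history are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    next_hop: str
    distance: int                    # the "metric" in the thread's wording
    track_id: Optional[int] = None   # installed only while this track is up


class Tracker:
    """Track object fed by an ICMP echo SLA probe (one probe per tick).

    Reachability follows the latest probe result, which is enough to show
    the install/withdraw behaviour; real SLA timers are ignored here.
    """

    def __init__(self, track_id: int) -> None:
        self.track_id = track_id
        self.up = False

    def probe(self, reply_received: bool) -> bool:
        self.up = reply_received
        return self.up


def select_default_route(routes: List[StaticRoute],
                         tracks: Dict[int, Tracker]) -> Optional[StaticRoute]:
    """Pick the installed default route with the lowest distance.

    A tracked route counts as installed only while its track object is up;
    an untracked route is always installed.
    """
    installed = [r for r in routes
                 if r.track_id is None or tracks[r.track_id].up]
    return min(installed, key=lambda r: r.distance, default=None)


def simulate(routes: List[StaticRoute], tracks: Dict[int, Tracker],
             probe_results: List[bool], track_id: int = 100) -> List[Optional[str]]:
    """Return the egress interface chosen after each probe result."""
    chosen = []
    for reply in probe_results:
        tracks[track_id].probe(reply)
        route = select_default_route(routes, tracks)
        chosen.append(route.interface if route else None)
    return chosen


# Constructed routes mirroring the snippet in the thread:
#   route outside_1 0.0.0.0 0.0.0.0 <wan1 next hop> 1 track 100
#   route outside_2 0.0.0.0 0.0.0.0 <wan2 next hop> 10
TRACKED_ROUTES = [
    StaticRoute("outside_1", "203.0.113.1", 1, track_id=100),   # primary, tracked
    StaticRoute("outside_2", "198.51.100.1", 10),               # floating backup
]

# Same two routes without "track 100": the primary is never withdrawn.
UNTRACKED_ROUTES = [
    StaticRoute("outside_1", "203.0.113.1", 1),
    StaticRoute("outside_2", "198.51.100.1", 10),
]

# Constructed probe history: primary healthy, down for two probes, then back.
PROBES = [True, True, False, False, True, True]


def run_tracked() -> List[Optional[str]]:
    return simulate(TRACKED_ROUTES, {100: Tracker(100)}, PROBES)


def run_untracked() -> List[Optional[str]]:
    return simulate(UNTRACKED_ROUTES, {100: Tracker(100)}, PROBES)


if __name__ == "__main__":
    print("tracked  :", run_tracked())
    print("untracked:", run_untracked())
```

In the tracked run the egress moves to outside_2 while the probe fails and returns to outside_1 as soon as the probe succeeds again, because the primary route is reinstalled and wins on distance. In the untracked run the primary route is never withdrawn, so a dead next hop on outside_1 is kept as long as the interface itself stays up. The model looks only at route selection: on an ASA, connections already built through the backup interface are not moved by the route change and stay there until they time out, so only new connections follow the primary route once it is back.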


      • #4
        Hi all,

        If the ASA were being configured from scratch there would be nothing to discuss, but the problem is that this device is already running and already configured. Please see the configuration file below. Thanks for your help.

        : Saved
        : Written by enable_15 at 02:32:19.785 UTC Wed Oct 14 2009
        !
        ASA Version 8.0(3)
        !
        hostname ciscoasa
        domain-name default.domain.invalid
        enable password 8Ry2YjIyt7RRXU24 encrypted
        names
        dns-guard
        !
        interface Ethernet0/0
        nameif OUTSIDE-MEGAVNN
        security-level 0
        pppoe client vpdn group MEGAVNN
        ip address pppoe setroute
        ospf cost 10
        !
        interface Ethernet0/1
        speed 100
        nameif OUTSIDE-FTTH
        security-level 0
        ip address dhcp setroute
        ospf cost 10
        !
        interface Ethernet0/2
        nameif TRUNK
        security-level 0
        no ip address
        ospf cost 10
        !
        interface Ethernet0/2.60
        vlan 60
        nameif DMZ
        security-level 50
        ip address 10.8.192.254 255.255.255.0
        ospf cost 10
        !
        interface Ethernet0/3
        nameif INSIDE
        security-level 100
        ip address 10.8.1.102 255.255.255.252
        ospf cost 10
        !
        interface Management0/0
        nameif quanly
        security-level 0
        ip address 9.9.9.9 255.255.255.0
        ospf cost 10
        !
        passwd 2KFQnbNIdI.2KYOU encrypted
        boot system disk0:/asa803-k8.bin
        ftp mode passive
        dns server-group DefaultDNS
        domain-name default.domain.invalid
        same-security-traffic permit inter-interface
        access-list INSIDE_access_in extended permit ip any any
        access-list INSIDE_access_in extended permit tcp any any eq pptp inactive
        access-list INSIDE_access_in extended permit tcp any any eq telnet inactive
        access-list OUTSIDE-MEGAVNN_access_in extended permit tcp any any eq ftp
        access-list OUTSIDE-MEGAVNN_access_in extended permit tcp any any eq ftp-data
        access-list OUTSIDE-MEGAVNN_access_in extended permit tcp any any eq ssh
        access-list OUTSIDE-MEGAVNN_access_in extended permit tcp any any eq pptp inactive
        access-list smevpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
        access-list INSIDE_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.8.195.0 255.255.255.0
        access-list INSIDE_nat0_outbound extended permit ip 10.8.1.100 255.255.255.252 10.8.13.160 255.255.255.224
        access-list INSIDE_nat0_outbound extended permit ip host 10.8.5.1 10.8.13.160 255.255.255.224
        access-list INSIDE_nat0_outbound extended permit ip any 10.8.13.160 255.255.255.224
        access-list INSIDE_nat0_outbound extended permit ip any 10.8.195.0 255.255.255.0
        access-list OUTSITE-FTTH_access_in extended permit tcp any any eq ftp
        access-list OUTSITE-FTTH_access_in extended permit tcp any any eq ftp-data
        access-list INSIDE_access_out extended permit ip any any
        access-list hcmoffice_splitTunnelAcl standard permit 10.8.1.100 255.255.255.252
        access-list hcmoffice_splitTunnelAcl standard permit host 10.8.5.1
        access-list hcmvpn_splitTunnelAcl standard permit any
        pager lines 24
        logging enable
        logging asdm informational
        mtu OUTSIDE-MEGAVNN 1500
        mtu OUTSIDE-FTTH 1500
        mtu TRUNK 1500
        mtu DMZ 1500
        mtu INSIDE 1500
        mtu quanly 1500
        ip local pool smevpnpool 10.8.195.1-10.8.195.254 mask 255.255.255.0
        ip local pool smevpnpool1 10.8.194.0-10.8.194.254 mask 255.255.255.0
        ip local pool vpnpool 10.8.13.175-10.8.13.180 mask 255.255.255.0
        no failover
        icmp unreachable rate-limit 1 burst-size 1
        asdm image disk0:/asdm-603.bin
        no asdm history enable
        arp timeout 14400
        global (OUTSIDE-MEGAVNN) 1 interface
        global (OUTSIDE-FTTH) 1 interface
        nat (INSIDE) 0 access-list INSIDE_nat0_outbound
        nat (INSIDE) 1 0.0.0.0 0.0.0.0
        static (INSIDE,OUTSIDE-MEGAVNN) tcp interface ftp 10.8.3.3 ftp netmask 255.255.255.255
        static (INSIDE,OUTSIDE-MEGAVNN) tcp interface ftp-data 10.8.3.3 ftp-data netmask 255.255.255.255
        static (INSIDE,OUTSIDE-MEGAVNN) tcp interface ssh 10.8.5.1 ssh netmask 255.255.255.255
        access-group OUTSIDE-MEGAVNN_access_in in interface OUTSIDE-MEGAVNN
        access-group OUTSITE-FTTH_access_in in interface OUTSIDE-FTTH
        access-group INSIDE_access_in in interface INSIDE
        access-group INSIDE_access_out out interface INSIDE
        !
        router rip
        network 10.0.0.0
        version 2
        !
        route OUTSIDE-FTTH 0.0.0.0 0.0.0.0 118.69.255.126 10
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
        timeout uauth 0:05:00 absolute
        dynamic-access-policy-record DfltAccessPolicy
        http server enable
        http 9.9.9.0 255.255.255.0 quanly
        http 10.0.0.0 255.0.0.0 INSIDE
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart
        crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
        crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
        crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
        crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
        crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
        crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
        crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
        crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
        crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
        crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
        crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
        crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
        crypto map OUTSIDE-MEGAVNN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
        crypto map OUTSIDE-MEGAVNN_map interface OUTSIDE-MEGAVNN
        crypto isakmp enable OUTSIDE-MEGAVNN
        crypto isakmp policy 10
        authentication pre-share
        encryption 3des
        hash sha
        group 2
        lifetime 86400
        telnet 10.0.0.0 255.0.0.0 INSIDE
        telnet 10.8.1.0 255.255.255.0 INSIDE
        telnet timeout 5
        ssh timeout 5
        console timeout 0
        vpdn group MEGAVNN request dialout pppoe
        vpdn group MEGAVNN localname namhuyen11
        vpdn group MEGAVNN ppp authentication pap
        vpdn username namhuyen11 password megavnn1
        vpdn username Sgfdl-070529-287 password vietnam
        vpdn username Sgfdl-070529-287 password doanhnghiep
        vpdn username Sgfdl-070529-287 password vietnam
        vpdn username Sgfdl-070529-287 password vietnam
        vpdn username Sgfdl-070529-287 password vietnam
        vpdn username Sgfdl-070529-287 password vietnam
        vpdn username Sgfdl-070529-287 password vietnam
        vpdn username Sgfdl-070529-287 password vietnam
        vpdn username sgfdl-070529-287 password vietnam
        vpdn username sgfdl-070529-287 password doanhnghiep
        vpdn username sgfdl-070529-287 password doanhnghiep
        dhcp-client client-id interface OUTSIDE-FTTH
        dhcpd address 9.9.9.10-9.9.9.11 quanly
        dhcpd option 3 ip 9.9.9.9 interface quanly
        dhcpd enable quanly
        !
        no threat-detection basic-threat
        threat-detection statistics access-list
        webvpn
        enable OUTSIDE-MEGAVNN
        enable OUTSIDE-FTTH
        group-policy DfltGrpPolicy attributes
        vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
        group-policy HCMvpn internal
        group-policy HCMvpn attributes
        wins-server value 10.8.4.1 10.4.4.1
        dns-server value 10.8.4.1 10.4.4.1
        vpn-tunnel-protocol IPSec l2tp-ipsec
        default-domain value smesc.vn
        group-policy hcmvpn internal
        group-policy hcmvpn attributes
        vpn-tunnel-protocol IPSec l2tp-ipsec svc
        split-tunnel-policy tunnelspecified
        split-tunnel-network-list value hcmvpn_splitTunnelAcl
        group-policy hcmoffice internal
        group-policy hcmoffice attributes
        vpn-tunnel-protocol IPSec l2tp-ipsec
        split-tunnel-policy tunnelspecified
        split-tunnel-network-list value hcmoffice_splitTunnelAcl
        default-domain value xxxxxxxxxxxxxsc.vn
        group-policy xxxxvpn internal
        group-policy xxxxvpn attributes
        vpn-tunnel-protocol IPSec
        split-tunnel-policy tunnelspecified
        split-tunnel-network-list value xxxxxxxxxx_splitTunnelAcl
        username xxxxxxxxx password QS95twohVrKyTqXu encrypted privilege 0
        username xxxxxxxxx attributes
        vpn-group-policy hcmoffice
        username xxxxxxxxxx password GZDW.e8jkwo4mHrW encrypted privilege 0
        username xxxxxxxxx attributes
        vpn-group-policy smevpn
        tunnel-group hcmvpn type remote-access
        tunnel-group hcmvpn general-attributes
        address-pool xxxxxxxxx
        default-group-policy hcmvpn
        tunnel-group xxxxxxx ipsec-attributes
        pre-shared-key xxxxxxx
        tunnel-group xxxxxxxxxxxxx type remote-access
        tunnel-group xxxxxxxxxxxxx general-attributes
        address-pool xxxxxxxxx
        default-group-policy hcmvpn
        tunnel-group xxxxxxxxxxxxx ipsec-attributes
        pre-shared-key xxxxxx
        !
        class-map inspection_default
        match default-inspection-traffic
        !
        !
        policy-map global_policy
        class inspection_default
        inspect ftp
        inspect icmp
        inspect pptp
        !
        service-policy global_policy global
        prompt hostname context
        Cryptochecksum:94c5828a7a218bd07e099e677e7504cc
        : end
