[Daily Must-Learn] ASA Dynamic Routing Protocol Configuration
Author: 微思网络 Published: 2017-04-14
ASA Dynamic Routing Protocol Configuration
Software Version 7.2(3)
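(Routing protocol configuration on the ASA uses the same commands as on a router; EIGRP is supported starting with 8.0.)
Lab topology:
Lab objectives:
1. Configure the IP addresses of each device according to the topology, including the ASA interface names and security levels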
Configure R1:
int e0/0
 no sh
 ip address 202.100.1.1 255.255.255.0
int loo0
 ip add 1.1.1.1 255.255.255.0
Configure R2:
int e0/0
 no sh
 ip add 192.168.1.1 255.255.255.0
int loo0
 ip add 2.2.2.2 255.255.255.0
Configure R3:
int e0/0
 no sh
 ip add 10.1.1.1 255.255.255.0
int loo0
 ip add 3.3.3.3 255.255.255.0
Configure ASA:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no sh
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
 no sh
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.1.10 255.255.255.0
 no sh
2. Configure RIP on R2
IN.R2(config)#router rip
IN.R2(config-router)#version 2
IN.R2(config-router)#no auto-summary
IN.R2(config-router)#net 2.0.0.0
IN.R2(config-router)#net 192.168.1.0
3. Configure RIP on R3
DMZ.R3(config)#router rip
DMZ.R3(config-router)#version 2
DMZ.R3(config-router)#no auto-summary
DMZ.R3(config-router)#net 3.0.0.0
DMZ.R3(config-router)#net 10.0.0.0
4. Configure OSPF area 0 on R1
R1.OUT(config)#router ospf 1
R1.OUT(config-router)#network 1.1.1.1 0.0.0.0 area 0
R1.OUT(config-router)#network 202.100.1.1 0.0.0.0 area 0
5. On the ASA, configure E0/0 to run OSPF, E0/1 to run RIP version 2, and E0/2 to run RIP version 2
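router ospf 1
 network 202.100.1.10 255.255.255.255 area 0
Note: unlike on a router, the ASA takes a regular subnet mask here, not a wildcard mask.
router rip
 network 10.0.0.0
 network 192.168.1.0
 version 2
 no auto-summary
6. Configure route redistribution on the ASA so that all routes in the topology are reachable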
router ospf 1
redistribute rip subnets
router rip
redistribute ospf 1 metric 1
Check the routing table on each device
R1.OUT# show ip route ospf
2.0.0.0/24 is subnetted, 1 subnets
O E2 2.2.2.0 [110/20] via 202.100.1.10, 00:01:38, Ethernet0/0
3.0.0.0/24 is subnetted, 1 subnets
O E2 3.3.3.0 [110/20] via 202.100.1.10, 00:01:38, Ethernet0/0
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.1.1.0 [110/20] via 202.100.1.10, 00:01:38, Ethernet0/0
O E2 192.168.1.0/24 [110/20] via 202.100.1.10, 00:01:38, Ethernet0/0
R1.OUT#
IN.R2#show ip route rip
1.0.0.0/32 is subnetted, 1 subnets
R 1.1.1.1 [120/1] via 192.168.1.10, 00:00:19, Ethernet0/0
3.0.0.0/24 is subnetted, 1 subnets
R 3.3.3.0 [120/2] via 192.168.1.10, 00:00:19, Ethernet0/0
R 202.100.1.0/24 [120/1] via 192.168.1.10, 00:00:19, Ethernet0/0
10.0.0.0/24 is subnetted, 1 subnets
R 10.1.1.0 [120/1] via 192.168.1.10, 00:00:19, Ethernet0/0
IN.R2#
DMZ.R3#show ip route rip
1.0.0.0/32 is subnetted, 1 subnets
R 1.1.1.1 [120/1] via 10.1.1.10, 00:00:13, Ethernet0/0
2.0.0.0/24 is subnetted, 1 subnets
R 2.2.2.0 [120/2] via 10.1.1.10, 00:00:13, Ethernet0/0
R 202.100.1.0/24 [120/1] via 10.1.1.10, 00:00:13, Ethernet0/0
R 192.168.1.0/24 [120/1] via 10.1.1.10, 00:00:13, Ethernet0/0
DMZ.R3#
To view the OSPF neighbors on the ASA, use show ospf neighbor
ASA# show ospf neighbor
Neighbor ID     Pri   State      Dead Time   Address       Interface
1.1.1.1         1     FULL/DR    0:00:31     202.100.1.1   outside
To view the routes on the ASA, use show route
ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
O 1.1.1.1 255.255.255.255 [110/11] via 202.100.1.1, 0:03:07, outside
R 2.2.2.0 255.255.255.0 [120/1] via 192.168.1.1, 0:00:03, inside
R 3.3.3.0 255.255.255.0 [120/1] via 10.1.1.1, 0:00:24, dmz
C 202.100.1.0 255.255.255.0 is directly connected, outside
C 10.1.1.0 255.255.255.0 is directly connected, dmz
C 192.168.1.0 255.255.255.0 is directly connected, inside
ASA#
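The routing table above shows which prefixes the ASA learns on each interface. The following Python script is an added example, not part of the original article: it parses the ASA show route lines above (network plus dotted mask), converts them to prefixes, and lists the non-connected routes learned on an interface with a lower security level than a chosen one, using the security levels from step 1. The function and variable names are assumptions of this example.

```python
import ipaddress
import re

# Route lines copied from the "show route" output above.
SHOW_ROUTE = """\
O 1.1.1.1 255.255.255.255 [110/11] via 202.100.1.1, 0:03:07, outside
R 2.2.2.0 255.255.255.0 [120/1] via 192.168.1.1, 0:00:03, inside
R 3.3.3.0 255.255.255.0 [120/1] via 10.1.1.1, 0:00:24, dmz
C 202.100.1.0 255.255.255.0 is directly connected, outside
C 10.1.1.0 255.255.255.0 is directly connected, dmz
C 192.168.1.0 255.255.255.0 is directly connected, inside
"""

# Security levels assigned to the ASA interfaces in step 1.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

# ASA prints "<code> <network> <dotted mask> ..., <nameif>", not IOS prefix notation.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]+(?: (?:E1|E2|N1|N2|IA))?)\s+"
    r"(?P<net>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})\s+"
    r"(?:\[\d+/\d+\] via (?P<nh>[\d.]+)|is directly connected)"
    r".*,\s*(?P<ifc>\S+)$"
)

def parse_routes(text):
    """Parse ASA route lines into dicts; legend and prompt lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m is None:
            continue
        # ip_network() rejects non-contiguous masks and set host bits.
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}")
        routes.append({"code": m["code"], "net": net,
                       "next_hop": m["nh"], "ifc": m["ifc"]})
    return routes

def learned_below(routes, protected):
    """Non-connected, non-static routes learned on an interface less trusted than `protected`."""
    limit = SECURITY_LEVEL[protected]
    return [r for r in routes
            if r["code"][0] not in "CS" and SECURITY_LEVEL[r["ifc"]] < limit]

if __name__ == "__main__":
    for r in learned_below(parse_routes(SHOW_ROUTE), "inside"):
        print(f'{r["code"]:<4} {str(r["net"]):<16} via {r["next_hop"]} on {r["ifc"]}')
```

For the inside interface the result is 1.1.1.1/32 (outside) and 3.3.3.0/24 (dmz), the same two remote prefixes that appear in the RIP table of IN.R2 above.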
7. Verify that 1.1.1.1 can be pinged from In.R2 and from R3
To be able to ping 1.1.1.1 on the outside, inspect icmp is used here:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect ic
ASA(config-pmap-c)# inspect icmp
Test from In.R2 and Dmz.R3
IN.R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
IN.R2#
DMZ.R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
DMZ.R3#
DMZ.R3#