
Configure policy-based routing by destination protocol on a Cisco ASA

TigerDao

Administrator
Staff member
The Cisco ASA firewall is connected to two ISPs as shown in the diagram below:
(diagram image)


The requirement is to route web traffic (HTTP on port 80 and HTTPS on port 443) through ISP01 and all other Internet traffic through ISP02.

Configuration

Step 1


First let’s configure the interfaces:

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/1
nameif ISP01
security-level 0
ip address 103.255.180.2 255.255.255.252

interface GigabitEthernet0/2
nameif ISP02
security-level 0
ip address 221.135.1.2 255.255.255.252

Step 2


Create an Access Control List (ACL) that matches the traffic we want the PBR policy to handle.

object-group service WEB-ports tcp
port-object eq 443
port-object eq 80


access-list PBR_ACL extended permit tcp 192.168.10.0 255.255.255.0 any object-group WEB-ports

The above ACL matches traffic from the internal network (192.168.10.0/24) with destination ports 80 and 443.

Step 3

Just like PBR on IOS routers, we need to create a route-map that matches the traffic in the ACL created above and then applies a routing policy to that traffic.

In this case, we will apply a next-hop IP to this traffic flow so that packets will be routed through ISP01 (103.255.180.1).

route-map PBR permit 2
match ip address PBR_ACL
set ip next-hop 103.255.180.1

Step 4

Apply the PBR policy to the ingress interface on which you want to enforce this routing policy. Here that is the “inside” interface (Gig0/0) facing the internal network.

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
policy-route route-map PBR

Step 5

We need to configure NAT and also configure appropriate default routes.

nat (inside,ISP01) 1 source dynamic any interface
nat (inside,ISP02) 2 source dynamic any interface


The NAT rules above are dynamic PAT (Port Address Translation) using the address of the corresponding outbound ASA interface, for traffic from “inside” to “ISP01” and from “inside” to “ISP02”.

route ISP01 0.0.0.0 0.0.0.0 103.255.180.1 50
route ISP02 0.0.0.0 0.0.0.0 221.135.1.1

The default routes above send normal traffic through ISP02 (its route keeps the default administrative distance of 1, compared with 50 for the ISP01 default route). Traffic that matches the PBR policy (ports 80 and 443), however, goes through ISP01, because PBR is evaluated before the routing table.
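To see how the ASA decides the egress for a flow under this configuration, here is an added Python model (not Cisco code and not part of the original post) that replays the ACL, route-map and default-route decisions from Steps 1 to 5 for a packet entering the inside interface; the interface subnets come from Step 1 and the sample flows are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the configuration in this thread (not Cisco code).
INTERFACES = {"ISP01": ip_network("103.255.180.0/30"),   # 103.255.180.2/30
              "ISP02": ip_network("221.135.1.0/30")}      # 221.135.1.2/30
WEB_PORTS = {80, 443}                                     # object-group service WEB-ports tcp
PBR_ACL = [{"proto": "tcp", "src": ip_network("192.168.10.0/24"),
            "dst": ip_network("0.0.0.0/0"), "dports": WEB_PORTS}]
ROUTE_MAP = [{"match_acl": PBR_ACL, "next_hop": "103.255.180.1"}]  # route-map PBR permit 2
STATIC_ROUTES = [                                         # route <ifc> 0.0.0.0 0.0.0.0 <gw> [AD]
    {"prefix": ip_network("0.0.0.0/0"), "gw": "103.255.180.1", "ad": 50},
    {"prefix": ip_network("0.0.0.0/0"), "gw": "221.135.1.1", "ad": 1},
]
NAT_IFC = {"ISP01": "103.255.180.2", "ISP02": "221.135.1.2"}  # nat (inside,X) ... interface

def acl_permits(acl, proto, src, dst, dport):
    """True if any ACE in the ACL permits this 5-tuple (source port is not checked)."""
    return any(e["proto"] == proto and src in e["src"] and dst in e["dst"]
               and dport in e["dports"] for e in acl)

def ifc_for(next_hop):
    """Resolve a next-hop address to the connected interface that reaches it."""
    return next(n for n, net in INTERFACES.items() if ip_address(next_hop) in net)

def route_lookup(dst):
    """Longest prefix match first, then lowest administrative distance."""
    cands = [r for r in STATIC_ROUTES if dst in r["prefix"]]
    return min(cands, key=lambda r: (-r["prefix"].prefixlen, r["ad"]))

def egress(proto, src, dst, dport):
    """Mimic packet-tracer for a flow entering 'inside': the route-map is
    consulted before the routing table, so an ACL hit overrides the default
    route. Returns (egress interface, next hop, PAT source address)."""
    src, dst = ip_address(src), ip_address(dst)
    for clause in ROUTE_MAP:
        if acl_permits(clause["match_acl"], proto, src, dst, dport):
            ifc = ifc_for(clause["next_hop"])
            return ifc, clause["next_hop"], NAT_IFC[ifc]
    r = route_lookup(dst)
    ifc = ifc_for(r["gw"])
    return ifc, r["gw"], NAT_IFC[ifc]

if __name__ == "__main__":
    print(egress("tcp", "192.168.10.25", "198.51.100.10", 443))  # HTTPS -> ISP01
    print(egress("udp", "192.168.10.25", "198.51.100.10", 53))   # DNS  -> ISP02
```

A flow from a source outside 192.168.10.0/24 misses the ACL even on port 80, which is the same check the ACL's source field enforces on the real ASA.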

Verification

Now let’s look at some verification commands for the configuration we just completed:

– show route-map shows a summary of the route map (which ACL it matches and which next-hop IP the policy sets).

– packet-tracer simulates an HTTPS connection and shows it going out through ISP01.

– show run | include nat lists the NAT rules.

– show run | include route lists the static routes and the policy-route binding.

See more details: Configure routing based on PBR (Policy Based Routing) with Cisco Firewall

