7609上策略路由及使用防火墙NAT进行双出口接入配置


前两天做的,写上点备忘

 

 

 

 

! Running configuration of the Cisco 7609 (IOS 12.2) as published by the author.
! Values shown as asterisks were masked before publishing.
Current configuration : 12453 bytes

!

upgrade fpd auto

version 12.2

! Debug and log entries are stamped with time since boot, not wall-clock time.
! NOTE(review): datetime stamps are easier to correlate with other log sources
! during an investigation.
service timestamps debug uptime

service timestamps log uptime

! NOTE(review): password encryption is off, so the enable and line passwords in
! this configuration are stored in clear text. Turning it on only obfuscates
! them (type 7 is reversible); hashed secrets such as 'enable secret' are the
! stronger option.
no service password-encryption

service counters max age 10

!

hostname 7609

!

! Value masked by the author. The trailing '!' looks like a separator line that
! was fused onto this line when the page was published.
! NOTE(review): 'enable password' is the weaker form; see the note on
! password encryption above.
enable password *****!

! AAA is disabled: access relies on the shared per-line passwords further down,
! with no per-user accounts, authorization or accounting.
no aaa new-model

! VLANs 100 and 200 are placed in vlan-group 1 and the group is handed to the
! firewall module in slot 2 (the FWSM).
svclc vlan-group 1  100,200

! Permits more than one firewall VLAN to have a routed interface (SVI) on the
! switch. In this listing only Vlan100 has an SVI.
! NOTE(review): an SVI on the outside VLAN as well would let the switch route
! around the firewall -- confirm none exists in the elided part of the config.
firewall multiple-vlan-interfaces

firewall module 2 vlan-group 1

firewall vlan-group 1  100,200

! Global IP, multicast, flow and switching settings.
ip subnet-zero

!

!

!

ipv6 mfib hardware-switching replication-mode ingress

! Transparent mode: the VLAN database is defined locally (vlan 100 / vlan 200
! below) and is not synchronized from VTP advertisements.
vtp mode transparent

mls ip multicast flow-stat-timer 9

no mls flow ip

no mls flow ipv6

no mls acl tcam share-global

mls cef error action freeze

no scripting tcl init

no scripting tcl encdir

!

!

!

!

!

!

!

!

!

!

! Supervisor redundancy in SSO mode; the running configuration is synchronized
! to the other supervisor.
redundancy

 mode sso

 main-cpu

  auto-sync running-config

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

diagnostic cns publish cisco.cns.device.diag_results

diagnostic cns subscribe cisco.cns.device.diag_commands

!

vlan internal allocation policy ascending

vlan access-log ratelimit 2000

!

! The two VLANs assigned to the firewall module: 100 is the FWSM inside,
! 200 is the FWSM outside.
vlan 100

 name inside

!

vlan 200

 name outside

!

! Routed uplink on 192.168.0.0/30. The default route at the end of this section
! points at its peer, 192.168.0.2.
interface GigabitEthernet1/1

 ip address 192.168.0.1 255.255.255.252

 speed nonegotiate

!

! Routed interface where route-map 'policy' is applied to incoming packets
! (policy-based routing). The static route for 222.222.222.0/24 below points
! out of this side, so this appears to be the user-facing link.
! NOTE(review): the addresses look like placeholders substituted by the author.
! As written, 111.111.111.111 is the broadcast address of its /30 and the
! next hop 111.111.111.112 lies outside that subnet.
interface GigabitEthernet1/2

 ip address 111.111.111.111 255.255.255.252

 ip policy route-map policy

 speed nonegotiate

!

! Layer-2 access port in VLAN 200, the FWSM outside VLAN (presumably the link
! to the second provider -- confirm).
interface GigabitEthernet1/3

 switchport

 switchport access vlan 200

 no ip address

!

! Unused ports are administratively shut down.
interface GigabitEthernet1/4

 no ip address

 shutdown

!

!

! Author's ellipsis: the interfaces between 1/4 and 1/24 were left out of the post.
...........................!

interface GigabitEthernet1/24

 no ip address

 shutdown

!

! The default VLAN interface is shut down and carries no address.
interface Vlan1

 no ip address

 shutdown

!

! SVI on the FWSM inside VLAN; the firewall context holds 10.10.10.2 on the
! same /30. No SVI is defined for VLAN 200 in this listing.
interface Vlan100

 ip address 10.10.10.1 255.255.255.252

!

ip classless

! Default exit is the first uplink (GigabitEthernet1/1 side).
ip route 0.0.0.0 0.0.0.0 192.168.0.2

! Return path toward the user range.
ip route 222.222.222.0 255.255.255.0 111.111.111.112

!

! The HTTP management server is disabled.
no ip http server

!

! 'cnc' matches any source going to destinations in 192.168.0.0/16.
ip access-list extended cnc

 permit ip any 192.168.0.0 0.0.255.255

! 'user' matches sources 222.222.222.0 - 222.222.222.127 only (wildcard
! 0.0.0.127), i.e. the lower half of the /24 that the static route covers.
! NOTE(review): sources .128-.255 are therefore not policy-routed and follow
! the default route -- confirm this split is intended.
ip access-list extended user

 permit ip 222.222.222.0 0.0.0.127  any

!

ipv6 route ::/0 1::2

!

! Sequence 10 (deny): packets matching 'cnc' are excluded from policy routing
! and are forwarded by the normal routing table.
! The trailing '!' on the match line looks like a fused separator line.
route-map policy deny 10

 match ip address  cnc!

! Sequence 20 (permit): packets matching 'user' are sent to 10.10.10.2, the
! FWSM inside interface, so they leave through the firewall and its NAT.
route-map policy permit 20

 match ip address user

 set ip next-hop 10.10.10.2

!

!        

!

! Empty control-plane section: no control-plane policy is attached in this
! listing.
control-plane

!

!

!

dial-peer cor custom

!

!

!

!

! The console line shows no password or login statement.
line con 0

! Remote terminal lines authenticate with one shared line password (masked by
! the author); with password encryption off it is stored in clear text.
! NOTE(review): no 'transport input' or 'access-class' is shown, so the allowed
! protocols and source addresses are whatever the platform defaults to.
! Restricting the lines to SSH from a management range is the usual hardening
! step -- verify against the live device.
line vty 0 4

 password ****

 logging synchronous

 login

!

!

no cns aaa enable

end

 

 

 

 

FWSM

 

:

! System execution space of the FWSM running in multiple-context mode.
FWSM Version 3.1(3) <system>

!

resource acl-partition 12

hostname FWSM

! NOTE(review): this hash matches the widely published value for the
! factory-default enable password, which suggests the password was never
! changed. Set a unique one before the module carries production traffic.
enable password 8Ry2YjIyt7RRXU24 encrypted

!

! The VLANs handed over by the switch; addresses and security levels are
! assigned inside the context, not here.
interface Vlan100

 description inside

!

interface Vlan200

 description outside

!

! NOTE(review): likewise matches the widely published factory-default login
! password hash -- change it.
passwd 2KFQnbNIdI.2KYOU encrypted

! Resource limits of the default class that contexts fall into; the caps
! include ASDM, IPSec, SSH and Telnet sessions (5 each).
class default

  limit-resource All 0

  limit-resource ASDM 5

  limit-resource IPSec 5

  limit-resource Mac-addresses 65535

  limit-resource SSH 5

  limit-resource Telnet 5

!

 

ftp mode passive

pager lines 24

! Failover is disabled; the unit role line below has no effect while it is off.
no failover

failover lan unit secondary

no asdm history enable

arp timeout 14400

! NOTE(review): a value of 0 disables the console idle timeout, so an
! unattended console session stays logged in.
console timeout 0

 

! 'tel' is both the admin context and the only context defined in this listing.
admin-context tel

! The context receives both firewall VLANs and loads its configuration from
! the local file disk:/t.
context tel

  allocate-interface Vlan100

  allocate-interface Vlan200

  config-url disk:/t

!

 

! The CLI prompt shows the hostname and the current context name.
prompt hostname context

! Checksum the device prints at the end of the configuration; not a credential.
Cryptochecksum:696cbfb47a230159c0dc4c47cb9675db

: end

           

 

 

! Configuration of security context 'tel', which does the NAT for the
! policy-routed user traffic.
FWSM Version 3.1(3) <context>

!

hostname tel

! NOTE(review): same hash as in the system space; it matches the widely
! published factory-default value -- set a unique enable password.
enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

! Inside interface (security level 100); peer of the 7609 SVI 10.10.10.1.
interface Vlan100

 nameif inside

 security-level 100

 ip address 10.10.10.2 255.255.255.252

!

! Outside interface (security level 0) on 172.16.0.0/30.
interface Vlan200

 nameif outside

 security-level 0

 ip address 172.16.0.1 255.255.255.252

!

! NOTE(review): matches the widely published factory-default login password
! hash -- change it.
passwd 2KFQnbNIdI.2KYOU encrypted

! Permits all IP traffic; bound inbound to the inside interface by the
! access-group line below.
! NOTE(review): limiting the source to the policy-routed user range would
! stop other or spoofed inside sources from using this exit.
access-list cross extended permit ip any any

pager lines 24

mtu inside 1500

mtu outside 1500

! ICMP addressed to the firewall's own interfaces is accepted from any source
! on both sides.
! NOTE(review): consider narrowing the outside rule to the ICMP types and
! peers actually needed.
icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

! NAT: every inside source address (0.0.0.0/0) is translated to global pool 1,
! which holds two single-address entries (used as port address translation).
global (outside) 1 172.16.1.1 netmask 255.255.255.255

global (outside) 1 172.16.1.2  netmask 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0

! No access-group is shown for the outside interface.
access-group cross in interface inside

! NOTE(review): the next hop 111.111.111.111 is not on the inside subnet
! 10.10.10.0/30; the directly connected peer is the 7609 SVI 10.10.10.1.
! Possibly an artifact of address masking -- confirm.
route inside 222.222.222.0 255.255.255.0 111.111.111.111  1

! NOTE(review): the next hop equals this context's own outside address
! (172.16.0.1); the upstream peer would be the other host of the /30.
! Possibly a transcription error -- confirm.
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1

! Idle timers for translations, connections and per-protocol state.
timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

! Only the idle timeouts for management sessions are set; no statement
! permitting Telnet or SSH management sources appears in this listing.
telnet timeout 5

ssh timeout 5

!

! Application inspection: the class matches the default inspection traffic and
! the policy is applied globally (all interfaces) by the service-policy line.
class-map inspection_default

 match default-inspection-traffic

!

!

! NOTE(review): this appears to be the stock inspection list. Engines for
! protocols that are not expected through this firewall (for example rsh,
! xdmcp, sqlnet, netbios) can be removed to reduce the amount of protocol
! parsing exposed to untrusted traffic -- verify what the users need first.
policy-map global_policy

 class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect skinny

  inspect smtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

! Checksum the device prints at the end of the configuration; not a credential.
Cryptochecksum:7d3148bd5752e63cb3ccb1b2cf93d5ca

: end
