Building a secure and worry-free network with encryption and automatic backup

Internet backup using the Virtual Router Redundancy Protocol (VRRP)

[Diagram: normal state; failure and recovery transitions; backup states 1, 2 and 3]

Communication between offices is encrypted so that confidential information does not leak outside. On the branch side, a single router terminates two lines and switches to the other line automatically when one fails.
On the center side, two routers are installed to cope with both line and device failures. Communication remains encrypted after a switchover, so a secure Internet connection is maintained.

Configuration example for RTX1200 (A)

LAN interface settings (using the LAN1 port)
    ip lan1 address 192.168.0.2/24

DMZ interface settings (using the LAN3 port)
    ip lan3 address 192.168.10.1/24

VRRP settings
    ip lan1 vrrp 1 192.168.0.1 priority=200
    ip lan1 vrrp shutdown trigger 1 pp 1

WAN (ISP1) interface settings (using the LAN2 port)
    pp select 1
    pp always-on on
    pppoe use lan2
    pp auth accept pap chap
    pp auth myname (ISP1 connection ID) (ISP1 connection password)
    ppp lcp mru on 1454
    ppp ipcp msext on
    ip pp address (global address 1) # Note 1
    ip pp mtu 1454
    ip pp nat descriptor 1
    pp enable 1
    ip route default gateway pp 1

NAT settings
    nat descriptor type 1 masquerade
    nat descriptor address outer 1 (global address 1)
    nat descriptor masquerade static 1 1 192.168.0.2 udp 500
    nat descriptor masquerade static 1 2 192.168.0.2 esp
    nat descriptor masquerade static 1 3 192.168.10.2 tcp www # Note 3

VPN (IPsec) settings
    ipsec auto refresh on
    ipsec ike keepalive use 1 on
    ipsec ike local address 1 192.168.0.2
    ipsec ike pre-shared-key 1 text (password 1)
    ipsec ike remote address 1 any
    ipsec ike remote name 1 kyoten1-1
    ipsec sa policy 101 1 esp 3des-cbc sha-hmac
    tunnel select 1
    ipsec tunnel 101
    tunnel backup lan1 192.168.0.3 # Note 5
    ipsec ike hash 1 sha
    tunnel enable 1
    ip route 192.168.1.0/24 gateway tunnel 1

DNS settings
    dns server (IP address of the DNS server specified by ISP1)
    dns private address spoof on

Inbound filter settings
    ip filter source-route on
    ip filter directed-broadcast on
    ip inbound filter 1001 reject-nolog * * tcp,udp * 135
    ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
    ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
    ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
    ip inbound filter 1005 reject-nolog * * tcp,udp * 445
    ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
    ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * *
    ip inbound filter 1008 pass-nolog * * * * *
    pp select 1
    ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
    pp enable 1

Policy filter settings
    ip policy interface group 101 name=Private local lan1
    ip policy address group 101 name=Private 192.168.0.0/24
    ip policy address group 102 name=Any *
    ip policy service group 101 name="Open Services"
    ip policy service group 102 name=General dns
    ip policy service group 103 name=Mail pop3 smtp
    ip policy service group 104 name=IPsec ike esp
    ip policy filter 1 reject-nolog lan3 * * * *
    ip policy filter 2 pass-nolog * lan3 * 192.168.10.2 www
    ip policy filter 3 pass-nolog * lan3 * 192.168.10.2 telnet # Note 4
    ip policy filter 4 static-pass-nolog * lan3 * * *
    ip policy filter 5 pass-nolog * lan3 * * *
    ip policy filter 6 static-pass-nolog * local * * *
    ip policy filter 1100 reject-nolog lan1 * * * *
    ip policy filter 1110 pass-nolog * * * * 102
    ip policy filter 1122 static-pass-nolog * lan1 * * *
    ip policy filter 1123 static-pass-nolog * local * * *
    ip policy filter 1130 pass-nolog * tunnel* * * *
    ip policy filter 2300 reject-nolog tunnel* * * * *
    ip policy filter 2330 pass-nolog * tunnel* * * *
    ip policy filter 2340 pass-nolog * local * * *
    ip policy filter 2350 pass-nolog * lan1 * * *
    ip policy filter 2360 reject-nolog * pp1 * * *
    ip policy filter 2400 pass-nolog local * * * *
    ip policy filter 2410 static-pass-nolog * lan1 * * *
    ip policy filter 2430 static-pass-nolog * pp1 * * 104
    ip policy filter 2600 pass-nolog * pp1 * * *
    ip policy filter 2650 reject-nolog pp* * * * *
    ip policy filter 2660 static-pass-nolog * local * * 104
    ip policy filter 2670 pass-log * lan1 * * 101
    ip policy filter 3000 reject-nolog * * * * *
    ip policy filter set 101 name="Internet Access" 1100 [1110 1123 1122 2600 3 1130] 2650 [2670 2 2660] 1 [6] 2300 [2340 2350 2360 5 2330] 2400 [2410 2430 4] 3000
    ip policy filter set enable 101
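
The `ip policy filter set` line packs the whole evaluation order into one string, with bracketed groups that hang off the filter written just before them, which makes it easy to reference an ID that was never defined or to leave a defined filter out of the set. The following Python script is an added example, not part of this page and not Yamaha's own tooling: it parses the router (A) policy filter lines (embedded below as a constructed copy), rebuilds the nested tree, prints the evaluation order with indentation, and reports missing, unused and duplicated filter IDs. The field names it assigns (action, src_if, dst_if, src, dst, service) and the reading that a bracketed group attaches to the preceding filter are assumptions inferred from the shape of the lines above; the same check applies unchanged to the (B) and (C) sets.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the policy filter section of router (A) on this page.
SAMPLE_CONFIG = """
ip policy filter 1 reject-nolog lan3 * * * *
ip policy filter 2 pass-nolog * lan3 * 192.168.10.2 www
ip policy filter 3 pass-nolog * lan3 * 192.168.10.2 telnet
ip policy filter 4 static-pass-nolog * lan3 * * *
ip policy filter 5 pass-nolog * lan3 * * *
ip policy filter 6 static-pass-nolog * local * * *
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1130 pass-nolog * tunnel* * * *
ip policy filter 2300 reject-nolog tunnel* * * * *
ip policy filter 2330 pass-nolog * tunnel* * * *
ip policy filter 2340 pass-nolog * local * * *
ip policy filter 2350 pass-nolog * lan1 * * *
ip policy filter 2360 reject-nolog * pp1 * * *
ip policy filter 2400 pass-nolog local * * * *
ip policy filter 2410 static-pass-nolog * lan1 * * *
ip policy filter 2430 static-pass-nolog * pp1 * * 104
ip policy filter 2600 pass-nolog * pp1 * * *
ip policy filter 2650 reject-nolog pp* * * * *
ip policy filter 2660 static-pass-nolog * local * * 104
ip policy filter 2670 pass-log * lan1 * * 101
ip policy filter 3000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 1122 2600 3 1130] 2650 [2670 2 2660] 1 [6] 2300 [2340 2350 2360 5 2330] 2400 [2410 2430 4] 3000
"""

# Assumed field order: id action src_if dst_if src_addr dst_addr service
FILTER_RE = re.compile(r"^ip policy filter (\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
SET_RE = re.compile(r'^ip policy filter set (\d+) name=(?:"([^"]*)"|(\S+)) (.+)$')


@dataclass
class Node:
    fid: int
    children: list = field(default_factory=list)


def parse_filters(text):
    """Map filter ID -> its match fields, for every 'ip policy filter N ...' line."""
    filters = {}
    for line in text.splitlines():
        if m := FILTER_RE.match(line.strip()):
            fid, action, src_if, dst_if, src, dst, service = m.groups()
            filters[int(fid)] = dict(action=action, src_if=src_if, dst_if=dst_if,
                                     src=src, dst=dst, service=service)
    return filters


def parse_set_tree(expr):
    """Turn '1100 [1110 1123] 2650 ...' into a list of Nodes; '[...]' nests under the previous ID."""
    stack = [[]]                      # stack[-1] is the list currently being filled
    for tok in re.findall(r"\[|\]|\d+", expr):
        if tok == "[":
            if not stack[-1]:
                raise ValueError("'[' with no preceding parent filter")
            stack.append(stack[-1][-1].children)
        elif tok == "]":
            if len(stack) == 1:
                raise ValueError("unbalanced ']'")
            stack.pop()
        else:
            stack[-1].append(Node(int(tok)))
    if len(stack) != 1:
        raise ValueError("unbalanced '['")
    return stack[0]


def parse_sets(text):
    """Map set ID -> (name, tree) for every 'ip policy filter set N name=... ' line."""
    sets = {}
    for line in text.splitlines():
        if m := SET_RE.match(line.strip()):
            name = m.group(2) if m.group(2) is not None else m.group(3)
            sets[int(m.group(1))] = (name, parse_set_tree(m.group(4)))
    return sets


def referenced_ids(tree):
    out = []
    for node in tree:
        out.append(node.fid)
        out.extend(referenced_ids(node.children))
    return out


def validate(filters, tree):
    """Report IDs the set references but never defines, defined-but-unused IDs, and duplicates."""
    refs = referenced_ids(tree)
    return {"missing": sorted({r for r in refs if r not in filters}),
            "unused": sorted(f for f in filters if f not in refs),
            "duplicate": sorted({r for r in refs if refs.count(r) > 1})}


def render(tree, filters, depth=0):
    """Flatten the tree in evaluation order, one indented line per filter."""
    lines = []
    for node in tree:
        f = filters.get(node.fid)
        desc = (f"{f['action']} {f['src_if']}->{f['dst_if']} {f['src']}->{f['dst']} svc={f['service']}"
                if f else "UNDEFINED")
        lines.append("  " * depth + f"{node.fid}: {desc}")
        lines.extend(render(node.children, filters, depth + 1))
    return lines


if __name__ == "__main__":
    filters = parse_filters(SAMPLE_CONFIG)
    for sid, (name, tree) in parse_sets(SAMPLE_CONFIG).items():
        print(f"set {sid} ({name}):")
        print("\n".join(render(tree, filters)))
        print(validate(filters, tree))
```

On the (A) configuration every one of the 24 filters is referenced exactly once, so the report is empty; the rendered tree makes it visible that filter 3 (telnet to the DMZ host) sits under the 1100 branch and is therefore only reached for traffic entering from lan1.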

Configuration example for RTX1200 (B)

LAN interface settings (using the LAN1 port)
    ip lan1 address 192.168.0.3/24

VRRP settings (using the LAN1 port)
    ip lan1 vrrp 1 192.168.0.1 priority=100

WAN (ISP2) interface settings (using the LAN2 port)
    pp select 1
    pp always-on on
    pppoe use lan2
    pp auth accept pap chap
    pp auth myname (ISP2 connection ID) (ISP2 connection password)
    ppp lcp mru on 1454
    ppp ipcp msext on
    ip pp address (global address 2) # Note 2
    ip pp mtu 1454
    ip pp nat descriptor 1
    pp enable 1
    ip route default gateway pp 1

NAT settings
    nat descriptor type 1 masquerade
    nat descriptor address outer 1 (global address 2)
    nat descriptor masquerade static 1 1 192.168.0.3 udp 500
    nat descriptor masquerade static 1 2 192.168.0.3 esp

VPN (IPsec) settings
    ipsec auto refresh on
    ipsec ike local address 1 192.168.0.3
    ipsec ike pre-shared-key 1 text (password 2)
    ipsec ike remote address 1 any
    ipsec ike remote name 1 kyoten1-2
    ipsec sa policy 101 1 esp 3des-cbc sha-hmac
    tunnel select 1
    ipsec tunnel 101
    ipsec ike hash 1 sha
    tunnel enable 1
    ip route 192.168.1.0/24 gateway tunnel 1

DNS settings
    dns server (IP address of the DNS server specified by ISP2)
    dns private address spoof on

Inbound filter settings
    ip filter source-route on
    ip filter directed-broadcast on
    ip inbound filter 1001 reject-nolog * * tcp,udp * 135
    ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
    ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
    ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
    ip inbound filter 1005 reject-nolog * * tcp,udp * 445
    ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
    ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * *
    ip inbound filter 1008 pass-nolog * * * * *
    pp select 1
    ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
    pp enable 1

Policy filter settings
    ip policy interface group 101 name=Private local lan1
    ip policy address group 101 name=Private 192.168.0.0/24
    ip policy address group 102 name=Any *
    ip policy service group 101 name="Open Services"
    ip policy service group 102 name=General dns
    ip policy service group 103 name=Mail pop3 smtp
    ip policy service group 104 name=IPsec ike esp
    ip policy filter 1100 reject-nolog lan1 * * * *
    ip policy filter 1110 pass-nolog * * * * 102
    ip policy filter 1122 static-pass-nolog * lan1 * * *
    ip policy filter 1123 static-pass-nolog * local * * *
    ip policy filter 1124 static-pass-log * * 192.168.0.0/24 * http
    ip policy filter 1130 pass-nolog * tunnel* * * *
    ip policy filter 1140 pass-nolog * pp1 * * *
    ip policy filter 1500 reject-nolog pp* * * * *
    ip policy filter 1520 pass-log * lan1 * * 101
    ip policy filter 1530 static-pass-nolog * local * * 104
    ip policy filter 1600 reject-nolog tunnel* * * * *
    ip policy filter 1630 pass-nolog * tunnel* * * *
    ip policy filter 1640 pass-nolog * local * * *
    ip policy filter 1650 pass-nolog * lan1 * * *
    ip policy filter 1680 reject-nolog * pp* * * *
    ip policy filter 1700 pass-nolog local * * * *
    ip policy filter 1710 static-pass-nolog * lan1 * * *
    ip policy filter 1750 static-pass-nolog * pp* * * 104
    ip policy filter 2000 reject-nolog * * * * *
    ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
    ip policy filter set enable 101
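
The inbound filter list is applied to packets arriving on pp 1 from the ISP in the order given by `ip pp inbound filter list`, and the first matching entry decides: 1001 through 1006 drop Windows RPC (135), NetBIOS (137 to 139) and SMB (445) whether the port appears as source or destination, 1007 drops packets whose source address claims to belong to the office's own private subnet (spoofed from the Internet), and 1008 passes everything else. The following Python script is an added example, not router code from this page or from Yamaha: it parses the router (B) inbound filter lines (embedded as a constructed copy) and runs a few constructed packets through them to show which entry fires. The `SERVICE_PORTS` table that maps `netbios_ns` and `netbios_ssn` to 137 and 139, and the reading of a name range as a numeric port range, are assumptions; the packet addresses come from the RFC 5737 documentation ranges. Routers (A) and (C) use the same list with their own private subnet in 1007.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the inbound filter section of router (B) on this page.
SAMPLE_CONFIG = """
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.0.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
pp select 1
ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
pp enable 1
"""

# Assumed subset of the router's service-name table, enough for the names above.
SERVICE_PORTS = {"netbios_ns": 137, "netbios_dgm": 138, "netbios_ssn": 139}

# Assumed field order: id action src_addr dst_addr proto src_port dst_port
FILTER_RE = re.compile(r"^ip inbound filter (\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
LIST_RE = re.compile(r"^ip pp inbound filter list (.+)$")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


def port_number(token):
    return SERVICE_PORTS.get(token) or int(token)


def port_range(spec):
    """'*' -> any port; 'N' -> (N, N); 'a-b' (numbers or service names) -> (a, b)."""
    if spec == "*":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return port_number(lo), port_number(hi or lo)


def parse(text):
    """Return (filters by ID, evaluation order from the 'filter list' line)."""
    filters, order = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := FILTER_RE.match(line):
            fid, action, src, dst, proto, sport, dport = m.groups()
            filters[int(fid)] = {"action": action.split("-")[0],   # reject / pass
                                 "log": action.endswith("-log"),
                                 "src": src, "dst": dst, "proto": proto,
                                 "sport": port_range(sport), "dport": port_range(dport)}
        elif m := LIST_RE.match(line):
            order = [int(t) for t in m.group(1).split()]
    return filters, order


def addr_match(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(f, pkt):
    if not (addr_match(f["src"], pkt.src) and addr_match(f["dst"], pkt.dst)):
        return False
    if f["proto"] != "*" and pkt.proto not in f["proto"].split(","):
        return False
    return f["sport"][0] <= pkt.sport <= f["sport"][1] and f["dport"][0] <= pkt.dport <= f["dport"][1]


def evaluate(filters, order, pkt):
    """First matching filter in list order decides; returns (filter id, verdict) or None."""
    for fid in order:
        if matches(filters[fid], pkt):
            return fid, filters[fid]["action"]
    return None


if __name__ == "__main__":
    filters, order = parse(SAMPLE_CONFIG)
    samples = {   # constructed packets as seen on pp 1; 198.51.100.2 stands in for the WAN address
        "SMB from the Internet": Packet("203.0.113.5", "198.51.100.2", "tcp", 51000, 445),
        "spoofed private source": Packet("192.168.0.77", "198.51.100.2", "tcp", 40000, 80),
        "HTTPS reply to a LAN client": Packet("198.51.100.10", "198.51.100.2", "tcp", 443, 52000),
        "NetBIOS name query": Packet("203.0.113.5", "198.51.100.2", "udp", 137, 137),
        "ICMP echo": Packet("203.0.113.5", "198.51.100.2", "icmp"),
    }
    for label, pkt in samples.items():
        print(f"{label:30s} -> {evaluate(filters, order, pkt)}")
```

Because 1008 is a catch-all pass, the function never returns `None` on this list; if a list without such a final entry is loaded, the `None` result is the place to apply whatever default the deployment wants.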

Configuration example for RTX1200 (C)

LAN interface settings (using the LAN1 port)
    ip lan1 address 192.168.1.1/24

WAN (ISP3) interface settings (using the LAN2 port)
    pp select 1
    pp backup pp 2 # Note 6
    pp always-on on
    pppoe use lan2
    pp auth accept pap chap
    pp auth myname (ISP3 connection ID) (ISP3 connection password)
    ppp lcp mru on 1454
    ppp ipcp msext on
    ppp ipcp ipaddress on
    ip pp mtu 1454
    ip pp nat descriptor 1
    pp enable 1
    ip route default gateway pp 1

WAN (ISP4) interface settings (using the LAN3 port)
    pp select 2
    pp always-on on
    pppoe use lan3
    pp auth accept pap chap
    pp auth myname (ISP4 connection ID) (ISP4 connection password)
    ppp lcp mru on 1454
    ppp ipcp msext on
    ppp ipcp ipaddress on
    ip pp mtu 1454
    ip pp nat descriptor 1
    pp enable 2

NAT settings
    nat descriptor type 1 masquerade
    nat descriptor masquerade static 1 1 192.168.1.1 udp 500
    nat descriptor masquerade static 1 2 192.168.1.1 esp

VPN (IPsec) settings (common)
    ipsec auto refresh on

VPN (IPsec) settings (primary)
    ipsec ike keepalive use 1 on
    ipsec ike local address 1 192.168.1.1
    ipsec ike local name 1 kyoten1-1
    ipsec ike pre-shared-key 1 text (password 1)
    ipsec ike remote address 1 (global address 1)
    ipsec sa policy 101 1 esp 3des-cbc sha-hmac
    tunnel select 1
    ipsec tunnel 101
    tunnel backup tunnel 2 switch-interface=on # Note 7
    ipsec ike hash 1 sha
    tunnel enable 1
    ip route 192.168.0.0/24 gateway tunnel 1

VPN (IPsec) settings (secondary)
    ipsec ike local address 2 192.168.1.1
    ipsec ike local name 2 kyoten1-2
    ipsec ike pre-shared-key 2 text (password 2)
    ipsec ike remote address 2 (global address 2)
    ipsec sa policy 102 2 esp 3des-cbc sha-hmac
    tunnel select 2
    ipsec tunnel 102
    ipsec ike hash 2 sha
    tunnel enable 2

DHCP settings
    dhcp service server
    dhcp scope 1 192.168.1.2-192.168.1.100/24

DNS settings
    dns server select 1 (IP address of the DNS server specified by ISP3) any . restrict pp 1
    dns server select 2 (IP address of the DNS server specified by ISP4) any .
    dns private address spoof on

Inbound filter settings
    ip filter source-route on
    ip filter directed-broadcast on
    ip inbound filter 1001 reject-nolog * * tcp,udp * 135
    ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
    ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
    ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
    ip inbound filter 1005 reject-nolog * * tcp,udp * 445
    ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
    ip inbound filter 1007 reject-nolog 192.168.1.0/24 * * * *
    ip inbound filter 1008 pass-nolog * * * * *
    pp select 1
    ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
    pp enable 1
    pp select 2
    ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
    pp enable 2

Policy filter settings
    ip policy interface group 101 name=Private local lan1
    ip policy address group 101 name=Private 192.168.1.0/24
    ip policy address group 102 name=Any *
    ip policy service group 101 name="Open Services"
    ip policy service group 102 name=General dns
    ip policy service group 103 name=Mail pop3 smtp
    ip policy service group 104 name=IPsec ike esp
    ip policy filter 1100 reject-nolog lan1 * * * *
    ip policy filter 1110 pass-nolog * * * * 102
    ip policy filter 1122 static-pass-nolog * lan1 * * *
    ip policy filter 1123 static-pass-nolog * local * * *
    ip policy filter 1124 static-pass-log * * 192.168.1.0/24 * http
    ip policy filter 1130 pass-nolog * tunnel* * * *
    ip policy filter 1140 pass-nolog * pp* * * *
    ip policy filter 1500 reject-nolog pp* * * * *
    ip policy filter 1520 pass-log * lan1 * * 101
    ip policy filter 1530 static-pass-nolog * local * * 104
    ip policy filter 1600 reject-nolog tunnel* * * * *
    ip policy filter 1630 pass-nolog * tunnel* * * *
    ip policy filter 1640 pass-nolog * local * * *
    ip policy filter 1650 pass-nolog * lan1 * * *
    ip policy filter 1680 reject-nolog * pp* * * *
    ip policy filter 1700 pass-nolog local * * * *
    ip policy filter 1710 static-pass-nolog * lan1 * * *
    ip policy filter 1750 static-pass-nolog * pp* * * 104
    ip policy filter 2000 reject-nolog * * * * *
    ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140 1130] 1500 [1520 1530] 1600 [1640 1650 1680 1630] 1700 [1710 1750] 2000
    ip policy filter set enable 101
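
The three configurations only work together if identities, keys and NAT pass-throughs line up: each branch tunnel on (C) points at one center router's global address, that router's `ipsec ike remote name` must equal the branch's `ipsec ike local name` for the same tunnel, both ends must hold the same pre-shared key, and the center router's NAT descriptor must forward IKE (udp 500) and ESP to the address it uses as `ipsec ike local address`. The following Python script is an added example, not part of this page and not Yamaha's tooling: it parses the relevant lines of (A), (B) and (C) (embedded as constructed copies with the page's placeholders kept as literal strings) and reports any pairing that does not match. It also flags `3des-cbc` as a legacy cipher (disallowed by NIST SP 800-131A after 2023); that judgement is the example's, not the page's.

```python
import re

# Constructed samples: the WAN-address, NAT and IPsec lines of routers (A), (B) and (C)
# on this page; the parenthesised placeholders are compared as plain strings.
CENTER_A = """
ip pp address (global address 1) # Note 1
nat descriptor masquerade static 1 1 192.168.0.2 udp 500
nat descriptor masquerade static 1 2 192.168.0.2 esp
ipsec ike local address 1 192.168.0.2
ipsec ike pre-shared-key 1 text (password 1)
ipsec ike remote address 1 any
ipsec ike remote name 1 kyoten1-1
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
"""
CENTER_B = """
ip pp address (global address 2) # Note 2
nat descriptor masquerade static 1 1 192.168.0.3 udp 500
nat descriptor masquerade static 1 2 192.168.0.3 esp
ipsec ike local address 1 192.168.0.3
ipsec ike pre-shared-key 1 text (password 2)
ipsec ike remote address 1 any
ipsec ike remote name 1 kyoten1-2
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
"""
BRANCH_C = """
ipsec ike local address 1 192.168.1.1
ipsec ike local name 1 kyoten1-1
ipsec ike pre-shared-key 1 text (password 1)
ipsec ike remote address 1 (global address 1)
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
ipsec ike local address 2 192.168.1.1
ipsec ike local name 2 kyoten1-2
ipsec ike pre-shared-key 2 text (password 2)
ipsec ike remote address 2 (global address 2)
ipsec sa policy 102 2 esp 3des-cbc sha-hmac
"""

LEGACY_CIPHERS = {"3des-cbc"}


def parse_router(name, text):
    """Pick out the lines that matter for tunnel pairing; '# ...' comments are stripped."""
    r = {"name": name, "pp_address": None, "gateways": {}, "nat_static": set(), "sa": {}}
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        if m := re.match(r"ip pp address (.+)$", line):
            r["pp_address"] = m.group(1)
        elif m := re.match(r"ipsec ike (local|remote) (address|name) (\d+) (.+)$", line):
            gw = r["gateways"].setdefault(int(m.group(3)), {})
            gw[f"{m.group(1)}_{m.group(2)}"] = m.group(4)      # local_name, remote_address, ...
        elif m := re.match(r"ipsec ike pre-shared-key (\d+) text (.+)$", line):
            r["gateways"].setdefault(int(m.group(1)), {})["psk"] = m.group(2)
        elif m := re.match(r"nat descriptor masquerade static \d+ \d+ (\S+) (\S+)(?: (\S+))?$", line):
            r["nat_static"].add((m.group(1), m.group(2), m.group(3)))   # (inner ip, proto, port|None)
        elif m := re.match(r"ipsec sa policy \d+ (\d+) esp (\S+) (\S+)$", line):
            r["sa"][int(m.group(1))] = (m.group(2), m.group(3))
    return r


def check_tunnels(branch, centers):
    """For each branch gateway, find the center it targets and verify name, key, NAT and cipher."""
    findings = []
    for n, gw in sorted(branch["gateways"].items()):
        peer = next((c for c in centers if c["pp_address"] == gw.get("remote_address")), None)
        if peer is None:
            findings.append(f"tunnel {n}: no center router owns {gw.get('remote_address')}")
            continue
        pair = next((m for m, pg in peer["gateways"].items()
                     if pg.get("remote_name") == gw.get("local_name")), None)
        if pair is None:
            findings.append(f"tunnel {n}: {peer['name']} has no gateway expecting ID {gw.get('local_name')}")
            continue
        pg = peer["gateways"][pair]
        if pg.get("psk") != gw.get("psk"):
            findings.append(f"tunnel {n}: pre-shared key does not match {peer['name']} gateway {pair}")
        inner = pg.get("local_address")
        for proto, port in (("udp", "500"), ("esp", None)):
            if (inner, proto, port) not in peer["nat_static"]:
                label = proto + ("/" + port if port else "")
                findings.append(f"tunnel {n}: {peer['name']} lacks static masquerade {label} -> {inner}")
        enc = branch["sa"].get(n, ("?", "?"))[0]
        if enc in LEGACY_CIPHERS:
            findings.append(f"tunnel {n}: {enc} is a legacy cipher; prefer an AES suite")
    return findings


if __name__ == "__main__":
    centers = [parse_router("A", CENTER_A), parse_router("B", CENTER_B)]
    for f in check_tunnels(parse_router("C", BRANCH_C), centers):
        print(f)
```

On the page's configuration as written, the only findings are the two cipher warnings; editing one placeholder (a mistyped key on (C) for tunnel 2, or a missing ESP masquerade entry on (A)) surfaces the corresponding pairing error before anything is deployed.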

[Explanation of the notes]

Notes 1 and 2:
The fixed global address assigned by the ISP must be configured here.

Note 3:
Because of NAT, hosts on the outside cannot reach internal servers directly, so a port mapping is required to reach the WWW server.

Note 4:
This filter passes the telnet traffic used to maintain the WWW server.

Note 5:
Setting that forwards traffic to the other router when the VPN fails.

Note 6:
Setting that switches to the other line when the Internet connection fails.

Note 7:
Setting that switches to the other VPN when the VPN fails.
