Configuring PIX Failover (Part 4)

王朝other · Author unknown · 2008-05-19

Failover Configuration Examples

Example 1: Failover configuration

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 failover security10

nameif ethernet3 unused security20

enable password xxx encrypted

passwd xxx encrypted

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol smtp 25

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol sqlnet 1521

names

pager lines 20

no logging timestamp

no logging standby

logging console errors

no logging monitor

no logging buffered

no logging trap

logging facility 20

logging queue 512

interface ethernet0 10baset

interface ethernet1 10baset

interface ethernet2 100full

interface ethernet3 10baset

mtu outside 1500

mtu inside 1500

mtu failover 1500

mtu unused 1500

ip address outside 209.165.201.1 255.255.255.224

ip address inside 192.168.2.1 255.255.255.0

ip address failover 192.168.254.1 255.255.255.0

ip address unused 192.168.253.1 255.255.255.252

failover

failover ip address outside 209.165.201.2

failover ip address inside 192.168.2.2

failover ip address failover 192.168.254.2

failover ip address unused 192.168.253.2

failover link failover

arp timeout 14400

global (outside) 1 209.165.201.3 netmask 255.255.255.224

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0

access-list acl_out permit tcp any 209.165.201.5 eq 80

access-list acl_out permit icmp any any

access-group acl_out in interface outside

access-list acl_ping permit icmp any any

access-group acl_ping in interface inside

no rip outside passive

no rip outside default

no rip inside passive

no rip inside default

no rip failover passive

no rip failover default

route outside 0 0 209.165.201.4 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

telnet timeout 5

terminal width 80

Example 2: LAN-based failover, primary PIX configuration

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 stateful security10

nameif ethernet3 lanfover security20

enable password xxx encrypted

passwd xxx encrypted

hostname pixfirewall

fixup protocol ftp 21

fixup protocol http 80

fixup protocol smtp 25

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol sqlnet 1521

names

pager lines 20

no logging timestamp

no logging standby

logging console errors

no logging monitor

no logging buffered

no logging trap

logging facility 20

logging queue 512

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet3 100full

mtu outside 1500

mtu inside 1500

mtu stateful 1500

mtu lanfover 1500

ip address outside 209.165.201.1 255.255.255.224

ip address inside 192.168.2.1 255.255.255.0

ip address stateful 192.168.254.1 255.255.255.0

ip address lanfover 192.168.253.1 255.255.255.252

failover

failover ip address outside 209.165.201.2

failover ip address inside 192.168.2.2

failover ip address stateful 192.168.254.2

failover ip address lanfover 192.168.253.2

failover link stateful

failover lan unit primary

failover lan interface lanfover

failover lan key 12345678

failover lan enable

arp timeout 14400

global (outside) 1 209.165.201.3 netmask 255.255.255.224

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0

access-list acl_out permit tcp any 209.165.201.5 eq 80

access-list acl_out permit icmp any any

access-group acl_out in interface outside

access-list acl_ping permit icmp any any

access-group acl_ping in interface inside

no rip outside passive

no rip outside default

no rip inside passive

no rip inside default

no rip stateful passive

no rip stateful default

route outside 0 0 209.165.201.4 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

telnet timeout 5

terminal width 80

Example 3: LAN-based failover, standby PIX configuration

nameif ethernet3 lanfover security20

interface ethernet3 100full

ip address lanfover 192.168.253.1 255.255.255.252

failover ip address lanfover 192.168.253.2

failover lan unit secondary

failover lan interface lanfover

failover lan key 12345678

failover lan enable

failover
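An added example, not part of the original article and not Cisco tooling: a small Python check for the LAN-based failover statements used in Examples 2 and 3. It verifies that every referenced interface name has a nameif, that each failover ip address lies in the subnet of the matching ip address, and that the two units are one primary and one secondary with the same failover lan key and interface. The function names and both sample fragments are constructed for illustration.

```python
import ipaddress

def parse(cfg):
    # Collect nameif, ip address, failover ip address and failover lan statements.
    p = {"nameif": set(), "ip": {}, "standby": {}, "lan": {}}
    for w in (line.split() for line in cfg.splitlines()):
        if len(w) == 4 and w[0] == "nameif":
            p["nameif"].add(w[2])
        elif len(w) == 5 and w[:2] == ["ip", "address"]:
            p["ip"][w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
        elif len(w) == 5 and w[:3] == ["failover", "ip", "address"]:
            p["standby"][w[3]] = ipaddress.ip_address(w[4])
        elif len(w) == 4 and w[:2] == ["failover", "lan"]:
            p["lan"][w[2]] = w[3]          # unit / interface / key
    return p

def audit_unit(cfg):
    # Findings visible on one unit: undefined interface names, standby IP off-subnet.
    p, out = parse(cfg), []
    used = set(p["ip"]) | set(p["standby"]) | ({p["lan"].get("interface")} - {None})
    for n in sorted(used - p["nameif"]):
        out.append(f"interface name '{n}' has no nameif")
    for n, ip in sorted(p["standby"].items()):
        if n in p["ip"] and ip not in p["ip"][n].network:
            out.append(f"standby IP {ip} for '{n}' is outside {p['ip'][n].network}")
    return out

def audit_pair(cfg_a, cfg_b):
    # Findings visible only when both units are compared.
    a, b, out = parse(cfg_a)["lan"], parse(cfg_b)["lan"], []
    if {a.get("unit"), b.get("unit")} != {"primary", "secondary"}:
        out.append("units must be one primary and one secondary")
    out += [f"failover lan {k} differs between units"
            for k in ("key", "interface") if a.get(k) != b.get(k)]
    return out

# Constructed sample fragments (not from a real device); UNIT_B has seeded mistakes.
UNIT_A = """nameif ethernet3 lanfover security20
ip address lanfover 192.168.253.1 255.255.255.252
failover ip address lanfover 192.168.253.2
failover lan unit primary
failover lan interface lanfover
failover lan key 12345678"""
UNIT_B = """nameif ethernet3 stateful security20
ip address lanfover 192.168.253.1 255.255.255.252
failover ip address lanfover 192.168.254.2
failover lan unit primary
failover lan interface lanfover
failover lan key 12345678"""
```

Run audit_unit on each saved configuration and audit_pair on the two together; an empty list from all three calls means the checks found no problem.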

(End of article)

 
 
 