配置PIX双机failover的要点(3)

　　4，配置示例

　　例1 Cable-Based Failover Configuration

　　interface ethernet0 100full

　　interface ethernet1 100full

　　interface ethernet2 shutdown

　　interface ethernet3 100full

　　nameif ethernet0 outside security0

　　nameif ethernet1 inside security100

　　nameif ethernet3 state security20

　　enable password farscape encrypted

　　password crichton encrypted

　　telnet 192.168.2.45 255.255.255.255

　　hostname pixfirewall

　　ip address outside 209.165.201.1 255.255.255.224

　　ip address inside 192.168.2.1 255.255.255.0

　　ip address state 192.168.253.1 255.255.255.252

　　failover ip address outside 209.165.201.2

　　failover ip address inside 192.168.2.2

　　failover ip address state 192.168.253.2

　　failover link state(注意:此处定义的是上文所述的“State Link”)

　　failover

　　global (outside) 1 209.165.201.3 netmask 255.255.255.224

　　nat (inside) 1 0.0.0.0 0.0.0.0 0 0

　　static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0

　　access-list acl_out permit tcp any 209.165.201.5 eq 80

　　access-group acl_out in interface outside

　　route outside 0 0 209.165.201.4 1

　　例2 LAN-Based Failover Configuration

　　Primary设备：

　　interface ethernet0 100full

　　interface ethernet1 100full

　　interface ethernet2 100full

　　interface ethernet3 100full

　　nameif ethernet0 outside security0

　　nameif ethernet1 inside security100

　　nameif ethernet2 failover security10

　　nameif ethernet3 state security20

　　enable password farscape encrypted

　　password crichton encrypted

　　telnet 192.168.2.45 255.255.255.255

　　hostname pixfirewall

　　ip address outside 209.165.201.1 255.255.255.224

　　ip address inside 192.168.2.1 255.255.255.0

　　ip address failover 192.168.254.1 255.255.255.0

　　ip address state 192.168.253.1 255.255.255.252

　　failover ip address outside 209.165.201.2

　　failover ip address inside 192.168.2.2

　　failover ip address failover 192.168.254.2

　　failover ip address state 192.168.253.2

　　failover link state

　　failover lan unit primary

　　failover lan interface failover

　　failover lan key 12345678

　　failover lan enable

　　failover

　　global (outside) 1 209.165.201.3 netmask 255.255.255.224

　　nat (inside) 1 0.0.0.0 0.0.0.0 0 0

　　static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0

　　access-list acl_out permit tcp any host 209.165.201.5 eq 80

　　access-group acl_out in interface outside

　　route outside 0 0 209.165.201.4 1

　　Secondary 设备：

　　interface ethernet2 100full

　　nameif ethernet2 failover security10

　　ip address failover 192.168.254.1 255.255.255.0

　　failover ip address failover 192.168.254.2

　　failover lan unit secondary

　　failover lan interface failover

　　failover lan key 12345678

　　failover lan enable

　　failover

　　PIX会根据自己的状态选用IP，如果是Active设备，就用ip address定义的地址；如果是standby就用failover ip address定义的IP地址。

　　还有一种做法，就是failover的IP地址设置为0.0.0.0，如：

　　failover ip address outside 0.0.0.0

　　failover ip address inside 0.0.0.0

　　failover ip address state 0.0.0.0

　　这样，standby设备就被隐藏了。

　　还有，就是接口的MAC地址也会切换，Primary的MAC总是跟着active的IP走，这样在failover的时候，外面的设备就不会观察到任何变化。