![[H.S.T.]十六进制信息安全网官方网站](http://www.hexsafe.com/images/logo.gif){kind=logo}
PIX Failover
发布: 2010-1-16 13:31 | 作者: 奕天 | 来源: [H.S.T.]十六进制信息安全网官方网站
A/S模式
一、 实验环境:
1、 1台路由器,2台防火墙,1台WWW服务器
2、 IP地址按图上配置
注:2台防火墙的硬件配置一样,而且主、次版本需相同
二、 实验需求:
1、 实现主备切换
2、 内网可以访问外网
3、 外网可以访问内网的WWW服务
三、 实验步骤:
R1:
interface e0/0
no shutdown
ip address 192.168.96.115 255.255.255.0
exit
PIX 1:
interface Ethernet0
no shutdown
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
exit
interface Ethernet1
no shutdown
description STATE Failover Interface
exit
interface Ethernet2
no shutdown
nameif outside
security-level 0
ip address 202.103.96.112 255.255.255.0 standby 202.103.96.113
exit
failover //开启Failover
failover link state Ethernet1 //指定状态线的接口
failover interface ip state 192.168.1.1 255.255.255.252 standby 192.168.1.2 //为状态线分配地址
route outside 0.0.0.0 0.0.0.0 202.103.96.115 1
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 202.103.96.114
policy-map global_policy
class inspection_default
inspect icmp
end
static (inside,outside) tcp interface www 192.168.2.5 www netmask 255.255.255.255
access-list tcp extended permit tcp any host 202.103.96.112
access-group tcp in interface outside
PIX 2:
failover
四、 实验结果
PIX1(config)# show failover state
====My State===
Primary | Active |
====Other State===
Secondary | Standby |
====Configuration State===
Sync Done
====Communication State===
Mac set
=========Failed Reason==============
My Fail Reason:
Other Fail Reason:
Comm Failure
1、 备设备加电后,能主动学习主设备的信息。
测试:将主设备断电后,备设备成为活跃防火墙。
在PIX2上 show failover state,得
State Last Failure Reason Date/Time
This host - Secondary
Active None
Other host - Primary
Failed Comm Failure 01:06:19 UTC Jan 1 1993
====Configuration State===
Sync Done - STANDBY
====Communication State===
主设备再次通电后,又会从备设备上学习配置信息,但是它不再成为活跃防火墙。
2、内部用户可以访问外网
3、外网用户也能访问内网的WWW服务