Example 2: LAN-Based Failover Configuration

Primary device:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
nameif ethernet3 state security20
enable password farscape encrypted
password crichton encrypted
telnet 192.168.2.45 255.255.255.255
hostname pixfirewall
ip address outside 209.165.201.1 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip address failover 192.168.254.1 255.255.255.0
ip address state 192.168.253.1 255.255.255.252
failover ip address outside 209.165.201.2
failover ip address inside 192.168.2.2
failover ip address failover 192.168.254.2
failover ip address state 192.168.253.2
failover link state
failover lan unit primary
failover lan interface failover
failover lan key 12345678
failover lan enable
failover
global (outside) 1 209.165.201.3 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0
access-list acl_out permit tcp any host 209.165.201.5 eq 80
access-group acl_out in interface outside
route outside 0 0 209.165.201.4 1

Secondary device:

interface ethernet2 100full
nameif ethernet2 failover security10
ip address failover 192.168.254.1 255.255.255.0
failover ip address failover 192.168.254.2
failover lan unit secondary
failover lan interface failover
failover lan key 12345678
failover lan enable
failover
The PIX selects its IP address according to its own state: if it is the active unit it uses the address defined by "ip address"; if it is the standby unit it uses the address defined by "failover ip address". Another approach is to set the failover IP address to 0.0.0.0, for example:

failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address state 0.0.0.0
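As an added example (not part of the original page or of any Cisco tooling), the following script parses the failover-relevant lines of the two configurations above and checks the pair for the consistency the text relies on: matching failover LAN interface and key on both units, distinct roles, a standby address that differs from the active address and sits in the same subnet, and the 0.0.0.0 alternative flagged per interface. The regexes and finding strings are this example's own choices; the config lines are copied from Example 2.

```python
import ipaddress
import re
# Failover-relevant lines of the page's Example 2; unrelated commands are omitted.
PRIMARY_CFG = """ip address outside 209.165.201.1 255.255.255.224
ip address inside 192.168.2.1 255.255.255.0
ip address failover 192.168.254.1 255.255.255.0
ip address state 192.168.253.1 255.255.255.252
failover ip address outside 209.165.201.2
failover ip address inside 192.168.2.2
failover ip address failover 192.168.254.2
failover ip address state 192.168.253.2
failover lan unit primary
failover lan interface failover
failover lan key 12345678"""
SECONDARY_CFG = """ip address failover 192.168.254.1 255.255.255.0
failover ip address failover 192.168.254.2
failover lan unit secondary
failover lan interface failover
failover lan key 12345678"""

def parse_unit(cfg):
    # Collect role, failover LAN interface, key and per-interface active/standby addresses.
    u = {"active": {}, "mask": {}, "standby": {}}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.fullmatch(r"ip address (\S+) (\S+) (\S+)", line):
            u["active"][m[1]], u["mask"][m[1]] = m[2], m[3]
        elif m := re.fullmatch(r"failover ip address (\S+) (\S+)", line):
            u["standby"][m[1]] = m[2]
        elif m := re.fullmatch(r"failover lan (unit|interface|key) (\S+)", line):
            u[m[1]] = m[2]
    return u

def check_pair(pri, sec):
    # Return findings for a primary/secondary pair; an empty list means the pair is consistent.
    findings = []
    if (pri.get("unit"), sec.get("unit")) != ("primary", "secondary"):
        findings.append("roles: one unit must be primary and the other secondary")
    for k in ("interface", "key"):  # both units must name the same failover link and shared key
        if pri.get(k) != sec.get(k):
            findings.append(f"failover lan {k} differs between units")
    for ifname, active in pri["active"].items():
        standby = pri["standby"].get(ifname, "0.0.0.0")
        net = ipaddress.ip_network(f"{active}/{pri['mask'][ifname]}", strict=False)
        if standby == "0.0.0.0":  # the alternative the text describes: no standby address here
            findings.append(f"{ifname}: standby address is 0.0.0.0")
        elif standby == active or ipaddress.ip_address(standby) not in net:
            findings.append(f"{ifname}: standby {standby} must differ from {active} and lie in {net}")
    fo = pri.get("interface")  # the secondary repeats the primary's addressing on the failover link
    if (sec["active"].get(fo), sec["standby"].get(fo)) != (pri["active"].get(fo), pri["standby"].get(fo)):
        findings.append(f"{fo}: secondary's addresses do not match the primary's")
    return findings
```

Running check_pair on the two configurations from Example 2 returns no findings; altering the key on one unit, or replacing a standby address with 0.0.0.0, produces one finding naming the affected setting.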