防火墙Failover故障切换实战

实验拓扑

实验步骤

1、根据拓扑为防火墙/内网主机/互联网设备配置 IP 地址；
R1：
ip route 0.0.0.0 0.0.0.0 192.168.1.254

2、配置 PIX1 配置访问 INTERNET 基本配置；
PX1:
interface e1
no shutdown
nameif outside
security-level 0
ip address 100.1.1.254 255.255.255.0

interface e0
no shutdown
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0

route outside 0.0.0.0 0.0.0.0 100.1.1.2

access-list NAT permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 1 access-list NAT
global (outside) 1 interface
fixup protocol icmp

3、配置 PIX2 上配置状态化 Failover-STANDBY；
interface e2
no shutdown
interface e3
no shutdown

failover
failover lan enable
failover key cisco
failover lan unit secondary
failover lan interface Failover e2
failover interface ip Failover 10.1.12.1 255.255.255.0 standby 10.1.12.2
failover link sta-failover e3
failover interface ip sta-failover 10.2.12.1 255.255.255.0 standby 10.2.12.2

4、配置 PIX1 上状态化 Failover-ACTIVE。
interface e2
no shutdown
interface e3
no shutdown

failover
failover lan enable
failover key cisco
failover lan unit primary
failover lan interface Failover e2
failover interface ip Failover 10.1.12.1 255.255.255.0 standby 10.1.12.2
failover link sta-failover e3
failover interface ip sta-failover 10.2.12.1 255.255.255.0 standby 10.2.12.2