2025-01-19 Update From: SLTechnology News&Howtos
After tossing about for a long time, I finally got it working! It tormented me miserably!
R2:
R2(config)# int e1/0
R2(config-if)# ip ad 192.168.1.100 255.255.255.0
R2(config-if)# no sh
R2(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1
R1:
R1(config)# int e1/0
R1(config-if)# ip ad 202.100.1.1 255.255.255.0
R1(config-if)# no sh
R1(config)# ip route 0.0.0.0 0.0.0.0 e1/0
Next comes the configuration of the two firewalls, which really messed me up. First, to do the Failover experiment, the two firewalls must run the same version. Second, they must support the Failover feature, which requires a UR license. To check, run show version and look at the last line:
This platform has an Unrestricted (UR) license.
But damn it, when I dragged PIX1 and PIX2 out, PIX2 stubbornly refused to be UR and always showed R. Upgrading it with a key always reported failure too. Is it a matter of character?! I was stuck here for a long time, then accidentally deleted PIX1 and PIX2 and dragged out PIX3 and PIX4. On first start, damn it, both were unexpectedly UR. GNS3, you fucking play me! Well, the experiment can go on at last. Here is the configuration:
PIX3:
pixfirewall# conf t
pixfirewall(config)# hostname pix3
pix3(config)# int e0
pix3(config-if)# no sh // get into the habit of activating the port as soon as you enter it, so you do not forget!
pix3(config-if)# security-level 0
pix3(config-if)# nameif outside
pix3(config-if)# ip address 202.100.1.13 255.255.255.0 standby 202.100.1.14 // configure the primary and standby IP of outside
pix3(config-if)# int e1 // used for the heartbeat link
pix3(config-if)# no sh
pix3(config-if)# int e2
pix3(config-if)# security-level 100
pix3(config-if)# nameif inside
pix3(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2 // configure the primary and standby IP of inside
pix3(config-if)# exit
pix3(config)# access-list outlist extended permit icmp any interface outside // list outlist lets the inside ping the outside
pix3(config)# access-group outlist in interface outside // apply the list so the traffic is let through
pix3(config)# failover // enables failover; if the license is not UR, this gives an error
pix3(config)# failover lan unit primary // failover uses a LAN port for the heartbeat link; sets this unit as the primary
pix3(config)# failover lan interface flink Ethernet1 // makes E1 the LAN heartbeat interface and names it flink
pix3(config)# failover lan enable // activates the LAN heartbeat interface
pix3(config)# failover interface ip flink 10.1.1.1 255.255.255.0 standby 10.1.1.2 // sets the active and standby IPs of the LAN heartbeat link, used for heartbeat communication
pix3(config)# nat-control
pix3(config)# nat (inside) 1 192.168.1.0 255.255.255.0 // inside NAT; only the 192.168.1.0 network segment is allowed
pix3(config)# global (outside) 1 interface // outside NAT
pix3(config)# route outside 0.0.0.0 0.0.0.0 202.100.1.1 // route
Here is PIX4:
pixfirewall# conf t
pixfirewall(config)# interface e1 // used for the heartbeat link
pixfirewall(config-if)# no shut
pixfirewall(config-if)# exit
pixfirewall(config)# failover // enables failover
pixfirewall(config)# failover lan unit secondary // failover uses a LAN port for the heartbeat link; sets this unit as the secondary
pixfirewall(config)# failover lan interface flink Ethernet1 // makes E1 the LAN heartbeat interface and names it flink
pixfirewall(config)# failover lan enable // activates the LAN heartbeat interface
pixfirewall(config)# failover interface ip flink 10.1.1.1 255.255.255.0 standby 10.1.1.2 // sets the active and standby IPs of the LAN heartbeat link, used for heartbeat communication
All right, the configuration is all done. At first I did not understand this and stupidly set IPs on the PIX e0 and e2 interfaces. Embarrassing. In fact there is no need: PIX3's configuration is automatically sent to PIX4 over the heartbeat cable!
After a successful configuration, PIX3 displays the following messages:
No Response from Mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
// indicates that PIX3 has entered the failover-ready state
PIX4 displays the following information:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
// indicates that PIX4 is on standby.
At this point the entire configuration of PIX3 is automatically synchronized to PIX4, and any change made on PIX3 is also synchronized to the standby firewall immediately. After synchronization, you will find that the hostname of PIX4 has also become pix3!
Then you can check their status.
pix3(config)# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: flink Ethernet1 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(2), Mate 8.0(2)
Last Failover at: 00:38:39 UTC Apr 27 2013
This host: Primary-Active
Active time: 1500 (sec)
Interface outside (202.100.1.13): Normal
Interface inside (192.168.1.1): Normal
Other host: Secondary-Standby Ready
Active time: 0 (sec)
Interface outside (202.100.1.14): Normal
Interface inside (192.168.1.2): Normal
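An added example, not part of the original post: a Python check that parses show failover output like the listing above and reports a version mismatch, a down heartbeat link, unexpected unit states and unhealthy monitored interfaces, together with the unit and interface hold times. The function name audit_failover is an assumption of this example, and the sample is a trimmed, constructed copy of the output on this page.

```python
import re

# Constructed sample: trimmed copy of the 'show failover' output on this page.
SAMPLE = """\
Failover On
Failover LAN Interface: flink Ethernet1 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Version: Ours 8.0(2), Mate 8.0(2)
This host: Primary - Active
Interface outside (202.100.1.13): Normal
Interface inside (192.168.1.1): Normal
Other host: Secondary - Standby Ready
Interface outside (202.100.1.14): Normal
Interface inside (192.168.1.2): Normal
"""

def audit_failover(text):
    """Parse PIX 'show failover' text; return (holdtimes_in_seconds, problems)."""
    problems = []
    if not re.search(r"^Failover On\s*$", text, re.M):
        problems.append("failover is not enabled")
    lan = re.search(r"Failover LAN Interface:\s*\S+\s+\S+\s+\((\w+)\)", text)
    if not lan or lan.group(1) != "up":
        problems.append("heartbeat (failover LAN) interface is not up")
    ver = re.search(r"Version:\s*Ours\s+(.+?),\s*Mate\s+(.+)", text)
    ours, mate = (v.replace(" ", "") for v in ver.groups()) if ver else ("?", "?")
    if not ver or ours != mate:
        problems.append(f"version mismatch: ours {ours}, mate {mate}")
    # Hold times reported for the unit (heartbeat) and interface polls.
    hold = dict(re.findall(r"^(Unit|Interface) Poll .*holdtime (\d+) seconds", text, re.M))
    hold = {k.lower(): int(v) for k, v in hold.items()}
    unit, states = None, {}
    for line in map(str.strip, text.splitlines()):
        host = re.match(r"(This|Other) host:\s*\w+\s*-\s*(.+)", line)
        iface = re.match(r"Interface (\S+) \([\d.]+\):\s*(.+)", line)
        if host:  # start of a per-unit section
            unit = host.group(1).lower()
            states[unit] = host.group(2).strip()
        elif iface and unit and iface.group(2).strip() != "Normal":
            problems.append(f"{unit} host: interface {iface.group(1)} is {iface.group(2).strip()}")
    if sorted(states.values()) != ["Active", "Standby Ready"]:
        problems.append(f"unexpected unit states: {states}")
    return hold, problems

if __name__ == "__main__":
    print(audit_failover(SAMPLE))
```
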
On PIX4, if you perform an operation, you will be prompted:
**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
This is because after Failover is deployed, the two firewalls actually work from the primary unit; if you configure the standby firewall, you get this warning!
Next, test by pinging R1 from R2! If you stop PIX3 during the ping, you can see how many pings are lost before traffic switches to PIX4. Firewall failover is supposed to monitor the inside and outside ports, but after I took this interface down in the experiment, no switchover happened. Where do I need special configuration?
R2#ping 1.1.1.1 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!. ! !!!