pa_ven
02-12-2009, 01:01 AM
http://i338.photobucket.com/albums/n405/pa_ven/Failover_Configjpeg.jpg
pixfirewall# sho run
: Saved
:
PIX Version 8.0(3)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 speed 100
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
!
interface Ethernet1
 speed 100
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
 speed 100
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 description STATE Failover Interface
 speed 100
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd Y.v/0Fla2jnYmiky encrypted
ftp mode passive
access-list acl_out extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
failover
failover link unused Ethernet3
failover interface ip unused 192.168.253.1 255.255.255.0 standby 0.0.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 209.165.201.3 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.201.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1c7b1f12992ded856ed95b0ac22e0fc5
: end
pixfirewall#
------------------------------------------------------------
pixfirewall# sho failover
Failover On
Cable status: Normal
Failover unit Primary
Failover LAN Interface: N/A - Serial-based failover enabled
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(3), Mate Unknown
Last Failover at: 09:20:34 UTC Dec 2 2009
This host: Primary - Active
 Active time: 225 (sec)
 Interface outside (209.165.201.1): Normal (Waiting)
 Interface inside (192.168.2.1): Normal (Waiting)
Other host: Secondary - Failed
 Active time: 0 (sec)
 Interface outside (0.0.0.0): Unknown (Waiting)
 Interface inside (0.0.0.0): Unknown (Waiting)
Stateful Failover Logical Update Statistics
 Link : unused Ethernet3 (Configuration incomplete)
 Stateful Obj    xmit       xerr       rcv        rerr
 General         0          0          0          0
 sys cmd         0          0          0          0
 up time         0          0          0          0
 RPC services    0          0          0          0
 TCP conn        0          0          0          0
 UDP conn        0          0          0          0
 ARP tbl         0          0          0          0
 Xlate_Timeout   0          0          0          0
 VPN IKE upd     0          0          0          0
 VPN IPSEC upd   0          0          0          0
 VPN CTCP upd    0          0          0          0
 VPN SDI upd     0          0          0          0
 VPN DHCP upd    0          0          0          0
 SIP Session     0          0          0          0
 Logical Update Queue Information
                 Cur     Max     Total
 Recv Q:         0       0       0
 Xmit Q:         0       0       0
pixfirewall#
I'm studying the PIX firewall on my own and did a lab configuring failover: the topology and config are as above. But the result wasn't good:
- After finishing the config on the primary, I connected a cable from the e3 interface primary --> secondary. Then I powered on the secondary PIX and on the primary typed the command write standby ... => the two PIXes just sat there like statues... they wouldn't synchronize...!
- I'm sure I've left something out of the config and don't know which commands are missing??? (I only know that the addresses of the corresponding interfaces on the secondary PIX haven't been configured on the primary... but I don't know which command handles that???)
Hoping the teachers and everyone here can help...!
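As an added check (not part of pa_ven's post, and not a Cisco tool): a small Python script that parses the failover-relevant lines of a PIX running-config and reports the two gaps visible in the posted output, interfaces whose `ip address` line carries no `standby` address, and a `failover interface ip` line whose standby address is still the `0.0.0.0` placeholder (the same link `show failover` lists as "Configuration incomplete"). The `POSTED_CONFIG` string is constructed from the posted `sho run`; `FIXED_CONFIG` is the same stanza with standby addresses filled in, and the `.2` addresses there are an assumption for this lab, not values from the post.

```python
import re

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample: the failover-relevant lines of the primary's posted
# running-config. Interfaces carry no standby address and the stateful
# link's standby address is the 0.0.0.0 placeholder.
POSTED_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224
!
interface Ethernet1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
 description STATE Failover Interface
!
failover
failover link unused Ethernet3
failover interface ip unused 192.168.253.1 255.255.255.0 standby 0.0.0.0
"""

# The same stanza with standby addresses filled in. The .2 addresses are an
# assumption for this lab, not values taken from the post.
FIXED_CONFIG = """\
interface Ethernet0
 nameif outside
 ip address 209.165.201.1 255.255.255.224 standby 209.165.201.2
!
interface Ethernet1
 nameif inside
 ip address 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
interface Ethernet3
 description STATE Failover Interface
!
failover
failover link unused Ethernet3
failover interface ip unused 192.168.253.1 255.255.255.0 standby 192.168.253.2
"""


def parse_interfaces(config):
    """Map each physical interface to its nameif, active IP and standby IP."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"nameif": None, "ip": None, "standby": None})
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # a non-indented line ends the interface stanza
            continue
        sub = line.strip()
        m = re.match(r"nameif (\S+)", sub)
        if m:
            cur["nameif"] = m.group(1)
        m = re.match(rf"ip address ({IP_RE}) {IP_RE}(?: standby ({IP_RE}))?", sub)
        if m:
            cur["ip"], cur["standby"] = m.group(1), m.group(2)
    return ifaces


def parse_failover(config):
    """Collect the global failover commands: enable flag, link names, link IPs."""
    fo = {"enabled": False, "lan": None, "link": None, "ips": {}}
    for line in config.splitlines():
        if line.strip() == "failover":
            fo["enabled"] = True
        m = re.match(r"failover (lan interface|link) (\S+) (\S+)", line)
        if m:
            fo["lan" if m.group(1).startswith("lan") else "link"] = (m.group(2), m.group(3))
        m = re.match(rf"failover interface ip (\S+) ({IP_RE}) {IP_RE} standby ({IP_RE})", line)
        if m:
            fo["ips"][m.group(1)] = (m.group(2), m.group(3))
    return fo


def audit(config):
    """Return the reasons a standby unit could not be brought up from this config."""
    findings = []
    ifaces, fo = parse_interfaces(config), parse_failover(config)
    if not fo["enabled"]:
        findings.append("failover is not enabled")
    for phys, i in ifaces.items():
        if i["nameif"] and i["ip"] and not i["standby"]:
            findings.append(f"{i['nameif']} ({phys}): no standby address; the secondary "
                            f"takes its address from 'ip address {i['ip']} <mask> standby <addr>'")
    for name, (_active, standby) in fo["ips"].items():
        if standby == "0.0.0.0":
            findings.append(f"failover interface {name}: standby 0.0.0.0 is a placeholder, "
                            "so the link stays 'Configuration incomplete'")
    for kind in ("lan", "link"):
        if fo[kind] and fo[kind][0] not in fo["ips"]:
            findings.append(f"failover {kind} {fo[kind][0]}: no 'failover interface ip' line")
    return findings
```

Run `audit(POSTED_CONFIG)` to get three findings (outside and inside without standby addresses, and the `unused` link with `standby 0.0.0.0`); `audit(FIXED_CONFIG)` returns an empty list. The script only sees the primary's config: it cannot tell whether the secondary is reachable, and it does not look at the serial-cable versus LAN-based failover mode that `show failover` reports ("Serial-based failover enabled" here), so a clean audit is necessary but not sufficient for the pair to sync.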