pix做FAILOVER的配置案例
下面是一个成功运行的 PIX FAILOVER 配置实例：
! Running configuration of one unit of a PIX active/standby pair.
! NOTE(review): before a listing like this is published, the password
! hashes, the SNMP community string and the real addresses should be
! redacted; everything below is reproduced as pasted.
PIX Version 7.0(4)
!
hostname pix535
domain-name ciscopix.com
! Privileged-mode secret. The identical hash string appears again on the
! "passwd" line further down, i.e. login and enable share one secret.
! Use distinct secrets for the two, and rotate both once a listing has
! been shared.
enable password fwW3u9qtA9nhVjo3 encrypted
names
!
! Outside (security-level 0) interface. The unit that is currently
! active answers on the first address, its peer on the "standby" address.
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.146.102 255.255.254.0 standby 192.168.146.103
!
! Inside (security-level 100) interface, same active/standby addressing.
interface GigabitEthernet1
nameif inside
security-level 100
ip address 172.16.146.252 255.255.254.0 standby 172.16.146.251
!
! Dedicated stateful-failover link; it carries no nameif, and its
! addresses are assigned by "failover interface ip state" below.
interface GigabitEthernet2
description STATE Failover Interface
!
! Unused interface: it has a nameif and a security level but no address
! and, unlike Ethernet1 below, is NOT shut down. Add "shutdown" here so
! that an unplanned cable cannot bring the port into service.
interface Ethernet0
nameif intf2
security-level 4
no ip address
!
! Unused interface, administratively down.
interface Ethernet1
shutdown
nameif intf3
security-level 6
no ip address
!
! Login (console/telnet/ssh) password - same hash as "enable password"
! above; see the note there.
passwd fwW3u9qtA9nhVjo3 encrypted
boot system flash:/image
ftp mode passive
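! Inbound filter for the outside interface; it is bound further down by
! "access-group 100 in interface outside". The destination hosts are the
! mapped (outside-side) addresses that the "static (inside,outside)"
! entries below translate to the 172.16.146.0/23 servers. Anything not
! matched by an entry here is dropped by the implicit deny at the end of
! the list.
! Lines that were wrapped in the original paste (e.g. "... eq sqln" /
! "et") have been rejoined; every entry is one command.
access-list 100 extended permit tcp any host 192.168.146.8 eq sqlnet
access-list 100 extended permit tcp any host 192.168.146.11 eq www
access-list 100 extended permit tcp any host 192.168.146.14 eq 7001
access-list 100 extended permit tcp any host 192.168.146.15 eq 6001
access-list 100 extended permit tcp any host 192.168.146.15 eq 6500
access-list 100 extended permit tcp any host 192.168.146.15 eq 6666
access-list 100 extended permit tcp any host 192.168.146.16 eq 6500
access-list 100 extended permit tcp any host 192.168.146.17 eq 7001
access-list 100 extended permit tcp any host 192.168.146.19 eq 6000
access-list 100 extended permit tcp any host 192.168.146.11 eq 9099
access-list 100 extended permit tcp any host 192.168.146.8 eq 9099
access-list 100 extended permit tcp any host 192.168.146.15 eq 6123
access-list 100 extended permit tcp any host 192.168.146.13 eq 9999
access-list 100 extended permit tcp any host 192.168.146.13 range 19000 20000
! The next two entries expose the whole high-port range of .14 and .29
! to any source; narrowing them to the ports the applications actually
! use shrinks the exposed surface considerably.
access-list 100 extended permit tcp any host 192.168.146.14 range 1025 65535
access-list 100 extended permit tcp any host 192.168.146.29 range 1025 65535
! All ICMP types from anywhere to anywhere. Limiting this to the types
! needed for path MTU discovery and diagnostics (echo-reply,
! unreachable, time-exceeded) is the usual hardening step.
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any host 192.168.146.41 eq 6200
access-list 100 extended permit tcp host 192.168.147.88 host 192.168.146.3 eq sqlnet
! Explicit deny of RDP to .3. Nothing above permits that port, so the
! implicit deny would already drop it; the entry documents intent.
access-list 100 extended deny tcp any host 192.168.146.3 eq 3389
access-list 100 extended permit tcp any host 192.168.146.11 eq https
access-list 100 extended permit tcp any host 192.168.146.15 eq 6234
access-list 100 extended permit tcp host 192.168.147.51 host 192.168.146.34 eq sqlnet
! SSH to .34 is open to any source, whereas every other SSH entry in
! this list names the permitted client host; consider doing the same here.
access-list 100 extended permit tcp any host 192.168.146.34 eq ssh
access-list 100 extended permit tcp host 192.168.147.68 host 192.168.146.34 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.58 host 192.168.146.34 eq sqlnet
access-list 100 extended permit tcp host 192.168.146.18 host 192.168.146.3 eq sqlnet
access-list 100 extended permit tcp host 192.168.146.30 host 192.168.146.3 eq sqlnet
access-list 100 extended permit tcp any host 192.168.146.18 range 6665 6666
access-list 100 extended permit tcp any host 192.168.146.15 eq 6060
access-list 100 extended permit tcp host 192.168.147.88 host 192.168.146.34 eq sqlnet
access-list 100 extended permit tcp any host 192.168.146.15 eq 6080
access-list 100 extended permit tcp host 192.168.147.51 host 192.168.146.111 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.51 host 192.168.146.112 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.51 host 192.168.146.111 eq ssh
access-list 100 extended permit tcp host 192.168.147.51 host 192.168.146.112 eq ssh
access-list 100 extended permit tcp host 192.168.147.88 host 192.168.146.111 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.88 host 192.168.146.112 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.88 host 192.168.146.111 eq ssh
access-list 100 extended permit tcp host 192.168.147.88 host 192.168.146.112 eq ssh
access-list 100 extended permit tcp host 192.168.147.51 host 192.168.146.3 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.160 host 192.168.146.100 eq 2020
access-list 100 extended permit tcp host 192.168.147.80 host 192.168.146.100 eq 2020
access-list 100 extended permit tcp host 192.168.147.68 host 192.168.146.3 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.78 host 192.168.146.34 eq sqlnet
access-list 100 extended permit tcp host 192.168.146.88 host 192.168.146.3 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.68 host 192.168.146.111 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.68 host 192.168.146.112 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.160 host 192.168.146.111 eq sqlnet
access-list 100 extended permit tcp host 192.168.147.160 host 192.168.146.112 eq sqlnet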
pager lines 24
! Syslog is sent to a collector on the inside. "logging history" sets the
! severity for SNMP-trap logging only; no "logging trap" level appears in
! this listing, so the severity actually delivered to 172.16.146.31
! cannot be read from here - confirm on the device.
logging enable
logging history errors
logging facility 16
logging host inside 172.16.146.31
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
! Active/standby failover. Only the stateful-replication link is
! configured here; no "failover lan interface" / "failover lan unit"
! line appears, so this pair presumably uses the serial failover cable
! for hellos - confirm. No "failover key" appears either, so state
! replication over GigabitEthernet2 is assumed to be unauthenticated;
! keep that link on a dedicated, physically isolated segment.
failover
failover link state GigabitEthernet2
failover interface ip state 192.168.253.1 255.255.255.252 standby 192.168.253.2
asdm image flash:/pdm
asdm history enable
arp timeout 14400
! nat-control: inside->outside traffic must match a translation. The
! inside /23 is PAT'd behind the outside interface address; the statics
! below publish individual servers one-to-one.
nat-control
global (outside) 1 interface
nat (inside) 1 172.16.146.0 255.255.254.0
! One-to-one statics. The 192.168.146.x mapped addresses are the
! destinations referenced by access-list 100.
static (inside,outside) 192.168.146.16 172.16.146.16 netmask 255.255.255.255
static (inside,outside) 192.168.146.19 172.16.146.19 netmask 255.255.255.255
static (inside,outside) 192.168.146.15 172.16.146.15 netmask 255.255.255.255
static (inside,outside) 192.168.146.3 172.16.146.3 netmask 255.255.255.255
static (inside,outside) 192.168.146.11 172.16.146.11 netmask 255.255.255.255
static (inside,outside) 192.168.146.14 172.16.146.14 netmask 255.255.255.255
static (inside,outside) 192.168.146.17 172.16.146.17 netmask 255.255.255.255
static (inside,outside) 192.168.146.8 172.16.146.8 netmask 255.255.255.255
static (inside,outside) 192.168.146.13 172.16.146.13 netmask 255.255.255.255
static (inside,outside) 192.168.146.34 172.16.146.34 netmask 255.255.255.255
static (inside,outside) 192.168.146.29 172.16.146.29 netmask 255.255.255.255
static (inside,outside) 192.168.146.41 172.16.146.41 netmask 255.255.255.255
static (inside,outside) 192.168.146.18 172.16.146.18 netmask 255.255.255.255
static (inside,outside) 192.168.146.111 172.16.146.111 netmask 255.255.255.255
static (inside,outside) 192.168.146.112 172.16.146.112 netmask 255.255.255.255
static (inside,outside) 192.168.146.100 172.16.146.100 netmask 255.255.255.255
! Binds access-list 100 to traffic arriving on the outside interface.
access-group 100 in interface outside
! Static routes via two next hops on the outside segment (.101 and
! .252). The trailing number is the route metric/administrative
! distance. No default route ("route outside 0.0.0.0 0.0.0.0 ...")
! appears in this listing, so only the prefixes below are reachable
! from the firewall unless a default is configured elsewhere - confirm.
route outside 202.1.1.0 255.255.255.0 192.168.146.101 2
route outside 10.201.0.0 255.255.0.0 192.168.146.101 2
route outside 10.10.217.0 255.255.255.0 192.168.146.101 1
route outside 10.10.216.0 255.255.255.0 192.168.146.101 1
route outside 10.10.10.0 255.255.255.0 192.168.146.101 1
route outside 10.10.100.4 255.255.255.255 192.168.146.101 2
route outside 10.10.90.0 255.255.255.0 192.168.146.101 2
route outside 10.50.1.0 255.255.255.0 192.168.146.252 1
route outside 10.40.1.0 255.255.255.0 192.168.146.252 1
route outside 10.30.1.0 255.255.255.0 192.168.146.252 1
route outside 10.20.1.0 255.255.255.0 192.168.146.252 1
route outside 10.10.1.0 255.255.255.0 192.168.146.252 1
route outside 10.1.27.0 255.255.255.0 192.168.146.101 1
route outside 10.1.26.0 255.255.255.0 192.168.146.101 1
route outside 192.168.9.0 255.255.255.0 192.168.146.101 1
route outside 192.0.0.0 255.255.255.0 192.168.146.101 1
route outside 182.76.3.75 255.255.255.255 192.168.146.101 1
route outside 182.18.2.0 255.255.255.0 192.168.146.101 1
route outside 26.20.253.0 255.255.255.0 192.168.146.101 1
route outside 22.0.0.0 255.0.0.0 192.168.146.101 1
route outside 21.0.0.0 255.0.0.0 192.168.146.101 1
route outside 192.168.0.0 255.254.0.0 192.168.146.252 1
route outside 10.24.0.0 255.255.0.0 192.168.146.101 1
! Connection/translation idle timers (defaults for 7.0 unless noted).
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
! AAA server groups are declared but have no "aaa-server ... host"
! members and no "aaa authentication" line in this listing; management
! logins therefore presumably use the local "passwd"/"enable password"
! only - confirm.
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
! ASDM/HTTPS management limited to two inside hosts.
http server enable
http 172.16.146.30 255.255.255.255 inside
http 172.16.146.31 255.255.255.255 inside
no snmp-server location
no snmp-server contact
! SNMP community string in clear text: treat it as a credential and
! rotate it after this listing has been shared. No "snmp-server host"
! line appears here, so the traps enabled on the next line have no
! receiver and no management station is authorised to poll - confirm.
snmp-server community tjepouom-r
snmp-server enable traps snmp authentication linkup linkdown coldstart
! VPN-terminated traffic is not exempt from interface ACLs.
no sysopt connection permit-ipsec
! Telnet (cleartext) is accepted from the whole inside /23.
telnet 172.16.146.0 255.255.254.0 inside
telnet timeout 5
ssh timeout 5
! Only SSH protocol 1 is enabled; 7.0 supports "ssh version 2", which
! is the version to use. No "ssh <address> <mask> <interface>" entry
! appears in this listing, so no SSH client source is permitted at all.
ssh version 1
! Console session never times out.
console timeout 0
!
! Default inspection class: matches each protocol on its standard port.
class-map inspection_default
match default-inspection-traffic
!
!
! Application-layer inspections applied to all interfaces through the
! global service policy below. "inspect sqlnet" covers the many sqlnet
! entries in access-list 100.
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
! Default TFTP target for "write net"/"copy" - a host reached through
! the OUTSIDE interface. TFTP is cleartext and unauthenticated, so the
! configuration (including the hashes above) travels unprotected to
! this host; prefer a server on the inside or a secure copy method.
tftp-server outside 192.168.146.76 /tr252
! Checksum the device computes over the saved configuration; it is not
! a secret, but it changes on every write.
Cryptochecksum:a0cf3893db8ea59e103524cd901dc3fb
: end
pix535(config)#