2019/07/19

Sample of PIX Failover

Today, I'm going to test Active/Active failover.

This time, both PIX units can be active simultaneously.

Of course, the firewall efficiency is good, but you cannot use VPN features.



Requirements

1. dynamips and pemu, running two PIX instances.

2. MS Loopback adapters, to connect the Internet side and the inside side.




The firewall mode must be multiple. The command is:

FW(config)# mode multiple

After entering this command, you should reboot.



The next configuration is for the firewalls.

After setup, the two firewalls share the configuration of each context.







[FW1]==========================================================================

# Interface setup. R1 and R2 are allocated VLAN 20 and VLAN 30 respectively.

int e0
    no sh
int e1
    no sh
int e1.20
    vlan 20
    no sh
int e1.30
    vlan 30
    no sh
int e2
    no sh
    exit



# Context setup. Each context joins a failover group, so Active/Standby roles are set on both sides.

admin-context admin
context admin
config-url admin.cfg
exit

context c1
allocate-interface e0
allocate-interface e1.20
config-url c1.cfg
join-failover-group 1
exit

context c2
allocate-interface e0
allocate-interface e1.30
join-failover-group 2
config-url c2.cfg
exit


# Set MAC addresses automatically so they do not overlap between contexts.

mac-address auto


# In each context, set the IP addresses and firewall policy (not in the system/global mode).

change context c1

int e0
nameif outside
ip add 1.1.100.10 255.255.255.0 standby 1.1.100.11
int e1.20
nameif inside
ip add 1.1.20.10 255.255.255.0 standby 1.1.20.11
exit

route outside 0 0 1.1.100.1
access-list OUTSIDE-IN per icmp any any
access-group OUTSIDE-IN in int outside
monitor-interface inside


change context c2

int e0
nameif outside
ip add 1.1.100.20 255.255.255.0 standby 1.1.100.21
int e1.30
nameif inside
ip add 1.1.30.10 255.255.255.0 standby 1.1.30.11
exit

route outside 0 0 1.1.100.1
access-list OUTSIDE-IN per icmp any any
access-group OUTSIDE-IN in int outside
monitor-interface inside


# Failover setup.

change system
failover lan unit primary
failover lan int FAILOVER e2
failover lan en
failover link FAILOVER
failover key password
failover int ip FAILOVER 1.1.40.10 255.255.255.0 standby 1.1.40.11


failover group 1
primary
preempt
exit

failover group 2
secondary
preempt
exit


# Failover execution.

failover



[FW2]==========================================================================

# Interface setup. On the standby unit, just bring the interfaces up.

int e0
    no sh
int e1
    no sh
int e2
    no sh
    exit


# Failover setup and execution.

failover lan int FAILOVER e2
failover lan en
failover key password
failover int ip FAILOVER 1.1.40.10 255.255.255.0 standby 1.1.40.11
failover





It's done.

A few seconds later, you can see the failover communication messages.
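As an added example (not part of the original post), here is a small Python lint that parses the system-context and per-context commands above and checks the properties an Active/Active setup depends on: every data context joins a failover group, the two groups prefer different units, a failover key is configured (without one the failover link traffic and replicated configuration travel in clear text), and no active or standby address is reused across contexts that share an interface. The command strings are constructed from the post; the placeholder-key list is an assumption of the example.

```python
"""Lint an Active/Active PIX failover setup (added example, not from the post).

Assumptions: the commands are given as plain strings in the abbreviated CLI
form used on the page; only failover-relevant commands are recognised.
"""
import re

# Constructed sample: FW1's system-context commands, trimmed from the post.
FW1_SYSTEM = """\
context c1
config-url c1.cfg
join-failover-group 1
exit
context c2
join-failover-group 2
config-url c2.cfg
exit
failover lan unit primary
failover lan int FAILOVER e2
failover key password
failover int ip FAILOVER 1.1.40.10 255.255.255.0 standby 1.1.40.11
failover group 1
primary
exit
failover group 2
secondary
exit
failover
"""

# Constructed sample: the per-context addressing from the post.
CONTEXTS = {
    "c1": "int e0\nnameif outside\nip add 1.1.100.10 255.255.255.0 standby 1.1.100.11\n"
          "int e1.20\nnameif inside\nip add 1.1.20.10 255.255.255.0 standby 1.1.20.11\n",
    "c2": "int e0\nnameif outside\nip add 1.1.100.20 255.255.255.0 standby 1.1.100.21\n"
          "int e1.30\nnameif inside\nip add 1.1.30.10 255.255.255.0 standby 1.1.30.11\n",
}

PLACEHOLDER_KEYS = {"password", "cisco", "key", "secret"}  # assumed weak-key list


def parse_system(text):
    """Extract context->group, group->preferred unit, failover key and link IPs."""
    ctx_group, group_unit, key, link_ips, current = {}, {}, None, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"context (\S+)$", line):
            current = ("context", m.group(1))
        elif m := re.match(r"failover group (\d+)$", line):
            current = ("group", int(m.group(1)))
        elif line == "exit":
            current = None
        elif (m := re.match(r"join-failover-group (\d+)$", line)) and current and current[0] == "context":
            ctx_group[current[1]] = int(m.group(1))
        elif line in ("primary", "secondary") and current and current[0] == "group":
            group_unit[current[1]] = line
        elif m := re.match(r"failover key (\S+)$", line):
            key = m.group(1)
        elif m := re.match(r"failover int(?:erface)? ip \S+ (\S+) \S+ standby (\S+)$", line):
            link_ips = [m.group(1), m.group(2)]
    return ctx_group, group_unit, key, link_ips


def parse_context_ips(text):
    """Return (nameif, active_ip, standby_ip) for each addressed interface."""
    result, nameif = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"ip add(?:ress)? (\S+) \S+ standby (\S+)$", line):
            result.append((nameif, m.group(1), m.group(2)))
    return result


def lint(system_text, contexts):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    ctx_group, group_unit, key, link_ips = parse_system(system_text)

    # Every data context must join a failover group, otherwise it is never active.
    for name in contexts:
        if name not in ctx_group:
            findings.append(f"context {name} is not in any failover group")

    # Active/Active needs the groups to prefer different units and the contexts
    # to be spread across both groups; otherwise one unit just sits idle.
    if len(group_unit) == 2 and len(set(group_unit.values())) == 1:
        findings.append("both failover groups prefer the same unit; the other unit is idle")
    if len(ctx_group) > 1 and len(set(ctx_group.values())) == 1:
        g = next(iter(ctx_group.values()))
        findings.append(f"all contexts joined failover group {g}; this is Active/Standby in effect")

    # Without a failover key, failover traffic and replicated config go in clear text.
    if key is None:
        findings.append("no failover key: failover link traffic is unauthenticated and unencrypted")
    elif key.lower() in PLACEHOLDER_KEYS:
        findings.append(f"failover key '{key}' is a placeholder; use a strong shared secret")

    # Active and standby addresses must be unique across contexts and the failover
    # link, because the shared interface (e0 here) puts them on one segment.
    owners = [("failover link", ip) for ip in link_ips]
    for name, text in contexts.items():
        for nameif, active, standby in parse_context_ips(text):
            owners += [(f"{name}/{nameif}", active), (f"{name}/{nameif}", standby)]
    seen = {}
    for owner, ip in owners:
        if ip in seen:
            findings.append(f"address {ip} used by both {seen[ip]} and {owner}")
        seen.setdefault(ip, owner)
    return findings
```

Run `lint(FW1_SYSTEM, CONTEXTS)` on the sample above and the only finding is the placeholder key `password`; changing c2 to `join-failover-group 1`, or setting both groups to `primary`, produces the Active/Standby findings, which is the easiest way to confirm that a supposedly Active/Active pair really is one.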



Failover.zip
