Configuring Failover and Transparent Mode on a Cisco ASA
Topology: (figure not reproduced)
A CSS cluster is configured between the two CE12804 switches, and OSPF runs between the Cisco 2911 and the CE12804.
Cisco FW, primary unit:
1. Put the firewall in transparent mode (note: switching between routed mode and transparent mode clears the entire configuration)
firewall transparent   ## routed mode is the default
2. Enable the interfaces and configure the corresponding nameif
int g0/1
nameif inside
bridge-group 1   ## assign the interface to the bridge group
no shut
int g0/2
no shut
int g0/3
nameif outside
bridge-group 1
no shut
3. Configure failover
failover lan unit primary
failover lan interface ha GigabitEthernet0/2
failover interface ip ha 10.90.255.145 255.255.255.248 standby 10.90.255.146
4. Enable failover
failover
5. Save the configuration
write
Cisco FW, secondary unit:
1. Configure the failover interface
int g0/2
no shut
2. Configure failover
failover lan unit secondary
failover lan interface ha GigabitEthernet0/2
failover interface ip ha 10.90.255.145 255.255.255.248 standby 10.90.255.146
3. Enable failover
failover
4. Save the configuration
write
Command to check the failover state:
show failover
Once this is done, OSPF runs between R1 and SW1.
FW primary:
1. Configure the BVI address; this is what acts as the bridge
interface bvi 1
ip add 10.90.255.51 255.255.255.0   ## same subnet as the interconnect addresses of the Cisco 2811 and the Huawei CE12804
2. Enable the required policies on the FW
Define the policies
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any4 any
access-list inside_access_in extended permit ospf any any
access-list global_access extended permit ip any any
access-list global_access extended permit ospf any any
access-list global_access extended permit icmp any4 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ospf any any
access-list outside_access_in extended permit icmp any4 any
Apply the policies
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
OSPF and the interconnect addresses are configured as usual between the Cisco 2911 and the CE12804.
How it works:
Configuration required in transparent mode
Configure the BVI interface:
interface bvi 1
ip address X.X.X.X X.X.X.X
Each BVI corresponds to exactly one bridge group.
Explanation of the configuration:
Configuration example from the documentation: (figure not reproduced)
Note: the bridge-group is only needed when the firewall is in transparent mode, and the BVI address must be in the same subnet as the interconnect addresses of the upstream and downstream devices.
Example:
The interconnect address of the Cisco 3945 is 10.90.253.50/29
The interconnect address of the Huawei CE12804 is 10.90.253.49/29
The BVI address of the Cisco ASA 5545 is 10.90.253.51/29
To check: show bridge-group
Bridge-group analysis: (figure not reproduced)
From the output above, a single Cisco ASA 5545 supports at most 8 bridge groups, and one bridge group can contain at most 4 interfaces.
Although several bridge groups can be configured, only one bridge group is actually used when the ASA is in transparent mode.
An interface can belong to only one bridge group; the same interface cannot be placed in multiple bridge groups.
It would be nice to be able to configure this on real hardware.
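The bridge-group rules above (at most 8 groups, at most 4 interfaces per group, an interface in only one group, BVI in the same subnet as the neighbours) and the failover stanzas from the earlier sections are easy to get wrong when the configuration is typed by hand, so here is an added example, not part of the original post and not Cisco's own tooling, that lints an ASA configuration for exactly those rules before it is pushed. The sample configurations and the peer addresses are constructed from the post's own commands and its /29 example; the parser understands only the handful of commands the post uses.

```python
"""Lint an ASA transparent-mode and failover configuration for the rules the
post states: at most 8 bridge groups, at most 4 interfaces per group, an
interface in only one group, a BVI whose subnet contains both neighbours'
interconnect addresses, and failover stanzas that agree on both units."""
import ipaddress
import re

MAX_BRIDGE_GROUPS = 8       # limit the post gives for an ASA 5545
MAX_MEMBERS_PER_GROUP = 4   # interfaces per bridge group, also from the post

# Constructed sample configs in the style of the post (not real device dumps).
PRIMARY = """
firewall transparent        ## routed mode is the default
int g0/1
 nameif inside
 bridge-group 1
int g0/3
 nameif outside
 bridge-group 1
interface bvi 1
 ip address 10.90.253.51 255.255.255.248
failover lan unit primary
failover lan interface ha GigabitEthernet0/2
failover interface ip ha 10.90.255.145 255.255.255.248 standby 10.90.255.146
"""
SECONDARY = """
int g0/2
failover lan unit secondary
failover lan interface ha GigabitEthernet0/2
failover interface ip ha 10.90.255.145 255.255.255.248 standby 10.90.255.146
"""
PEERS = ["10.90.253.50", "10.90.253.49"]   # neighbour addresses from the post's /29 example


def parse_asa(config: str) -> dict:
    """Extract mode, bridge-group membership, BVI addresses and failover settings."""
    cfg = {"transparent": False, "bridge_groups": {}, "bvi": {}, "failover": {}}
    current = None                              # interface whose sub-mode we are in
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop "## ..." comments
        if not line:
            continue
        if line == "firewall transparent":
            cfg["transparent"] = True
        elif m := re.match(r"int(?:erface)?\s+(.+)", line):
            current = m.group(1).lower().replace(" ", "")   # "bvi 1" -> "bvi1"
        elif m := re.match(r"bridge-group\s+(\d+)", line):
            cfg["bridge_groups"].setdefault(int(m.group(1)), []).append(current)
        elif m := re.match(r"ip add(?:ress)?\s+(\S+)\s+(\S+)", line):
            if current and current.startswith("bvi"):   # only BVI addresses matter here
                cfg["bvi"][int(current[3:])] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"failover lan unit (primary|secondary)", line):
            cfg["failover"]["unit"] = m.group(1)
        elif m := re.match(r"failover lan interface (\S+) (\S+)", line):
            cfg["failover"]["link"] = (m.group(1), m.group(2).lower())
        elif m := re.match(r"failover interface ip \S+ (\S+) (\S+) standby (\S+)", line):
            cfg["failover"]["addresses"] = m.groups()
    return cfg


def lint_bridge_groups(cfg: dict, peers: list) -> list:
    """Return findings for the bridge-group / BVI rules; an empty list means it passes."""
    findings = []
    if not cfg["transparent"]:
        findings.append("routed mode: bridge-group and BVI configuration does not apply")
    groups = cfg["bridge_groups"]
    if len(groups) > MAX_BRIDGE_GROUPS:
        findings.append(f"{len(groups)} bridge groups exceed the limit of {MAX_BRIDGE_GROUPS}")
    owner = {}                                  # interface -> first bridge group it joined
    for gid, members in groups.items():
        if len(members) > MAX_MEMBERS_PER_GROUP:
            findings.append(f"bridge-group {gid}: {len(members)} members, max {MAX_MEMBERS_PER_GROUP}")
        for iface in members:
            if iface in owner and owner[iface] != gid:
                findings.append(f"{iface} is in bridge-group {owner[iface]} and bridge-group {gid}")
            owner.setdefault(iface, gid)
        bvi = cfg["bvi"].get(gid)
        if bvi is None:
            findings.append(f"bridge-group {gid} has no BVI address")
            continue
        for peer in peers:                      # BVI must share the neighbours' subnet
            if ipaddress.ip_address(peer) not in bvi.network:
                findings.append(f"peer {peer} is outside BVI {gid} subnet {bvi.network}")
    return findings


def lint_failover_pair(unit_a: dict, unit_b: dict) -> list:
    """Check that the two units' failover stanzas describe the same pair."""
    a, b = unit_a["failover"], unit_b["failover"]
    checks = [
        ({a.get("unit"), b.get("unit")} == {"primary", "secondary"},
         "one unit must be primary and the other secondary"),
        (a.get("link") == b.get("link"), "failover LAN interface differs between the units"),
        (a.get("addresses") == b.get("addresses"),
         "failover active/standby addresses differ between the units"),
    ]
    return [msg for ok, msg in checks if not ok]


if __name__ == "__main__":
    print("bridge groups:", lint_bridge_groups(parse_asa(PRIMARY), PEERS) or "OK")
    print("failover pair:", lint_failover_pair(parse_asa(PRIMARY), parse_asa(SECONDARY)) or "OK")
```

Running the block as-is reports both checks as OK. Feeding it a configuration that places g0/1 in two bridge groups, or a BVI address on a different /29 than the neighbours, produces one finding per violated rule, which is the point at which the configuration should be corrected rather than pushed to the pair.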