pix支持vlan ＋ Cable-Based Stateful failover配置实例

hb120973135

　　pix os6.3之后的版本增加了对vlan的支持。结合failover做了个测试。

物理拓扑：

inside－－|－－－DMZ
pix1－－switch－－pix2
outsie－－|

switch为3550，c3550-i5k2l2q3-mz.121-20.EA1.bin
pix1为pix525，os 6.33 UR 2FE
pix2为pix525，os 6.33 FO 2FE

pix1、2的outside分别接switch的f0/1、2，inside分别接f0/5、6
inside、outside、DMZ分别使用一台25路由器。


交换机上配置

1、配置vlan10、vlan20、vlan30，分别对应outside、inside、DMZ

2、no ip routing。

3、配置f0/5、6口为trunk，不允许vlan10通过。pix只支持dot1q。

4、开启f0/1、2、5、6口的spantree portfast。


具体配置：

！1－4属于vlan10，outside
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
!5－8属于vlan20，inside
interface FastEthernet0/5
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,30
switchport mode trunk
spanning-tree portfast trunk
!
interface FastEthernet0/6
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20,30
switchport mode trunk
spanning-tree portfast trunk
!
interface FastEthernet0/7
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 20
switchport mode access
!9－12属于vlan30，DMZ
interface FastEthernet0/9
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 30
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 30
switchport mode access
!

!各vlan接口用于测试目的。不开启routing。
interface Vlan1
ip address 10.200.2.1 255.255.255.0
no ip route-cache
!
interface Vlan10
ip address 10.100.50.3 255.255.255.0
no ip route-cache
!
interface Vlan20
ip address 10.55.20.3 255.255.255.0
no ip route-cache
!
interface Vlan30
ip address 10.55.90.3 255.255.255.0
!



pix配置步骤：

1、激活硬件接口，并设置速率与双工。
interface ethernet0 100full ※用于trunk的接口建议使用100full
interface ethernet1 100full ※用于state link的接口要求使用100full

2、添加逻辑接口，分别对应vlan号
interface ethernet0 vlan20 logical
interface ethernet0 vlan30 logical

3、命名接口
nameif ethernet0 UnUsed security5
nameif ethernet1 outside security0
nameif vlan20 inside security100
nameif vlan30 DMZ security50

4、配置接口ip address，以上完成对vlan的支持
ip address UnUsed 192.168.1.1 255.255.255.0
ip address outside 10.100.50.254 255.255.255.0
ip address inside 10.55.20.254 255.255.255.0
ip address DMZ 10.55.90.254 255.255.255.0

5、关闭pix2，连接心跳线缆。以下为failover配置

6、配置failover ip address
failover ip address UnUsed 192.168.1.2
failover ip address outside 10.100.50.253
failover ip address inside 10.55.20.253
failover ip address DMZ 10.55.90.253

7、指定state link。不允许使用logical或trunk类型的接口。所以这里只能使用outside。另外一种

配置方法是inside、dmz和outside都在一个物理接口上，state link独占一个物理接口。inside和

outside汇聚在一个物理接口上，势必造成安全隐患；state link和outside合用一个物理接口，如果

outside接口处发生故障，则无法实现stateful的failover。这两种配置只应该用于实验中，不推荐工

作机使用。
failover link outside

8、修改poll时间，为加快failover转换，减小poll时间值。适用于实验中
failover poll 3

9、激活failover，开启pix2电源
failover
10、等Sync completed之后，保存配置
write mem



具体配置:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet0 vlan20 logical
interface ethernet0 vlan30 logical
interface ethernet1 100full
nameif ethernet0 UnUsed security5
nameif ethernet1 outside security0
nameif vlan20 inside security100
nameif vlan30 DMZ security50
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname P1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permiticmp permit icmp any any
pager lines 24
icmp permit any UnUsed
icmp permit any outside
mtu UnUsed 1500
mtu outside 1500
ip address UnUsed 192.168.1.1 255.255.255.0
ip address outside 10.100.50.254 255.255.255.0
ip address inside 10.55.20.254 255.255.255.0
ip address DMZ 10.55.90.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 3
failover ip address UnUsed 192.168.1.2
failover ip address outside 10.100.50.253
failover ip address inside 10.55.20.253
failover ip address DMZ 10.55.90.253
failover link outside
pdm history enable
arp timeout 14400
nat (outside) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
access-group permiticmp in interface UnUsed
access-group permiticmp in interface outside
access-group permiticmp in interface inside
access-group permiticmp in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.100.50.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d0ba7371b36eb668d3be097dd56099ec
: end
[OK]



　　LAN－based failover的配置

在完成cable－based failover的配置后，修改为lan－based failover。
1、拔掉心跳线

2、配置pix1为primary：

failover lan unit primary
failover lan interface outside
※也不允许使用logical或trunk类型的接口。
failover lan key ********
※两台pix上配置key要一样
failover lan enable

3、激活pix1的failover

failover

4、配置pix2为secondary：

failover lan unit secondary
failover lan interface outside
failover lan key ********
failover lan enable

5、激活pix2的failover

failover

6、show failover lan detail


pix1具体配置：
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet0 vlan20 logical
interface ethernet0 vlan30 logical
interface ethernet1 100full
nameif ethernet0 UnUsed security5
nameif ethernet1 outside security0
nameif vlan20 inside security100
nameif vlan30 DMZ security50
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname P1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permiticmp permit icmp any any
pager lines 24
icmp permit any UnUsed
icmp permit any outside
mtu UnUsed 1500
mtu outside 1500
ip address UnUsed 192.168.1.1 255.255.255.0
ip address outside 10.100.50.254 255.255.255.0
ip address inside 10.55.20.254 255.255.255.0
ip address DMZ 10.55.90.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 3
failover ip address UnUsed 192.168.1.2
failover ip address outside 10.100.50.253
failover ip address inside 10.55.20.253
failover ip address DMZ 10.55.90.253
failover link outside
failover lan unit primary
failover lan interface outside
failover lan key ********
failover lan enable
pdm history enable
arp timeout 14400
nat (outside) 0 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 0 0.0.0.0 0.0.0.0 0 0
access-group permiticmp in interface UnUsed
access-group permiticmp in interface outside
access-group permiticmp in interface inside
access-group permiticmp in interface DMZ
route outside 0.0.0.0 0.0.0.0 10.100.50.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:fd053682ce164ae3f8ceb3c58f786de5
: end

pix2上相关配置：

failover
failover timeout 0:00:00
failover poll 3
failover ip address UnUsed 192.168.1.2
failover ip address outside 10.100.50.253
failover ip address inside 10.55.20.253
failover ip address DMZ 10.55.90.253
failover link outside
failover lan unit secondary
failover lan interface outside
failover lan key ********
failover lan enable