配置PIX双机failover的要点

　　password crichton encrypted

　　telnet 192.168.2.45 255.255.255.255

　　hostname pixfirewall

　　ip address outside 209.165.201.1 255.255.255.224

　　ip address inside 192.168.2.1 255.255.255.0

　　ip address failover 192.168.254.1 255.255.255.0

　　ip address state 192.168.253.1 255.255.255.252

　　failover ip address outside 209.165.201.2

　　failover ip address inside 192.168.2.2

　　failover ip address failover 192.168.254.2

　　failover ip address state 192.168.253.2

　　failover link state

　　failover lan unit primary

　　failover lan interface failover

　　failover lan key 12345678

　　failover lan enable

　　failover

　　global (outside) 1 209.165.201.3 netmask 255.255.255.224

　　nat (inside) 1 0.0.0.0 0.0.0.0 0 0

　　static (inside,outside) 209.165.201.5 192.168.2.5 netmask 255.255.255.255 0 0

　　access-list acl_out permit tcp any host 209.165.201.5 eq 80

　　access-group acl_out in interface outside

　　route outside 0 0 209.165.201.4 1

　　Secondary 设备：

　　interface ethernet2 100full

　　nameif ethernet2 failover security10

　　ip address failover 192.168.254.1 255.255.255.0

　　failover ip address failover 192.168.254.2

　　failover lan unit secondary

　　failover lan interface failover

　　failover lan key 12345678

　　failover lan enable

　　failover

　　PIX会根据自己的状态选用IP，如果是Active设备，就用ip address定义的地址；如果是standby就用failover ip address定义的IP地址。

　　还有一种做法，就是failover的IP地址设置为0.0.0.0，如：

　　failover ip address outside 0.0.0.0

　　failover ip address inside 0.0.0.0

　　failover ip address state 0.0.0.0

　　这样，standby设备就被隐藏了。

　　还有，就是接口的MAC地址也会切换，Primary的MAC总是跟着active的IP走，这样在failover的时候，外面的设备就不会观察到任何变化。