本人这两天在配置一台PIX515,配置好后PIX不工作,只有在config下输入failover active才能工作,可过了一天,PIX又不工作了,要再输入failover active才能工作,本人只用一台PIX515,没有做双机,每次开关机都要手动做一次激活,这是什么问题?请高手指点配置文件:
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security2
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 3T1OFjzBvxAtI7J5 encrypted
passwd 3T1OFjzBvxAtI7J5 encrypted
hostname SSWSC-PIX
domain-name SSWSC
clock timezone CST 8
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip address DMZ 192.168.2.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address DMZ
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.0.96 255.255.255.255 outside
pdm location 192.168.1.101 255.255.255.255 inside
pdm location 192.168.1.96 255.255.255.255 inside
pdm location 192.168.2.96 255.255.255.255 DMZ
pdm location 192.168.0.3 255.255.255.255 DMZ
pdm location 192.168.0.98 255.255.255.255 inside
pdm location 192.168.0.99 255.255.255.255 inside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location 192.168.1.1 255.255.255.255 DMZ
pdm location 192.168.0.96 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
global (DMZ) 1 192.168.2.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (DMZ) 1 192.168.2.0 255.255.255.0 0 0
static (DMZ,outside) 192.168.1.3 192.168.2.96 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.0.96 255.255.255.255 inside
snmp-server host inside 192.168.0.96
snmp-server location ShiShi Wather Supply Company,Fujian,China
snmp-server contact Lu Lixin
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd dns 202.101.107.55 202.101.98.55
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:dd32d3dd098975a2d7fbe5b2ed9a6969
SSWSC-PIX(config)# sh ver
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by morlee
SSWSC-PIX up 7 mins 42 secs
Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
Encryption hardware device : VAC+ (Crypto5823 revision 0x1)
0: ethernet0: address is 0013.c43b.32c4, irq 10
1: ethernet1: address is 0013.c43b.32c5, irq 11
2: ethernet2: address is 000d.8810.63f0, irq 11
3: ethernet3: address is 000d.8810.63f1, irq 10
4: ethernet4: address is 000d.8810.63f2, irq 9
5: ethernet5: address is 000d.8810.63f3, irq 5
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Failover Only (FO) license.
Serial Number: 809154384 (0x303ab750)
Running Activation Key: 0x2e3000cd 0x8edc0346 0x956a6c36 0xcb44e9ee
Configuration last modified by enable_15 at 11:10:41.321 CST Mon Jun 13 2005
: end
没有做双机,不需要failover的,no failover问题不在这里,估计是其他问题show ver看看This PIX has a Failover Only (FO) license.License不对
做一下升级就可以了,改成ur。。。。This PIX has a Failover Only (FO) license.License不对
FO的不能单独用
要不就不会卖那么便宜了
FO的不能单机使用吗?不能。global (outside) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0global (DMZ) 1 192.168.2.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (DMZ) 1 192.168.2.0 255.255.255.0 0 0
static (DMZ,outside) 192.168.1.3 192.168.2.96 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
请问一下,第一、三句是内部地址转化到外部合法地址,那么第二、四句有何讲究?
global (DMZ) 1 192.168.2.0
nat (DMZ) 1 192.168.2.0 255.255.255.0 0 0
第二句:内部访问DMZ区也用NAT访问。第四句:DMZ区可以访问互联网
我有点明白了,是不是这样:他们可以两两之间组合起作用如:global (outside) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
这两句可以实现内网到外网nat;
global (DMZ) 1 192.168.2.0
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
这两句可以实现内部访问DMZ区;
global (outside) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
nat (DMZ) 1 192.168.2.0 255.255.255.0 0 0
这两句可以实现DMZ区可以访问互联网;
然后,要从底安全性等级段访问高安全性等级段,要用安全策略(如acl或者conduit)也就是这两句:
static (DMZ,outside) 192.168.1.3 192.168.2.96 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.2.96 eq www any
他本来的配置就没有做FAILOVER. FO的不能单用,不过我有个想法,你做个FAILOVER试试,虽然只有一台,不过我觉得如果两台FAILOVER,一台不行了,另外一台代替.那么一台FO的如果做了FAILOVER,是不是如果检测不到,也能够直接成为ACTIVE.我没有环境实验,你试一下.(注:本人胡乱想的,说错了,大家不要用板砖拍我哦!!)对了,哥们,如果试了一定要把结果告诉我一下哦!!试了,不行,我也在想如果主的坏了拿去修,不就只有FO独立运行了,如果这样也要每天重启,然后手动激活不是很惨要是要把它升级到R版本,不知道有没有什么高招本人提供CISCO pix 防火墙 license 升级服务从FO升级到UR,从R升级到UR, 价格绝对比CISCO升级费用便宜.联系方式ckwang_2002@hotmail.com
pix535 FO-> UR RMB15,000
pix535 R-> UR RMB10,000
pix525 FO-> UR RMB10,000
pix525 R-> UR RMB6,000
pix515E FO->UR RMB6,000
pix515E R->UR RMB5,000
Pix520 1K-->UR RMB10,00
从FO到R要多少钱FO就是要每天重新启动的,要不然FO为什么比UR要便宜了.我可以帮你升级到UR,留下电话或email这和failover的特性有关系吗?如果你配置了failover而没有接心跳线的话failover也不会起作用啊!!
为什么FO不能单独用啊,当你两台机器中的主宕机了那不是代表两台都死了啊?