本文转自:https://blog.51cto.com/luojinghappy/1045230
ASA failover可以通过一根交叉线直连,或者通过LAN的方式来实现。两种方式各有利弊,个人比较倾向LAN的方式,下面是一个LAN方式实现的配置实例。
如下图,两台ASA上的outside口,Inside口以及DMZ口都必须分别在同一网段。可以用独立交换机分开,也可以用VLAN实现。
在主ASA上的配置:
A.A.A.A与B.B.B.B, C.C.C.C与D.D.D.D, E.E.E.E与F.F.F.F G.G.G.G与H.H.H.H要分别在同一个网段内。
interface Ethernet0/0
description Outside Public Network
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.0 standby B.B.B.B
interface Ethernet0/1
description Inside Private Network
nameif inside
security-level 100
ip address C.C.C.C 255.255.255.0 standby D.D.D.D
interface Ethernet0/2
description LAN/STATE Failover Interface
interface Ethernet0/3
nameif dmz
security-level 50
ip address E.E.E.E 255.255.255.0 standby F.F.F.F
failover
failover lan unit primary
failover lan interface lanfo Ethernet0/2
failover key mytest
failover replication http
failover link lanfo Ethernet0/2
failover interface ip lanfo G.G.G.G 255.255.255.0 standby H.H.H.H
在辅ASA上的配置:
failover
failover lan unit secondary
failover lan interface lanfo Ethernet0/2
failover key mytest
测试:出现Active,Standby Ready状态说明配置成功:
ASA# show failover state
State Last Failure Reason Date/Time
This host – Primary
Active None
Other host – Secondary
Standby Ready None
评论