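As shown in the figure below, the outside, inside, and DMZ interfaces of the two ASAs must each share a subnet with their counterpart on the other unit. They can be separated with dedicated switches or with VLANs.
A.A.A.A and B.B.B.B, C.C.C.C and D.D.D.D, E.E.E.E and F.F.F.F, and G.G.G.G and H.H.H.H must each be in the same subnet.
Configuration on the primary ASA: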
interface Ethernet0/0
 description Outside Public Network
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.0 standby B.B.B.B
interface Ethernet0/1
 description Inside Private Network
 nameif inside
 security-level 100
 ip address C.C.C.C 255.255.255.0 standby D.D.D.D
interface Ethernet0/2
 description LAN/STATE Failover Interface
interface Ethernet0/3
 nameif dmz
 security-level 50
 ip address E.E.E.E 255.255.255.0 standby F.F.F.F
failover
failover lan unit primary
failover lan interface lanfo Ethernet0/2
failover key mytest
failover replication http
failover link lanfo Ethernet0/2
failover interface ip lanfo G.G.G.G 255.255.255.0 standby H.H.H.H
Configuration on the secondary ASA:
failover lan unit secondary
failover lan interface lanfo Ethernet0/2
! Same failover link addresses and shared key as on the primary
failover interface ip lanfo G.G.G.G 255.255.255.0 standby H.H.H.H
failover key mytest
failover
Failover test: an Active / Standby Ready pair of states means the configuration succeeded:
ASA# show failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None
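
An added example, not part of the original page: a Python check of the conditions the page relies on, namely that each active/standby address pair shares a subnet, that the failover key matches on both units, and that `show failover state` reports Active and Standby Ready. The sample configs and output are constructed (documentation and private addresses stand in for A.A.A.A through H.H.H.H, with one bad pair and one bad key on purpose), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed samples: one standby address and the secondary key are wrong on purpose.
PRIMARY_CFG = """\
interface Ethernet0/0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0 standby 10.0.1.2
failover key mytest
failover interface ip lanfo 172.16.0.1 255.255.255.0 standby 172.16.0.2
"""
SECONDARY_CFG = "failover lan unit secondary\nfailover key mytest2\n"
STATE_OUTPUT = """\
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  None
"""
PAIR_RE = re.compile(r"(\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) standby (\d+(?:\.\d+){3})")

def subnet_mismatches(cfg):
    """Return config lines whose standby address lies outside the active subnet."""
    bad = []
    for line in cfg.splitlines():
        m = PAIR_RE.search(line)
        if m:
            active, mask, standby = m.groups()
            net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
            if ipaddress.ip_address(standby) not in net:
                bad.append(line.strip())
    return bad

def keys_match(primary_cfg, secondary_cfg):
    """True when both units carry the same, non-empty failover key."""
    keys = [re.search(r"^failover key (\S+)", c, re.M) for c in (primary_cfg, secondary_cfg)]
    return all(keys) and keys[0].group(1) == keys[1].group(1)

def unit_states(state_output):
    """Map 'This host' / 'Other host' to the state on the following line."""
    states, host = {}, None
    for line in state_output.splitlines():
        if line.startswith(("This host", "Other host")):
            host = line.split("-")[0].strip()
        elif host:
            states[host] = re.split(r"\s{2,}", line.strip())[0]
            host = None
    return states

def pair_healthy(state_output):
    return sorted(unit_states(state_output).values()) == ["Active", "Standby Ready"]
```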