Cisco PIX 500 Series Configuration Manual page 258

Configuring Failover
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url flash:/admin.cfg
 join-failover-group 1
context ctx1
 description context 1
 allocate-interface GigabitEthernet0/4
 allocate-interface GigabitEthernet0/5
 config-url flash:/ctx1.cfg
 join-failover-group 2
Example 14-2 admin Context Configuration

hostname SecAppA
interface GigabitEthernet0/2
 nameif outsideISP-A
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 asr-group 1
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0 standby 10.1.0.11
monitor-interface outside
Example 14-3 ctx1 Context Configuration

hostname SecAppB
interface GigabitEthernet0/4
 nameif outsideISP-B
 security-level 0
 ip address 192.168.2.2 255.255.255.0 standby 192.168.2.1
 asr-group 1
interface GigabitEthernet0/5
 nameif inside
 security-level 100
 ip address 10.2.20.1 255.255.255.0 standby 10.2.20.11
Figure 14-1 on page 14-37 shows the ASR support working as follows:

1. An outbound session passes through security appliance SecAppA. It exits interface outsideISP-A (192.168.1.1).
2. Because of asymmetric routing configured somewhere upstream, the return traffic comes back through the interface outsideISP-B (192.168.2.2) on security appliance SecAppB.
3. Normally the return traffic would be dropped because there is no session information for the traffic on interface 192.168.2.2. However, the interface is configured with the command asr-group 1. The unit looks for the session on any other interface configured with the same ASR group ID.
4. The session information is found on interface outsideISP-A (192.168.1.2), which is in the standby state on the unit SecAppB. Stateful Failover replicated the session information from SecAppA to SecAppB.
5. Instead of being dropped, the Layer 2 header is rewritten with information for interface 192.168.1.1 and the traffic is redirected out of the interface 192.168.1.2, where it can then return through the interface on the unit from which it originated (192.168.1.1 on SecAppA). This forwarding continues as needed until the session ends.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 14 Configuring Failover, page 14-38
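The following Python model is an added illustration of the lookup described in steps 1 through 5; it is not Cisco code and does not come from this guide. It reduces each unit to a table of interfaces with per-interface session state, models Stateful Failover as a copy of that state to the peer's same-named interface, and ignores contexts, Layer 2 details and the inside interfaces. Unit names, interface names, addresses and the asr-group value are taken from Examples 14-2 and 14-3; the sample flow (10.1.0.50 to 203.0.113.10:443) is constructed for the example. Running it with asr=False shows the behaviour an operator would otherwise see under asymmetric routing: return traffic arriving on SecAppB is silently dropped for lack of state.

```python
"""Constructed model of ASR-group session lookup (not Cisco code).

Return traffic that reaches an interface with no matching state is dropped,
unless the interface has an ASR group and another interface in that group on
the same unit holds the state (local or replicated); then the traffic is
redirected out of that interface instead.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Connection 5-tuple; reverse() gives the key seen on return traffic."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class Interface:
    name: str
    ip: str                    # address this unit currently owns on the interface
    state: str                 # "active" or "standby" on this unit
    asr_group: Optional[int] = None
    sessions: set = field(default_factory=set)  # flows with state on this interface


@dataclass
class Unit:
    hostname: str
    interfaces: dict = field(default_factory=dict)

    def add(self, iface: Interface) -> None:
        self.interfaces[iface.name] = iface

    def open_session(self, ifname: str, flow: Flow) -> None:
        """Outbound traffic exits `ifname` and leaves connection state there."""
        self.interfaces[ifname].sessions.add(flow)

    def replicate_to(self, peer: "Unit") -> None:
        """Stateful Failover: copy every interface's session table to the peer."""
        for name, iface in self.interfaces.items():
            peer.interfaces[name].sessions |= iface.sessions

    def receive_return(self, ifname: str, pkt: Flow):
        """Fate of return traffic `pkt` arriving on `ifname`.

        Returns ("forward", ifname, ip), ("redirect", other_ifname, ip) or
        ("drop", None, None).
        """
        iface = self.interfaces[ifname]
        key = pkt.reverse()                 # state is keyed on the original direction
        if key in iface.sessions:
            return ("forward", iface.name, iface.ip)
        if iface.asr_group is None:
            return ("drop", None, None)     # no state and no ASR group: ordinary drop
        for other in self.interfaces.values():
            if (other is not iface and other.asr_group == iface.asr_group
                    and key in other.sessions):
                # Layer 2 header rewritten for `other`; traffic leaves through it
                # even though `other` is in the standby state on this unit.
                return ("redirect", other.name, other.ip)
        return ("drop", None, None)


def build_units(asr: bool = True):
    """SecAppA and SecAppB per Examples 14-2 and 14-3.

    Failover group 1 (admin context) is active on SecAppA and group 2 (ctx1)
    on SecAppB, so each unit owns the active address on one outside interface
    and the standby address on the other. asr=False omits `asr-group 1`.
    """
    grp = 1 if asr else None
    a, b = Unit("SecAppA"), Unit("SecAppB")
    a.add(Interface("outsideISP-A", "192.168.1.1", "active", grp))
    a.add(Interface("outsideISP-B", "192.168.2.1", "standby", grp))
    b.add(Interface("outsideISP-A", "192.168.1.2", "standby", grp))
    b.add(Interface("outsideISP-B", "192.168.2.2", "active", grp))
    return a, b


def asymmetric_return(asr: bool = True):
    """Steps 1-5: session leaves via SecAppA, reply arrives at SecAppB."""
    a, b = build_units(asr)
    flow = Flow("10.1.0.50", 40000, "203.0.113.10", 443)  # constructed sample flow
    a.open_session("outsideISP-A", flow)                   # step 1
    a.replicate_to(b)                                      # Stateful Failover (step 4)
    return b.receive_return("outsideISP-B", flow.reverse())  # steps 2, 3 and 5


if __name__ == "__main__":
    print("with asr-group 1:  ", asymmetric_return(True))
    print("without asr-group: ", asymmetric_return(False))
```

With the ASR group configured the model returns ("redirect", "outsideISP-A", "192.168.1.2"), matching step 5; without it the same packet yields ("drop", None, None), which is the failure mode the feature exists to avoid. The lookup is restricted to interfaces sharing the same group ID, so an interface outside the group never becomes an egress for another interface's sessions.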