ASA 5500 HA Notes

Published: 2020-06-27 08:13:02 Source: Internet Views: 2211 Author: dengdelei Category: Security Technology

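1. ASA5510 + Security Plus License: high-availability support across the ASA series
A:
ASA5505: the base license does not support HA; with the Security Plus license it supports stateless Active/Standby and redundant ISP.
ASA5510: the base license does not support HA; with the Security Plus license it supports A/A and A/S failover (FO).
ASA5520 and above: the base license already supports A/A and A/S failover.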

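2. How many ports are actually usable on the ASA5510, and at what speed?
A:
Cisco ASA 5510 releases before 7.2.2: 3 FE ports with the Base License, 5 FE ports with the Plus License.
Cisco ASA 5510 release 7.2.2 and later: 5 FE ports, whether Base or Plus.
Cisco ASA 5510 release 7.2.3 and later: 5 FE ports with Base; Plus upgrades two FE ports to GE ports (2 GE + 3 FE).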


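3. Licensing for PIX HA.
A: For A/A, one firewall must have a UR license and the other a Failover-Active/Active (FO-A/A) license, or both devices must have UR licenses.
For A/S, one firewall must have a UR license and the other a Failover (FO) or Failover-Active/Active (FO-A/A) license.
If you have only one firewall, a purchased FO or FO-A/A license cannot be used on its own; it must be paired with a firewall that has a UR license.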


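4. Does the FWSM support routed mode and transparent mode side by side in multi context mode?
A: From version 3.1 onward, the FWSM supports mixing routed mode and transparent mode in multi context mode.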


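5. Can the IPS function on ISR routers only be provided by IOS software?

A: You can choose an IPS module. The model is AIM-IPS-K9, and the supported platforms are the ISR 1841, 2800 and 3800 series routers.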


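6. On the SUP720 engine, how do I use the copper port, that is, which command switches from the SFP port to the copper port?
A: See the command media-type {rj45 | sfp} in interface configuration mode.
Yes, the Catalyst 6500 supports mixed AC and DC power input.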


7. Does the Supervisor Engine 32 PISA for the Cisco Catalyst 6500 series support MPLS traffic?
A: Yes, it does.

8. If the NBAR feature is used on Supervisor Engine 32 PISA engines, where can the PDLM files be downloaded?
A: You can download them from the following link: www.cisco.com/cgi-bin/tablebuild.pl/pdlm

9. Can Cisco PIX support SSL VPN after upgrading to version 8.0?

A: Cisco PIX can be upgraded to the latest 8.0 software, but PIX cannot support SSL VPN.

10. Why is there no Xlate figure on the ASA datasheet?
>> xlates = max conns. Why are they equal? Architectural reasons :)

11. How do I configure dual links on the ASA?
>> http://www.cisco.com/warp/customer/110/pix-dual-isp.html
http://www.cisco.com/en/US/products/hw/***devc/ps2030/products_configuration_example09186a00806e880b.shtml
http://kbase:8000/paws/servlet/ViewFile/70559/pix-dual-isp.xml?convertPaths=1
http://www.cisco.com/en/US/customer/products/hw/***devc/ps2030/products_configuration_example09186a00806e880b.shtml
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/general/ip.htm#wp1047900

12. Please list the anti-attack features supported by the ASA5550, such as protection against SYN flood, Smurf, IP spoofing, etc.
>>against denial of service (DoS) attacks, such as SYN floods, Internet Control Message Protocol (ICMP) floods, teardrops, port scans, pings of death, and many other common attacks


13. What does ASA5510-SEC-PL do?
A: ASA 5510 Security Plus License w/ HA, GE, more VLANs + conns
Cisco ASA 5510 Security Plus license (provides Active/Active and Active/Standby high availability, increased session and VLAN capacities, and additional Ethernet interfaces)
This license raises the capabilities of the ASA5510:

1: 130,000 sessions (the default is 50,000)
2: Includes 2 contexts
3: 5 Ethernet ports, 2 GE + 3 FE
4: 100 VLANs (the default is 50)
5: VPN clustering and load balancing
6: High availability, with support for A/A and A/S

14. When the firewalls run A/A, the default ARP timeout is 14400. What is the minimum value?
In answer to your question:
- Cisco recommends keeping the default ARP timeout of 14400 seconds (4
hours). At a minimum, it should be greater than the CAM timeout for your
switches, which is 300 seconds (5 minutes).
- The ARP timeout can be seen in the output of show interface <interface>
- The ARP timeout can be changed using the "arp timeout <seconds>" command in
interface configuration mode.

The following diagram shows, at a high level, the ip-addresses that are assigned to the primary and secondary Cisco ASA devices in this example.
[Diagram: ASA 5500 HA notes]
In the above diagram:

  • ext0 – Assign your external ip-address to this interface. ext0 indicates that this is connected to the port 0 on the device.
  • int1 – Assign your internal ip-address to this interface. int1 indicates that this is connected to the port 1 on the device.
  • fail3 – Assign an internal ip-address to this interface that will be used between the primary and secondary devices during failover. fail3 indicates that this is connected to the port 3 on the device.

The Cisco ASA 5520 model has 4 ports on the back, marked as 0, 1, 2 and 3. In our example, we’ll be using ports 0, 1, and 3 as explained above.

Other than the 4 network ports, you’ll also see slots marked as mgmt, usb, usb, console, aux, flash card.

 

While the example shown here was done on a Cisco ASA 5520, the same configuration will work on other Cisco ASA 5500 series models, e.g. Cisco ASA 5510, Cisco ASA 5505, etc.

1. Setup failover interface on Primary ASA

Connect your laptop serial port to the primary ASA device using the console cable that came with the device.

Use PuTTY -> Select “Serial” -> Make sure serial line is set to “Com1” -> and speed is set to “9600”

Execute the following commands to designate this unit as the failover primary and bring up port 0/3, which will carry the failover link.

    enable
    config t
    ! designate this unit as the primary of the failover pair
    failover lan unit primary
    interface gigabitEthernet 0/3
    no shutdown

2. Assign the failover ip-address on Primary ASA using LANFAIL

Execute the following commands, which assign “10.10.1.1” (the one marked as fail3 in the diagram above) to the 0/3 interface on the primary device. The primary must also know the failover ip-address of the standby. In this example, it is 10.10.1.2

You should also specify a failover key. Make sure the same key is used when you configure failover on the secondary device. In this example, the failover key is “secretkey”

    failover lan interface LANFAIL gigabitethernet 0/3
    ! active address first, then the standby unit's address on the same subnet
    failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
    failover key secretkey
    failover link LANFAIL
    exit
    show failover

3. Assign the External ip-address on Primary ASA

Execute the following commands, which assign “174.121.83.47” (the one marked as ext0 in the diagram above) to the 0/0 interface on the primary device. The primary must also know the external ip-address of the standby ASA device. In this example, it is 174.121.83.48

    show run
    config t
    interface gigabitEthernet 0/0
    nameif external
    ip address 174.121.83.47 255.255.255.0 standby 174.121.83.48
    no shutdown
    exit

4. Assign the Internal ip-address on Primary ASA

Execute the following commands, which assign “192.168.1.47” (the one marked as int1 in the diagram above) to the 0/1 interface on the primary device. The primary must also know the internal ip-address of the standby ASA device. In this example, it is 192.168.1.48

    interface gigabitEthernet 0/1
    nameif internal
    security-level 100
    ip address 192.168.1.47 255.255.255.0 standby 192.168.1.48
    no shutdown
    exit
    show run

5. Verify the configuration on Primary ASA

Execute the following commands to verify the failover configuration that has been setup so far on the Cisco ASA primary device.

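    ! health-monitor both data interfaces
    monitor-interface external
    monitor-interface internal
    exit
    show failover
    ! failover is a configuration command, so re-enter configuration mode
    config t
    failover
    exit
    show failover interface
    show failover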

6. Setup failover interface on Secondary ASA

Connect your laptop serial port to the secondary ASA device using the console cable that came with the device.

Use PuTTY -> Select “Serial” -> Make sure serial line is set to “Com1” -> and speed is set to “9600”

Execute the following commands to designate this unit as the failover secondary and set up port 0/3 as the failover link.

    en
    config t
    no failover
    ! designate this unit as the secondary of the failover pair
    failover lan unit secondary
    interface gigabitEthernet 0/3
    no nameif
    no shutdown
    failover lan interface LANFAIL gigabitEthernet 0/3

7. Assign the failover ip-address on Secondary ASA using LANFAIL

Execute the following commands, which specify that the primary LANFAIL ip-address is 10.10.1.1 and the standby is 10.10.1.2

You should also specify a failover key. Make sure the same key that you used while configuring the primary ASA is used here as well. In this example, the failover key is “secretkey”

    failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
    failover key secretkey
    failover link LANFAIL
    failover
    exit
    show run

8. Automatic Configuration Copy from Primary to Secondary ASA

Once you configure LANFAIL as shown above, all other configuration is automatically copied from the primary Cisco ASA device to the standby Cisco ASA device.

    show failover
    config t
    interface gigabitEthernet 0/3
    no shutdown
    exit
    show failover

9. Setup Additional Configuration on ASA Primary

Set up additional configuration on the Cisco ASA primary device as shown below. This includes hostname setup, domain name setup, route setup, and allowing http and ssh from the internal network to the Cisco ASA primary.

    config t
    no monitor-interface management
    hostname FW-PRIMARY
    domain-name thegeekstuff.com
    ! default route out of the external interface
    route external 0.0.0.0 0.0.0.0 174.121.83.0
    exit
    config t
    ! restrict management access (http, ssh) to the internal network
    http 192.168.0.0 255.255.0.0 internal
    ssh 192.168.0.0 255.255.0.0 internal

Note: All of the above configuration will be copied over automatically to the Cisco ASA standby device, as failover is already configured. The only thing you need to set up on the Cisco ASA standby is the hostname, “FW-STANDBY”, as shown below.

    config t
    hostname FW-STANDBY

Finally, view the current running configuration, and write it to the memory as shown below.

    show run
    write mem
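A pre-deployment check for the failover commands in the steps above, as an added example that is not part of the original article: it reads the command script you plan to enter on a unit and flags a missing or example failover key and any standby address that does not sit in the active address's subnet. The function name `audit_failover`, the `EXAMPLE_KEYS` deny-list and the `MIN_KEY_LEN` policy are hypothetical, and the sample input is constructed from the primary-unit commands on this page.

```python
import ipaddress
import re

# Constructed sample: the primary-unit commands from the steps above.
PRIMARY_CONFIG = """\
failover lan unit primary
failover lan interface LANFAIL gigabitEthernet 0/3
failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
failover key secretkey
failover link LANFAIL
interface gigabitEthernet 0/0
 nameif external
 ip address 174.121.83.47 255.255.255.0 standby 174.121.83.48
interface gigabitEthernet 0/1
 nameif internal
 security-level 100
 ip address 192.168.1.47 255.255.255.0 standby 192.168.1.48
failover
"""

# Hypothetical site policy: keys copied from documentation, and a minimum length.
EXAMPLE_KEYS = {"secretkey", "cisco", "password", "changeme"}
MIN_KEY_LEN = 16
ADDR = re.compile(r"(?:failover interface ip (\S+)|ip address) "
                  r"(\S+) (\S+) standby (\S+)$")

def audit_failover(config):
    """Return a list of findings for one unit's planned failover commands."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "failover" not in lines:
        findings.append("failover is configured but not enabled")
    keys = [l.split(None, 2)[2] for l in lines if l.startswith("failover key ")]
    if not keys:
        findings.append("no failover key: failover traffic is sent in clear text")
    elif keys[0].lower() in EXAMPLE_KEYS or len(keys[0]) < MIN_KEY_LEN:
        findings.append("failover key is a documentation example or too short")
    for line in lines:
        m = ADDR.match(line)
        if not m:
            continue
        name, active, mask, standby = m.groups()
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net or standby == active:
            findings.append(f"standby {standby} invalid for {net} ({name or 'data'})")
    return findings

if __name__ == "__main__":
    print(audit_failover(PRIMARY_CONFIG))
```

Run the same check over the secondary unit's script as well, since both units must carry the same key and the same LANFAIL address pair.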
