
Static commands with failover...

Hello,

We are converting our PIX515 firewall to two PIX515e's with failover.

I just need confirmation on a doc I read regarding static commands and the failover method.

Is it true that with a failover configuration I need to add a static line for every protocol or port used, with the static command and acl command?

If I intend to pass www, smtp, and ftp on the following example, do I need to do the following conversions?

Example: Present configuration;

static (inside,outside) 198.137.152.1 10.0.0.3 netmask 255.255.255.255 0 0

Would this line now need 3 separate entries? Along with the acl commands?

static (inside,outside) tcp interface 80 198.137.152.1 80
static (inside,outside) tcp interface 25 198.137.152.1 25
static (inside,outside) tcp interface 21 198.137.152.1 21

If so, should the ip here be the external or internal?

TIA

2 REPLIES

Re: Static commands with failover...

Nothing needs to be changed with your config in regards to IPs, nat, global etc.

Just add the failover config.

Keep the static command as you have it in your current config. If you don't add ports it will create a static for all IP, but if you only want the static rule for a specific port(s), use ports.

Both work (all IP or specific ports); ports only narrow the static rule down and are good for redirection (i.e. different ports going to different internal hosts but using one NAT IP, e.g. NAT IP x.x.x.x port telnet going to host A and NAT IP x.x.x.x port smtp going to host B).

Use ports if you are using redirection, otherwise go with the standard static as per your current statics (using an acl to lock it down).

Failover config example:

ip address outside x.x.x.67 255.255.255.224
ip address inside 10.15.0.253 255.255.0.0
ip address DMZ1 192.168.7.1 255.255.255.0
ip address stateful 172.16.1.1 255.255.255.252
failover
failover poll 15
failover ip address outside x.x.x.68
failover ip address inside 10.15.0.254
failover ip address DMZ1 192.168.7.2
failover ip address stateful 172.16.1.2
failover link stateful

LAN failover config would be slightly different.

Hope it helps.

Steve
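As an added example (not from this thread, and not Cisco's code), here is a small Python script that reads a PIX 6.x style config, tells the two static forms discussed above apart (an all-IP static versus port-based statics that redirect several ports on one NAT IP to different inside hosts), and sanity-checks a failover block shaped like Steve's: every interface with an `ip address` needs a `failover ip address` that lies in the same subnet as the primary address and differs from it. The sample config is constructed: it keeps the page's 198.137.152.1 and 10.0.0.3, replaces the x.x.x octets with the documentation range 192.0.2.x, uses 203.0.113.10 as a second NAT IP, and deliberately puts the stateful standby address in the wrong subnet so the check has something to report.

```python
import ipaddress
import re

# Constructed sample config (not the page's config verbatim): the all-IP static from
# the question, port-based statics of the kind the reply describes (several ports
# on one NAT IP redirected to different inside hosts), and a failover block in the
# shape of the reply's example with x.x.x replaced by 192.0.2.x. The stateful
# standby address is deliberately outside its interface subnet.
SAMPLE_CONFIG = """\
ip address outside 192.0.2.67 255.255.255.224
ip address inside 10.15.0.253 255.255.0.0
ip address DMZ1 192.168.7.1 255.255.255.0
ip address stateful 172.16.1.1 255.255.255.252
static (inside,outside) 198.137.152.1 10.0.0.3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 80 10.0.0.3 80 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 25 10.0.0.4 25 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 21 10.0.0.3 21 netmask 255.255.255.255 0 0
failover
failover poll 15
failover ip address outside 192.0.2.68
failover ip address inside 10.15.0.254
failover ip address DMZ1 192.168.7.2
failover ip address stateful 172.16.9.2
failover link stateful
"""

# PIX 6.x static forms handled here:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask ...]                      -> all IP
#   static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port ... -> one port
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) "
    r"(?:(?P<proto>tcp|udp) (?P<mip>\S+) (?P<mport>\S+) (?P<rip>\S+) (?P<rport>\S+)"
    r"|(?P<mip2>\S+) (?P<rip2>\S+))"
)
IFACE_RE = re.compile(r"^ip address (?P<name>\S+) (?P<ip>\S+) (?P<mask>\S+)$")
STANDBY_RE = re.compile(r"^failover ip address (?P<name>\S+) (?P<ip>\S+)$")


def parse_statics(config):
    """Return one dict per static line, normalised to the same keys for both forms."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        statics.append({
            "real_ifc": g["real_ifc"],
            "mapped_ifc": g["mapped_ifc"],
            "proto": g["proto"],            # None for an all-IP static
            "mapped_ip": g["mip"] or g["mip2"],
            "mapped_port": g["mport"],
            "real_ip": g["rip"] or g["rip2"],
            "real_port": g["rport"],
        })
    return statics


def describe_static(s):
    """Human-readable summary: all-IP statics rely on the ACL to limit ports."""
    if s["proto"] is None:
        return (f"{s['mapped_ip']} on {s['mapped_ifc']} -> {s['real_ip']} on {s['real_ifc']} "
                f"(all IP; the access-list decides which ports get through)")
    return (f"{s['proto']}/{s['mapped_port']} on {s['mapped_ip']} ({s['mapped_ifc']}) "
            f"-> {s['real_ip']}:{s['real_port']} ({s['real_ifc']})")


def redirection_targets(statics):
    """Map each NAT IP used by port statics to the set of inside hosts behind it."""
    targets = {}
    for s in statics:
        if s["proto"] is not None:
            targets.setdefault(s["mapped_ip"], set()).add(s["real_ip"])
    return targets


def parse_interfaces(config):
    """name -> (primary address, netmask) from the 'ip address' lines."""
    return {m["name"]: (m["ip"], m["mask"])
            for m in (IFACE_RE.match(l.strip()) for l in config.splitlines()) if m}


def parse_standby_addresses(config):
    """name -> standby address from the 'failover ip address' lines."""
    return {m["name"]: m["ip"]
            for m in (STANDBY_RE.match(l.strip()) for l in config.splitlines()) if m}


def check_failover_addresses(config):
    """Each interface needs a standby address in its own subnet that is not the primary."""
    ifaces = parse_interfaces(config)
    standby = parse_standby_addresses(config)
    problems = []
    for name, (ip, mask) in ifaces.items():
        if name not in standby:
            problems.append(f"{name}: no 'failover ip address' configured")
            continue
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        sb = ipaddress.ip_address(standby[name])
        if sb not in net:
            problems.append(f"{name}: standby {sb} is outside {net}")
        elif str(sb) == ip:
            problems.append(f"{name}: standby address equals the primary address")
    for name in standby:
        if name not in ifaces:
            problems.append(f"{name}: standby address but no 'ip address {name}' line")
    return problems


if __name__ == "__main__":
    statics = parse_statics(SAMPLE_CONFIG)
    for s in statics:
        print(describe_static(s))
    for nat_ip, hosts in redirection_targets(statics).items():
        print(f"{nat_ip} redirects to {len(hosts)} inside host(s): {sorted(hosts)}")
    for p in check_failover_addresses(SAMPLE_CONFIG):
        print("failover check:", p)
```

Run it on a saved `show running-config` instead of the constructed sample to see which statics are port-narrowed, which NAT IPs are being used for redirection, and whether any standby address would fail the same-subnet requirement before the failover pair is brought up.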


Re: Static commands with failover...

Thank you Steve, really appreciate you guys and this forum.

Gary
