1.测试拓扑：

 2.配置步骤：A.测试心跳连通性： ①FW1： interface Ethernet2  nameif failover  ip add 192.168.1.1 255.255.255.0  no shut ②FW2：  interface Ethernet2  nameif failover  ip add 192.168.1.2 255.255.255.0  no shut ③测试： FW1(config-if)# ping 192.168.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 30/40/50 ms FW1(config-if)# ④清除接口配置： (config)# clear configure interface ethernet 2B.primary墙配置： interface Ethernet0  nameif outside  security-level 0  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.254  no shut interface Ethernet1  nameif inside  security-level 100  ip address 20.1.1.1 255.255.255.0 standby 20.1.1.254  no shut interface Ethernet2  no shut failover lan unit primary failover lan interface FO Ethernet2 failover lan enable failover key cisco failover link FO Ethernet2 failover interface ip FO 192.168.1.1 255.255.255.0 standby 192.168.1.2 failover最后敲failoverC.secondary墙配置： failover lan unit secondary failover lan interface FO Ethernet2 failover lan enable failover key cisco failover link FO Ethernet2 failover interface ip FO 192.168.1.1 255.255.255.0 standby 192.168.1.2 failover interface Ethernet2  no shut最后敲failover，并将心跳线no shutdown。

备墙只需以上命令，其余的配置会自动同步过来。3.测试：A.开启icmp审查： FW1(config)# policy-map global_policy FW1(config-pmap)#  class inspection_default FW1(config-pmap-c)# inspect icmp B.R1、R2配置接口地址和默认路由： R1(config)#int f0/0 R1(config-if)#ip add 10.1.1.8 255.255.255.0 R1(config-if)#no sh R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.1.1.1 R2(config)#int f0/0 R2(config-if)#ip add 20.1.1.8 255.255.255.0 R2(config-if)#no sh R2(config-if)#ip route 0.0.0.0 0.0.0.0 20.1.1.1C.在R2上开启ping： R2#ping 10.1.1.8 repeat 10000D.R3上shutdown与FW1连线的接口： R3(config-if)#int f0/2 R3(config-if)#shut R3(config-if)#shutdownE.R2终止ping，可以看到有丢包： R2#ping 10.1.1.8 repeat 10000 Type escape sequence to abort. Sending 10000, 100-byte ICMP Echos to 10.1.1.8, timeout is 2 seconds: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!..............!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!. Success rate is 97 percent (511/526), round-trip min/avg/max = 4/42/160 ms 4.注意事项： A.不能通过shutdown主墙的接口来使主备切换，这样只能把配置传到备墙，备墙只是把接口shutdown。 B.A/S没有配置抢占的地方 C.终止路由器ping操作的快捷方式为ctrl+shif+6 D.PIX比ASA多一条命令：failover lan enable E.standby 地址在网络中ping不通，备机无法进行管理，备墙的状态通过主机show failover可以看的到。