Question

Cisco PIX 515 Failover confusion

Asked by: aphix

I have a PIX 515E UR in operation with 4 ethernet interfaces. After a scare recently I have decided to give it a friend, in the form of the 515E-FO-BUN.

I have read through Cisco's introduction and example of how to set up the failover, however it has left me more confused than I was before. In their example they are taking a PIX that (prior to failover) had only 2 interfaces, inside and outside.

http://www.cisco.com/warp/public/110/failover_01.gif

I have 4 interfaces - Inside, Outside, DMZ1, DMZ2. All of which use security access levels, and I have no idea how to implement a Failover.

Has anyone had experience with this on multiple interfaces?

I really need some solid pointers.

Thanks in advance

Rob


Asked on: 2003-09-08 at 17:46:58 (ID 20732726)
Tags: pix, 515, failover, cisco
Topics: Network Software Firewalls, Cisco PIX Firewall, Enterprise Firewalls
Participating experts: 2
Points: 250
Comments: 9


Answers

 

by: lrmoore, posted on 2003-09-08 at 17:57:20 (ID 9313716)

Yes. You need to make sure the failover PIX is identical to the primary to include the extra 2 interfaces. Ideally, you would have a 5th on each one to support stateful failover, but it works without.
What happens is that you only configure the primary. When you save the config, it is saved to the secondary automatically. When failover happens, the secondary assumes the total identity of the primary including all IP addresses and MAC addresses for every interface.

The GIF above actually shows all 4 interfaces on both PIXes.
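The procedure lrmoore describes (configure the primary only, the secondary takes over every interface's IP and MAC address on failover, a fifth interface carries stateful replication) written out in PIX OS 6.x syntax, as an added example that is not part of the original thread or of Cisco's documentation. The addresses, the security levels chosen for the two DMZs, and the use of ethernet4 as the stateful interface are assumptions. It assumes the serial failover cable from the FO bundle connects the two units and that ethernet4 on each unit is cross-connected directly with a crossover cable, as suggested later in the thread.

```cisco
: PIX 515E primary unit, PIX OS 6.x, cable-based failover with a dedicated
: stateful interface. Added example, not the thread's or Cisco's config.
: Addresses, security levels and the choice of ethernet4 are assumptions.
: Configure the primary only: the secondary receives this config on
: 'write memory' (or explicitly with 'write standby').
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40
nameif ethernet4 stateful security55
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz1 172.16.1.1 255.255.255.0
ip address dmz2 172.16.2.1 255.255.255.0
ip address stateful 192.168.254.1 255.255.255.0
: One standby address per interface, on the same subnet as the active
: address. The standby unit holds these addresses while it is standby, and
: the pair swap IP and MAC addresses on failover. An interface with no
: standby address cannot be health-checked and will not trigger failover.
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.2
failover ip address dmz1 172.16.1.2
failover ip address dmz2 172.16.2.2
failover ip address stateful 192.168.254.2
: Interface used for stateful replication (connection table and xlates).
failover link stateful
: Hello interval between the units in seconds (3 to 15).
failover poll 15
: Enable failover last, once every interface has a standby address.
failover
```

After a `write memory` on the primary, `show failover` on either unit should report "This host: Primary - Active" and "Other host: Secondary - Standby" with every interface in the Normal state; an interface that stays in Waiting or Failed means its two ports are not in the same VLAN or one side lacks a standby address. Two caveats worth knowing: the serial failover cable carries no authentication and is protected only by physical control of the cable (LAN-based failover, available from PIX OS 6.2, replaces the cable with an interface and takes a shared secret with `failover lan key`), and the stateful link replicates connection state in the clear, which is a good reason to keep it on a direct crossover cable rather than on a shared VLAN.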

 

by: aphix, posted on 2003-09-09 at 01:17:18 (ID 9317592)

Hi lrmoore,

I understand that both need to be identical.

Primary - PIX 515E UR
Secondary - PIX 515E FO

Both will have the same number of interfaces, the same IOS and the same amount of interfaces.

I understand the principles of how it works, but am unsure of how you would set it up on the network. (Sorry I didn't word the question very well.)

I am going to go down the stateful FO approach (I have VPN traffic and SSL data and I don't want to terminate sessions).
I will have

I suppose my question was more to do with the switch setup. Cisco have used a 3500 Catalyst (I have one I can use); would I take the interface for the DMZ1 from both PIXes into the Catalyst 3500, and then take another port from the 3500 into the switch for the DMZ?

What sort of configuration needs to be done on the switch? Being fairly new to all this, would anyone be able to shed some light on what Cisco mean by Fa3/1 and Fa2/1?

Rob

 

by: adgzer0, posted on 2003-09-09 at 09:37:25 (ID 9321975)

Hi,

We have a very similar setup, configured as follows:

The switch (4003) is configured with 3 different VLANs for security reasons: one for the outside using about 6 ports, one for the DMZ using about six ports, and of course the inside, which is the default VLAN. The number of ports used is entirely up to you, and of course you will probably need four VLANs. Just cable both PIX firewalls up to the respective VLANs and everything should be sweet.

The Fa3/1, etc. refers to the port numbering on the switch, depending on the number of ports and modules you have in your 3500. If you log on to your switch and do a "show run", "show int" and "sh vlan" you'll be able to see what ports you have got and then work out what you need to do.

regards
andy

 

by: lrmoore, posted on 2003-09-09 at 15:10:08 (ID 9324554)

Bottom line:
2 outside interfaces go to same switch/vlan as router
2 inside interfaces go to same switch/vlan as local lan
2 Dmz1 interfaces go to same switch/vlan as dmz1 hosts
2 Dmz2 interfaces go to same switch/vlan as dmz2 hosts
2 Dmz3 interfaces go to same switch/vlan as dmz3 hosts
stateful failover interfaces cross-connected with crossover cable

I would not trust vlan security with inside/outside vlans on same physical switch, but outside/dmz vlans on same switch is a workable solution.

Set all switchports manually to 100/full and also set the PIX interfaces manually to 100/full
Set all switchports with spanning-tree portfast enabled
Your 3500 switchports are numbered Fa0/1 - 0/x



 

by: aphix, posted on 2003-09-09 at 18:15:11 (ID 9325323)

Thanks guys, it starts to make sense now; I will play around and see what happens.

lrmoore, you mention having a separate switch for the inside. This will need to be manageable surely; it's a lot of money to put in, say, another Cisco 3500 Catalyst only to use 3 ports.

If I had a Catalyst 3500 running in the existing inside LAN network, could I not set up a VLAN consisting of 3 ports: one to the primary PIX, one to the secondary PIX, and the 3rd back round to one of the other ports in the switch?

I'm new to Cisco switching; it comes from having a manager that has never purchased manageable switches before, thinking a basic Allied Telesyn will do the job. :)

Rob

 

by: lrmoore, posted on 2003-09-09 at 20:36:42 (ID 9325905)

My suggestion:
Use the 3500 with multiple VLANs for the outside and the DMZs.
Get another switch for the inside. I'm assuming you'll need more than just three ports?
Else, if you have an old Allied switch that supports VLANs, put it on the outside to support the outside and DMZs and use the 3500 inside.

 

by: aphix, posted on 2003-09-10 at 01:34:15 (ID 9327068)

Not a bad idea, but the Allied Telesyn doesn't support VLANs; in fact it doesn't do much at all.

I will try and source a cheaper Cisco or 3Com that can do VLANs.

Thanks again
Rob

 

by: aphix, posted on 2003-09-10 at 14:16:17 (ID 9332330)

lrmoore, just to check, are VLANs specific only to the switch they are on?

Rob

 

by: lrmoore, posted on 2003-09-10 at 14:43:52 (ID 9332519)

Not necessarily. If you set up a VTP domain, then all switches can share the VLAN information.
By default, all ports are in VLAN 1 until/unless changed. If you establish VLANs on one switch with all default settings and plug another switch in, it will know about those VLANs, and you can add some of its ports to those VLANs without defining them again. VLANs span switches that way.
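The switch side of lrmoore's cabling list (both units' ports for one security zone in the same VLAN, every port forced to 100/full with portfast, inside kept on a separate switch) together with his point about VTP sharing VLAN definitions between switches, written as a Catalyst 3500XL IOS configuration. This is an added example, not the thread's or Cisco's config; the port layout, VLAN numbers and VLAN names are assumptions. It puts the switch in VTP transparent mode rather than relying on VTP propagation: in server mode, a switch added to the domain with a higher configuration revision can overwrite the VLAN table of every switch in that domain, which on a firewall's outside/DMZ switch is a failure you do not want to recover from in a hurry.

```cisco
! Catalyst 3500XL for the outside and DMZ side only; inside lives on a
! separate switch. Added example, not the thread's or Cisco's config.
! Assumed port layout:
!   Fa0/1, Fa0/2  primary and secondary PIX outside  -> VLAN 10
!   Fa0/3         Internet router                    -> VLAN 10
!   Fa0/4, Fa0/5  primary and secondary PIX dmz1     -> VLAN 20
!   Fa0/6         a dmz1 host                        -> VLAN 20
!   Fa0/7, Fa0/8  primary and secondary PIX dmz2     -> VLAN 30
! VLAN 1 is deliberately left unused so a port that defaults to VLAN 1
! does not silently land in a firewall segment.
vlan database
 vtp transparent
 vlan 10 name OUTSIDE
 vlan 20 name DMZ1
 vlan 30 name DMZ2
 exit
!
interface FastEthernet0/1
 description PIX primary - outside
 switchport mode access
 switchport access vlan 10
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/2
 description PIX secondary - outside
 switchport mode access
 switchport access vlan 10
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/3
 description Internet router
 switchport mode access
 switchport access vlan 10
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/4
 description PIX primary - dmz1
 switchport mode access
 switchport access vlan 20
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/5
 description PIX secondary - dmz1
 switchport mode access
 switchport access vlan 20
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/6
 description dmz1 host
 switchport mode access
 switchport access vlan 20
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/7
 description PIX primary - dmz2
 switchport mode access
 switchport access vlan 30
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/8
 description PIX secondary - dmz2
 switchport mode access
 switchport access vlan 30
 speed 100
 duplex full
 spanning-tree portfast
```

`show vlan` confirms which ports landed in which VLAN, `show interfaces status` confirms the forced 100/full actually negotiated (a duplex mismatch against the PIX shows up as CRC and late-collision errors rather than a down link), and `show vtp status` should report Transparent. Because the PIX interfaces are pinned to 100/full, the switch ports must be pinned too; leaving one side on auto gives a half-duplex mismatch. Unused ports on this switch should be shut down rather than left in VLAN 1.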
