danielwatts

asked on

Internal IP Failover (Cisco PIX 501)

Hi all,

This isn't the normal question about setting up two PIX firewalls in a failover to each other.

What I would like to know is if the PIX 501 is capable of detecting if the internal server is not responding and, if not, then switching the NAT table to a different IP.

So if, say, port 80 on 192.168.0.10 stops responding for 30 seconds because Apache crashed, the firewall will change the external IP associated with this address to 192.168.0.110 (a backup Apache server).

The second machine can then be configured to show a nice error/update/status page.

If the above is not possible, is there something I can get to work with the PIX, or do I need to upgrade the PIX itself?

Many thanks,
Daniel
nodisco

Unfortunately the PIX 501 supports neither standard nor LAN-based failover; the lowest entry model with failover functionality is a PIX 515E. That said, failover of the PIX would not remedy your problem anyway. The PIX won't have any way of testing whether port 80 on your webserver is responding or not, so the model is irrelevant. I don't think there is a firewall solution for you here - I could be wrong, but I think you will have to look inside your network rather than at the perimeter.

You could configure IIS to do this - have a look at this link:
http://www.iis-resources.com/modules/AMS/article.php?storyid=236
Agree with nodisco. There is absolutely no intelligence within the PIX FW to do what you are asking.
You can do it on a router using a variety of features like SA Agents with Object tracking, Server load balancing, WCCP or Distributed Director. Content Server Switches do the same thing. Unfortunately, the PIX has none of these features.

If you've got a Cisco 2600/3600 router lying around that you can beef up the memory on, it can do all of those and more..
The PIX would create a static xlate as it does now to the server, only use the router's IP as if it was the web server. Then the router can make any/all of those decisions and let the proper server serve up its pages..


danielwatts

ASKER

So short of upgrading the PIX what could be used at my controllable network level?

The other way I had thought of doing this was at the DNS level. My (external) DNS server can heartbeat my webserver and fail over the DNS (low TTL) in the event of a failure. The problem is that the external provider's monitoring isn't very reliable and I often get false failovers, which are a disaster.

Does the PIX support any sort of automated remote management? I.e., is it possible to write a cron job that logs into the PIX and updates the PIX NAT automatically? If so, then this script could be placed within a monitoring program that is triggered upon a failed response from the webserver...
Ah you just beat me to that post =)
That router path could work although looking at the prices I'd like to see if there was a more inexpensive way to solve this. Those routers are still up to $2000+.
ASKER CERTIFIED SOLUTION
Les Moore
Error -  "VPN script" should read "VB" script....
Hey that is promising! =)

It would be great to have that much control over the failover system. And the script could easily be run from several different hosts to give redundancy in the script itself.

The links are appreciated. Do you happen to have any official-type reference link for writing Cisco scripts? Or in fact anyone who would be willing to knock one up (python/perl/(php?) for a small fee?
I'm sure that mikeberhardt and I can cook something up for you.. I'll try to get him to look at this thread, but timezone differences might be tomorrow before we get him in here...

His perl scripts in the EE linked thread are very promising. Just don't need the routerlist to work off of, since it's only one IP address, and we need to refine the commands that need to be input...

MIKE'S SCRIPT (modified)
use Net::Telnet::Cisco;

$pass="password";
$enable="enable";
$username="[put a username here]"; # login name if needed
$infile="routerlist.txt"; # list of routers to read from <== probably don't need this list
#
# following needs to be edited to use only the PIX IP address instead of LIST
# else, just create a text file with a single line with the PIX IP address and keep this all as it is
#
open (LIST,"$infile") or die "Couldn't open file $infile";
@list=<LIST>;
close(LIST);
foreach (@list) {
     ($host)=split(/\s+/,$_);   # first whitespace-separated field on the line is the device address
     &TELNET;
}

sub TELNET {
     $t = Net::Telnet::Cisco->new(
          Timeout => 10,
          Host    => $host
     );
     $t->errmode("return");     # report failures instead of dying mid-session
     print "Trying $host\n";
     $t->login($username,$pass);
     my @out=$t->enable($enable);      # <== don't need enable on the PIX
     @out=$t->cmd("copy start tftp");  # <== see below for commands
     @out=$t->cmd("xxx.xxx.7.90");
     @out=$t->cmd("$station-router-confg");
     print "downloading config...\n";
     @out=$t->cmd("");
     $t->close;
}


Potential command set:
  my @out=$t->cmd("config term");  # <== enter config mode
  @out=$t->cmd("clear xlate");     # <== clear existing nat xlates (important)

  # next line removes existing static xlate to server 1 (now dead)
  @out=$t->cmd("no static (inside,outside) tcp <public ip> 80 192.168.12.12 netmask 255.255.255.255");

  # this line creates a new static xlate map to server 2
  @out=$t->cmd("static (inside,outside) tcp <public ip> 80 192.168.12.13 netmask 255.255.255.255");

  @out=$t->cmd("tftp-server 192.168.12.15/pixconfig.txt");  # <== only have to do this once...
  @out=$t->cmd("write net");  # <== saves the config to the tftp server/file listed above
  @out=$t->cmd("write mem");  # <== saves the config
  @out=$t->cmd("exit");       # <== exit config mode
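The pieces discussed in this thread (a monitor that probes port 80 on the primary web server, waits out the 30 seconds the asker mentioned, then swaps the PIX static NAT to the backup) put together as an added example; this is not Mike's or lrmoore's code. It reuses the server addresses and the `<public ip>` placeholder from the command set above, only generates the PIX commands (the Net::Telnet::Cisco session in the script above is what would push them), and debounces failures so that one dropped probe cannot cause the false failovers the asker described with the DNS approach.

```python
import socket

PRIMARY, BACKUP = "192.168.12.12", "192.168.12.13"  # server IPs from the thread's command set
PUBLIC_IP = "<public ip>"  # placeholder exactly as written in the thread; substitute your own
GRACE_SECONDS = 30         # port 80 must stay dead this long before the NAT swap fires


def port_open(host, port=80, timeout=3.0):
    """Live TCP connect probe; True when the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class FailoverDecider:
    """Debounces probe results so one dropped probe never swaps the NAT:
    failover fires only after GRACE_SECONDS of uninterrupted failures,
    and only once per outage (any success resets the outage clock)."""

    def __init__(self, grace=GRACE_SECONDS):
        self.grace = grace
        self.first_failure = None  # time of the first failed probe in this outage
        self.failed_over = False

    def record(self, ok, now):
        """Feed one probe result at time `now`; return True exactly when to fail over."""
        if ok:
            self.first_failure = None
            self.failed_over = False
            return False
        if self.first_failure is None:
            self.first_failure = now
        if now - self.first_failure >= self.grace and not self.failed_over:
            self.failed_over = True
            return True
        return False


def pix_failover_commands(public_ip, dead_ip, live_ip):
    """PIX command sequence from the thread, in the thread's order: clear
    xlates, drop the static for the dead server, add one for the backup, save."""
    static = "static (inside,outside) tcp {} 80 {} netmask 255.255.255.255"
    return [
        "config term",
        "clear xlate",
        "no " + static.format(public_ip, dead_ip),
        static.format(public_ip, live_ip),
        "write mem",
        "exit",
    ]
```

Whatever pushes these commands holds the firewall's login, so run it from a locked-down host with a dedicated account rather than the shared enable password.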


Very much appreciated lrmoore.
If you could get Mike to have a look tomorrow as you said, that would be great.
Points doubled so plenty to go around =)
GMT Timezone here, past midnight, so adieu for now!
Does not look like we're going to get much more participation in this thread, perhaps we can post a pointer in one of the scripting TA's...
Which one does Mike participate in? I would be happy to post there.

Thanks for your help! Points awarded.

Dan
Thanks!
How 'bout dropping by the Perl TA and getting a true programmer to take a look...
https://www.experts-exchange.com/Programming/Programming_Languages/Perl/

Mike usually watches all the networking TA's, but I don't know where he's been lately...