hoggiee
asked on
Cisco PIX/ASA Firewall Failover
PIX/ASA 1----------------Catalyst Switch 1----------------Cisco Router 1
| | |
PIX/ASA 2----------------Catalyst Switch 2----------------Cisco Router 2
I have the above setup in my network to achieve network redundancy. Both firewalls have failover configured, and firewall 1 is the active one. Both routers are running HSRP, and router 1 is the active one. My question is:
1. If Catalyst Switch 1 fails, will failover happen to firewall 2 and router 2? Can traffic still go from firewall to router (or the other way round)?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That means the above setup will not achieve full redundancy isit? If switch 1 fails and no failover, there will be a communication breakdown?
ASKER
The link that you have given for the object tracking on the PIX/ASA is just fastastic. Could provide alternative solution for outgoing Internet access. Can I use that for incoming Internet access, so that outside users can still access to my web server, and also emails can still reach my Exchange server via the backup Internet link?(if I have a backup DNS server which resolves my webserver and exchange server to the set of IP addresses given by ISP 2).
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ok. one last question..... the object-tracking feature in PIX/ASA only available in version 7.0 and above?
Correct. ASA only comes with 7.x, existing PIX can be upgraded to 7.x
ASKER
Thanks.
"My advise is to use a dynamic routing protocol such as OSPF between the two routers and the ASA's. Run the ASA's in Active/Active mode and let the routing determine the best route"
My understanding from ASA guides is that Active/Active failover mode can only be implemented in multiple context mode. And in multiple context mode, some features might not be available. e.g. VPN, dynamic routing. In this case, how true the above statement is?
"My advise is to use a dynamic routing protocol such as OSPF between the two routers and the ASA's. Run the ASA's in Active/Active mode and let the routing determine the best route"
My understanding from ASA guides is that Active/Active failover mode can only be implemented in multiple context mode. And in multiple context mode, some features might not be available. e.g. VPN, dynamic routing. In this case, how true the above statement is?
I forgot about the multiple context mode requirement...
OK, back to the drawing board, but you can see that making total redundancy is a difficult thing to do.
1 x high availability switch in between the PIX Active/Standby pair and the routers. I'd still use OSPF though.
OK, back to the drawing board, but you can see that making total redundancy is a difficult thing to do.
1 x high availability switch in between the PIX Active/Standby pair and the routers. I'd still use OSPF though.
That's the only way that the PIX would get an interface down event. Same on the router.
However, an interface down event does not necessarily create a failover situation for the ASA or the router.
My advise is to use a dynamic routing protocol such as OSPF between the two routers and the ASA's. Run the ASA's in Active/Active mode and let the routing determine the best route. No need for HSRP on the routers either.
BGP between the two routers and the 2 ISP links.