Solved

pix active/standby for 2 links

Posted on 2009-03-31
Medium Priority
441 Views
Last Modified: 2012-05-06
Hi there,
Topology View:

Router 1 --> Pix 1 --> Switch 1 & 2--> Internet Link 1
Router 2 --> Pix 2 --> Switch 2 & 1 --> Internet Link 2

Can I use the active/standby failover design in PIX in the given design? The question basically boils down to the outside interface of the PIX. From my understanding, the active and standby interfaces of the PIX should be in the same subnet.
I've a case where I have got 2 internet links and both of them are in different subnets. Can I use active/standby in this case?
And basically where does the active/standby provide redundancy? Just between the two PIX interfaces or between the 2 internet links?
0
Question by:nabeel92
9 Comments
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24030422
Version? Update level/environment? Often, I find the release notes to be viable references, and I'm unclear about your environment, so this "may" shed some light. If I misunderstood, sorry.
http://www.cisco.com/en/US/docs/security/pix/pix61/hw/installation/guide/inst.html
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix708rn.html
PIX/ASA: Active/Active Failover Configuration Example - https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
If I missed the boat here, sorry.  ":0)  Asta
0
 

Author Comment

by:nabeel92
ID: 24034747
No, you're OK. I was actually unable to give complete info, I guess, of what I was looking for. Attached in the diagram is my given scenario.
There are 2 PIX firewalls and 2 core routers that are connected to them. Behind the core routers is the IP WAN to which all our branch sites connect (branch sites are not shown in the pic). Now, as you can see:

In usual active/standby configs, for an outside interface of the PIX connecting to the internet links, they both have to be in the same subnet, so that we can give commands like
interface outside
 ip address 1.1.1.1 255.0.0.0 standby 1.1.1.2 (where the 1.x.x.x addresses are both in the same subnet)

Now my first question is:
1. Can PIX active/standby work here?

In my case, I've two different internet links (203.39.52.x and 203.38.242.x) which are obviously not in the same subnet. Then how can I configure the PIX in active/standby mode when the 2 outside IP addresses would be in different subnets? Is it possible to implement active/standby in my scenario?

2. As an alternative, if I use HSRP on the routers and just configure the PIX devices normally as they are, on which interface should I be configuring HSRP commands? Is it the interface connecting the two routers or the interfaces connecting to the IP WAN? I think it can be either of them! What do you say? And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers, since their default gateway would be the PIX 1 DMZ interface IP? Now that HSRP is working and all traffic is being sent via Core 2 through to PIX 2, aren't my DMZ servers going to be affected, because now their gateway should have been the PIX 2 DMZ interface and not the PIX 1 DMZ interface?

I don't know if I have made it too complex to understand! :)
image-1.JPG
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24039258
I am sorry, but this is beyond my knowledge. I did note your other question and commented there to see if those Experts can help on this question. Asta
0

 
LVL 27

Expert Comment

by:Asta Cu
ID: 24039309
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml definitely taught me more about the environment, configs on subnet, etc. but not enough to help you.
0
 

Author Comment

by:nabeel92
ID: 24071270
Just curious if there are any experts out there?
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24072411
I have submitted a request to the Moderator to see if this can be sent to another category or broadcast to other Experts that may be better equipped to help you. Sorry I could not. Asta
0
 
LVL 57

Accepted Solution

by:
giltjr earned 2000 total points
ID: 24072611
Under what circumstances do you want the PIX to fail over to the standby unit?

Each PIX is connected to each switch that connects to the "Internet".  Does each PIX have an IP address in each of the ISP's subnets?

If they do NOT, then why do the PIX's have connections to each switch?

Is this an existing setup or is this a new design that you are working on?
0
 

Author Comment

by:nabeel92
ID: 24074199
1. Under what circumstances do you want the PIX to fail over to the standby unit?
When any of the connected interfaces to the PIX fails, it should trigger a failover. That is in the config section that I've already done.

2. Each PIX is connected to each switch that connects to the "Internet". Does each PIX have an IP address in each of the ISP's subnets?
Yes, each PIX has IP addresses in each ISP's subnet. The switches are there so that I'm able to connect both PIX outside interfaces to both internet links at the same time. If I eliminate, say, switch 1, then I only have a connection from PIX 1 to Internet Link 1 but won't be able to connect PIX 2 with Internet Link 1.
Actually, I've figured out the answer to my first question; I got the lead from your question. I have to configure 2 active/standby units. First, I use the PIX 1 link to Internet Link 1 as active and the corresponding standby as the link from PIX 2 to Internet Link 1. This way they both have the same subnet and so this is doable. Second, I configure the link from PIX 2 to Internet Link 2 as active, and the corresponding standby would be the link from PIX 2 to Internet Link 1. So part 1 is clear.

3. If they do NOT, then why do the PIX's have connections to each switch?
Explained above.

4. Is this an existing setup or is this a new design that you are working on?
I'm working on a new design which is slightly different from the current design. In the current design, there are only 2 core routers connected to their respective Internet links, but one of them is shut down.


And I'm just thinking, and I think part 2 is clear now.

"And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers, since their default gateway would have the PIX 1 DMZ interface IP?"

Yes, I see this as a potential issue if I just run HSRP on both routers without any failover config on the PIX, because how are the DMZ servers going to change their default gateway (which is the PIX DMZ interface) once the HSRP failover is triggered on the routers? They will keep sending traffic to PIX 1 even after failover has been triggered and Router 2 is the active one. OK, yeah, that's clear as well.

Sorry, it's just a complex setup so it's hard to explain everything, but I think I got what I am looking for!
Thanks guys,

0
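As an added example (not code from the thread or from Cisco), a small Python check of the same-subnet rule the asker cites: it parses PIX-style `ip address ... standby ...` lines and flags any interface whose standby address is missing or falls outside the active address's subnet. The sample config is constructed; the two ISP ranges are the ones named above (203.39.52.x and 203.38.242.x), while the /24 masks, host octets, and interface names are assumptions.

```python
import ipaddress
import re

# Constructed PIX-style config (not from the thread). The /24 masks and host
# octets are assumed; "outside2" deliberately pairs an active address in one
# ISP subnet with a standby address in the other, which failover cannot use.
SAMPLE_CONFIG = """
interface outside
 ip address 203.39.52.10 255.255.255.0 standby 203.39.52.11
interface outside2
 ip address 203.38.242.10 255.255.255.0 standby 203.39.52.12
interface dmz
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
interface inside
 ip address 10.0.0.1 255.255.255.0
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)(?:\s+standby\s+(\S+))?")

def parse_interfaces(config):
    """Return {name: (active IPv4Interface, standby IPv4Address or None)}."""
    result, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            # ip_interface accepts the dotted mask form used in PIX configs.
            active = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            standby = ipaddress.ip_address(m.group(3)) if m.group(3) else None
            result[current] = (active, standby)
    return result

def check_failover_pairs(config):
    """Map each misconfigured interface to a reason; empty dict means all pairs are valid."""
    problems = {}
    for name, (active, standby) in parse_interfaces(config).items():
        if standby is None:
            problems[name] = "no standby address configured"
        elif standby == active.ip:
            problems[name] = "standby address equals the active address"
        elif standby not in active.network:
            # The asker's situation: two ISP links in different subnets cannot be
            # the active/standby pair of a single outside interface.
            problems[name] = f"standby {standby} is outside {active.network}"
    return problems
```

Running `check_failover_pairs(SAMPLE_CONFIG)` reports `outside2` and `inside` and accepts the other two interfaces, which is the split the asker ended up with: one active/standby pair per ISP subnet.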
