Solved

pix active/standby for 2 links

Posted on 2009-03-31
Last Modified: 2012-05-06
hi there,
Topology View:

Router 1 --> Pix 1 --> Switch 1 & 2--> Internet Link 1
Router 2 --> Pix 2 --> Switch 2 & 1 --> Internet Link 2

Can I use the active/standby failover design in the PIX in the given design? The question basically boils down to the outside interface of the PIX. From my understanding, the active and standby interfaces of the PIX should be in the same subnet.
I've a case where I have got 2 Internet links and both of them are in different subnets. Can I use active/standby in this case?
And basically where does the active/standby provide redundancy? Just between the two PIX interfaces, or between the 2 Internet links?
Question by:nabeel92
Expert Comment by: Asta Cu (ID: 24030422)
Version?  Update level/environment?  Often, I find the release notes to be viable references, and unclear about your environment so this "may" shed some light.  If I misunderstood, sorry.
http://www.cisco.com/en/US/docs/security/pix/pix61/hw/installation/guide/inst.html
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix708rn.html
PIX/ASA: Active/Active Failover Configuration Example - https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
If I missed the boat here, sorry.  ":0)  Asta

Author Comment by: nabeel92 (ID: 24034747)
No, you're OK. I was actually unable to give complete information, I guess, of what I was looking for. Attached in the diagram is my given scenario.
There are 2 PIX firewalls and 2 core routers that are connected to them. Behind the core routers is the IP WAN to which all our branch sites connect (branch sites are not shown in the picture). Now, as you can see:

In usual active/standby configs, for an outside interface of the PIX connecting to the Internet links, they both have to be in the same subnet, so that we can give commands like
interface outside
 ip address 1.1.1.1 255.0.0.0 standby 1.1.1.2 (where both 1.x.x.x addresses are in the same subnet)

Now my first question is;
1. Can Pix active/standby work here ?

In my case, I've two different Internet links (203.39.52.x and 203.38.242.x) which are obviously not in the same subnet. Then how can I configure the PIX in active/standby mode when the 2 outside IP addresses would be in different subnets? Is it possible to implement active/standby in my scenario?

2. As an alternative, if I use HSRP on the routers and just configure the PIX devices normally as they are, on which interface should I be configuring the HSRP commands? Is it the interface connecting the two routers or the interfaces connecting to the IP WAN? I think it can be either of them! What do you say? And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers, since their default gateway would have the PIX 1 DMZ interface IP? Now that HSRP is working and all traffic is being sent via Core 2 through to PIX 2, aren't my DMZ servers going to be affected, because now their gateway should have been the PIX 2 DMZ interface and not the PIX 1 DMZ interface?

I don't know if I have made it too complex to understand! :)
image-1.JPG

Expert Comment by: Asta Cu (ID: 24039258)
I am sorry, but this is beyond my knowledge, and I did note your other question and commented there to see if those Experts can help on this question.  Asta

Expert Comment by: Asta Cu (ID: 24039309)
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml definitely taught me more about the environment, configs on subnet, etc. but not enough to help you.

Author Comment by: nabeel92 (ID: 24071270)
Just curious if there are any experts out there?

Expert Comment by: Asta Cu (ID: 24072411)
I have submitted a request to the Moderator to see if this can be sent to another category or to broadcast to other Experts that may be better equipped to help you.  Sorry I could not.  Asta

Accepted Solution by: giltjr (earned 500 total points, ID: 24072611)
Under what circumstances do you want the PIX to fail over to the standby unit?

Each PIX is connected to each switch that connects to the "Internet".  Does each PIX have an IP address in each of the ISP's subnets?

If they do NOT, then why do the PIX's have connections to each switch?

Is this an existing setup or is this a new design that you are working on?

Author Comment by: nabeel92 (ID: 24074199)
1. Under what circumstances do you want the PIX to fail over to the standby unit?
When any of the connected interfaces to the PIX fails, it should trigger a failover. That is in the config section that I've already done.

2. Each PIX is connected to each switch that connects to the "Internet". Does each PIX have an IP address in each of the ISP's subnets?
Yes, each PIX has IP addresses in each ISP's subnet. The switches are there so that I am able to connect both the PIX outside interfaces to both Internet links at the same time. If I eliminate, say, switch 1, then I only have a connection from PIX 1 to Internet Link 1 but won't be able to connect PIX 2 with Internet Link 1.
Actually, I've figured out the answer to my first question. I got the lead from your question. I have to configure 2 active/standby units. First, I use the PIX 1 link to Internet 1 as active and the corresponding standby as the link from PIX 2 to Internet 1. This way they both have the same subnet and so this is doable. Second, I configure the link from PIX 2 to Internet Link 2 as active and the corresponding standby would be the link from PIX 2 to Internet Link 1. So part 1 is clear.

3. If they do NOT, then why do the PIX's have connections to each switch?
Explained above.

4. Is this an existing setup or is this a new design that you are working on?
I'm working on a new design which is slightly different from the current design. In the current design, there are only 2 core routers connected to their respective Internet links, but one of them is shut down.

And I'm just thinking, and I think part 2 is clear now.

And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers, since their default gateway would have the PIX 1 DMZ interface IP?

Yes, I see this as a potential issue if I just run HSRP on both routers without any failover config on the PIX, because how are the DMZ servers going to change their default gateway (which is the PIX DMZ interface) once the HSRP failover is triggered on the routers? They will keep sending traffic to PIX 1 even after failover has been triggered and Router 2 is the active one. OK, yeah, that's clear as well.

Sorry, it's just a complex setup so it's hard to explain everything, but I think I got what I'm looking for!
Thanks guys,

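An added example, not code from the thread, from Cisco or from any poster: a small Python check that reads PIX-style `ip address <if> <addr> <mask> standby <addr>` lines and flags a standby address that does not sit in the active address's subnet, which is the constraint the thread settles on (a standby in the other ISP's range cannot take over the link). The sample config, interface names, masks and host addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): PIX 6.x-style
# "ip address <if> <addr> <mask> standby <addr>" lines.  The first outside
# line is a valid pair inside the asker's first ISP range (203.39.52.x);
# the "outside2" line is the mistake discussed in the thread, a standby
# address taken from the other ISP's range (203.38.242.x).
SAMPLE_CONFIG = """
ip address outside 203.39.52.10 255.255.255.0 standby 203.39.52.11
ip address inside 10.0.0.1 255.255.255.0 standby 10.0.0.2
ip address dmz 192.168.10.1 255.255.255.0 standby 192.168.10.2
ip address outside2 203.39.52.20 255.255.255.0 standby 203.38.242.20
"""

LINE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+) standby (\S+)$")


def parse_failover_addresses(config):
    """Yield (ifname, active, mask, standby) for every line with a standby address."""
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()


def check_failover_pairs(config):
    """Map each interface name to None (ok) or a description of the problem.

    Rule applied: the active and standby addresses of one interface must be
    usable host addresses in the same subnet, because the standby unit takes
    over the active address on that same link during failover.
    """
    results = {}
    for name, active, mask, standby in parse_failover_addresses(config):
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        sb = ipaddress.ip_address(standby)
        if sb not in net:
            results[name] = f"standby {standby} is outside {net}"
        elif sb in (net.network_address, net.broadcast_address):
            results[name] = f"standby {standby} is not a host address in {net}"
        elif sb == ipaddress.ip_address(active):
            results[name] = "standby address equals active address"
        else:
            results[name] = None
    return results


if __name__ == "__main__":
    for ifname, problem in check_failover_pairs(SAMPLE_CONFIG).items():
        print(f"{ifname}: {problem or 'ok'}")
```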