Solved

pix active/standby for 2 links

Posted on 2009-03-31
Last Modified: 2012-05-06
Hi there,
Topology View:

Router 1 --> Pix 1 --> Switch 1 & 2 --> Internet Link 1
Router 2 --> Pix 2 --> Switch 2 & 1 --> Internet Link 2

Can I use the active/standby failover design in PIX in the given design? The question basically boils down to the outside interface of the PIX. From my understanding, the active and standby interfaces of the PIX should be in the same subnet.
I have a case where I have got 2 internet links and both of them are in different subnets. Can I use active/standby in this case?
And basically, where does the active/standby provide redundancy? Just between the two PIX interfaces, or between the 2 internet links?
Question by:nabeel92
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24030422
Version?  Update level/environment?  Often, I find the release notes to be viable references, and unclear about your environment so this "may" shed some light.  If I misunderstood, sorry.
http://www.cisco.com/en/US/docs/security/pix/pix61/hw/installation/guide/inst.html
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix708rn.html
PIX/ASA: Active/Active Failover Configuration Example - https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
If I missed the boat here, sorry.  ":0)  Asta

Author Comment

by:nabeel92
ID: 24034747
No, you're OK. I guess I was actually unable to give complete info about what I was looking for. Attached in the diagram is my given scenario.
There are 2 PIX firewalls and 2 core routers that are connected to them. Behind the core routers is the IP WAN to which all our branch sites connect (branch sites are not shown in the pic). Now, as you can see:

In usual active/standby configs, for an outside interface of a PIX connecting to the internet links, they both have to be in the same subnet, so that we can give commands like

interface outside
 ip address 1.1.1.1 255.0.0.0 standby 1.1.1.2 (where 1.x.x.x are both in the same subnet)

Now my first question is:
1. Can PIX active/standby work here?

In my case, I have two different internet links (203.39.52.x and 203.38.242.x) which are obviously not in the same subnet. Then how can I configure the PIX in active/standby mode when the 2 outside IP addresses would be in different subnets? Is it possible to implement active/standby in my scenario?

2. As an alternative, if I use HSRP on the routers and just configure the PIX devices normally as they are, on which interface should I be configuring the HSRP commands? Is it the interface connecting the two routers, or the interfaces connecting to the IP WAN? I think it can be either of them! What do you say? And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers, since their default gateway would be the PIX 1 DMZ interface IP? Now that HSRP is working and all traffic is being sent via Core 2 through to PIX 2, aren't my DMZ servers going to be affected, because now their gateway should have been the PIX 2 DMZ interface and not the PIX 1 DMZ interface?

I don't know if I have made it too complex to understand! :)
image-1.JPG
image-1.JPG
LVL 27

Expert Comment

by:Asta Cu
ID: 24039258
I am sorry, but this is beyond my knowledge, and I did note your other question and commented there to see if those Experts can help on this question.  Asta
LVL 27

Expert Comment

by:Asta Cu
ID: 24039309
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml definitely taught me more about the environment, configs on subnet, etc. but not enough to help you.
Author Comment

by:nabeel92
ID: 24071270
Just curious if there are any experts out there?
LVL 27

Expert Comment

by:Asta Cu
ID: 24072411
I have submitted a request to the Moderator to see if this can be sent to another category or to broadcast to other Experts that may be better equipped to help you.  Sorry I could not.  Asta
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 24072611
Under what circumstances do you want the PIX to fail over to the standby unit?

Each PIX is connected to each switch that connects to the "Internet".  Does each PIX have an IP address in each of the ISP's subnets?

If they do NOT, then why do the PIX's have connections to each switch?

Is this an existing setup or is this a new design that you are working on?

Author Comment

by:nabeel92
ID: 24074199
1. Under what circumstances do you want the PIX to fail over to the standby unit?
When any of the connected interfaces to the PIX fails, it should trigger a failover. That is in the config section that I've already done.

2. Each PIX is connected to each switch that connects to the "Internet". Does each PIX have an IP address in each of the ISP's subnets?
Yes, each PIX has IP addresses in each ISP's subnet. The switches are there so that I am able to connect both the PIX outside interfaces to both internet links at the same time. If I eliminate, say, switch 1, then I only have a connection from PIX 1 to Internet Link 1 but won't be able to connect PIX 2 with Internet Link 1.
Actually, I've figured out the answer to my first question. I got the lead from your question. I have to configure 2 active/standby units.
First, I use the PIX 1 link to Internet 1 as active and the corresponding standby is the link from PIX 2 to Internet 1. This way they both have the same subnet and so this is doable. Second, I configure the link from PIX 2 to Internet Link 2 as active, and the corresponding standby would be the link from PIX 2 to Internet Link 1. So part 1 is clear.

3. If they do NOT, then why do the PIX's have connections to each switch?
Explained above.

Is this an existing setup or is this a new design that you are working on?
I'm working on a new design which is slightly different from the current design. In the current design, there are only 2 core routers connected to their respective internet links, but one of them is shut down.


And I'm just thinking, and I think part 2 is clear now.

And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers, since their default gateway would be the PIX 1 DMZ interface IP?

Yes, I see this as a potential issue if I just run HSRP on both routers without any failover config on the PIX, because how are the DMZ servers going to change their default gateway (which is the PIX DMZ interface) once the HSRP failover is triggered on the routers? They will keep sending traffic to PIX 1 even after failover has been triggered and Router 2 is the active one. OK, yeah, that's clear as well.

Sorry, it's just a complex setup so it's hard to explain everything, but I think I got what I am looking for!
Thanks guys,

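As an added example (not posted in this thread, and not the author's actual config), this is what the interface side of a PIX 7.x active/standby pair looks like when, as the author states, each PIX has an address in each ISP subnet. The pair is one active/standby unit with two outside interfaces, one per ISP link; on each interface the active and standby addresses sit in the same ISP subnet, which is exactly the same-subnet requirement the question is about. The ISP prefixes are the ones given in the thread; the host addresses, masks, interface numbers, DMZ subnet and failover-link subnet are assumptions.

```cisco
! Primary unit.  The secondary unit only needs the "failover lan ..." lines
! with "failover lan unit secondary"; it replicates the rest from the active unit.
failover
failover lan unit primary
failover lan interface folink Ethernet3
! Stateful failover shares the LAN failover link here (a dedicated link is better)
failover link folink Ethernet3
! Dedicated failover link between the two PIXes (assumed addresses)
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Poll monitored interfaces every 5 s
failover polltime interface 5
!
! Outside 1: ISP link 1 subnet (203.39.52.x from the thread; host addresses assumed)
! Active address lives on whichever unit is active; the standby unit holds .11
interface Ethernet0
 nameif outside1
 security-level 0
 ip address 203.39.52.10 255.255.255.0 standby 203.39.52.11
!
! Outside 2: ISP link 2 subnet (203.38.242.x from the thread; host addresses assumed)
interface Ethernet1
 nameif outside2
 security-level 0
 ip address 203.38.242.10 255.255.255.0 standby 203.38.242.11
!
! DMZ (assumed subnet).  Servers keep 192.168.10.1 as their default gateway
! across a failover because the active address and its MAC move to the new active unit.
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Interfaces whose loss should trigger a failover
monitor-interface outside1
monitor-interface outside2
monitor-interface dmz
```

Two practical points. First, on failover the new active unit takes over the active IP and MAC address on every interface, so the DMZ servers' default gateway (the dmz active address) stays valid; that is the difference from running HSRP on the core routers only, where nothing on the PIX moves and the servers keep forwarding to the unit that just lost its path. Second, give every monitored interface a standby address: the units use it to test each other's interfaces, so an interface without one cannot be reliably monitored. Selecting which ISP link carries the default route, and switching it when one ISP fails, is a routing question separate from the failover pair and is not covered by this fragment.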