Solved

pix active/standby for 2 links

Posted on 2009-03-31
Last Modified: 2012-05-06
hi there,
Topology View:

Router 1 --> Pix 1 --> Switch 1 & 2--> Internet Link 1
Router 2 --> Pix 2 --> Switch 2 & 1 --> Internet Link 2

Can I use the active/standby failover design in the pix in the given design ... the question basically boils down to the outside interface of the pix ... From my understanding, the active and standby interfaces of the pix should be in the same subnet
... I've a case where I have got 2 internet links and both of them are in different subnets ... can I use active/standby in this case?
And basically where does the active/standby provide redundancy? Just between the two pix interfaces or between the 2 internet links?
Question by:nabeel92
LVL 27

Expert Comment

by:Asta Cu
ID: 24030422
Version?  Update level/environment?  Often, I find the release notes to be viable references, and unclear about your environment so this "may" shed some light.  If I misunderstood, sorry.
http://www.cisco.com/en/US/docs/security/pix/pix61/hw/installation/guide/inst.html
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix708rn.html
PIX/ASA: Active/Active Failover Configuration Example - https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
If I missed the boat here, sorry.  ":0)  Asta

Author Comment

by:nabeel92
ID: 24034747
No, you're OK ... I was actually unable to give complete info, I guess, of what I was looking for ... attached in the diagram is my given scenario ...
There are 2 Pix firewalls and 2 core routers that are connected to them ... behind the core routers is the IP WAN to which all our branch sites connect (branch sites are not shown in the pic) ... now as you can see

In usual active/standby configs, for an outside interface of the pix connecting to the internet links, they both have to be in the same subnet ... so that we can give commands like
interface outside
 ip address 1.1.1.1 255.0.0.0 standby 1.1.1.2 (where both 1.x.x.x addresses are in the same subnet)

Now my first question is;
1. Can Pix active/standby work here ?

In my case, I've two different internet links (203.39.52.x and 203.38.242.x) which are obviously not in the same subnet ... Then how can I configure the Pix in active/standby mode when the 2 outside IP addresses would be in different subnets? Is it possible to implement active/standby in my scenario?

2. As an alternative, if I use HSRP on the routers and just configure the PIX devices normally as they are ... On which interface should I be configuring HSRP commands? Is it the interface connecting the two routers or the interfaces connecting to the IP WAN? I think it can be either of them! What do you say? And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers, since their default gateway would be the Pix 1 DMZ interface IP ... Now that HSRP is working and all traffic is being sent via Core 2 through to Pix 2, aren't my DMZ servers gonna be affected, because now their gateway should have been the PIX 2 DMZ interface and not the PIX 1 DMZ interface?

I don't know if I have made it too complex to understand! :)
image-1.JPG
LVL 27

Expert Comment

by:Asta Cu
ID: 24039258
I am sorry, but this is beyond my knowledge, and I did note your other question and commented there to see if those Experts can help on this question.  Asta
LVL 27

Expert Comment

by:Asta Cu
ID: 24039309
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml definitely taught me more about the environment, configs on subnet, etc. but not enough to help you.
Author Comment

by:nabeel92
ID: 24071270
just curious if there are any experts out there ?
LVL 27

Expert Comment

by:Asta Cu
ID: 24072411
I have submitted a request to the Moderator to see if this can be sent to another category or to broadcast to other Experts that may be better equipped to help you.  Sorry I could not.  Asta
LVL 57

Accepted Solution

by:giltjr (earned 500 total points)
ID: 24072611
Under what circumstances do you want the PIX to fail over to the standby unit?

Each PIX is connected to each switch that connects to the "Internet".  Does each PIX have an IP address in each of the ISP's subnets?

If they do NOT, then why do the PIX's have connections to each switch?

Is this an existing setup or is this a new design that you are working on?

Author Comment

by:nabeel92
ID: 24074199
1. Under what circumstances do you want the PIX to fail over to the standby unit?
When any of the connected interfaces of the PIX fails, it should trigger a failover. That is in the config section that I've already done.

2. Each PIX is connected to each switch that connects to the "Internet". Does each PIX have an IP address in each of the ISP's subnets?
Yes, each PIX has IP addresses in each ISP's subnet. The switches are there so that I'm able to connect both PIX outside interfaces
to both internet links at the same time. If I eliminate, say, switch 1, then I only have a connection from PIX 1 to Internet Link 1 but won't
be able to connect PIX 2 with Internet Link 1.
Actually, I've figured out the answer to my first question; I got the lead from your question. I have to configure 2 active/standby units.
First, I use the PIX 1 link to Internet 1 as active and the corresponding standby is the link from PIX 2 to Internet 1. This way they both have the same
subnet and so this is doable. Second, I configure the link from PIX 2 to Internet Link 2 as active and the corresponding standby would be the link
from PIX 2 to Internet Link 1. So part 1 is clear.

3. If they do NOT, then why do the PIX's have connections to each switch?
Explained above.

Is this an existing setup or is this a new design that you are working on?
I'm working on a new design which is slightly different from the current design. In the current design, there are only 2 core routers connected to their
respective Internet links, but one of them is shut down.


And I'm just thinking, and I think part 2 is clear now.

And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers, since their default gateway
would be the Pix 1 DMZ interface IP?

Yes, I see this as a potential issue if I just run HSRP on both routers without any failover config on the pix. Because how are the DMZ servers gonna change
their default gateway (which is the PIX DMZ interface) once the HSRP failover is triggered on the routers? They will keep sending traffic to PIX 1 even after
failover has been triggered and Router 2 is the active one. OK, yeah, that's clear as well.

Sorry, it's just a complex setup so it's hard to explain everything, but I think I got what I'm looking for!
Thanks guys,

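The constraint this thread turns on (the `standby` address of a PIX/ASA interface must sit in the same subnet as the active address, so one `ip address ... standby ...` line cannot straddle the two ISP prefixes) is easy to audit before pushing a config. The script below is an added example and is not code from the thread or from Cisco. It parses PIX 7.x-style `interface` / `nameif` / `ip address A MASK standby B` lines and flags any standby address outside the active address's subnet. The two sample configs are constructed: the first models the original idea of one outside interface spanning both links, the second models the design the author arrived at, here assumed to be one failover pair with a separate outside interface per ISP subnet. Only the prefixes 203.39.52.x and 203.38.242.x come from the thread; the host addresses and interface names are made up.

```python
"""Audit PIX/ASA-style active/standby interface addressing.

Added example, not part of the original thread. Checks that every
'ip address <active> <mask> standby <standby>' line has a standby address
in the same subnet as the active one (and distinct from it).
"""
import ipaddress
import re

# Matches an interface-level 'ip address' line; the standby part is optional.
IP_ADDR_RE = re.compile(
    r"^\s*ip address\s+(?P<active>\S+)\s+(?P<mask>\S+)"
    r"(?:\s+standby\s+(?P<standby>\S+))?\s*$"
)

# Constructed: one outside interface trying to span both ISP subnets (the thread's first idea).
CONSTRUCTED_MISMATCH = """
interface Ethernet0
 nameif outside
 ip address 203.39.52.10 255.255.255.0 standby 203.38.242.10
"""

# Constructed: one outside interface per ISP subnet, each with its own standby address.
CONSTRUCTED_OK = """
interface Ethernet0
 nameif outside-isp1
 ip address 203.39.52.10 255.255.255.0 standby 203.39.52.11
interface Ethernet1
 nameif outside-isp2
 ip address 203.38.242.10 255.255.255.0 standby 203.38.242.11
"""


def parse_interface_addresses(config: str) -> list[dict]:
    """Return one record per 'ip address' line, tagged with its interface and nameif."""
    records = []
    iface = None
    nameif = None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            iface = stripped.split(None, 1)[1]
            nameif = None  # a new interface block resets the logical name
        elif stripped.startswith("nameif "):
            nameif = stripped.split(None, 1)[1]
        else:
            m = IP_ADDR_RE.match(line)
            if m:
                records.append({
                    "interface": iface,
                    "nameif": nameif,
                    "active": m["active"],
                    "mask": m["mask"],
                    "standby": m["standby"],
                })
    return records


def check_standby_subnet(record: dict) -> tuple[bool, str]:
    """True when the standby address is usable for failover on this interface."""
    name = record["nameif"] or record["interface"]
    # ipaddress accepts a dotted netmask after the slash, e.g. '1.1.1.1/255.0.0.0'.
    net = ipaddress.IPv4Interface(f"{record['active']}/{record['mask']}").network
    if record["standby"] is None:
        return False, f"{name}: no standby address, so the peer cannot take over this interface"
    standby = ipaddress.IPv4Address(record["standby"])
    if standby == ipaddress.IPv4Address(record["active"]):
        return False, f"{name}: standby {standby} equals the active address"
    if standby not in net:
        return False, f"{name}: standby {standby} is not in {net}"
    return True, f"{name}: ok, {record['active']} and {standby} are both in {net}"


def audit(config: str) -> list[tuple[bool, str]]:
    """Run the subnet check over every 'ip address' line in the config."""
    return [check_standby_subnet(r) for r in parse_interface_addresses(config)]


if __name__ == "__main__":
    for label, cfg in (("mismatch", CONSTRUCTED_MISMATCH), ("ok", CONSTRUCTED_OK)):
        print(f"== {label} ==")
        for ok, msg in audit(cfg):
            print(("PASS " if ok else "FAIL ") + msg)
```

The mismatch config produces one FAIL line (203.38.242.10 is not in 203.39.52.0/24), which is exactly why a single outside interface cannot serve both links in active/standby; the second config passes on both interfaces, which is the shape of the design the author settled on.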