PIX active/standby for 2 links

hi there,
Topology View:

Router 1 --> Pix 1 --> Switch 1 & 2--> Internet Link 1
Router 2 --> Pix 2 --> Switch 2 & 1 --> Internet Link 2

Can I use the active/standby failover design in PIX in the given design ... the question basically boils down to the outside interface of the PIX ... From my understanding, the active and standby interfaces of the PIX should be in the same subnet
... I've a case where I have got 2 internet links and both of them are in different subnets ... can I use active/standby in this case?
And basically where does the active/standby provide redundancy? Just between the two PIX interfaces or between the 2 internet links?
nabeel92 Asked:

Asta Cu (Technical consultant & graphic design) Commented:
Version? Update level/environment? Often, I find the release notes to be viable references, and I'm unclear about your environment, so this "may" shed some light. If I misunderstood, sorry.
http://www.cisco.com/en/US/docs/security/pix/pix61/hw/installation/guide/inst.html
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix708rn.html
PIX/ASA: Active/Active Failover Configuration Example - https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
If I missed the boat here, sorry.  ":0)  Asta
nabeel92 Author Commented:
No, you're OK .. I was actually unable to give complete info, I guess, of what I was looking for ... attached in the diagram is my given scenario ...
There are 2 PIX firewalls and 2 core routers that are connected to them ... behind the core routers is the IP WAN to which all our branch sites connect (branch sites are not shown in the pic) ... now as you can see

In usual active/standby configs, for an outside interface of the PIX connecting to the internet links, they both have to be in the same subnet .... so that we can give commands like
interface outside
 ip address 1.1.1.1 255.0.0.0 standby 1.1.1.2 (where both 1.x.x.x addresses are in the same subnet)

Now my first question is;
1. Can PIX active/standby work here?

In my case, I've two different internet links (203.39.52.x and 203.38.242.x) which are obviously not in the same subnet ... Then how can I configure the PIX in active/standby mode when the 2 outside IP addresses would be in different subnets? Is it possible to implement active/standby in my scenario?

2. As an alternative, if I use HSRP on the routers and just configure the PIX devices normally as they are ... On which interface should I be configuring HSRP commands? Is it the interface connecting the two routers or the interfaces connecting to the IP WAN? I think it can be either of them! What do you say? And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers since their default gateway would have the PIX 1 DMZ interface IP... Now that HSRP is working and all traffic is being sent via Core 2 through to PIX 2, aren't my DMZ servers going to be affected because now their gateway should have been the PIX 2 DMZ interface and not the PIX 1 DMZ interface?

I don't know if I have made it too complex to understand! :)
image-1.JPG
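The constraint nabeel92 restates above (the active and standby addresses of one PIX interface must share a subnet) can be checked mechanically before a config is pushed. The following Python script is an added example, not code from this thread or from Cisco: it parses `ip address <active> <mask> standby <standby>` lines in a constructed PIX-style config and flags any interface whose standby address does not fall inside the active address's subnet. The 1.x.x.x pair is the poster's own example; the 203.x host addresses and the dmz interface are constructed for illustration from the two ISP subnets mentioned in the thread.

```python
import ipaddress
import re

# Constructed sample PIX-style interface configuration (not from the thread's devices).
# The 1.x.x.x pair is the poster's own example; the 203.x host parts and the dmz
# interface are assumed values built from the two ISP subnets the poster mentions.
SAMPLE_CONFIG = """\
interface outside
 ip address 1.1.1.1 255.0.0.0 standby 1.1.1.2
interface outside2
 ip address 203.39.52.10 255.255.255.0 standby 203.38.242.10
interface dmz
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
"""

# Matches the "ip address <active> <mask> standby <standby>" form used in the thread.
IP_LINE = re.compile(
    r"^\s*ip address (?P<active>\S+) (?P<mask>\S+) standby (?P<standby>\S+)\s*$"
)


def parse_failover_addresses(config_text):
    """Return (interface, active, mask, standby) tuples for every standby-bearing ip line."""
    results = []
    current_iface = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current_iface = line.split(None, 1)[1].strip()
            continue
        m = IP_LINE.match(line)
        if m and current_iface:
            results.append((current_iface, m["active"], m["mask"], m["standby"]))
    return results


def same_subnet(active, mask, standby):
    """True when the standby address lies in the subnet defined by the active address and mask."""
    network = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    return ipaddress.ip_address(standby) in network


def check_failover_config(config_text):
    """Map each interface name to True (valid pair) or False (standby outside the active subnet)."""
    return {
        iface: same_subnet(active, mask, standby)
        for iface, active, mask, standby in parse_failover_addresses(config_text)
    }


if __name__ == "__main__":
    for iface, ok in check_failover_config(SAMPLE_CONFIG).items():
        status = "ok" if ok else "standby address is not in the active subnet"
        print(f"{iface}: {status}")
```

Run against the constructed sample, the `outside2` interface is the one the thread is about: its active address sits in 203.39.52.0/24 while the standby sits in 203.38.242.0/24, so a single active/standby pair cannot be built across the two ISP links as written, which is exactly the limitation the poster ran into.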
Asta Cu (Technical consultant & graphic design) Commented:
I am sorry, but this is beyond my knowledge, and I did note your other question and commented there to see if those Experts can help on this question.  Asta

Asta Cu (Technical consultant & graphic design) Commented:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml definitely taught me more about the environment, configs on subnet, etc. but not enough to help you.
nabeel92 Author Commented:
just curious if there are any experts out there ?
Asta Cu (Technical consultant & graphic design) Commented:
I have submitted a request to the Moderator to see if this can be sent to another category or to broadcast to other Experts that may be better equipped to help you.  Sorry I could not.  Asta
giltjr Commented:
Under what circumstances do you want the PIX to fail over to the standby unit?

Each PIX is connected to each switch that connects to the "Internet". Does each PIX have an IP address in each of the ISP's subnets?

If they do NOT, then why do the PIX's have connections to each switch?

Is this an existing setup or is this a new design that you are working on?

nabeel92 Author Commented:
1. Under what circumstances do you want the PIX to fail over to the standby unit?
When any of the interfaces connected to the PIX fails, it should trigger a failover. That is in the config section that I've already done.

2. Each PIX is connected to each switch that connects to the "Internet". Does each PIX have an IP address in each of the ISP's subnets?
Yes, each PIX has IP addresses in each ISP's subnet. Switches are there so that I am able to connect both the PIX outside interfaces
to both internet links at the same time. If I eliminate, say, switch 1, then I only have a connection from PIX 1 to Internet Link 1 but won't
be able to connect PIX 2 with Internet Link 1.
Actually, I've figured out the answer to my first question; I got the lead from your question. I have to configure 2 active/standby units.
First, I use the PIX 1 link to Internet 1 as active and the corresponding standby as the link from PIX 2 to Internet 1. This way they both have the same
subnet and so this is doable. Second, I configure the link from PIX 2 to Internet Link 2 as active and the corresponding standby would be the link
from PIX 2 to Internet Link 1. So part 1 is clear.

3. If they do NOT, then why do the PIX's have connections to each switch?
Explained above.

4. Is this an existing setup or is this a new design that you are working on?
I'm working on a new design which is slightly different from the current design. In the current design, there are only 2 core routers connected to their
respective Internet links, but one of them is shut down.


And I'm just thinking and I think part 2 is clear now.

And if I were to do HSRP and suppose some link fails which triggers HSRP failover, what do I do about the DMZ servers since their default gateway
would have the PIX 1 DMZ interface IP.

Yes, I see this as a potential issue if I just run HSRP on both routers without any failover config on the PIX. Because how are the DMZ servers going to change
their default gateway (which is the PIX DMZ interface) once the HSRP failover is triggered on the routers? They will keep sending traffic to PIX 1 even after
failover has been triggered and Router 2 is the active one. OK, yeah, that's clear as well.

Sorry, it's just a complex setup so it's hard to explain everything, but I think I got what I'm looking for!
Thanks guys,
