nabeel92
asked on
virtual I.P on PiX DMZ interface
I have 2 PIX firewalls ...
I want to know that just like we have virtual I.P's in HSRP and clients point to that virtual I.P, can we have something similar or like that in PIX firewall as well ? Reason am asking is because the scenario is where ive two PIX firewalls and behind each fix pirewalls is a router (smthg like this given below)
Router 1--> Pix 1--> Internet
Router 2--> Pix 2--> Internet
I want to run HSRP on both routers and only issue I see is that in case of an hsrp failover (i.e. router 1 fails and router 2 becomes the active one), servers in dmz will keep forwarding traffic to Pix 1 DMZ Interface I.P (coz its not gonna know when the HSRP has failed over) whereas it should be sending traffic to Pix 2 DMZ I.P since thats the active one now !
Was i able to explain the issue ?
I want to know that just like we have virtual I.P's in HSRP and clients point to that virtual I.P, can we have something similar or like that in PIX firewall as well ? Reason am asking is because the scenario is where ive two PIX firewalls and behind each fix pirewalls is a router (smthg like this given below)
Router 1--> Pix 1--> Internet
Router 2--> Pix 2--> Internet
I want to run HSRP on both routers and only issue I see is that in case of an hsrp failover (i.e. router 1 fails and router 2 becomes the active one), servers in dmz will keep forwarding traffic to Pix 1 DMZ Interface I.P (coz its not gonna know when the HSRP has failed over) whereas it should be sending traffic to Pix 2 DMZ I.P since thats the active one now !
Was i able to explain the issue ?
debuggerau
PIX has HSRP as well, it is a licensed addition however, and only available on the larger PIX's..
ASKER
how can i check that on my pix ?
firewall1/failovergroup2# sh version
Cisco PIX Security Appliance Software Version 8.0(2) <context>
Device Manager Version 6.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
firewall1 up 28 days 1 hour
failover cluster up 28 days 10 hours
Hardware: PIX-515E
Licensed features for this user context:
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
GTP/GPRS : Disabled
Configuration last modified by enable_15 at 04:28:50.536 UTC Fri Mar 27 2009
firewall1/failovergroup2# sh version
Cisco PIX Security Appliance Software Version 8.0(2) <context>
Device Manager Version 6.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
firewall1 up 28 days 1 hour
failover cluster up 28 days 10 hours
Hardware: PIX-515E
Licensed features for this user context:
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
GTP/GPRS : Disabled
Configuration last modified by enable_15 at 04:28:50.536 UTC Fri Mar 27 2009
ASKER
I hope you're not referring to HSRP as Pix Active/Active failover configuration ? because that's what I already have ... I am talking about the HSRP with conventional standby commands, etc
I dont think so, check these other comments:
https://www.experts-exchange.com/questions/21474131/PIX-Failover-Bundel-Dual-HSRP-Feeds-Switching.html
https://www.experts-exchange.com/questions/22057262/PIX-Failover-and-Redundancy-switch-replacemnet.html
wouldn't a least cost route give you the flexibility you need there?
PIX to use router 1 as least cost (10) and router 2 for the next highest (20)..
https://www.experts-exchange.com/questions/21474131/PIX-Failover-Bundel-Dual-HSRP-Feeds-Switching.html
https://www.experts-exchange.com/questions/22057262/PIX-Failover-and-Redundancy-switch-replacemnet.html
wouldn't a least cost route give you the flexibility you need there?
PIX to use router 1 as least cost (10) and router 2 for the next highest (20)..
ASKER
wouldn't a least cost route give you the flexibility you need there? >> Can u elaborate further as am unable to understand what you meant ! my setup is pretty much similar to the one mentioned in the second post ...
ASKER
or if i were to rephrase my question, it would be "does pix have any other way of redundancy except for active/active or active/standby" ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.