topic Re: PIX fail over and HSRP integration in Network Security

PIX fail over and HSRP integration

bapatsubodh — Fri, 21 Feb 2020 08:55:28 GMT

This is regarding PIX failover and HSRP put together to have 100 % redundancy. Device connectivity is like this . Two routers having serial links to separate ISP’s ( R1 and R2 ). . Ethernet ports of these routers connected to two separate switches.( outside-sw1 and outside-sw2 ) Two PIX firewalls connected in state-full failover mode. , outside interface ( pix1-outside and Pix2-outside ) of these PIX will be connected to the previously mentioned switches(outside-sw1 and outside-sw2 ) . Similarly Inside interfaces ( pix1-inside and pix2-inside ) of these PIX will be connected to two separate switches. ( inside-sw1 and inside-sw2).

In a nutshell , R1- eth0  outside-sw1 ,

PIX1-outside  outside sw1

And

R2-eth0 - outside-sw2

PIX2 -outside  outside-sw2

And PIX1-inside  inside-sw1

PIX-inside  inside-sw2

PIX1 to PIX2  failover cable and lan cable

inside-sw1 to inside-sw2 cross cable / trunk

outside-sw1 to outside-sw2 cross cable / trunk

So it is a chain of devices running in parallel giving redundancy upto each device level.

Is it possible to configure HSRP with these routers , switches and failover with PIX.

Any link about integration of these devices will be appreciated

please see following slide in attachments

Re: PIX fail over and HSRP integration

dominic.caron — Thu, 25 May 2006 16:23:57 GMT

Hi,

Do you use BGP to peer with your two ISPs. My Internet Edge is designed in a similar way and I tested all possible failure scenario when I designed it. Be glad to help if it match.

Re: PIX fail over and HSRP integration

dominic.caron — Thu, 25 May 2006 21:38:10 GMT

If you are usging BGP and are multihomed with a primary and a backup link, dont use HSRP. Peer with the two isp with eBGP and peer your edge router with iBGP. Between the edge router and the pix, run ospf. The two edge router should send only a default route to the pix. Use a route-map on the 2 router to get them to only sent default if they have the best outside route.

default-information originate metric 5 route-map SEND_DEFAULT

route-map SEND_DEFAULT permit 10

match ip address 1

match ip next-hop 2

access-list 1 permit 0.0.0.0

access-list 2 permit #.#.#.# (ISP 1)

access-list 2 permit #.#.#.# (ISP 2)

On the pix(s), advertise your network with a network-summary statement. Impact on the cpu of the pix will be very small, ospf routing table will have only one entry.

You will have full redendancy this way. In case you have a routing protocol problem, might be a good idea to put a few floating static route...just in case

Re: PIX fail over and HSRP integration

r-tyrell — Mon, 27 Nov 2006 20:57:09 GMT

We are in the process of bringing up a secondary router and internet connection (same ISP). I do plan on running BGP between these routers and eBGP between their neighbors. I currently have one PIX 515 (6.3) using static routes. Could you post or email me privately the OSPF configuration? Do you run OSPF between your PIX and inside network? Or only run OSPF between the PIX and internet routers? I am unsure of how to provide a different default gateways on the PIX. Thank you.