Re: Using Pix Firewalls with CSS 11501

pncisco216 · ‎11-06-2006

We currently have two CSS 11501's setup with box-to-box failover redundancy. We wish to add PIX Firewalls betweent the CSS's and their connection to the Internet for added security. What redundancy configurations/topolgies are workable, for the PIX's and the CSS's. Active-Standby? Active-Active? How shoudl they be connected? Should the CSS's and the PIX's be setup for failover? or just one or the other?

Thank you for any suggestions.

dalmada · ‎11-09-2006

Hi,

I use the same scheme with a failover pair( active standby) of PIX 515E in front of a active-standby pair of CSS11501. In this particular case the servers and firewalls are connected directly in the CSS.

David

pncisco216 · ‎11-16-2006

Hello again,

We are planing to use a pair of PIX 525's in active/standby. I am not too familiar with the 515E, but I assume it configures in a similar manner. Our CSS 11501's are also in an active/standby arrangement. When you say that the firewalls and servers are directly connected in the CSS, I assume that you are using the switch built into the CSS, and that is what we are intending to do as well. I am wondering about the connections between the firewalls and the pair of CSS's. Is each PIX connected to each CSS in a criss-cross fashion? I would think this would be required to allow for the failover of the PIX. Also, does each Internet connection connect only to each of the two firewalls? i.e. the Internet connections are redundant as well, with only one in use at a time. This is how I think we will be setting things up, but it would be nice to know that someone else is successfully using such an arrangement. Thanks again for any assistance.

Paul