01-10-2011 09:53 PM - edited 03-11-2019 12:33 PM
Hi All,
In our client's organization we are going to migrate to a new firewall alongside the existing setup. In the existing setup they have a PIX 525, and the new firewall is an ASA (the PIX is now end of sale). As per my understanding, we cannot build Active/Active or Active/Standby failover with a different platform or IOS.
So please let me know what kind of failover can be configured in this scenario.
I have attached the sample diagram for your reference. Thanks
01-10-2011 10:16 PM
Yes, you are absolutely correct.
You can't have firewalls running in failover mode using different firewall platforms. They would need to both run the same model and version of code, and have the same modules running on both firewalls, to be able to run the native failover feature (whether it's Active/Active or Active/Standby failover).
If you currently have two different types of firewall (i.e. one PIX and one ASA), the best you can do is to perform manual failover (cold standby), i.e. have exactly the same configuration on the PIX and the ASA, connect only one of the devices to the network, and if that device fails, manually connect the other device into your network. There is no automatic failover with different types of firewalls, unfortunately.
01-10-2011 10:25 PM
Hi Halim,
Thanks for your valid input.
Is it possible to configure HSRP on A-switch1 and A-switch2, using IP SLA monitoring of the firewall interface, for automatic switchover? If possible, will there be any security issue for the side which has security level 100 (B-switch1 and B-switch2)?
If there is a security issue, how can I beat this?
01-10-2011 10:35 PM
You won't be able to do that, because you can't configure the same IP address on the PIX and on the ASA: the switch and the router wouldn't have the correct active MAC address. Even if it were possible, the state information on the connections would not be replicated across, and there would be a lot of packet drops when the failover happens, as both the PIX and the ASA are stateful firewalls that keep the state of each connection to ensure security. It's not like a router, which only routes traffic across.
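As an added illustration of the point in the answer above (not part of this thread, and not Cisco code), the toy model below shows why moving traffic from one stateful firewall to another with HSRP/IP SLA drops established flows: the new active box has no entry for the connection, so the return packet fails the state check. The firewall model, addresses and flow are constructed for the example; `sync_state=True` stands in for what the native failover state link would do between two identical units.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class StatefulFirewall:
    """Minimal stateful firewall (constructed model): outbound flows from the
    inside network are permitted and create a connection entry; inbound packets
    are permitted only if they match an existing entry in reverse."""

    def __init__(self, name: str, inside_prefix: str = "10.0.0."):
        self.name = name
        self.inside_prefix = inside_prefix
        self.conns: set[tuple[str, int, str, int]] = set()

    def forward(self, pkt: Packet) -> bool:
        if pkt.src.startswith(self.inside_prefix):        # inside -> outside
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # outside -> inside: must match the reverse of a known connection
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns


def run_failover(sync_state: bool) -> list[bool]:
    """Return the forwarding decisions for: outbound SYN on the active PIX,
    the reply on the PIX, then the same reply after traffic moves to the ASA."""
    pix = StatefulFirewall("PIX")
    asa = StatefulFirewall("ASA")
    out = Packet("10.0.0.5", "203.0.113.9", 40000, 443)   # constructed flow
    reply = Packet("203.0.113.9", "10.0.0.5", 443, 40000)
    decisions = [pix.forward(out), pix.forward(reply)]
    if sync_state:
        asa.conns = set(pix.conns)   # what a real failover state link provides
    # HSRP/IP SLA style switchover: traffic now arrives at the ASA
    decisions.append(asa.forward(reply))
    return decisions


if __name__ == "__main__":
    print("no state sync:", run_failover(False))   # [True, True, False]
    print("state synced: ", run_failover(True))    # [True, True, True]
```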