In our client organization we are going to migrate the new firewall with existing setup. Here, In the existing setup they are having Pix 525 and the new firewall is ASA (Pix is the end of the sales now). As per my understanding we cannot build failover Active/Active or Active/Standby with the different platform or IOS.
So please let me what kind of failover can configure in this scenario.
I have attached the sample diagram for your referance. Thanks
You can't have firewall running in failover mode using different platform of the firewalls. They would need to both run the same model and version of code, and have the same module running on both firewalls to be able to run the native failover feature on the firewalls (whether it's Active/Active or Active/Standby failover).
If you currently have 2 different types of firewall (ie: one PIX and one ASA), the best you can do is to perform manual failover (cold standby),ie: have exactly the same configuration on the PIX and ASA, and only connect one of the devices to the network, and if that device fails, then manually connect the other device into your network. There is no automatic failover with different types of firewalls unfortunately.
Is it possible to configure HSRP in A-switch1 and A-switch2 using IP SLA monitoring to firewall interface for automatic switchover ? If possible will there be any security issue which has security level 100 (B-switch1 and B-Switch2) ?
If there is a security issue. How can i beat this ?
You won't be able to perform that because you can't configure the same IP Address in the PIX on the ASA because the switch and the router wouldn't have the correct active mac address, and even if it's possible, the state information on the connection will not be replicated across, and there will be a lot of packet drops when the failover happens as both PIX and ASA firewalls are a stateful firewall, and it keeps the state of the connection to ensure security. It's not like a router where it only routes traffic across.