12-24-2005 02:27 AM - edited 02-21-2020 12:36 AM
Dear All,
Can anybody explain to me how PIX 7.0 load balances connections?
Let's take a scenario:
PIX-1
internal interface - 172.16.5.3
external interface - 10.10.10.3
PIX-2
internal interface - 172.16.5.4
external interface - 10.10.10.4
Now the two PIXes' internal interfaces are connected to an internal switch and their external interfaces are connected to an external switch. How does load balancing work here?
Regards
Nataraj
12-24-2005 05:19 AM
Hello Nataraj,
You need to take care of load-balancing in the network - half of your traffic needs to be pointed to the 10.10.10.3 address and the other half to 10.10.10.4, and the same goes for the internal interfaces. Now the question is how you can achieve that. For that you need a layer 3 device - a router on the inside and on the outside - and you can configure policy routing or equal-cost paths on the router to load-share the traffic.
On the PIX, you need to configure Active/Active FO with ASR turned on, which will take care of the session information replication between the PIXen.
Please let us know if you have any follow-up questions.
Thanks,
Mynul Hoda
CISSP, CCIE # 9159
Author: Cisco Network Security Troubleshooting - http://www.ciscopress.com/title/1587051893
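An added configuration sketch (written for this thread, not Mynul's text or a Cisco sample) of the layout described above: the system execution space defines two failover groups and assigns one context to each, and in each context the outside interfaces share one ASR group and the inside interfaces share another, so a reply that the routers send through the other unit is matched to the session that the first unit created. Context names, the failover link, the admin context, and the standby addresses are assumptions; the .3/.4 addresses come from the question.

```cisco
! --- System execution space, primary unit (constructed example) ---
mode multiple                              ! Active/Active needs multiple context mode
failover lan unit primary
failover lan interface folink Ethernet3
failover link folink Ethernet3             ! stateful link: ASR depends on state replication
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt
admin-context admin
context admin
  allocate-interface Ethernet2
  config-url flash:/admin.cfg
context ctxA
  allocate-interface Ethernet0              ! physical ports are shared by both contexts,
  allocate-interface Ethernet1              ! so each context needs a unique IP on them
  config-url flash:/ctxA.cfg
  join-failover-group 1                     ! ctxA normally active on unit 1
context ctxB
  allocate-interface Ethernet0
  allocate-interface Ethernet1
  config-url flash:/ctxB.cfg
  join-failover-group 2                     ! ctxB normally active on unit 2
failover                                    ! enable last, after groups and contexts exist

! --- Context ctxA (normally active on PIX-1) ---
interface Ethernet0
  nameif outside
  security-level 0
  ip address 10.10.10.3 255.255.255.0 standby 10.10.10.13
  asr-group 1                               ! same number on ctxB's outside interface
interface Ethernet1
  nameif inside
  security-level 100
  ip address 172.16.5.3 255.255.255.0 standby 172.16.5.13
  asr-group 2                               ! same number on ctxB's inside interface

! --- Context ctxB (normally active on PIX-2) ---
interface Ethernet0
  nameif outside
  security-level 0
  ip address 10.10.10.4 255.255.255.0 standby 10.10.10.14
  asr-group 1
interface Ethernet1
  nameif inside
  security-level 100
  ip address 172.16.5.4 255.255.255.0 standby 172.16.5.14
  asr-group 2
```

The routers then split flows between .3 and .4 on each side; ASR only covers the case where the forward and return paths land on different units, it does not itself balance traffic.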
12-25-2005 11:49 PM
Hi,
I was actually trying to work on an Active-Active configuration in a similar environment. As you know, in order to operate your 2 PIX units in Active-Active you have to run them in multiple mode by configuring at least 2 contexts. The problem is that different security contexts cannot share some of the configuration, like NATting and static translation; this means that you won't be able to publish your DMZ public servers on the 2 contexts, because Cisco is expecting you to configure 2 totally different subnets on each context. So please be aware of that and take this into consideration.
Regards,
Haitham
12-26-2005 12:08 AM
Hello Haitham,
If I understand the issue correctly, ASR (Asymmetric Routing Support) should take care of that issue as pointed out by my previous post and outlined in the following link:
Thanks,
Mynul Hoda
CISSP, CCIE # 9159
Author: Cisco Network Security Troubleshooting Handbook - http://www.ciscopress.com/title/1587051893
12-26-2005 01:32 AM
Hi Mynul,
I'm aware of the asymmetric routing support, but what I'm talking about here is the possibility of the different contexts (let's assume we've only 2) supporting the same internal network. Suppose you've one internal subnet 10.10.10.0/24 and a DMZ with some public services, with only one internet link. Now you want to publish your servers on the public network, plus you want to configure global translation for your internal network. What I'm sure of is that you'll get an error when configuring the same address translation on both contexts. This means that Active-Active is designed for supporting different networks and not the same internal network. Please correct me if I'm wrong.
Thanks,
Haitham