04-17-2007 07:32 AM - edited 03-11-2019 03:01 AM
My suggestion for session key encryption for a lan based failover connection for the PIX is as follows:
A) Physically connect PIX interfaces to a workgroup and/or enterprise Catalyst 6509 switch, IOS 12.2(18)SXF and higher.
B) Assign static IP addresses within the range of the primary and failover PIX units.
C) Configure session key encryption on the workgroup switch and only allow TCP packet segments via IP protocol number 105/SCPS. Then deny all other TCP/IP segments.
The configurations should be as follows:
Company-A-6509#show run
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
! Hostnames and crypto map names cannot contain spaces
hostname Company-A-6509
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
no crypto isakmp enable
!
crypto ipsec transform-set encrypt-aes esp-aes esp-sha-hmac
!
! Manual keying: esp-aes (128-bit) needs a 32-hex-digit cipher key and
! esp-sha-hmac needs a 40-hex-digit authenticator key; shorter values are
! rejected. The keys below are placeholders, replace them with random keys.
crypto map pix-failover 8 ipsec-manual
 set peer 11.11.11.6
 set session-key inbound esp 1001 cipher 1234abcd1234abcd1234abcd1234abcd authenticator 1234abcd1234abcd1234abcd1234abcd1234abcd
 set session-key outbound esp 1000 cipher abcd1234abcd1234abcd1234abcd1234 authenticator abcd1234abcd1234abcd1234abcd1234abcd1234
 set transform-set encrypt-aes
 match address 101
!
interface GigabitEthernet2/2
 description PIX failover interface, LAN-based; crypto ACL matches IP protocol 105 (SCPS)
 ip address 11.11.11.5 255.255.255.252
 speed 100
 duplex full
 crypto map pix-failover
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.12
!
! Crypto ACL: "ip ... eq 105" is not valid syntax (eq is for TCP/UDP ports);
! IP protocol 105 is given as the protocol keyword. Denied traffic is not
! encrypted, and a permit after "deny ip any any" is never reached.
access-list 101 permit 105 host 11.11.11.5 host 11.11.11.6
access-list 101 permit 105 host 11.11.11.6 host 11.11.11.5
access-list 101 deny ip any any
!
line con 0
 no login
line aux 0
 no login
line vty 0 15
 exec-timeout 300
 transport input ssh
 login
If possible, try this on a home lab, then verify the results.
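Manual keying is easy to get wrong: each session key must match the key size of the transform it is used with, or IOS rejects the line. The checker below is an added example, not code from the original post or from Cisco; it parses transform-set and ipsec-manual crypto map entries and flags keys of the wrong length or SPIs below 256. The sample configuration is constructed to reproduce the short-key mistake, and the hex-digit table is an assumption based on the standard key sizes of those transforms.

```python
import re
# Hex digits IOS expects in a manual session key for each ESP transform.
CIPHER_KEY_HEX = {"esp-des": 16, "esp-3des": 48, "esp-aes": 32,
                  "esp-aes 128": 32, "esp-aes 192": 48, "esp-aes 256": 64}
AUTH_KEY_HEX = {"esp-md5-hmac": 32, "esp-sha-hmac": 40}
# Constructed sample with the post's defect: the inbound keys are too short.
SAMPLE_CONFIG = """crypto ipsec transform-set encrypt-aes esp-aes esp-sha-hmac
crypto map pix-failover 8 ipsec-manual
 set peer 11.11.11.6
 set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set session-key outbound esp 1000 cipher abcd1234abcd1234abcd1234abcd1234 authenticator abcd1234abcd1234abcd1234abcd1234abcd1234
 set transform-set encrypt-aes
 match address 101
"""

def parse_transform_sets(config):
    """Return {name: (cipher_transform, auth_transform_or_None)}."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)\s+(.+)$", config, re.M):
        tokens, cipher, auth = m.group(2).split(), None, None
        for i, tok in enumerate(tokens):
            if tok in CIPHER_KEY_HEX:
                nxt = tokens[i + 1] if i + 1 < len(tokens) else ""  # "esp-aes 256" key size
                cipher = f"{tok} {nxt}" if nxt.isdigit() else tok
            elif tok in AUTH_KEY_HEX:
                auth = tok
        sets[m.group(1)] = (cipher, auth)
    return sets

def check_manual_crypto_map(config):
    """List key-length and SPI problems in every ipsec-manual crypto map entry."""
    problems, tsets = [], parse_transform_sets(config)
    entry = r"^crypto map (\S+) (\d+) ipsec-manual\n((?:[ \t]+.*\n?)+)"
    key = r"set session-key (inbound|outbound) esp (\d+) cipher ([0-9a-fA-F]+)(?: authenticator ([0-9a-fA-F]*))?"
    for m in re.finditer(entry, config, re.M):
        name, seq, body = m.groups()
        ts = re.search(r"set transform-set (\S+)", body)
        cipher, auth = tsets.get(ts.group(1), (None, None)) if ts else (None, None)
        if cipher is None:
            problems.append(f"{name} {seq}: transform-set missing or undefined")
            continue
        for direction, spi, ckey, akey in re.findall(key, body):
            if int(spi) < 256:  # IOS reserves SPIs below 256
                problems.append(f"{name} {seq} {direction}: SPI {spi} must be >= 256")
            if len(ckey) != CIPHER_KEY_HEX[cipher]:
                problems.append(f"{name} {seq} {direction}: {cipher} key needs {CIPHER_KEY_HEX[cipher]} hex digits, got {len(ckey)}")
            if auth and len(akey) != AUTH_KEY_HEX[auth]:
                problems.append(f"{name} {seq} {direction}: {auth} key needs {AUTH_KEY_HEX[auth]} hex digits, got {len(akey)}")
    return problems
```

Running check_manual_crypto_map(SAMPLE_CONFIG) reports two problems, both on the inbound key line, and an empty list once the keys are padded to the required length.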
04-23-2007 06:23 AM
The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.
The security appliance supports two failover configurations, Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active Failover is only available on units that run in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.