05-24-2004 09:59 AM - edited 02-20-2020 11:25 PM
I posted this originally in the Content Networking section. I figured since it involved the PIX someone might have some useful info that is related:
Quote -
Greetings all,
I currently have a setup where I have 2 PIX 515 devices that are set up as a master/backup failover pair. I also have 2 CSS 11050 devices set up in similar fashion. Each CSS has 2 connections, one to the master PIX and one to the backup PIX, so at any given time only one link would be active. I am using OSPF for route updates etc. In testing, the correct routes would show up if the one PIX failed; however, traffic would not flow on the secondary link even though the first was down and not in the route list.
The second link properly showed up in the route list as the default route.
From the firewall I could ping the CSS and other nodes beyond the CSS. I could not do the same with the CSS. I could ping things beyond the firewall, nothing beyond the firewall interface to the CSS.
Basically the only thing that works is if only the same set is active, that is, backup pix/backup css or master pix/master css.
Any ideas?
- End quote
05-24-2004 05:53 PM
The org. that I work for has CSS and PIX devices configured similar to what you want to achieve. What you cannot do on a PIX, from what I understand, is have traffic that used one interface flow onto another - this would break the ASA algorithm. What you need to do if you want to load balance across a firewall, when using the PIX, is this:
You will need to move one CSS in front of the PIX firewall pair, and purchase a 2nd set of redundant PIX units (as only one unit in the pair is active at one time). As an alternate you can upgrade the PIX FO license to a UR license and then use the two PIX units as separate firewalls.
Only when a CSS is in front of the firewall and another behind it will you achieve firewall load balancing - this is not a PIX limitation but inherent as part of the CSS operation.
One other item that I did as part of the CSS/PIX config for my org. is to also use a Catalyst switch to connect the firewall and CSS - this was done to prevent a CSS failure from causing a firewall failure - in addition I configured redundant-interfaces and redundant-vips on the CSS. Since I used the Catalyst switch, you need to ensure that the same CSS is master for all redundant-ints or -vips, or backup for all, otherwise you may find that traffic will be blocked.
If you want more details, I can post them here.
I hope this helps.
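The "asymmetric traffic breaks the ASA algorithm" point in the reply above, shown as an added illustration (this is not Cisco's code and not the PIX implementation, just a toy model written for this thread): a stateful firewall that records the ingress and egress interfaces of a flow when the permitted SYN arrives, and then drops any packet of that flow that turns up on a different interface, even after the routing table has moved to the redundant link. The addresses, ports, interface names (inside, dmz, dmz_redundant) and the ACL are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as the toy firewall sees it. 'iface' is the interface
    the packet arrived on; 'syn' marks a connection-opening segment."""
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    syn: bool = False


class ToyStatefulFirewall:
    """Minimal stateful firewall with per-interface ACLs (hypothetical model).

    A connection entry is created only by a SYN that the ingress ACL permits,
    and the entry pins the ingress and egress interfaces chosen at that moment.
    Later packets of the flow must arrive on the pinned interface for their
    direction; anything else is dropped as asymmetric. That is the behaviour the
    reply above attributes to the PIX, modelled here, not copied from it.
    """

    def __init__(self, acl, routes):
        # acl: set of (ingress_iface, dst_ip, dst_port) allowed to open a flow
        # routes: dict dst_ip -> egress iface, i.e. the current routing table
        self.acl = set(acl)
        self.routes = dict(routes)
        self.conns = {}  # (src, sport, dst, dport) -> (ingress_iface, egress_iface)

    def set_route(self, dst, iface):
        """Simulate OSPF replacing a route after the primary link fails."""
        self.routes[dst] = iface

    def process(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if fwd in self.conns:  # client -> server direction of a known flow
            ingress, _egress = self.conns[fwd]
            return "permit" if pkt.iface == ingress else "drop-asymmetric"
        if rev in self.conns:  # server -> client direction of a known flow
            _ingress, egress = self.conns[rev]
            return "permit" if pkt.iface == egress else "drop-asymmetric"

        # No state yet: only a SYN permitted by the ingress ACL may create it.
        if pkt.syn and (pkt.iface, pkt.dst, pkt.dport) in self.acl:
            egress = self.routes.get(pkt.dst)
            if egress is None:
                return "drop-no-route"
            self.conns[fwd] = (pkt.iface, egress)
            return "permit-new"
        return "drop-no-state"


def failover_scenario():
    """Verdicts for one inside->DMZ flow that straddles a DMZ link failover.

    Constructed scenario: client 10.10.0.5 on 'inside' talks to web server
    10.20.0.10 behind the CSS, reachable first via 'dmz', then via
    'dmz_redundant' after the route changes.
    """
    fw = ToyStatefulFirewall(
        acl={("inside", "10.20.0.10", 80)},
        routes={"10.20.0.10": "dmz", "10.10.0.5": "inside"},
    )
    verdicts = []
    # 1. SYN from inside, permitted by ACL, state pinned to egress 'dmz'.
    verdicts.append(fw.process(Packet("10.10.0.5", 40000, "10.20.0.10", 80, "inside", syn=True)))
    # 2. Reply returns on 'dmz': matches the pinned egress interface.
    verdicts.append(fw.process(Packet("10.20.0.10", 80, "10.10.0.5", 40000, "dmz")))
    # 3. Primary link fails, OSPF moves the route to the redundant link.
    fw.set_route("10.20.0.10", "dmz_redundant")
    # 4. The same flow's reply now arrives on 'dmz_redundant': dropped, the
    #    route table says this interface is right but the flow state disagrees.
    verdicts.append(fw.process(Packet("10.20.0.10", 80, "10.10.0.5", 40000, "dmz_redundant")))
    # 5. A fresh connection opened after failover is pinned to the new egress.
    verdicts.append(fw.process(Packet("10.10.0.5", 40001, "10.20.0.10", 80, "inside", syn=True)))
    verdicts.append(fw.process(Packet("10.20.0.10", 80, "10.10.0.5", 40001, "dmz_redundant")))
    # 6. An unsolicited SYN from the DMZ side with no ACL entry and no state.
    verdicts.append(fw.process(Packet("10.20.0.10", 5555, "10.10.0.5", 22, "dmz_redundant", syn=True)))
    return verdicts


if __name__ == "__main__":
    for step, verdict in enumerate(failover_scenario(), 1):
        print(step, verdict)
```

Step 4 is the case the original poster describes: the route to the DMZ has correctly moved to the redundant interface, pings sourced from the firewall itself work because they create fresh state, yet existing through-traffic dies because its state is pinned to the failed interface. Step 5 shows why flows opened after the change do work in this model, and step 6 that the ACL still applies to anything without state.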
05-25-2004 04:38 AM
I'm not looking to load balance my firewall. What I'm trying to achieve is a redundant DMZ. The whole setup works from the firewall itself. In other words, if the one firewall failed and the backup was running, then all the routes changed to the other link on the CSS and I could do all sorts of pings from the firewall to the DMZ. However, I could ping anything beyond the CSS on the DMZ, and on the inside network I couldn't ping beyond the firewall. The ACLs are the same for both interfaces, DMZ and DMZ_Redundant.