
Pix Failover Configuration with 1 Public

mumbles202
Level 5

Have 1 PIX 515e (6.3(3)) in production that is currently assigned IP 1.1.1.2 w/ a 255.255.255.248 mask.  All of my remaining publicly assigned IPs are being used so I don't have a free IP for the standby IP on the outside interface.  Can I just do the standbys on the inside, failover and stateful link and not worry about having the standby for the outside?  I'll be using LAN-based failover w/ a few ports VLAN'd out on my 3560 for the failover and stateful links.

5 Replies

lcambron
Level 3

Hello David,

The PIX firewall is reaching end of life this month. I don't think this is supported on version 6.3, nor do I know what the behavior will be in this scenario. On version 7.0 and higher you can use the command:

no monitor-interface if_name

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1582411

And just monitor the other interfaces.

I hope this helps.

Regards,

Felipe.

Thanks for the information.  We'll likely be moving to ASAs soon, but in the interim we have the 515e so I wanted to use that.  I hadn't planned on upgrading the code to 7.0 or later just yet, but I'll see if that's an option.

Does anyone know for sure if this will work on 6.3(5)?  I've been told moving to 7 isn't an option at this point and since the ASA upgrade is a few months away at the very least I'd like to get this accomplished using 6.3(5) in the interim.

Was able to do this in a lab w/ both units having unrestricted licenses so would hope the same would apply w/ 1 UR and 1 Failover only.  The config balks a little about no failover IP being set for the outside interface, but if the primary PIX goes down it did fail over.

If I were to have a primary unit that is already configured and in production and wanted to do cable-based failover to a failover-only licensed 515e, what configuration changes would need to be made?  The LAN failover seems to be causing an issue each time it is enabled.
