PIX FAILOVER without HSRP support

sreddy
Level 1

Hi,

I need to know if it is possible to use PIX firewalls with failover capability directly connecting to ISP routers.

We do not have our own edge routers. This means there is no HSRP available for the PIX to route all outside traffic to one single address.

Here are the IP addresses:

PIX - Active outside: 192.168.50.1

ISP Edge router 1: 192.168.50.2

PIX - Active inside: 10.10.0.1

PIX - Standby outside: 192.168.60.1

ISP Edge router 2: 192.168.60.2

PIX - Standby inside: 10.10.0.2

Can I use OSPF routing to make failover work?

What will happen when failover occurs? Will the PIX - Standby outside IP address (192.168.60.1) get overwritten as 192.168.50.1?

Can I omit the "failover ip address outside" command to prevent this?

Please let me know if anybody has implemented this kind of solution. Any links or tips will be very helpful.

Thanks,

Shekar

2 Replies

davecs
Level 1

Hi Shekar,

As long as you only want to do failover and not load balancing, you can do it this way.

Set the primary PIX outside address to, say, 192.168.0.254; the failover address will be 192.168.0.253.

Next, interconnect the ISP routers and the PIXs via switches. You can use one switch if you like, but you will have a single point of failure, so use two if you can.

The routes to your internal network on the ISP routers will always point at 192.168.0.254.

When failover happens the secondary PIX will automatically take 192.168.0.254 and comms will still be fine.

I think that's about it! :)

cheers

dave

a.awan
Level 4

The following points should be kept in mind while deploying a pair of PIX firewalls in a failover configuration:

1. The standby PIX will have its own IP address for each interface; however, for each interface the IP address of the standby PIX needs to be on the same subnet as the IP address of the corresponding interface of the active firewall.

2. When failover happens the standby PIX takes over the IP addresses of the active PIX.

In your particular case the only way to make things work properly without HSRP will be to somehow have the two routers on the same subnet along with your PIX firewalls. If HSRP still cannot be supported by your provider, then you will need to run a dynamic routing protocol like OSPF to make sure the PIX learns the correct default route to send packets out on.

You cannot omit the "failover ip address outside" command to prevent the IP address of the standby being overridden by that of the active during a failover.

If there is no way the provider is willing to change their side of the configuration, I think your best option is to introduce a pair of L3 switches such that you keep the PIX firewalls on their own VLAN while running HSRP for this VLAN on both L3 switches. At the same time you can have L3 ports connected to each provider router on their own subnet range. Load balancing can be achieved over the two internet links using whatever mechanism you deem appropriate (ECMP coupled with a suitable switching path).
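Putting the two replies together as a single configuration skeleton (an added illustration, not something posted in this thread): PIX 6.x syntax for the firewall pair using dave's outside addresses, plus IOS HSRP on the pair of L3 switches that a.awan suggests. The VLAN number, interface names, HSRP group and priorities, the 192.168.0.0/24 PIX segment, and the reuse of the poster's 192.168.50.x / 192.168.60.x ranges for the switch-to-ISP links are all assumptions; the failover cable / LAN-based failover link and any stateful-failover interface are left out.

```cisco
! ---- PIX primary unit (PIX 6.x syntax; the secondary unit copies this
! ---- config from the primary over the failover link, so only one is shown)
! Outside interface sits on the dedicated PIX VLAN (192.168.0.0/24, assumed).
! The active unit owns .254 and the standby unit owns .253; on failover the
! standby unit takes over .254 (and its MAC), so nothing upstream changes.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.0.254 255.255.255.0
ip address inside 10.10.0.1 255.255.0.0
failover
failover ip address outside 192.168.0.253
failover ip address inside 10.10.0.2
failover poll 15
! Default route points at the HSRP virtual IP shared by the two L3 switches,
! not at either physical switch or ISP router, so it survives a switch failure.
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

! ---- L3 switch 1 (HSRP active while its uplink to ISP router 1 is up) ----
interface Vlan100
 description PIX outside segment
 ip address 192.168.0.2 255.255.255.0
 standby 1 ip 192.168.0.1
 standby 1 priority 110
 standby 1 preempt
 ! Lose 20 priority points if the ISP-facing port goes down (110 -> 90),
 ! which is below switch 2's 100 and hands the virtual IP to switch 2.
 standby 1 track GigabitEthernet1/1 20
!
interface GigabitEthernet1/1
 description Routed port to ISP edge router 1 (192.168.50.2)
 no switchport
 ip address 192.168.50.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.50.2
! Return path: the inside range is reached via whichever PIX currently holds .254
ip route 10.10.0.0 255.255.0.0 192.168.0.254

! ---- L3 switch 2 (HSRP standby; same pattern towards ISP router 2) ----
interface Vlan100
 description PIX outside segment
 ip address 192.168.0.3 255.255.255.0
 standby 1 ip 192.168.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track GigabitEthernet1/1 20
!
interface GigabitEthernet1/1
 description Routed port to ISP edge router 2 (192.168.60.2)
 no switchport
 ip address 192.168.60.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.60.2
ip route 10.10.0.0 255.255.0.0 192.168.0.254
```

Two things to check before relying on this. First, the provider side still needs a return route: ISP router 1 must reach the addresses the PIX presents (10.10.0.0/16 here, or the PIX's NAT range) via 192.168.50.1 and ISP router 2 via 192.168.60.1, and if the PIX translates to a single public range, both providers must accept traffic for it; that is exactly the provider-side question the thread leaves open. Second, this is active/standby at every layer (one PIX, one switch, one ISP link carrying traffic at a time); spreading load over both links with ECMP, as a.awan mentions, needs both switches to carry both default routes and an inter-switch routed link, which is not shown.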
