Buy or Renew
Buy or Renew
Meraki Community is live! Welcome Meraki Members! Learn more here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
431
Views
0
Helpful
1
Replies

PIX failover without using HSRP

sreddy
Community Member

‎09-22-2004 04:49 PM - edited ‎02-20-2020 11:38 PM

Hi,

I need to know if it is possible to use PIX firewalls with failover capability directly connecting to ISP routers.

We do not have our own edge routers – This means there is no HSRP availability for PIX to route all outside traffic to one single address.

Here are the IP addresses:

PIX - Active outside: 192.168.50.1

ISP Edge router 1: 192.168.50.2

PIX – Active inside: 10.10.0.1

PIX – Standby outside: 192.168.60.1

ISP Edge router 2: 192.168.60.2

PIX – Standby inside: 10.10.0.2

Can I use OSPF routing to make failover work?

What will happen when failover occurs? Will the PIX – Standby outside IP address (192.168.60.1) gets overwritten as 192.168.50.1?

Can I omit the failover IP address outside command to prevent this?

Please let me know if anybody has implemented this kind of solution. Any links or tips will be very helpful.

Thanks,

Shekar

0 Helpful
1 Reply 1

ehirsel
Level 11
Level 11

‎09-24-2004 04:58 AM

You cannot have the pix failover heartbeat for a single interface to span subnets. That is you cannot have the active pix outside interface be on the 192.168.50/24 and the standby unit's outside interface be on the .60/24 network.

You can do any of the following:

1. Implement a layer 2 connection between the pix and the isp edge routers - you will need some help from the ISP as they will need to have both router interfaces toward you on the same subnet. The ISP cand run OSPF or RIP v2 between its edge routers and your pix units. It may be easier for your ISP to use HSRP for the routers if you go with this option, as both will have an interface on a common subnet. The point here is that the pix units do not connect direct to a router.

2. Instead of running two pix units in failover mode, run two that are both active at the same time. However you may need to place a load-balancer between your pix units or you have to be careful how you perform nat/pat on the pix units as traffic that flows thru one active pix may flow thru the other instead. This is more complicated to setup, and without a load-balancer to aid you, it can be near impossible, especially if you only have one provider and one set of public addresses.

In my opinion, option 1 is the easiest to maintain, and troubleshoot.

Let me know if this helps.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card