RE: [nsp] REG: PIX Failover Bundle.

From: Mark Persiko (persiko@bvsd.k12.co.us)
Date: Fri Apr 20 2001 - 14:43:29 EDT


The security architecture of the PIX seems to be
built around NAT, but it's not absolutely required
to use it. There is an option in the "nat" command
to use "nat 0" for a network and it will not translate
that network into a private address pool. Furthermore,
you can use the "static" statement in an identity mode
to allow inbound connections to a network. For example,

    static (inside,outside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0

would allow inbound connections to 192.168.30/24 (not all
connections, mind you - you still need conduits or access lists
to open up ports).

Regarding the failover config: use the "failover link <i/f name>"
command only if you are doing stateful failover, i.e., passing
state information between PIXes over one of the Ethernet links. It's
probably best to do the failover across a separate Ethernet
segment, rather than on the inside net, no? This way, if you
have other network problems on the inside, your failover mechanism
is still safe. I have a 4-port Ethernet card in my PIX 515 and
the last Ethernet interface is named failover, so I use
"failover link failover" in my config.

Thanks,
 Mark

- Mark C. Persiko, persiko@bvsd.k12.co.us
- MIS Dept, Boulder Valley School District
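The two pieces of Mark's reply (identity NAT plus an ACL for inbound, and a dedicated
failover segment for stateful failover) put together as one PIX 5.x/6.x-style config
fragment. This is an added example, not a config from anyone in this thread; the
interface names, the 203.0.113.0/24 outside block, the 10.1.1.0/24 failover segment,
the standby addresses and the "acl_out" name are all assumptions. The "!" lines are
annotations only; remove them before pasting.

```cisco
! Four-port card: last port dedicated to the failover segment (assumed names)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 failover security10

ip address outside 203.0.113.1 255.255.255.0
ip address inside 192.168.30.1 255.255.255.0
ip address failover 10.1.1.1 255.255.255.0

! nat 0: 192.168.30/24 leaves the inside interface untranslated (no global needed)
nat (inside) 0 192.168.30.0 255.255.255.0

! identity static: the same addresses are reachable from outside without translation,
! but only for traffic the outside ACL explicitly permits
static (inside,outside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0

! open only HTTP to the network; everything else inbound stays blocked
access-list acl_out permit tcp any 192.168.30.0 255.255.255.0 eq www
access-group acl_out in interface outside

! failover: serial cable for unit health, Ethernet "failover" link for state
failover
failover ip address outside 203.0.113.2
failover ip address inside 192.168.30.2
failover ip address failover 10.1.1.2
failover link failover
failover poll 15
```

Two things to check after loading this: "show nat" and "show static" should show the 192.168.30/24 entries with no translated pool, and "show failover" should list the failover interface as the stateful link and every monitored interface as Normal on both units. Without the static line, the nat 0 entry alone only lets the network out; without the access-list/access-group pair, the static alone lets nothing in.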

-----Original Message-----
From: A Routerman [mailto:routerman@visto.com]
Sent: Friday, April 20, 2001 9:29 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [nsp] REG: PIX Failover Bundle.

It seems that if any one or more of your ports stop responding - the system
will failover to the standby unit.

I have the standard failover cable between the units as well as an Ethernet
connection between the 520s for stateful information sharing. Works
pretty well.

Ian

-----Original Message-----
From: Vinod Anthony Joseph Cherunni vac@dsqworld.com
Sent: Fri, 20 Apr 2001 13:09:13 +0530
To: cisco-nsp@puck.nether.net
Subject: [nsp] REG: PIX Failover Bundle.

Dear All,

In a PIX 520 failover bundle, wherein both the active and standby units are
populated with a single 4-port 10/100 Ethernet adapter each, does the
failover mean that redundancy is only provided when the active unit fails
(device-level redundancy), or, if a port on the active unit fails,
will a port on the standby unit provide automatic failover?

Kindly enlighten me.

Thanks a lot in advance.

With warm regards,
Vinod.

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:35 EDT