RE: [nsp] REG: PIX Failover Bundle.

From: Danny Sutantyo (dsutanty@dsutanty-wkst.sc.intel.com)
Date: Sat Apr 21 2001 - 15:29:53 EDT


Will PIX Failover function failover the connection? Let's say someone
established the connection from PIX to PIX, and in the middle of the
connection, the PIX fails, and fails over to the other PIX, will that
connection need to be re-established? Or will the connection automatically
move to the diff PIX box?

Thanks
DS

On Fri, 20 Apr 2001, Mark Persiko wrote:

> The security architecture of the PIX seems to be
> built around NAT, but it's not absolutely required
> to use it. There is an option in the "nat" command
> to use "nat 0" for a network and it will not translate
> that network into a private address pool. Furthermore,
> you can use the "static" statement in an identity mode
> to allow inbound connections to a network. For example,
>
> >static (inside,outside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
>
> would allow inbound connections to 192.168.30/24 (not all
> connections, mind you - you still need conduits or access lists
> to open up ports).
>
> Regarding the failover config: use the "failover link <i/f name>"
> command only if you are doing stateful failover, i.e., passing
> state information btwn PIX's over one of the Ethernet links. It's
> probably best to do the failover across a separate Ethernet
> segment, rather than on the inside net, no? This way, if you
> have other network problems on the inside, your failover mechanism
> is still safe. I have a 4-port Ethernet card in my PIX 515 and
> the last Ethernet interface is named failover, so I use
> "failover link failover" in my config.
>
> Thanks,
> Mark
>
> - Mark C. Persiko, persiko@bvsd.k12.co.us
> - MIS Dept, Boulder Valley School District
>
>
>
> -----Original Message-----
> From: A Routerman [mailto:routerman@visto.com]
> Sent: Friday, April 20, 2001 9:29 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] REG: PIX Failover Bundle.
>
>
> It seems that if any one or more of your ports stop responding - the system
> will failover to the standby unit.
>
> I have the standard failover cable between the units as well as an ethernet
> connection between the 520's for stateful information sharing. Works
> pretty well.
>
> Ian
>
>
>
> -----Original Message-----
> From: Vinod Anthony Joseph Cherunni vac@dsqworld.com
> Sent: Fri, 20 Apr 2001 13:09:13 +0530
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] REG: PIX Failover Bundle.
>
>
> Dear All,
>
> In a PIX 520 failover bundle, wherein both the active & standby units are
> populated with a single 4 10/100 Ethernet port adapter each, does the
> failover mean that redundancy is only provided when the active unit fails
> (Device level redundancy), or else if a port on the active unit fails,
> will a port on the standby unit provide automatic failover?
>
> Kindly enlighten me.
>
> Thanks a lot in advance.
>
> With warm regards,
> Vinod.
>
>
>


