RE: [nsp] REG: PIX Failover Bundle.

From: A Routerman (routerman@visto.com)
Date: Sat Apr 21 2001 - 09:12:21 EDT


Not sure if I fully understand your question, but here goes.
When you have two PIX firewalls interconnected in a failover scenario, one is active and one is passive. In order for the PIXes to talk to each other and distinguish themselves, you have to apply a different IP address to the interface and to the failover link. Assume the following:

ip address outside x.x.x.1 255.255.255.0
ip address inside y.y.y.1 255.255.255.0
ip address crosslink z.z.z.1 255.255.255.0
ip address backchannel w.w.w.1 255.255.255.0
failover
failover timeout 0:00:00
failover ip address outside x.x.x.2
failover ip address inside y.y.y.2
failover ip address crosslink z.z.z.2
failover ip address backchannel w.w.w.2
failover link inside

In this scenario you have an outside interface on PIX #1 with an address of x.x.x.1 and a failover address for the outside interface of x.x.x.2. This .2 address becomes the address for the outside interface on PIX #2. You will need to assign different IPs as mentioned above.

Also, this scenario assumes you have a network z.z.z.0 that is an interconnect (100 Mb Ethernet) between your PIXes for stateful failover. In my configs I use the 192.168.10.0 network for the crosslink, 192.168.20.0 for the backchannel and 192.168.30.0 for the inside, then use NAT, PAT and statics as needed. This gives you a large amount of address space to use without having to worry about running out of IPs. As long as you have enough outside public IPs for your globals and statics you are fine.

Hope this helps,

Ian

-----Original Message-----
From: Vinod Anthony Joseph Cherunni vac@dsqworld.com
Sent: Sat, 21 Apr 2001 11:38:17 +0530
To: cisco-nsp@puck.nether.net
CC: routerman@visto.com, persiko@bvsd.k12.co.us, djirku@cisco.com
Subject: RE: [nsp] REG: PIX Failover Bundle.

Dear All,

Thank you everybody for all the valuable advice. As mentioned in the config
by Mr. Ian below:

ip address outside x.x.x.1 255.255.255.0
ip address inside y.y.y.1 255.255.255.0
ip address crosslink z.z.z.1 255.255.255.0
ip address backchannel w.w.w.1 255.255.255.0

failover
failover timeout 0:00:00
failover ip address outside x.x.x.2
failover ip address inside y.y.y.2
failover ip address dmz-web z.z.z.2
failover ip address dmz-auth w.w.w.2
failover link inside

Can't the IP addresses of the interfaces belonging to a particular LAN be
the same for the primary and the secondary (failover) PIX? Otherwise, how
would seamless failover happen? The systems in a LAN (for example the inside
LAN) would be using the IP address of the active PIX interface as their
default gateway, and if that's down, how would all the systems forward to
the IP of the failover PIX? Giving two IP addresses to each system becomes
a little complex.

Note that Adaptive Security remains in effect when using the "nat 0"
command.

Can this be explained to me please? I am a little unclear about it.

Kindly provide your valuable suggestions.

With warm regards,

Vinod.
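The two config fragments in this thread differ only in the interface names on the `failover ip address` lines (crosslink/backchannel in Ian's, dmz-web/dmz-auth in Vinod's). As an added example that is not part of the thread, here is a small Python checker that parses the `ip address` and `failover ip address` lines of a PIX failover block and confirms that every interface has a standby address that is a different host on the same subnet. The addresses are constructed for illustration: Ian's private networks for inside, crosslink and backchannel, and the RFC 5737 documentation block 192.0.2.0/24 standing in for x.x.x.0; the `check_failover` and `parse_config` names are this example's own.

```python
"""Sanity-check a PIX failover address block (added example, not from the thread).

Each interface needs an `ip address` line (the address the active unit uses)
and a matching `failover ip address` line (the address the standby unit uses).
The two must be distinct hosts on the same subnet.
"""
import ipaddress
import re

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
FO_RE = re.compile(r"^failover ip address (\S+) (\S+)$")

# Constructed sample: Ian's fragment with concrete addresses filled in.
IAN_CONFIG = """
ip address outside 192.0.2.1 255.255.255.0
ip address inside 192.168.30.1 255.255.255.0
ip address crosslink 192.168.10.1 255.255.255.0
ip address backchannel 192.168.20.1 255.255.255.0
failover
failover timeout 0:00:00
failover ip address outside 192.0.2.2
failover ip address inside 192.168.30.2
failover ip address crosslink 192.168.10.2
failover ip address backchannel 192.168.20.2
failover link inside
"""

# Constructed sample: Vinod's fragment, where the failover lines name
# interfaces (dmz-web, dmz-auth) that have no `ip address` line.
VINOD_CONFIG = IAN_CONFIG.replace(
    "failover ip address crosslink", "failover ip address dmz-web"
).replace("failover ip address backchannel", "failover ip address dmz-auth")


def parse_config(text):
    """Return ({iface: IPv4Interface}, {iface: IPv4Address}) from config lines."""
    system, standby = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = IP_RE.match(line)
        if m:
            name, addr, mask = m.groups()
            # IPv4Interface accepts the dotted-mask form PIX uses.
            system[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            continue
        m = FO_RE.match(line)
        if m:
            name, addr = m.groups()
            standby[name] = ipaddress.IPv4Address(addr)
    return system, standby


def check_failover(text):
    """Return a list of problems; an empty list means the block is consistent."""
    system, standby = parse_config(text)
    problems = []
    for name, iface in system.items():
        fo = standby.get(name)
        if fo is None:
            problems.append(f"{name}: no failover ip address for this interface")
        elif fo == iface.ip:
            problems.append(f"{name}: failover address equals the system address")
        elif fo not in iface.network:
            problems.append(f"{name}: failover address {fo} not in {iface.network}")
    for name in standby:
        if name not in system:
            problems.append(
                f"{name}: failover ip address for an interface with no ip address line"
            )
    return problems


if __name__ == "__main__":
    for label, cfg in (("Ian", IAN_CONFIG), ("Vinod", VINOD_CONFIG)):
        print(f"{label}: {check_failover(cfg) or 'ok'}")
```

Run against Ian's fragment the checker reports nothing; against Vinod's it flags crosslink and backchannel as having no standby address and dmz-web/dmz-auth as standby addresses for interfaces that were never given an `ip address` line, which is the mismatch worth fixing before enabling failover.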




This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:35 EDT