LAN-based failover session key encryption for PIX

Apr 17th, 2007
My suggestion for session key encryption for a LAN-based failover connection for the PIX is as follows:


A) Physically connect PIX interfaces to a workgroup and/or enterprise Catalyst 6509 switch, IOS 12.2(18)SXF and higher.


B) Assign static IP addresses within the range of the primary and failover PIX units.


C) Configure session key encryption on the workgroup switch and only allow TCP packet segments via IP protocol number 105/SCPS. Then deny all other TCP/IP segments.


The configurations should be as follows:


Company-A-6509#show run
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Company-A-6509
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
no crypto isakmp enable
!
crypto ipsec transform-set encrypt-aes esp-aes esp-sha-hmac
!
! esp-aes takes a 32-hex-digit cipher key and esp-sha-hmac a 40-hex-digit
! authenticator key; the short values below are placeholders, not usable keys
crypto map pix-failover 8 ipsec-manual
 set peer 11.11.11.6
 set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set transform-set encrypt-aes
 match address 101
!
interface GigabitEthernet2/2
 description PIX LAN-based failover interface; access-list applied to IP protocol 105 (SCPS)
 ip address 11.11.11.5 255.255.255.252
 speed 100
 duplex full
 crypto map pix-failover
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 11.11.11.12
!
! protocol 105 is matched as an IP protocol number; "eq" only applies to TCP/UDP ports
access-list 101 permit 105 host 11.11.11.5 host 11.11.11.6
access-list 101 permit 105 host 11.11.11.6 host 11.11.11.5
access-list 101 deny ip any any
!
line con 0
 no login
line aux 0
 no login
line vty 0 15
 exec-timeout 300
 transport input ssh
 login


If possible, try this on a home lab, then verify the results.
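A consistency check for this kind of ipsec-manual fragment, written here as an added example (it is not part of the original post and not a Cisco tool): it parses the transform-set, crypto map and access-list lines, flags session keys whose hex length does not match the transform set, flags `eq` used with a protocol other than TCP/UDP, and flags ACL entries that follow an `ip any any` line and can never match. The two sample configuration strings are constructed for the example: the first mirrors the syntax of the posted configuration, the second is a corrected version whose key values are placeholders.

```python
import re

# Key sizes that IOS "ipsec-manual" crypto maps expect, in hex digits
# (esp-aes = 128-bit key, esp-sha-hmac = 160-bit key). Which transforms
# the table covers is this script's own assumption.
CIPHER_HEX = {"esp-des": 16, "esp-3des": 48, "esp-aes": 32}
AUTH_HEX = {"esp-md5-hmac": 32, "esp-sha-hmac": 40}

TRANSFORM_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-manual")
SET_TS_RE = re.compile(r"set transform-set (\S+)")
SESSION_KEY_RE = re.compile(
    r"set session-key (inbound|outbound) esp (\d+) cipher ([0-9a-fA-F]+)"
    r"(?: authenticator ([0-9a-fA-F]+))?"
)
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+) (.+)")


def lint(config: str) -> list[str]:
    """Return a list of findings; an empty list means the fragment looks consistent."""
    findings: list[str] = []
    transforms: dict[str, list[str]] = {}
    maps: dict[str, dict] = {}
    terminated: set[str] = set()   # ACL numbers that already contain an "ip any any" entry
    current = None                 # crypto map whose sub-commands are being read

    for raw in config.splitlines():
        line = raw.strip()
        if m := TRANSFORM_RE.match(line):
            transforms[m.group(1)] = m.group(2).split()
        elif m := MAP_RE.match(line):
            current = maps.setdefault(m.group(1), {"keys": [], "ts": None})
        elif current is not None and (m := SESSION_KEY_RE.match(line)):
            current["keys"].append(m.groups())
        elif current is not None and (m := SET_TS_RE.match(line)):
            current["ts"] = m.group(1)
        elif m := ACL_RE.match(line):
            acl, proto, rest = m.group(1), m.group(3).lower(), m.group(4)
            if acl in terminated:
                findings.append(f"{line!r}: unreachable, ACL {acl} already ends with an 'ip any any' entry")
            if " eq " in f" {rest} " and proto not in ("tcp", "udp"):
                findings.append(f"{line!r}: 'eq' matches a TCP/UDP port; an IP protocol is written as 'permit 105 host A host B'")
            if proto == "ip" and rest == "any any":
                terminated.add(acl)

    # Session keys are checked once the map's transform set is known.
    for name, info in maps.items():
        ts = transforms.get(info["ts"], [])
        cipher_need = next((CIPHER_HEX[t] for t in ts if t in CIPHER_HEX), None)
        auth_need = next((AUTH_HEX[t] for t in ts if t in AUTH_HEX), None)
        for direction, spi, cipher, auth in info["keys"]:
            if cipher_need and len(cipher) != cipher_need:
                findings.append(f"map {name} {direction} SPI {spi}: cipher key has {len(cipher)} hex digits, {ts} needs {cipher_need}")
            if auth_need and len(auth or "") != auth_need:
                findings.append(f"map {name} {direction} SPI {spi}: authenticator has {len(auth or '')} hex digits, {ts} needs {auth_need}")
    return findings


# Constructed sample: same syntax as the posted configuration.
POSTED = """
crypto ipsec transform-set encrypt-aes esp-aes esp-sha-hmac
crypto map pix-failover 8 ipsec-manual
 set peer 11.11.11.6
 set session-key inbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set session-key outbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set transform-set encrypt-aes
access-list 101 permit ip host 11.11.11.5 host 11.11.11.6 eq 105
access-list 101 permit ip host 11.11.11.6 host 11.11.11.5 eq 105
access-list 101 deny ip any any
access-list 101 permit ip any any
"""

# Constructed corrected sample; the key values are placeholders of the right length.
CORRECTED = """
crypto ipsec transform-set encrypt-aes esp-aes esp-sha-hmac
crypto map pix-failover 8 ipsec-manual
 set peer 11.11.11.6
 set session-key inbound esp 1001 cipher 00112233445566778899aabbccddeeff authenticator 00112233445566778899aabbccddeeff00112233
 set session-key outbound esp 1000 cipher ffeeddccbbaa99887766554433221100 authenticator ffeeddccbbaa99887766554433221100ffeeddcc
 set transform-set encrypt-aes
access-list 101 permit 105 host 11.11.11.5 host 11.11.11.6
access-list 101 permit 105 host 11.11.11.6 host 11.11.11.5
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
    print("corrected sample:", lint(CORRECTED) or "no findings")
```

Run against the posted-style sample the script reports seven findings (two `eq` misuses, one unreachable entry, and a cipher and authenticator length problem for each direction); the corrected sample yields none. The check is deliberately narrow: it validates syntax and key sizes, not whether the crypto map is actually applied to the right interface.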

thomas.chen Mon, 04/23/2007 - 06:23

The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.


The security appliance supports two failover configurations, Active/Active Failover and Active/Standby Failover. Each failover configuration has its own method to determine and perform failover. With Active/Active Failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active Failover is only available on units that run in multiple context mode. With Active/Standby Failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby Failover is available on units that run in either single or multiple context mode. Both failover configurations support stateful or stateless (regular) failover.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

