Help request: Cisco 1801 for fail-over

Oct 17th, 2008

Hi All,


I was wondering if anyone might be able to help me through my fail-over hell!


I'm trying to configure a 1801 router to fail-over between a main connection, via the fa 0 port, and a backup via the ADSL port. I've been able to achieve this with the attached config, using NAT on the router to translate between the two external IP address ranges.


The NAT on the router is configured as:

10.10.0.1 for the VLAN

10.10.0.2 for the PIX (this handles the internal NAT)

10.10.0.3 for the Exchange server.


The PIX then performs its own NAT to the existing internal network. This all seems to work fine, but the client has a second firewall that is used to create a VPN link to another network. I need to be able to keep my fail-over config, but I also need to present the 2nd firewall with a non-NATted / DMZ IP address from the backup link.


Any thoughts, comments or ideas would be greatly appreciated!



mchin345 Thu, 10/23/2008 - 08:42

You will use the Active/Standby failover method to keep your fail-over configuration in the secondary firewall (PIX).

Active/Standby Failover lets you use a standby security appliance to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for a transparent firewall, the management IP address) and MAC addresses of the failed unit and begins to pass traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network. PIX Security Appliances with version 7.x and above support failover.

For further information click this link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#regu


Dean Watson Fri, 10/24/2008 - 04:00

Hi, and thank you for the input, but I think I need to clarify. Failover is not being done on the PIX; it is being done on the Cisco 1801 router between the fa0 interface (primary) and the atm0 (backup) interface.


I have attached a diagram to clarify.


