PIX firewall active/standby pair

Unanswered Question
May 12th, 2009

If there is a need to remove the standby PIX from active-standby position, what are the specific steps to be followed?

It seems removing the standby's physical connections will suffice, but it is not certain if this could cause problems to the normal traffic pattern, which is to be avoided.

Thanks.

suthomas1 Tue, 05/12/2009 - 04:04

Yes, it seems fine. But are there any particular steps to be followed, viz. shut off the failover and other interface on standby first, followed by physical removal?

handsy Tue, 05/12/2009 - 04:29

'no failover' on Active, then switch off Standby et voila!

suthomas1 Tue, 05/12/2009 - 05:40

Thanks. A few more queries:

1. Failover status in ASA shows as standby ready for secondary host. Is it correct? Shouldn't it be just Standby status?

2. static (inside,dmz) 192.168.21.2 192.168.21.2 netmask 255.255.255.255

What is the meaning of this line? I understand that this is used for static translation when external access is required to services hosted inside the network. But then why are the 2 IPs the same?

Thanks.

handsy Tue, 05/12/2009 - 05:59

1. I assume you've issued the 'no failover' command? If so, then the standby unit would display a wait state as it can no longer contact the primary.

2. This sort of static 1:1 translation is done to advertise an IP address or IP addresses externally from an inside network. It's the nature of Cisco firewalls. All IP addresses are hidden until you static or NAT them.
