Two PIX 525 in Active/Active mode

Dec 7th, 2005

Dear all,

I have two PIX 525 firewalls (one with a UR license and the second one with an FO-AA license); the firewalls are running in active/active mode. This set of firewalls is connected to a perimeter router connected to the Internet. My question is: how do I configure the perimeter router to talk to both firewalls at the same time?

I would be very grateful if you could provide me with sample configurations and URLs showing how to configure the perimeter router plus the two PIX in active/active mode.

Thanks a lot for your reply and your help.

Regards,

Khaled

softnetcorp Sat, 12/10/2005 - 01:22

Hi,

Thanks for your reply,

I already read this doc and it does not cover release 7.0; it is related to Active/Standby mode, not to the active/active mode that I am asking about, and how the communication with the perimeter or Internet router will be, plus a sample configuration of the perimeter router to deal with such a scenario.

Hope you get my point.

Regards,

Khaled

haithamnofal Tue, 12/13/2005 - 01:10

Hi Khaled,


I'd suggest you do one thing regarding the routing; since the PIX Active-Active setup doesn't assign a shared virtual IP between the interfaces (as HSRP does, for example), you can configure your default route to be through the IP of the first failover group and configure another route with a higher metric to go through the IP of the other failover group. Here's an example:


Suppose you have two failover groups with the outside interface shared between these groups. Failover group 1 will be active on the first unit, while group 2 will be passive on this unit. Things will be exactly the opposite on the second unit (i.e. group 1 will be passive and group 2 will be active). The active IP of the outside interface on PIX 1 is 192.168.1.1 and it's 192.168.1.2 on PIX 2. Now, configure your default route to be through 192.168.1.1, and a second route through 192.168.1.2 with a higher metric; this will cause all traffic to go through 192.168.1.1 unless there's a failure on this unit. In case you need to use your PIX to load balance traffic, you can configure half of your hosts to go through one IP and the other half to use the other gateway; this also applies if you have different Internet links. Hope this helps.


For info on Active-Active configuration, browse to the following link:


http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm


Best Regards,

Haitham
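As an added example (not posted in this thread and not taken from Cisco's documentation), here is what Haitham's primary-route-plus-higher-metric approach looks like as a Cisco IOS configuration on the perimeter router. Everything except the two PIX outside IPs from the reply (192.168.1.1 for failover group 1, 192.168.1.2 for group 2) is assumed: the interface names, the router's own addresses, the ISP next hop, and the 10.0.1.0/24 and 10.0.2.0/24 networks placed behind each failover group. It goes a step beyond the reply in two ways: the static routes are tracked with an ICMP probe, so the primary is withdrawn when its next hop stops answering rather than only when the link goes down, and the "half the hosts through each gateway" split is shown as a mirrored pair of routes.

```ios
! Perimeter router, Cisco IOS. Added example, not from the thread or Cisco docs.
! Assumed addressing (constructed for this example):
!   Fa0/0  192.168.1.254/24  shared segment with the PIX outside interfaces
!          (failover group 1 active IP = 192.168.1.1, group 2 = 192.168.1.2)
!   Se0/0  link to the ISP, carries the default route only
!   10.0.1.0/24 sits behind the context that belongs to failover group 1
!   10.0.2.0/24 sits behind the context that belongs to failover group 2
!
interface FastEthernet0/0
 description Toward PIX outside interfaces
 ip address 192.168.1.254 255.255.255.0
 no shutdown
!
interface Serial0/0
 description ISP uplink
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! Internet-bound traffic leaves via the ISP; the PIX next hops are used
! only for the prefixes behind the firewalls.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Probe each failover group's active IP. Without tracking, a static route
! stays installed as long as Fa0/0 is up, even if the next hop is silent.
! The PIX must permit echo to its outside interface for the probe to work,
! e.g. "icmp permit host 192.168.1.254 echo outside" in each context.
! (12.3T-era IOS spells these "ip sla monitor N" / "type echo protocol
!  ipIcmpEcho A.B.C.D" and the track line "track N rtr N reachability".)
ip sla 1
 icmp-echo 192.168.1.1 source-interface FastEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.2 source-interface FastEthernet0/0
 frequency 5
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Group 1's network: primary via 192.168.1.1 (installed while track 1 is up),
! floating static via 192.168.1.2 with administrative distance 250, so it only
! enters the routing table once the primary has been withdrawn.
ip route 10.0.1.0 255.255.255.0 192.168.1.1 track 1
ip route 10.0.1.0 255.255.255.0 192.168.1.2 250
!
! Group 2's network: the mirror image, which gives the split the reply
! describes (each half of the traffic prefers a different PIX IP).
ip route 10.0.2.0 255.255.255.0 192.168.1.2 track 2
ip route 10.0.2.0 255.255.255.0 192.168.1.1 250
!
! Checks after applying:
!   show ip route static      -> exactly one next hop per prefix at any time
!   show track brief          -> both tracks "Up" in normal operation
!   show ip sla statistics    -> probe success counters climbing
```

Two notes on the design. First, the reply's "higher metric" is, for IOS static routes, the administrative distance argument (250 above); the primary route has the default distance of 1. Second, PIX failover moves a failover group's active IP and MAC to the surviving unit when that group fails over, so 192.168.1.1 normally stays reachable after a unit failure without any help from the router; the tracked primary and floating backup cover the remaining case, where an address stops answering altogether (for example a failover pair that is itself down or misconfigured), and they make that failure visible in `show track` and syslog rather than leaving a black-holed static route in place.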

