WAAS / Active-Standby PIX Firewalls

brobinson · ‎11-12-2007

Hi -

So we are exploring ways to implement WAAS in our network and our connection into our WAN contains two PIX firewalls in Active/Standby mode with a connection to a single 3560 switch.

I understand WAAS can do failover when connected in a daisychain fashion, but what is we put a WAAS device on each link to the 3560, that way if I PIX fails we can have failover. Would this be feasible? Anyone ever tested something like this?

Thanks!

brobinson · ‎11-12-2007

Forgot to mention also that we would put the devices on the outside of the firewalls. FYI

Zach Seils · ‎11-13-2007

Ben,

The inline module has 2 inline groups, each with a synchronous pair of ports. This allows for redundant physical connections inline through a single WAE.

Zach

rases · ‎11-23-2007

Hi. We have a similar diagram.

We have a stack of switches when connected the internal LAN and DMZ, two ASA5510 in Active/Standby mode and a 2811 router.

We want to put the WAE512 in the inside side of Firewalls managing the traffic of interlan LAN and DMZ, because as we finish the IPSec Tunnels on ASAs we think the WAE can't be located outside the firewalls.

How can we do this??

Our WAE has the Inline network adapter.

Zach Seils · ‎12-03-2007

Rafael,

The WAE can be placed in the inside of the firewalls, so long as the ASAs are running a version of code that supports the 'inspect waas' command. This will allow the ASA to continue to inspect optimized flows.

Zach