The failover works by failing over to an entirely different server in the DR site; that part is already taken care of.
The secondary NIC is to make sure the data is replicating I believe.
The only thing I am concerned about is to make sure the server in the HQ side can communicate with the server in the DR side on the second logical interface.
They do not HAVE to be in the same VLAN, but it would be nice for organizational purposes.
We have several servers on the inside already in an existing VLAN and I was thinking we could keep the logical interface on the DMZ in the same VLAN.
Everything is in its own separate VLAN here, including the firewall inside interfaces, so everything is routed from the core switches via the SVI.
So the default gateway for the 10.10.10.0 VLAN is on the core switch.
On the firewall, I would just route the 10.10.10.0 network to the inside.
If I set up a static NAT to the logical interface DMZ, in the same subnet as the NICs for the servers on the inside network, I will have to put a static route in the core switches to those hosts, and the next hop will be the PIX inside interface (10.10.20.1).
1) If you connect the secondary NIC to an internal VLAN which is routed off the core switch then you have in effect bypassed your firewall, i.e. if somebody could gain access to one of those DMZ servers they would have a direct route into your network.
2) Sorry to be a bit slow but it's been a long day :). I'm not sure why you would need a static NAT if you place the DMZ NICs into the same internal subnet. If you do place them in the same internal subnet 10.10.10.x then traffic from the core switch will just get switched to these servers, i.e. it won't go via the firewall inside interface.
I think I may have misunderstood your last point; if so, please clarify.
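The two points in the reply above can be checked against an address inventory. The following is an added example, not part of the original thread: it flags hosts whose NICs sit both in a core-routed inside VLAN and in the DMZ, and reports whether a given flow would pass the firewall at all. Only 10.10.10.0 and 10.10.20.1 come from the thread; the /24 masks, the DMZ subnet, and the host names and addresses are assumptions.

```python
import ipaddress

# Constructed topology. 10.10.10.0 and 10.10.20.1 are from the thread; the /24
# masks, the DMZ subnet and all host entries are assumptions for illustration.
ZONES = {
    "inside-servers": ipaddress.ip_network("10.10.10.0/24"),
    "fw-inside": ipaddress.ip_network("10.10.20.0/24"),
    "dmz": ipaddress.ip_network("192.168.50.0/24"),
}
# Zones whose gateway is an SVI on the core switch: traffic between or within
# these zones is switched/routed by the core and never reaches the firewall.
CORE_ROUTED = {"inside-servers", "fw-inside"}

HOSTS = {  # constructed inventory: host -> addresses of its NICs
    "hq-app01": ["192.168.50.10", "10.10.10.50"],  # DMZ NIC + replication NIC
    "hq-db01": ["10.10.10.20"],
    "hq-web02": ["192.168.50.11"],
}

def zone_of(addr):
    """Return the name of the zone containing addr, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def bridging_hosts(hosts):
    """Hosts with one NIC in a core-routed zone and another outside it.

    Such a host is a path around the firewall: compromise of its DMZ side
    gives an address on the inside VLAN (point 1 of the reply).
    """
    findings = {}
    for host, addrs in hosts.items():
        zones = {zone_of(a) for a in addrs} - {None}
        if zones & CORE_ROUTED and zones - CORE_ROUTED:
            findings[host] = sorted(zones)
    return findings

def crosses_firewall(src, dst):
    """True only when exactly one endpoint is in a core-routed zone.

    Two inside addresses are handled by the core switch (point 2 of the
    reply); an unknown address is treated as being beyond the firewall.
    """
    return (zone_of(src) in CORE_ROUTED) != (zone_of(dst) in CORE_ROUTED)

if __name__ == "__main__":
    print("bridging hosts:", bridging_hosts(HOSTS))
    print("db01 -> app01 replication NIC via firewall:",
          crosses_firewall("10.10.10.20", "10.10.10.50"))
```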