Our network is going to be redesigned. We have about 50 employees with remote agents using 501.
Our new design will be something like:
INTERNET -- ROUTER -- PIX -- L3 SWITCH -- LAN
My main problem is that there is another router connected to the L3 SWITCH (2651XM). I need to determine when the internet router is down so my data is sent through the 2651XM automatically (using something like HSRP or GLBP if possible). I thought about using a routing protocol but I am not aware that a Pix runs EIGRP (which is what we are currently running) but OSPF.
Here are my questions:
1. Would changing the routing protocol be worth the headache and get the work done?
2. Would you recommend another Pix, ASA or just keeping the one I have?
I would like to know whether changing my existing Pix will benefit my company.
It could work if you ran object tracking on the 2651 and moved it in between the Pix and the 3550. Your default route in the 2651 would be the inside of Pix as long as an icmp track was up to the upstream neighbor of your 1760. When that track failed, the default route would move to your Dallas connection. If I understood you correctly, I think that's what you want, correct me if I'm wrong. This may not be the best solution, but probably the cheapest.
I'd think about investing in a couple of switches - one live and one as a hot standby. Then you can have your internet go into the switch - then use both your routers connected into the switch using HSRP (now VRRP), and then back into your switch and one cable out into your ASA. I would then think about purchasing a second ASA box and have them in an Active-Active config (same as your routers) - and then into your L3 switch. Now the switch at your external facing edge is the single point of failure (but you have a hot standby) - and both your router and your ASA (being the most complicated and critical components) have redundancy. Of course your L3 switch is also a single point of failure which you may also want to look at but is entirely up to the budget :P
Mightymouse, your solution sounds really good but expensive; although, I am open to buying another type of Pix or ASA if needed.
Acomiskey, I understand what you are saying, but the reason why this router is not in between the Pix and the Internet router is because it will handle my PRI and any routing to Dallas; therefore, I just wanted it dedicated to that since it will handle (in the future) a point-to-point connection.
Now, I know that if I run OSPF on the Pix I would probably be able to get the job done. What is your feedback on that?
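Added example, not part of the original thread and not any poster's configuration: a sketch of the ICMP object-tracking failover suggested earlier in the thread, written for the router that holds the default route. All addresses are constructed placeholders from documentation ranges, and the keyword forms assume a newer IOS release (older 12.x images use `ip sla monitor` and `track 1 rtr 1 reachability` instead).

```cisco
! Constructed placeholder addresses (assumptions, not from the thread):
!   192.0.2.1     inside interface of the Pix (primary next hop)
!   198.51.100.1  next hop on the Dallas link (backup path)
!   203.0.113.1   upstream neighbor of the Internet router (probe target)

! Probe the upstream neighbor with ICMP echo every 10 seconds.
ip sla 1
 icmp-echo 203.0.113.1
 frequency 10
ip sla schedule 1 life forever start-time now

! Track object follows the probe. The delays damp flapping so a single
! lost echo does not move the default route back and forth.
track 1 ip sla 1 reachability
 delay down 20 up 60

! Pin the probe target to the primary path. Without this host route the
! probe would follow the backup default after a failover, succeed over
! the Dallas link, and bring the primary route back while it is still down.
ip route 203.0.113.1 255.255.255.255 192.0.2.1

! Primary default route: installed only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1

! Floating backup default via Dallas: the higher administrative distance
! keeps it out of the routing table until the tracked route is withdrawn.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```

The probe only succeeds if the Pix permits the echo replies back to the router, so verify with `show track 1` and `show ip route 0.0.0.0` before relying on the failover.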