02-17-2008 07:28 AM - edited 03-11-2019 05:03 AM
I have a question for the PIX firewall gurus in this forum.
I do not have a pair of UR PIX firewalls to test this,
so I have to ask.
Scenario:
inside network: 192.168.1.0/24
outside network: 129.174.1.0/24
default gateway for inside network: 192.168.1.1
default gateway for outside network: 129.174.1.254
Right now I have a pair of Checkpoint SPLAT firewalls
running in Active/Active mode via Checkpoint ClusterXL.
Network 192.168.1.0/24, when going out to the Internet,
is NATed to the Checkpoint cluster external IP address,
which is 129.174.1.1 (.2 and .3 are the physical IP
addresses of the Checkpoint SPLAT firewalls).
If I initiate an FTP or HTTP connection from, let's say, host
192.168.1.10 to an external site such as 4.2.2.2 or
www.oracle.com and download a 1 GB file, I can see that
the Checkpoint firewall does "load-sharing" on both
firewalls, which is expected. Firewall_1 takes 50%
of the traffic and firewall_2 takes the other 50% of the
traffic from the same host 192.168.1.10.
Now, the customer would like to migrate from Checkpoint to
PIX/ASA and maintain the same load-sharing with PIX/ASA.
Is this possible?
Thanks.
02-17-2008 07:51 AM
Yes, it's possible; you need to configure an Active/Active failover configuration, where both units pass traffic:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html#wp1046889
However, extensive load sharing is not possible.
02-17-2008 11:27 AM
In my "specific" configuration scenario, is it
possible to have 50% of the traffic from
host 192.168.1.10 going through firewall_1 and
the other 50% of the traffic from host
192.168.1.10 going through firewall_2?
Can PIX/ASA do this?
02-17-2008 04:46 PM
Yes, as at one time 1 failover group is active, which constitutes context 1 of the 1st firewall and context 2 of the 2nd firewall.
02-17-2008 05:08 PM
"Yes, as at one time 1 failover group is active, which constitutes context 1 of the 1st firewall and context 2 of the 2nd firewall."
Can you elaborate on this? The host
192.168.1.10 has the default gateway of
192.168.1.1. How can 50% of the traffic from host
192.168.1.10 go out on firewall_1 and
50% of the traffic from host 192.168.1.10 go out
on firewall_2 via one session, like FTP,
SSH or telnet?
I mean truly load-sharing. Let's say when
I download a 1 GB file via secure copy,
SSH, at a rate of, let's say, 90 Mbps, I want
45 Mbps to go through firewall_1 and 45 Mbps
to go through firewall_2, AT THE SAME TIME.
Can you provide an example if it can be done?
Thanks.
02-17-2008 05:23 PM
NO, what you are trying to achieve is not possible.
When you use Active/Active via two or more security contexts, the
internal L3 devices need to have policy routes to the respective context you want to use.
This would allow load sharing based on our definitions for source VLANs and which security
context we want to use on each ASA. For example, if Context A / failover group 1 is used for
odd internal VLANs and Context B / failover group 2 is used for even VLANs, then the internal
policy routing would be as follows:
If source = VLAN odd, then set next hop to failover group 1 IP (Context A)
If source = VLAN even, then set next hop to failover group 2 IP (Context B)
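A concrete version of the odd/even VLAN design described in the answer above, added here as an example; it is not configuration from this thread or from Cisco's documentation. The 192.168.1.0/24 inside network, the 129.174.1.0/24 outside network and the 129.174.1.254 upstream gateway come from the question. Everything else is assumed: ASA 7.2 syntax, interface names, VLAN 10/20 as the "odd" and "even" inside VLANs, a second inside subnet 192.168.2.0/24, the context names ctxA/ctxB, the failover-link addresses, the per-context outside addresses, and an IOS Layer-3 switch as the hosts' default gateway doing the policy routing.

```cisco
! ---- ASA primary unit, system execution space (assumed ASA 7.2 syntax).
! ---- The secondary unit is identical except "failover lan unit secondary";
! ---- everything else is replicated over the failover link.
mode multiple                         ! reboots the unit; needs a multi-context license
!
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10       ! inside VLAN 10 (odd)  -> ctxA
 vlan 10
interface GigabitEthernet0/0.20       ! inside VLAN 20 (even) -> ctxB
 vlan 20
interface GigabitEthernet0/1          ! single outside segment 129.174.1.0/24, shared by both contexts
 no shutdown
interface GigabitEthernet0/2          ! assumed LAN failover link
 no shutdown
interface GigabitEthernet0/3          ! assumed stateful failover link
 no shutdown
!
mac-address auto                      ! shared outside interface: each context needs its own MAC
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link statelink GigabitEthernet0/3
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover interface ip statelink 10.0.1.1 255.255.255.252 standby 10.0.1.2
failover group 1                      ! normally active on the primary unit
 primary
 preempt
failover group 2                      ! normally active on the secondary unit
 secondary
 preempt
failover
!
admin-context admin
context admin
 config-url disk0:/admin.cfg
context ctxA
 allocate-interface GigabitEthernet0/0.10 inside
 allocate-interface GigabitEthernet0/1 outside
 config-url disk0:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/0.20 inside
 allocate-interface GigabitEthernet0/1 outside
 config-url disk0:/ctxB.cfg
 join-failover-group 2
!
! ---- disk0:/ctxA.cfg (context A, failover group 1, serves VLAN 10)
hostname ctxA
interface inside
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0 standby 192.168.1.252
interface outside
 nameif outside
 security-level 0
 ip address 129.174.1.1 255.255.255.0 standby 129.174.1.2
 asr-group 1                          ! re-home return packets that land on the other context
route outside 0.0.0.0 0.0.0.0 129.174.1.254 1
global (outside) 1 interface          ! PAT to this context's own outside address
nat (inside) 1 192.168.1.0 255.255.255.0
!
! ---- disk0:/ctxB.cfg (context B, failover group 2, serves VLAN 20)
hostname ctxB
interface inside
 nameif inside
 security-level 100
 ip address 192.168.2.253 255.255.255.0 standby 192.168.2.252
interface outside
 nameif outside
 security-level 0
 ip address 129.174.1.3 255.255.255.0 standby 129.174.1.4
 asr-group 1
route outside 0.0.0.0 0.0.0.0 129.174.1.254 1
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
!
! ---- Inside Layer-3 switch (assumed IOS): hosts use the SVI as gateway,
! ---- PBR picks the context by source VLAN, as the answer describes.
ip access-list extended VLAN10-SRC
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VLAN20-SRC
 permit ip 192.168.2.0 0.0.0.255 any
route-map PBR-ODD permit 10           ! odd VLAN  -> failover group 1 (ctxA)
 match ip address VLAN10-SRC
 set ip next-hop 192.168.1.253
route-map PBR-EVEN permit 10          ! even VLAN -> failover group 2 (ctxB)
 match ip address VLAN20-SRC
 set ip next-hop 192.168.2.253
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip policy route-map PBR-ODD
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 ip policy route-map PBR-EVEN
ip route 0.0.0.0 0.0.0.0 192.168.1.253   ! fallback for traffic no route-map matches
```

Two points worth keeping in mind when reading this: the sharing is per VLAN, so every flow (and every host) from 192.168.1.10 always traverses ctxA, which is exactly why the single-session 45/45 Mbps split asked about above cannot happen. When one unit fails, its failover group becomes active on the surviving unit, which then carries both contexts, and because the state link replicates connection tables per group, existing sessions survive the move. The asr-group lines cover the case where the upstream router hands a return packet to the "wrong" context's outside interface; without stateful failover that packet would simply be dropped. `show failover` on either unit shows which unit is active for each group.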
02-17-2008 05:42 PM
I think I got the idea. Basically, ASA
Active/Active is somewhat similar to HSRP,
not exactly the same but similar.
When ASA means Active/Active, it means that
it will load-balance traffic for two different networks behind the ASA firewalls, similar to
HSRP:
R1:
int f0/1
ip address 10.1.1.2 255.255.255.0
ip address 10.1.2.2 255.255.255.0 secondary
standby 10 ip 10.1.1.1
standby 10 priority 105
standby 10 preempt
standby 10 authentication cisco1
standby 10 name HSRP_1
standby 20 ip 10.1.2.1
standby 20 priority 95
standby 20 preempt
standby 20 authentication cisco2
standby 20 name HSRP_2
R2:
int f0/1
ip address 10.1.1.3 255.255.255.0
ip address 10.1.2.3 255.255.255.0 secondary
standby 10 ip 10.1.1.1
standby 10 priority 95
standby 10 preempt
standby 10 authentication cisco1
standby 10 name HSRP_1
standby 20 ip 10.1.2.1
standby 20 priority 105
standby 20 preempt
standby 20 authentication cisco2
standby 20 name HSRP_2
Basically, I can have network 10.1.1.0/24
go through R1 while network 10.1.2.0/24
goes through R2, thus achieving
load-sharing.
In other words, ASA uses a similar technique
to HSRP.
Is that the correct assumption? Thanks.
02-17-2008 07:17 PM
You got it.