Re: PIX 515E failover pair - is this setup possible? (Please see

networking · ‎12-20-2006

Hi All,

We've been asked to configure a pair of PIX's for a site, and they've just been delivered to us, however they neglected to mention that they are a failover pair, AND they only have 2 Interfaces!

The Two PIX's will be in two geographically seperate buildings (connected with Fibre's)

We need to configure them so that their Outside interfaces are on different subnets... e.g.

Primary Outside = 10.0.0.2/30

Secondary Outside = 10.0.0.6/30

Also, as we only have two Interfaces, can we set up a LAN based Failover with the failover running over a VLAN out of the Inside Interface?

I have attached an example Diagram of what we are trying to do.

Many Thanks

Nick

networking · ‎12-21-2006

Bump.

Can anyone advise as to whether we can use a VLAN subinterface for the failover LAN?

Cheers,

Nick

m-haddad · ‎12-21-2006

Hello,

First of all, all interfaces of the failover and the primary should be on the same subnet. Therefore, the scenario won't work if you have two PIX with different subnets.

As for the failover LAN you need to use a dedicated ethernet interface. You can't use VLAN for this purpose .

Below you can find a link that shows what are the requirements for PIX Failover configuration:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708d8.shtml

This is what is noted in the document

"You have to dedicate an Ethernet interface (and switch ports) to the failover link, and the interface cannot be used for regular traffic. "

Hope this helps and appreciate your rating,

Regards,

PIX 515E failover pair - is this setup possible? (Please see inside)