Re: Two Gateway

Phoungsakdavin · ‎04-09-2006

Hello,

This is just a local network. I have 5 Switches 2950G which are connected to each other via fiber optic cable. Those Switches connect to their own PC user . There are two Pix 515e connect to the switches.

-Pix 1: connect to a primary server.

-Pix 2: connect to a backup server.

Pix 1 function as a DHCP Server, all clients get the ip address from the pix 1. So the default gateway of every PC is Pix 1's outside ip address.

When the primary server is getting down, the secondary server become active. The problem is how all users pc access to backup server when their default gateway is pix 1's ip address?

Any feed back or solution would be appreciated.

Regards,

VIN

pkhatri · ‎04-10-2006

Vin

Have you considered the use of PIX firewall failover:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72f.html#wp1024836

That seems to be just what you need.

Pls remember to rate posts.

Paresh

Phoungsakdavin · ‎04-10-2006

Paresh,

Thanks for your prompt reply. That is a good solution, but these two Pix do not have failover function. Is there any other possible way?

Regards,

VIN

pkhatri · ‎04-10-2006

Vin,

Probably the only thing I can think of is to put a router between the users and the PIXs. Then, all your clients can just point their default gateway at the router and the router can switch between the PIXs if one of them goes down...

Paresh

Phoungsakdavin · ‎04-10-2006

Ok, good idea. So do you think where should the router stay at? and how to route?

one more question,beside adding a router, can we do something on the switches?

Please check the attached file.

Regards,

VIN

Phoungsakdavin · ‎04-10-2006

please find the attached file.

pkhatri · ‎04-10-2006

Well, you simply need a router with a FastEthernet port that supports dot1q trunking. Then, you could create a sub-interface on the router that is on the same VLAN as your clients. You could create another sub-interface that is on the same VLAN as the PIXes. So you would have to move the PIXes over to this new VLAN. The router would then have default routes pointing to the two PIXes. You could use reliable static routes to detect when the link through the primary PIX goes down so that you can switch to the secondary PIX.

Also, you can configure a DHCP server on the router ...

Pls do remember to rate posts...

Paresh

Phoungsakdavin · ‎04-10-2006

Paresh,

It seems i have to configure vlan in the system. In fact, i don't want to change something especially VLAN configuration, coz i have to restructure some part of the system. Could you check the diagram.

Regards,

VIN

pkhatri · ‎04-10-2006

Well, you will need to do a bit of re-jigging to make this work. Could you advise how your VLANs are setup at the moment, which devices belong to which VLAN etc ?

Paresh.

Phoungsakdavin · ‎04-10-2006

Paresh,

Currently, there is no VLAN configuration on the system.

Regards,

VIN

pkhatri · ‎04-10-2006

Vin,

I'm not sure I understand your setup fully... How do the clients get to the servers ? Are the servers on a separate IP subnet to the clients ? They would have to be since they are sitting on different sides of the firewalls...

Paresh

Phoungsakdavin · ‎04-10-2006

Paresh,

Well, the clients and servers are in seperate ip subnet. This is just a normal configuration on the PIXes. We have a special application software to get to the servers.So we just map ip address and port it is ok.

Any more info, please let me know.

Regards,

VIN

pkhatri · ‎04-10-2006

Ok, Vin, I get it now...

I don't believe there's any where to put a router in the middle without creating additional VLANs...

Paresh

Phoungsakdavin · ‎04-10-2006

Ok, let me try your solution. I am going to put a routing and create VLANs soon as your advice.

Any problem, can i get to you back?

Regards,

VIN

pkhatri · ‎04-10-2006

Absolutely... assistance is provided for free around here :-)

Paresh