A dedicated LAN interface and a dedicated switch/hub (or VLAN) is required to implement LAN-based failover. You cannot use a crossover Ethernet cable to connect the two PIX Firewalls.
Any special reason you can not use a crossover cable? (Not that it is any problem to implement this with a hub or switch, I'm just curious about it.)
Another thing that kind of bothers me is configuration of secondary failover unit when using certificates w/ IPSec. Does that mean that now the private key can be sniffed on this hub/switch? As far as I know there is no way to get the private key in a standalone (single PIX) configuration, but in failover since you don't configure anything on the secondary unit, this key must somehow be transmitted over a (less secure?) link?
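As an added illustration (not part of the original post, and not a Cisco-supplied example), the bootstrap a LAN-based failover pair needs on the primary unit, written in PIX 6.2+ syntax as the editor understands it; the interface name, addresses and the shared secret are constructed placeholders. The relevant point for the concern raised above is the `failover lan key` line: it sets a shared secret that both units must carry, so the failover messages crossing the dedicated switch or VLAN are authenticated and encrypted rather than sent in the clear.

```text
! Dedicated failover interface on its own switch/VLAN (constructed names/addresses)
nameif ethernet2 failover security10
ip address failover 192.168.254.1 255.255.255.0
failover ip address failover 192.168.254.2

! LAN-based failover settings (primary unit)
failover lan unit primary
failover lan interface failover
! Shared secret: must match on the secondary unit; protects the
! configuration replication traffic on the failover link
failover lan key CHANGE-ME-shared-secret
failover lan enable
failover
```

A quick check after both units are up is `show failover`: the output should list the LAN interface and state it as up and the secondary as standby ready. If the key is missing or mismatched, the units do not pair, which is the desired failure mode for a link that carries replicated configuration.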