Config of 2 PIX FW on the same private network but separated geographically
I have an NS location connected to an SS location via T-1. I have an NS PIX515 6.3 and an SS PIX525 6.3. The NS PIX is the original PIX and has been in place for a couple of years. We have 2 internet connections, 1 on the SS and 1 on the NS. The SS has the new PIX525 and the new internet connection. I want SS users to use SS internet and NS users to use NS internet, but if SS fails then SS users will still be able to access NS internet and vice versa. The 2 internet ISPs are 2 different companies. Any sample configs and/or best practice? We will also be adding a DMZ after we get the initial config working. Suggestions?
Re: Config of 2 PIX FW on the same private network but separated
You will need to use a router running BGP or a similar protocol, as the PIX itself will at best only listen to RIP updates. Even so, it cannot be used as a true router and will only route packets traversing its interfaces, not in one-armed mode. Your clients in SS should point to this router as their default gateway, which will then decide which gateway to use (PIX or router to NS). You could use the NS-SS T1 routers for this if they have enough memory and the correct IOS feature set.
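One way to build the "router decides" design from the reply, as an added example that is not from the thread or any Cisco document: tracked static routes on the SS router, using IP SLA object tracking rather than BGP (which needs ISP cooperation and a larger IOS image). It assumes the documentation/private addresses given in the comments and an IOS release that supports `ip sla` and `track`; the mirror-image config goes on the NS router.

```cisco
! Added example (not from the thread): SS-site router as the clients' default gateway.
! Assumed addressing: SS LAN 192.168.20.0/24 (router 192.168.20.1), NS LAN 192.168.10.0/24,
! SS PIX inside 192.168.20.2, NS router's T-1 address 10.255.0.1, SS ISP next hop 203.0.113.1.
!
! Probe the SS ISP's next hop *through* the local PIX, so both a PIX outage and an ISP
! outage trigger failover. The PIX must permit ICMP echo from the router's address
! (and NAT it), otherwise the probe fails permanently and all SS users go out via NS.
ip sla 1
 icmp-echo 203.0.113.1 source-ip 192.168.20.1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Only declare the path down after 30 s of failed probes and up after 60 s of success,
! so a single lost packet does not flap every user between two stateful firewalls.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Primary default route: the local PIX, withdrawn automatically when track 1 goes down.
ip route 0.0.0.0 0.0.0.0 192.168.20.2 track 1
!
! Floating default route (administrative distance 250): across the T-1 to the NS router,
! whose own default route leads to the NS PIX. Only installed while the primary is gone.
ip route 0.0.0.0 0.0.0.0 10.255.0.1 250
!
! Keep site-to-site traffic on the T-1 regardless of which default route is active.
ip route 192.168.10.0 255.255.255.0 10.255.0.1
!
! NS router: same pattern with its own probe to the NS ISP, primary default to the NS PIX,
! floating default to 10.255.0.2 (this router's T-1 address).
```

Because each PIX translates to its own ISP address space, a failover changes the source address of every SS session and established TCP connections will be dropped by the new PIX's stateful inspection; the return path is symmetric by construction, since replies come back to whichever PIX performed the NAT.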