12-30-2005 08:29 AM - edited 03-09-2019 01:29 PM
My current PIX failover solution consists of a small public WAN IP block and internal private IP addresses. I assign public IP addresses to each outside PIX interface and use the rest for the outside (WAN side) switch and for NAT. I can do this since my Internet connection is an ethernet circuit rather than the more traditional T1 point-to-point circuit which only allows for 2 usable IP addresses.
My problem is that we are switching ISPs and the new ISP refuses to provide more than two IPs for the ethernet circuit. Even though it can be done from a technical perspective they say that they will not do it due to administrative reasons.
What can I do to keep my current redundant outside PIXes if I only have one public IP address available?
I guess that what I can do is to assign a private IP to the secondary PIX and switch. The secondary should still be able to switch to the primary's public IP, no? Downside is that I can't manage the secondary from the outside when not failed over.
Will this work? Are there better options?
Thanks,
Diego
12-30-2005 09:08 AM
Your new ISP is lousy, but you already know that.
The solution you proposed with having a public IP on one PIX and a private on the secondary PIX will not work. The secondary PIX needs its IP address in the same subnet because the PIX exchanges keepalives between the interfaces, so if they are not in the same subnet they will not be able to do the exchange.
A possible weak solution might be to put a private IP on both of the firewalls and then do PAT on some device in front of the firewalls, but that will prevent you from managing either of the FWs remotely and will probably be problematic.
The best solution would be to start escalating your issue with your ISP until they provide you with a second IP address in the same subnet.
-Mark
12-30-2005 10:38 AM
Is the IP keepalive issue still valid if I am using the dedicated cable for failover?
Diego
12-30-2005 11:27 AM
Yes, it is still an issue. The dedicated cable does config sync and a couple of other things. The main problem with two different IP subnets on the outside interface is that they won't be able to do keepalives, so failover will not be able to occur because one of the NICs (on the secondary PIX I think) will be down.
-Mark
12-31-2005 09:03 AM
Thanks Mark.
Guess I will need to start my new year by hassling the ISP.
Happy New Year!
Diego
01-01-2006 08:20 PM
Hi Diego,
There is a fix to this until you get an IP address. You can assign any fake IP in the same range as your public IP. This IP though will not be reachable from outside, but the PIXes will be able to talk to each other and will be able to share the keepalives.
Thanks,
Arun
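To make the same-subnet requirement Mark and Arun describe concrete, here is an added configuration example (not taken from this thread or from any poster) in PIX 6.x syntax, with the non-working and working standby settings side by side. All addresses are constructed documentation addresses (203.0.113.0/29 outside, 10.0.0.0/24 inside); your real block and mask will differ.

```text
! Added example, not from the thread. Constructed addresses only.
!
! Does NOT work: the standby outside address is in a different (private)
! subnet, so the two units cannot exchange interface keepalives on the
! outside interface and that interface is reported down on the standby.
ip address outside 203.0.113.2 255.255.255.248
failover ip address outside 192.168.100.2

! Works: the standby outside address is in the same subnet as the active
! address. It is only used for keepalives and for the standby unit's own
! traffic; after a failover the new active unit takes over 203.0.113.2.
ip address outside 203.0.113.2 255.255.255.248
failover ip address outside 203.0.113.3
ip address inside 10.0.0.1 255.255.255.0
failover ip address inside 10.0.0.2
failover
```

Whether 203.0.113.3 is routable from the Internet only affects remote management of the standby unit, not the keepalive exchange; the address still has to fall inside the mask configured on the outside interface.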
01-02-2006 05:00 AM
Sounds like a good option to explore.
Thanks!
Diego