failover with one public IP?

tato386
Level 6

My current PIX failover solution consists of a small public WAN IP block and internal private IP addresses. I assign public IP addresses to each outside PIX interface and use the rest for the outside (WAN side) switch and for NAT. I can do this since my Internet connection is an ethernet circuit rather than the more traditional T1 point-to-point circuit, which only allows for 2 usable IP addresses.

My problem is that we are switching ISPs and the new ISP refuses to provide more than two IPs for the ethernet circuit. Even though it can be done from a technical perspective they say that they will not do it due to administrative reasons.

What can I do to keep my current redundant outside PIXes if I only have one public IP address available?

I guess that what I can do is to assign a private IP to the secondary PIX and switch. The secondary should still be able to switch to the primary's public IP, no? Downside is that I can't manage the secondary from the outside when not failed over.

Will this work? Are there better options?

Thanks,

Diego

6 Replies

m.mcconnell
Level 1

Your new ISP is lousy, but you already know that.

The solution you proposed with having a public IP on one PIX and a private on the secondary PIX will not work. The secondary PIX needs its IP address in the same subnet because the PIX exchanges keepalives between the interfaces, so if they are not in the same subnet they will not be able to do the exchange.

A possible weak solution might be to put a private IP on both of the firewalls and then do PAT on some device in front of the firewalls, but that will prevent you from managing either of the FWs remotely and will probably be problematic.

The best solution would be to start escalating your issue with your ISP until they provide you with a second IP address in the same subnet.

-Mark

Is the IP keepalive issue still valid if I am using the dedicated cable for failover?

Diego

Yes, it is still an issue. The dedicated cable does config sync and a couple of other things. The main problem with two different IP subnets on the outside interface is that they won't be able to do keepalives, so failover will not be able to occur because one of the NICs (on the secondary PIX, I think) will be down.

-Mark

Thanks Mark.

Guess I will need to start my new year by hassling the ISP.

Happy New Year!

Diego

arunsing
Level 1

Hi Diego,

There is a fix to this until you get an IP address. You can assign any fake IP in the same range as your public IP. This IP, though, will not be reachable from outside, but the PIXes will be able to talk to each other and will be able to share the keepalives.

Thanks,

Arun
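What the workaround above looks like as a PIX 6.x serial-cable failover configuration. This is an added illustration, not a config posted by anyone in the thread. It assumes the ISP's segment is a /29 (203.0.113.0/29, an RFC 5737 documentation range) in which the ISP uses .1 for its router and has allocated only .2 to the customer; the unallocated .3 is used as the standby address so the two PIXes share a subnet and can exchange keepalives. The interface names and the inside addressing are likewise assumptions. Note the arithmetic caveat: if the ISP hands over a true /30, there is no spare host address at all (network, ISP router, customer, broadcast), so this trick needs the ISP's segment to actually be wider than the two addresses they are willing to allocate.

```cisco
! Primary PIX (PIX 6.x syntax). Addresses are assumptions for this example.
hostname pix-primary
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! Outside interface gets the one address the ISP allocated.
! The mask must cover the standby address below, or the units
! will not see each other as being on the same subnet.
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0

! Default route via the ISP router (assumed to be .1).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Serial-cable failover: enable it and set the addresses the
! standby unit will hold. 203.0.113.3 is the "fake" address from
! the thread: unused on the ISP side, but valid on the shared segment,
! so keepalives between the outside interfaces work.
failover
failover poll 15
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.2

! After the secondary is cabled and powered on, verify on the primary:
!   show failover
! Expected: "This host: Primary - Active", "Other host: Secondary - Standby",
! with the outside interface listed as Normal on both units.
```

With cable-based failover the secondary unit receives this configuration from the primary, so nothing beyond the cable and matching hardware is needed on it. On failover the units swap addresses: the newly active unit takes 203.0.113.2 and the old primary (if still up) drops back to 203.0.113.3, which is why the public IP keeps working while the standby address stays unreachable from the Internet. Check that the chosen standby address is not the ISP router's address and is not something the ISP might later allocate to another customer on the same segment, since an address conflict there would take the outside interface of one unit down and trigger exactly the failover you are trying to protect against.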

Sounds like a good option to explore.

Thanks!

Diego
