My current PIX failover solution consists of a small public WAN IP block and internal private IP addresses. I assign public IP addresses to each outside PIX interface and use the rest for the outside (WAN side) switch and for NAT. I can do this since my Internet connection is an ethernet circuit rather than the more traditional T1 point-to-point circuit, which only allows for 2 usable IP addresses.
My problem is that we are switching ISPs and the new ISP refuses to provide more than two IPs for the ethernet circuit. Even though it can be done from a technical perspective they say that they will not do it due to administrative reasons.
What can I do to keep my current redundant outside PIXes if I only have one public IP address available?
I guess that what I can do is to assign a private IP to the secondary PIX and switch. The secondary should still be able to switch to the primary's public IP, no? Downside is that I can't manage the secondary from the outside when not failed over.
The solution you proposed with having a public IP on one PIX and a private on the secondary PIX will not work. The secondary PIX needs its IP address in the same subnet because the PIX exchanges keepalives between the interfaces, so if they are not in the same subnet they will not be able to do the exchange.
A possible weak solution might be to put a private IP on both of the firewalls and then do PAT on some device in front of the firewalls, but that will prevent you from managing either of the FWs remotely and will probably be problematic.
The best solution would be to start escalating your issue with your ISP until they provide you with a second IP address in the same subnet.
Yes, it is still an issue. The dedicated cable does config sync and a couple of other things. The main problem with two different IP subnets on the outside interface is that they won't be able to do keepalives, so failover will not be able to occur because one of the NICs (on the secondary PIX, I think) will be down.
There is a fix to this until you get an IP address. You can assign any fake IP in the same range as your public IP. This IP though will not be reachable from outside, but the PIXes will be able to talk to each other and will be able to share the keepalives.
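As an added illustration (not part of this thread, and not Cisco's code), the following script checks the same-subnet rule the replies above describe: the standby address must fall inside the subnet configured on the active PIX's outside interface, and must not be the network, broadcast, active or gateway address. The addresses are constructed from the 203.0.113.0/24 documentation range; the /30 case shows why a two-address ISP allocation leaves no room for a standby address at all.

```python
import ipaddress


def check_failover_pair(active: str, standby: str, mask: str, gateway: str):
    """Return (ok, reason) for a proposed active/standby pair on one PIX interface.

    PIX failover keepalives only work when the standby address lies in the same
    subnet as the active address, so that is the first thing checked; the rest
    are ordinary address-hygiene rules that would also break the pair.
    """
    net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    a = ipaddress.ip_address(active)
    s = ipaddress.ip_address(standby)
    g = ipaddress.ip_address(gateway)
    if s not in net:
        return False, f"standby {s} is not in {net}; keepalives will fail"
    if s in (net.network_address, net.broadcast_address):
        return False, f"standby {s} is the network or broadcast address of {net}"
    if s == a:
        return False, "standby must differ from the active address"
    if s == g:
        return False, f"standby {s} collides with the gateway {g}"
    return True, f"standby {s} is usable in {net}"


def spare_addresses(active: str, mask: str, gateway: str):
    """List host addresses in the interface subnet not taken by the PIX or gateway."""
    net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
    used = {ipaddress.ip_address(active), ipaddress.ip_address(gateway)}
    return [str(h) for h in net.hosts() if h not in used]


if __name__ == "__main__":
    # Constructed scenario 1: ISP hands out a /30 (gateway .1, PIX .2) -> nothing left.
    print("/30 spares:", spare_addresses("203.0.113.2", "255.255.255.252", "203.0.113.1"))
    print(check_failover_pair("203.0.113.2", "203.0.113.3", "255.255.255.252", "203.0.113.1"))
    # Constructed scenario 2: a /29 block (gateway .9, PIX .10) leaves room for a standby.
    print("/29 spares:", spare_addresses("203.0.113.10", "255.255.255.248", "203.0.113.9"))
    print(check_failover_pair("203.0.113.10", "203.0.113.11", "255.255.255.248", "203.0.113.9"))
    # A private standby address, as first proposed in the thread, fails the subnet check.
    print(check_failover_pair("203.0.113.10", "10.0.0.2", "255.255.255.248", "203.0.113.9"))
```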