You need to take care of load-balancing in the network - half of your traffic needs to be pointed to 10.10.10.3 and the other half should be pointed to the 10.10.10.4 address, and the same thing goes for the external interface. Now the question is how you can achieve that? For that you need to have a layer III device - a router on the inside and outside, and you can configure policy routing or equal cost path on the router to load share the traffic.
On the PIX, you need to configure Active/Active FO with ASR turned on, which will take care of the session information replication between the PIXen.
Please let us know if you have any follow-up questions.
I was actually trying to work on an Active-Active configuration in a similar environment. As you know, you need to operate your 2 PIX units in multiple mode by configuring at least 2 contexts. The problem is that different security contexts cannot share some of the configurations like NATting and static translation; this means that you won't be able to publish your DMZ public servers on the 2 contexts because Cisco is expecting you to configure 2 totally different subnets on each context. So, please be aware of that and take this into consideration.
I'm aware of the asymmetric support, but I'm here talking about the possibility of the different contexts (let's assume we've only 2) to support the same internal network. Suppose you've one internal subnet 10.10.10.0/24 and a DMZ with some public services with only one internet link... Now you want to publish your servers on the public network plus you want to configure Global translation for your internal network; what I'm sure of is that you'll get an error when configuring the same address translation on both contexts. This means that the Active-Active is designed for supporting different networks and not for the same internal network. Please correct me if I'm wrong.