Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
443
Views
0
Helpful
7
Replies

Is it possible to configure PIX Failover with three or more PIX boxes?

pmoy
Level 1
Level 1

‎07-14-2003 07:49 AM - edited ‎02-20-2020 10:51 PM

Hello everyone,

One of my networks is spread over two locations in NY City. Verizon is providing me a OC-12 fiber handoff so that I can extend one of my VLAN's across these two offices.

The current release of the PIX software supports failover via Ethernet which gives me an option to place a PIX at each location to back each other up.

However, I really don't feel comfortable having a only a single PIX in my main office.

An ideal solution would be to have 2 PIX'es in my main office and one in the remote all talking with one another. They will share all the same ACL's.

Has anyone ever see or heard of such a "clustered" implementation with PIX?

Thanks,

-Peter

0 Helpful
7 Replies 7

tbissett
Level 1
Level 1

‎07-14-2003 08:31 AM

I don't think it's possible, mainly because the PIX commands specify a Primary unit and a failover unit, and there are no commands to add a third failover unit.

Your best bet would be to implement Primary-Failover pairs at each office, then use dynamic routing to determine the optimum path to the Internet.

0 Helpful

tvanginneken
Level 4
Level 4

‎07-14-2003 11:29 AM

Hi,

this is not possible with the Pix failover bundle.

Two is the maximum for that kind of setup.

If you want more than two pixes in a fail-over setup, you will need third party equipment like Alteon or Radware. I don't think that this supports statefull failover, so existing connection will be lost.

Kind Regards,

Tom

0 Helpful

dlockerby
Level 1
Level 1

‎07-14-2003 12:16 PM

Currently, the PIX failover option only works with one additional PIX and is setup in an active/standby scenario. If you want to have more than one "failover" PIX, you will need to introduce a third-party (or Cisco) load-balancer.

We utilize F5 Big IP products to intelligently switch traffic to/from our PIX firewalls. We looked at Radware (great product), however the F5 BIg IP product line was a better fit for our IT needs.

Look at the following F5 products: Big IP Application Switch 1000, Big IP Link Controller, and Big IP Fireguard switches. We chose the Link controllers to go behind our routers and in front of our PIX firewalls. We chose the Big IP Application Switch vs. the Big IP Fireguard 520 to go behind our PIX firewalls. The above scenario creates a "firewall sandwich" where all inbound and outbound traffic gets balanced between mulitple firewalls. You have both static and dynamic ways to load balance traffic.

0 Helpful

pmoy
Level 1
Level 1
In response to dlockerby

‎07-14-2003 12:23 PM

Thank you all for the replies. This certainly gives me a better understanding of what needs to be done.

-Peter

0 Helpful

l.mourits
Level 5
Level 5
In response to pmoy

‎07-14-2003 12:57 PM

Peter,

I would like to add another solution to your problem

Why not keep it simple, take three Cisco routers, with IP firewall feature set, and configure them as your firewalls, and use HSRP as your backup maganisme on your inside, and configure BGP on your outside.

It´s just a thought of course.

Okay, you would not have statefull failover

Kind Regards,

Leo

0 Helpful

dlockerby
Level 1
Level 1

‎07-14-2003 01:22 PM

F5 Link Controllers will allow multi-homing to ISPs without having to introduce BGP. F5's algorithms offer much more granularity in selecting the best path to a destination vs. BGP. Downside is that F5 products can be expensive.

0 Helpful

pmoy
Level 1
Level 1
In response to dlockerby

‎07-15-2003 05:38 AM

More details regarding our network.

Thank you all for the suggestions.

Our PIX implementation actually does not involve Internet access and ISP's.

We have two sites, a primary and a backup. We have customers that run private dedicated lines into the primary and backup offices.

Up until this point, some customers would run 2 private lines into the main office for redundancy, then another one or two lines into the backup office for failover in case we lose the main office.

As you can imagine, the cost to run these lines adds up.

What we have done for some customers is have them run one line into our main office, and a backup line into our other office. If we lose the main circuit, we re-route via an internal WAN and reconnect to the customer using their circuit in the backup office.

I have a 3 PIX'es that sit in between the customer network from the internal network. A main failover pair in the main office, and a single PIX in the backup office.

I have to duplicate all the ACL's between the two PIX'es. Now that we are getting OC-12 connectivity between our offices, my thinking is to combine this customer VLAN between the sites and use one PIX pair to control all inbound traffic. But having only one PIX at the main site is not making me comfortable.

-Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card