Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
747
Views
5
Helpful
3
Replies

PIX fail over and HSRP integration

bapatsubodh
Level 1
Level 1

‎05-25-2006 08:59 AM - edited ‎02-21-2020 12:55 AM

This is regarding PIX failover and HSRP put together to have 100 % redundancy. Device connectivity is like this . Two routers having serial links to separate ISP’s ( R1 and R2 ). . Ethernet ports of these routers connected to two separate switches.( outside-sw1 and outside-sw2 ) Two PIX firewalls connected in state-full failover mode. , outside interface ( pix1-outside and Pix2-outside ) of these PIX will be connected to the previously mentioned switches(outside-sw1 and outside-sw2 ) . Similarly Inside interfaces ( pix1-inside and pix2-inside ) of these PIX will be connected to two separate switches. ( inside-sw1 and inside-sw2).

In a nutshell , R1- eth0  outside-sw1 ,

PIX1-outside  outside sw1

And

R2-eth0 - outside-sw2

PIX2 -outside  outside-sw2

And PIX1-inside  inside-sw1

PIX-inside  inside-sw2

PIX1 to PIX2  failover cable and lan cable

inside-sw1 to inside-sw2 cross cable / trunk

outside-sw1 to outside-sw2 cross cable / trunk

So it is a chain of devices running in parallel giving redundancy upto each device level.

Is it possible to configure HSRP with these routers , switches and failover with PIX.

Any link about integration of these devices will be appreciated

please see following slide in attachments

Preview file
13 KB
0 Helpful
3 Replies 3

dominic.caron
Level 5
Level 5

‎05-25-2006 09:23 AM

Hi,

Do you use BGP to peer with your two ISPs. My Internet Edge is designed in a similar way and I tested all possible failure scenario when I designed it. Be glad to help if it match.

0 Helpful

dominic.caron
Level 5
Level 5

‎05-25-2006 02:38 PM

If you are usging BGP and are multihomed with a primary and a backup link, dont use HSRP. Peer with the two isp with eBGP and peer your edge router with iBGP. Between the edge router and the pix, run ospf. The two edge router should send only a default route to the pix. Use a route-map on the 2 router to get them to only sent default if they have the best outside route.

default-information originate metric 5 route-map SEND_DEFAULT

route-map SEND_DEFAULT permit 10

match ip address 1

match ip next-hop 2

access-list 1 permit 0.0.0.0

access-list 2 permit #.#.#.# (ISP 1)

access-list 2 permit #.#.#.# (ISP 2)

On the pix(s), advertise your network with a network-summary statement. Impact on the cpu of the pix will be very small, ospf routing table will have only one entry.

You will have full redendancy this way. In case you have a routing protocol problem, might be a good idea to put a few floating static route...just in case

r-tyrell
Level 1
Level 1
In response to dominic.caron

‎11-27-2006 12:57 PM

We are in the process of bringing up a secondary router and internet connection (same ISP). I do plan on running BGP between these routers and eBGP between their neighbors. I currently have one PIX 515 (6.3) using static routes. Could you post or email me privately the OSPF configuration? Do you run OSPF between your PIX and inside network? Or only run OSPF between the PIX and internet routers? I am unsure of how to provide a different default gateways on the PIX. Thank you.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card