Cisco Support Community
PIX redundancy

Hi all,

I have 2 questions to ask. The first is: if I use PIX with the redundancy feature, do the two PIXs have the same IP on all of the interfaces? The second is: if I use two PIXs without the redundancy feature (two PIXs with their own IPs) in the central site for VPN redundancy, can I just use two "set peer" commands under the "crypto map" command to point to the two PIXs in the remote site? Thank you!

Best Regards

Teru Lei

1 REPLY

Re: PIX redundancy

Hi,

when you have two PIXs in a failover configuration, the active PIX will always have the same IP address. This address is different from the IP address of the standby unit.

To make it more clear:

say you have the following situation:

Primary PIX - IP address A - MAC address B - mode=active

Second PIX - IP address C - MAC address D - mode=standby

assume something goes wrong with the primary device; then, after the failover has occurred, you will have this situation:

Primary PIX - IP address C - MAC address D - mode=standby

Second PIX - IP address A - MAC address B - mode=active

About the VPN redundancy:

I copied some text from a certain Cisco webpage and it mentions that you can use the 'set peer' command to create some kind of redundancy. Here it is:

Use the crypto map set peer command to specify an IPSec peer in a crypto map entry. Use the no crypto map set peer command to remove an IPSec peer from a crypto map entry.

This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used because, in general, the peer is unknown.

For ipsec-isakmp crypto map entries, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall received either traffic or a negotiation request from for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

For ipsec-manual crypto entries, you can specify only one peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.

The following example shows a crypto map configuration when IKE will be used to establish the security associations. In this example, a security association could be set up to either the peer at 10.0.0.1 or the peer at 10.0.0.2.

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

Kind Regards,

Tom
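As an added example, not part of Tom's reply or of Cisco's documentation: a small Python check that applies the two peer rules quoted above (ipsec-isakmp entries may list several peers via repeated 'set peer' lines or several addresses on one line; ipsec-manual entries take only one) to a constructed PIX configuration. The configuration text and the rule messages are made up for the example.

```python
# Added example: lint PIX crypto map entries for VPN peer redundancy.
# Rules from the quoted documentation: ipsec-isakmp entries may list several
# peers (repeated 'set peer' lines or several addresses on one line), and IKE
# falls back to the next peer; ipsec-manual entries may carry only one peer.
import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (ipsec-isakmp|ipsec-manual)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")


def parse_crypto_maps(config):
    """Return {(map_name, seq): {"type": ..., "peers": [...]}} from config text."""
    entries = defaultdict(lambda: {"type": None, "peers": []})
    for raw in config.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            entries[(m.group(1), int(m.group(2)))]["type"] = m.group(3)
        elif m := PEER_RE.match(line):
            # 'set peer' may be repeated or list several addresses at once
            entries[(m.group(1), int(m.group(2)))]["peers"].extend(m.group(3).split())
    return dict(entries)


def check_peer_redundancy(config):
    """Return one finding string per crypto map entry that breaks a rule."""
    findings = []
    for (name, seq), entry in sorted(parse_crypto_maps(config).items()):
        peers, kind = entry["peers"], entry["type"]
        if kind == "ipsec-manual" and len(peers) > 1:
            findings.append(f"{name} {seq}: ipsec-manual allows one peer, found {len(peers)}")
        elif kind == "ipsec-isakmp" and len(peers) < 2:
            findings.append(f"{name} {seq}: no backup peer ({len(peers)} configured)")
    return findings


# Constructed sample configuration (not from a real device); entry 10 mirrors
# the example quoted above, 20 lacks a backup peer, 30 misuses ipsec-manual.
SAMPLE_CONFIG = """
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set my_t_set1
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 set peer 10.0.0.3
crypto map mymap 30 ipsec-manual
crypto map mymap 30 set peer 10.0.0.4
crypto map mymap 30 set peer 10.0.0.5
"""

if __name__ == "__main__":
    print("\n".join(check_peer_redundancy(SAMPLE_CONFIG)) or "no findings")
```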
