05-27-2010 11:35 AM - edited 03-04-2019 08:37 AM
I have a set of ASA that has a DMZ switch which works great on production network. I have another set of PIX that is used for my backup Internet line, when I plug them into the same switch as the ASA the DMZ servers are unavailable. I am using OSPF on both the ASA and PIX. They all have different DMZ addresses on the interfaces. Why is the DMZ network going down when I plug in the PIX for the backup Internet connection?
Thank you
05-27-2010 01:08 PM
Without knowing more about the network topology, I can't say for sure.
Why are you running ospf on your dmz interface? Are there more networks off of the dmz besides 192.168.0.0? Do you intend to use it as a transport network between the firewalls? If not, I would turn ospf off on those interfaces and just advertise the connected network.
You probably have to increase the cost on the inside interface to make sure the pix is only used in case of failure. Check what cost your asa is advertising and go above that.
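As an added illustration (not code from this thread or from Cisco), a small Python model of the asymmetric-routing failure described above: two stateful firewalls advertising the inside and DMZ networks at equal OSPF cost 10, a per-flow ECMP hash standing in for the router's load sharing, and the SYN-ACK being dropped by whichever firewall never saw the SYN. The host addresses, port numbers and hash function are constructed assumptions; it also shows that raising the PIX cost on the inside interface alone does not help while the DMZ interface still ties.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    """A stateful firewall that advertises its connected networks into OSPF."""
    name: str
    costs: dict                               # egress interface -> OSPF cost it advertises
    state: set = field(default_factory=set)   # connections this box has seen

    def pass_packet(self, flow, new_conn):
        src, dst, sport, dport = flow
        if new_conn:                          # first packet: create state on this box
            self.state.add(flow)
            return True
        # reply packet: allowed only if THIS firewall saw the original flow
        return (dst, src, dport, sport) in self.state

def flow_hash(flow):
    """Toy per-flow ECMP hash (constructed; stands in for a router's real hash)."""
    src, dst, sport, dport = flow
    octets = lambda ip: sum(int(o) for o in ip.split("."))
    return octets(src) * 3 + octets(dst) * 5 + sport * 2 + dport

def ospf_next_hop(firewalls, egress_iface, flow):
    """OSPF keeps only the lowest-cost path(s); equal costs are load-shared per flow."""
    best = min(fw.costs[egress_iface] for fw in firewalls)
    candidates = [fw for fw in firewalls if fw.costs[egress_iface] == best]
    return candidates[flow_hash(flow) % len(candidates)]

def simulate(pix_costs, sports, inside_host="10.0.253.50", dmz_host="192.168.0.10"):
    """Open one TCP connection per source port from an inside host to a DMZ server
    and report whether the SYN-ACK made it back.  Returns {sport: reachable}."""
    asa = Firewall("ASA", {"inside": 10, "DMZ": 10})   # costs from the posted ASA config
    pix = Firewall("PIX", pix_costs)                    # PIX costs under test (assumed)
    firewalls = [asa, pix]
    result = {}
    for sport in sports:
        fwd = (inside_host, dmz_host, sport, 80)
        ospf_next_hop(firewalls, "DMZ", fwd).pass_packet(fwd, new_conn=True)
        rev = (dmz_host, inside_host, 80, sport)        # DMZ side picks its own path back
        fw = ospf_next_hop(firewalls, "inside", rev)
        result[sport] = fw.pass_packet(rev, new_conn=False)
    return result

if __name__ == "__main__":
    print("equal cost      :", simulate({"inside": 10, "DMZ": 10}, [1025, 1026]))
    print("PIX inside only :", simulate({"inside": 20, "DMZ": 10}, [1025, 1026]))
    print("PIX both raised :", simulate({"inside": 20, "DMZ": 20}, [1025, 1026]))
```

With equal costs some flows go out through one firewall and come back through the other and are dropped; only when the PIX loses the tie in both directions does every connection complete.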
05-27-2010 12:06 PM
Do you have any debugs from the firewalls or the switch? There's not much to go on here. Config snippets would be helpful as well.
05-27-2010 12:26 PM
I will not be able to do any debugs because it takes down the production network.
ASA interfaces -
interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
ip address 12.231.141.253 255.255.255.224 standby 12.231.141.254
ospf cost 10
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.253.1 255.255.255.0 standby 10.0.253.2
ospf cost 10
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
ospf cost 10
PIX interface -
interface Ethernet0
speed 100
duplex full
nameif Outside
security-level 0
ip address 64.115.215.10 255.255.255.240 standby 63.115.215.11
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.253.5 255.255.255.0 standby 10.0.253.6
!
interface Ethernet2
speed 100
duplex full
shutdown
nameif DMZ
security-level 50
ip address 192.168.0.3 255.255.255.0 standby 192.168.0.4
05-27-2010 12:52 PM
Are there any erroneous ospf routes getting inserted by the asa? It sounds like you might be ending up with asymmetric routing. That would cause issues since you're going through a stateful firewall.
05-27-2010 12:59 PM
Rick,
If I put an OSPF cost 20 in the interfaces of the PIX will that stop the asymmetric routing?
Thank you