538 Views, 0 Helpful, 5 Replies

2 sets of firewalls using the same DMZ switch issue

peter.williams (Level 1)

I have a set of ASAs with a DMZ switch, which works great on the production network.  I have another set of PIXes that is used for my backup Internet line; when I plug them into the same switch as the ASAs, the DMZ servers are unavailable.  I am using OSPF on both the ASA and the PIX.  They all have different DMZ addresses on the interfaces.  Why is the DMZ network going down when I plug in the PIX for the backup Internet connection?

Thank you


5 Replies

Rick Arps (Level 4)

Do you have any debugs from the firewalls or the switch?  There's not much to go on here.  Config snippets would be helpful as well.

I will not be able to do any debugs because it takes down the production network.

ASA interfaces -

interface Ethernet0/0
speed 100
duplex full
nameif Outside
security-level 0
ip address 12.231.141.253 255.255.255.224 standby 12.231.141.254
ospf cost 10
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.253.1 255.255.255.0 standby 10.0.253.2
ospf cost 10
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
ospf cost 10

PIX interfaces -

interface Ethernet0
speed 100
duplex full
nameif Outside
security-level 0
ip address 64.115.215.10 255.255.255.240 standby 63.115.215.11
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.253.5 255.255.255.0 standby 10.0.253.6
!
interface Ethernet2
speed 100
duplex full
shutdown
nameif DMZ
security-level 50
ip address 192.168.0.3 255.255.255.0 standby 192.168.0.4

Are there any erroneous OSPF routes getting inserted by the ASA?  It sounds like you might be ending up with asymmetric routing.  That would cause issues since you're going through a stateful firewall.

Rick,

If I put an OSPF cost 20 in the interfaces of the PIX will that stop the asymmetric routing?

Thank you

Accepted Solution

Without knowing more about the network topology, I can't say for sure.

Why are you running OSPF on your DMZ interface?  Are there more networks off of the DMZ besides 192.168.0.0?  Do you intend to use it as a transport network between the firewalls?  If not, I would turn OSPF off on those interfaces and just advertise the connected network.

You probably have to increase the cost on the inside interface to make sure the PIX is only used in case of failure.  Check what cost your ASA is advertising and go above that.
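The change the accepted solution describes, written out in ASA/PIX CLI as an added example (this is not the poster's configuration and not from the original thread). It assumes OSPF process 1 and backbone area 0 on both firewalls' inside interfaces, and explicit redistribution metrics of 10 (ASA) and 20 (PIX); none of that appears in the posted snippets. Addresses are the ones from the posted interface configs.

```text
! ASA (primary path) -- assumed: OSPF process 1, area 0.
! The DMZ subnet is deliberately absent from the "network" statements, so
! the ASA forms no OSPF adjacency on the DMZ switch.  192.168.0.0/24 is
! still advertised, as a redistributed connected route with metric 10.
router ospf 1
 network 10.0.253.0 255.255.255.0 area 0
 redistribute connected metric 10 subnets
 log-adj-changes

! PIX (backup path) -- same treatment on the DMZ, plus a higher inside
! interface cost than the ASA's "ospf cost 10" and a higher redistribution
! metric, so the PIX's routes lose to the ASA's unless the ASA path is gone.
interface Ethernet1
 ospf cost 20
!
router ospf 1
 network 10.0.253.0 255.255.255.0 area 0
 redistribute connected metric 20 subnets
 log-adj-changes
```

To check the result, `show ospf neighbor` on each firewall should list adjacencies on the inside interface only, never on the DMZ, and `show route` on whatever inside router learns these prefixes should show 192.168.0.0/24 with the ASA as the single next hop. If both firewalls still appear as next hops for the same prefix, the inside router is load-sharing across them and you are back to asymmetric flows through two separate stateful devices.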
