New Member

2 sets of firewalls using the same DMZ switch issue

I have a set of ASA that has a DMZ switch which works great on the production network.  I have another set of PIX that is used for my backup Internet line; when I plug them into the same switch as the ASA, the DMZ servers are unavailable.  I am using OSPF on both the ASA and PIX.  They all have different DMZ addresses on the interfaces.  Why is the DMZ network going down when I plug in the PIX for the backup Internet connection?

Thank you

ACCEPTED SOLUTION

New Member

Re: 2 sets of firewalls using the same DMZ switch issue

Without knowing more about the network topology, I can't say for sure.

Why are you running ospf on your dmz interface?  Are there more networks off of the dmz besides 192.168.0.0? Do you intend to use it as a transport network between the firewalls?  If not, I would turn ospf off on those interfaces and just advertise the connected network.

You probably have to increase the cost on the inside interface to make sure the pix is only used in case of failure.  Check what cost your asa is advertising and go above that.

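As an added example (not code from the thread and not a Cisco tool), the following Python runs an OSPF-style shortest-path calculation over the topology in the posted configs, to show which PIX interface cost decides whether an inside router keeps an equal-cost path through the PIX toward the DMZ. The inside router R and its interface cost of 10 are assumptions; the ASA costs of 10 and the networks are from the posted configs.

```python
import heapq

INSIDE = "net 10.0.253.0/24"   # transit segment shared by R, the ASA and the PIX
DMZ = "192.168.0.0/24"          # stub network that both firewalls attach to


def spf(lsdb, src, dst):
    """Dijkstra over a link-state DB {node: [(neighbour, cost), ...]}.
    Returns (cost, all equal-cost paths) from src to dst. A transit network
    is a node that leads back to attached routers at cost 0, as in OSPF, so
    a router's interface cost is charged only on traffic leaving that router."""
    best, preds, heap = {src: 0}, {src: []}, [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue
        for nxt, link_cost in lsdb.get(node, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt], preds[nxt] = new_cost, [node]
                heapq.heappush(heap, (new_cost, nxt))
            elif new_cost == best[nxt] and node not in preds[nxt]:
                preds[nxt].append(node)          # equal-cost alternative (ECMP)
    if dst not in best:
        return None, []

    def walk(n):  # expand the predecessor graph into explicit paths
        return [[src]] if n == src else [p + [n] for q in preds[n] for p in walk(q)]
    return best[dst], walk(dst)


def firewalls_used(pix_inside_cost, pix_dmz_cost, pix_dmz_up=True):
    """Firewalls the inside router R may forward through toward the DMZ.
    ASA costs (10) are from the posted config; R is a constructed inside
    router whose own interface cost of 10 is an assumption."""
    lsdb = {
        "R": [(INSIDE, 10)],
        INSIDE: [("R", 0), ("ASA", 0), ("PIX", 0)],
        "ASA": [(INSIDE, 10), (DMZ, 10)],
        "PIX": [(INSIDE, pix_inside_cost)] + ([(DMZ, pix_dmz_cost)] if pix_dmz_up else []),
    }
    cost, paths = spf(lsdb, "R", DMZ)
    return cost, sorted(p[-2] for p in paths)   # p[-2] is the firewall before the DMZ


if __name__ == "__main__":
    print("equal costs:             ", firewalls_used(10, 10))   # -> (20, ['ASA', 'PIX']): ECMP
    print("PIX inside cost 20:      ", firewalls_used(20, 10))   # -> still ECMP toward the DMZ
    print("PIX DMZ cost 20:         ", firewalls_used(10, 20))   # -> (20, ['ASA'])
    print("PIX DMZ shut (as posted):", firewalls_used(10, 10, pix_dmz_up=False))
```

Raising only the PIX inside cost leaves the inside router with two equal-cost next hops toward the DMZ, because that cost is charged on traffic leaving the PIX toward the inside, not on traffic entering it; the DMZ-side cost (or not running OSPF on that interface at all) is what removes the PIX from the forward path. With replies from DMZ hosts following their default gateway, one direction would otherwise cross a firewall that never saw the session, which is the asymmetric-routing failure the replies describe.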
5 REPLIES
New Member

Re: 2 sets of firewalls using the same DMZ switch issue

Do you have any debugs from the firewalls or the switch?  There's not much to go on here.  Config snippets would be helpful as well.

New Member

Re: 2 sets of firewalls using the same DMZ switch issue

I will not be able to do any debugs because it takes down the production network.

ASA interfaces -

interface Ethernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 12.231.141.253 255.255.255.224 standby 12.231.141.254
 ospf cost 10
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.253.1 255.255.255.0 standby 10.0.253.2
 ospf cost 10
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2
 ospf cost 10

PIX interface -

interface Ethernet0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 64.115.215.10 255.255.255.240 standby 63.115.215.11
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.253.5 255.255.255.0 standby 10.0.253.6
!
interface Ethernet2
 speed 100
 duplex full
 shutdown
 nameif DMZ
 security-level 50
 ip address 192.168.0.3 255.255.255.0 standby 192.168.0.4

New Member

Re: 2 sets of firewalls using the same DMZ switch issue

Are there any erroneous OSPF routes getting inserted by the ASA?  It sounds like you might be ending up with asymmetric routing.  That would cause issues since you're going through a stateful firewall.

New Member

Re: 2 sets of firewalls using the same DMZ switch issue

Rick,

If I put an OSPF cost 20 in the interfaces of the PIX will that stop the asymmetric routing?

Thank you
