RE: Firewall Design Question

From: Fabricio Aponte (fabricio@xxxxxxx)
Date: Tue Feb 20 2001 - 00:42:04 GMT-3

Mike!

This is what I would do:

First of all, PIX firewalls do not route, but, as you already know,
checkpoints do, so if you want, use a checkpoint box instead.

This is what I would do:

  [BGP]---[BGP]
     | |
 ------[PIX]-----failovercable---[PIX]
| | |
| [ A ]---[ A ]
| | |
 --[CPT]---[CPT]--
     | |
   [ B ]---[ B ]

Use only one PIX firewall, and use a failover cable to connect a redundant
PIX. One thing that I like better about this setup than the one you have,
is that if you have two different PIX firewalls in between this network,
management is going to turn ugly. If you want BGP to route to A or to B, or
if you want network A to route to B, it is going to go through two PIX
firewalls and if the network admin that you are designing this for is not
good, he is going to have a hard time every time he needs to add a conduit.

With the failover command, all you do is configure one PIX, and the other
one will copy the configuration from the primary. Obviously, the network
connections of the primary PIX are exactly as the ones from the secondary,
so if one fails it should be invisible.

If any questions, call the Houston TAC. Those guys are good ;)

Fab
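The failover arrangement Fab describes (one configured primary, a secondary that copies it over the failover cable), as an added illustrative PIX OS 6.x configuration that is not part of the original post. Interface names, addresses and router IPs are placeholders, and comment lines use the ":" prefix of a saved PIX config.

```cisco
: Primary PIX (PIX OS 6.x). The secondary unit needs only matching hardware,
: the failover cable and the "failover" command; it pulls the rest of this
: configuration from the primary over the cable.
: All addresses and interface names below are placeholders, not from the thread.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security10
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address stateful 10.255.255.1 255.255.255.252
: Standby addresses used by whichever unit is currently standby. The active
: unit always holds the primary IP and MAC addresses, so when the units
: switch roles the BGP routers and inside hosts see no address change.
failover ip address outside 192.0.2.3
failover ip address inside 10.0.0.2
failover ip address stateful 10.255.255.2
: Dedicated interface over which the active unit replicates its xlate and
: connection tables, so established sessions survive a switchover.
failover link stateful
: Hello interval between the two units, in seconds (3 to 15 in PIX 6.x).
failover poll 15
: Default route toward the BGP router pair and a static for the inside
: network; the trailing value is the route metric.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.1.0.0 255.255.0.0 10.0.0.254 1
: Enable failover last, once both units have identical interface settings.
failover
```

On either unit, "show failover" reports which box is active and whether the cable and each interface pair are seen as normal, which is the first thing to check after a switchover.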

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Michael Le
Sent: Monday, February 19, 2001 9:55 PM
To: ccielab@groupstudy.com
Subject: Firewall Design Question

Since firewalls shouldn't run routing protocols,
could someone give me advice on how to set up my
proposed redundant firewalls?
   Please refer to my ugly ASCII network.

   [BGP]---[BGP]
     | |
 --[PIX]---[PIX]--
| | | |
| [ A ]---[ A ] |
| | | |
 --[CPT]---[CPT]--
     | |
   [ B ]---[ B ]

   I plan to have two failover PIXs right behind two
BGP routers to the Internet. On the inside of the PIXs
I have one connection going to Network A and another
going to Network B. But right in front of Network B
(critical production network), I have a load balancing
set of Checkpoint firewalls. The Checkpoints are
connected to both Network A & B, which are actually
6509 w/MSFCs.
   I want it done so that the Checkpoint will forward
data to A when destined there and send all other
packets to the PIX. However, if the Checkpoint's link
to the PIX goes down, I want it to be able to send
traffic through network A and to the PIX from
there. I want it to work the other way around for the
PIX going to network B.
   My question is, how would I do that if the
firewalls don't run a routing protocol? Do the PIXs
allow for floating statics?
   Thanks for your help.

   Michael



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:53 GMT-3