From: Fabricio Aponte (fabricio@xxxxxxx)
Date: Tue Feb 20 2001 - 09:30:09 GMT-3
MIke, here is a good link on PIX firewalls. Go to the failover link:
http://www.cisco.com/warp/customer/110/top_issues/pix/pix_index.shtml
I will send you another link on the routing issue for the PIX later on
today.
fab
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Andrew Short
Sent: Monday, February 19, 2001 10:18 PM
To: CCIE Study Group
Subject: RE: Firewall Design Question
On Mon, 19 Feb 2001, Fabricio Aponte wrote:
> Mike!
>
> This is what I would do:
>
> First of all, PIX firewalls do not route, but, as you already know,
> checkpoints do, so if you want, use a checkpoint box instead.
Actually, as layer-3 devices, PIX's MUST route if traffic is to be passed
between thier interfaces. They also will (if my memory recalls correctly)
run RIP. But why you'd run RIP on a PIX is beyond me.
Now...the Lucent firewall (John Chambers forgive me) doesn't route, but
then it is a data-link device filtering on network layer information. An
interesting idea. I am going to give it a whirl on a FreeBSD box soon.
> This is what I would do:
>
>
> [BGP]---[BGP]
> | |
> ------[PIX]-----failovercable---[PIX]
> | | |
> | [ A ]---[ A ]
> | | |
> --[CPT]---[CPT]--
> | |
> [ B ]---[ B ]
>
> Use only one PIX firewall, and use a failover cable to connect a redundant
> PIX. One thing that I like better about this set up that the one you
have,
> is that if you have two different PIX firewalls in between this network,
> management is going to turn ugly. If you want BGP to route to A or to B,
or
> if you want network A to route to B, it is going to go through two PIX
> firwalls and if the network admin that you are designing this for is not
> good, he is going to have a hard time everytime he needs to add a conduit.
>
> With the failover command, all you do is configure one PIX, and the other
> one will copy the configuration from the primary. Obviously, the network
> connections of the primary PIX are exactly as the ones from the secondary,
> so if one fails it should be invisible.
>
> If any questions, call the Houston TAC. Those guys are good ;)
>
>
> Fab
>
>
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Michael Le
> Sent: Monday, February 19, 2001 9:55 PM
> To: ccielab@groupstudy.com
> Subject: Firewall Design Question
>
>
> Since firewalls shouldn't run routing protocols,
> could someone give me advice on how to set up my
> proposed redundant firewalls.
> Please refer to my ugly ASCII network.
>
> [BGP]---[BGP]
> | |
> --[PIX]---[PIX]--
> | | | |
> | [ A ]---[ A ] |
> | | | |
> --[CPT]---[CPT]--
> | |
> [ B ]---[ B ]
>
> I plan to have two failover PIXs right behind two
> BGP routers to the Internet. On the inside of the PIXs
> I have one connection going to Network A and another
> going to Network B. But right in front of Network B
> (critical production network), I have a load balancing
> set of Checkpoint firewalls. The Checkpoints are
> connected to both Network A & B, which are actually
> 6509 w/MSFCs.
> I want it done so that the Checkpoint will forward
> data to A when destined there and send all other
> packets to the PIX. However, if the Checkpoint's link
> to the PIX goes down, I want it to be able to send
> traffic through network A and to the PIX from
> there. I want it to work the other way around for the
> PIX going to network B.
> My question is, how would I do that if the
> firewalls don't run a routing protocol? Do the PIXs
> allowing for floating statics?
> Thanks for your help.
>
> Michael
>
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:53 GMT-3