From: mtieast (clarson@xxxxxxxxxxx)
Date: Tue Feb 20 2001 - 11:44:33 GMT-3
For this to work, especially if it is to be a stateful failover, the 2 PIXs
must be exactly alike and run the same code etc.
-----Original Message-----
From: Fabricio Aponte <fabricio@ev1.net>
To: 'Michael Le' <mmle@sprintparanet.com>; ccielab@groupstudy.com
<ccielab@groupstudy.com>
Date: Monday, February 19, 2001 11:00 PM
Subject: RE: Firewall Design Question
>Mike!
>
>This is what I would do:
>
>First of all, PIX firewalls do not route, but, as you already know,
>checkpoints do, so if you want, use a checkpoint box instead.
>
>This is what I would do:
>
>
> [BGP]---[BGP]
> | |
> ------[PIX]-----failovercable---[PIX]
>| | |
>| [ A ]---[ A ]
>| | |
> --[CPT]---[CPT]--
> | |
> [ B ]---[ B ]
>
>Use only one PIX firewall, and use a failover cable to connect a redundant
>PIX. One thing that I like better about this setup than the one you have
>is that if you have two different PIX firewalls in between this network,
>management is going to turn ugly. If you want BGP to route to A or to B, or
>if you want network A to route to B, it is going to go through two PIX
>firewalls and if the network admin that you are designing this for is not
>good, he is going to have a hard time every time he needs to add a conduit.
>
>With the failover command, all you do is configure one PIX, and the other
>one will copy the configuration from the primary. Obviously, the network
>connections of the primary PIX are exactly as the ones from the secondary,
>so if one fails it should be invisible.
>
>If any questions, call the Houston TAC. Those guys are good ;)
>
>
>Fab
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Michael Le
>Sent: Monday, February 19, 2001 9:55 PM
>To: ccielab@groupstudy.com
>Subject: Firewall Design Question
>
>
>Since firewalls shouldn't run routing protocols,
>could someone give me advice on how to set up my
>proposed redundant firewalls?
> Please refer to my ugly ASCII network.
>
> [BGP]---[BGP]
> | |
> --[PIX]---[PIX]--
>| | | |
>| [ A ]---[ A ] |
>| | | |
> --[CPT]---[CPT]--
> | |
> [ B ]---[ B ]
>
> I plan to have two failover PIXs right behind two
>BGP routers to the Internet. On the inside of the PIXs
>I have one connection going to Network A and another
>going to Network B. But right in front of Network B
>(critical production network), I have a load balancing
>set of Checkpoint firewalls. The Checkpoints are
>connected to both Network A & B, which are actually
>6509 w/MSFCs.
> I want it done so that the Checkpoint will forward
>data to A when destined there and send all other
>packets to the PIX. However, if the Checkpoint's link
>to the PIX goes down, I want it to be able to send
>traffic through network A and to the PIX from
>there. I want it to work the other way around for the
>PIX going to network B.
> My question is, how would I do that if the
>firewalls don't run a routing protocol? Do the PIXs
>allow for floating statics?
> Thanks for your help.
>
> Michael
>
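The failover pair that both replies describe, written out as a PIX 6.x configuration fragment for Michael's topology (one outside interface toward the BGP routers, one interface each toward networks A and B, plus a dedicated stateful-failover link). This is an added example, not configuration posted by anyone in the thread; the interface names, security levels and RFC 5737 documentation addresses are constructed, and lines beginning with ':' are PIX comments.

```text
: Configured on the primary unit only. The secondary unit receives this
: configuration over the serial failover cable, so it is never edited by hand.
: Both units must be the same PIX model running the same software image and
: holding the same license, or failover (stateful failover in particular)
: will not come up.
nameif ethernet0 outside security0
nameif ethernet1 netA security50
nameif ethernet2 netB security100
nameif ethernet3 stateful security10
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
: System (active-unit) addresses. Whichever unit is active answers on these
: addresses and their MAC addresses, so hosts and routers see no change on failover.
ip address outside 203.0.113.2 255.255.255.0
ip address netA 192.0.2.1 255.255.255.0
ip address netB 198.51.100.1 255.255.255.0
ip address stateful 192.0.2.253 255.255.255.0
: Enable failover and poll the peer every 15 seconds over the failover cable.
failover
failover poll 15
: Addresses the standby unit uses on each interface while it is standby.
: Every interface that carries an IP address needs one, or the pair will not sync.
failover ip address outside 203.0.113.3
failover ip address netA 192.0.2.2
failover ip address netB 198.51.100.2
failover ip address stateful 192.0.2.254
: Carry the connection-state table over a dedicated LAN interface so that
: established sessions survive a switch to the standby unit.
failover link stateful
: The PIX holds a single static default route toward the BGP routers; it does
: not participate in routing, which is the limitation the thread is about.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route netA 10.1.0.0 255.255.0.0 192.0.2.10 1
route netB 10.2.0.0 255.255.0.0 198.51.100.10 1
```

After both units are up, `show failover` on the primary should report it as Active and the peer as Standby, with the stateful link listed and its counters incrementing; a standby that stays in "Waiting" usually means a hardware, software-version or license mismatch between the two units.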
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:53 GMT-3