Re: Firewall Design Question

From: John Kaberna (jkaberna@xxxxxxxxxxxx)
Date: Tue Feb 20 2001 - 18:29:44 GMT-3


   
Actually I believe on the PIX you can set multiple static routes with
different metrics. If you don't specify a metric it defaults to 1. Anyone
disagree? I'm not quite positive.

John

----- Original Message -----
From: "Michael Le" <mmle@sprintparanet.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, February 20, 2001 10:28 AM
Subject: RE: Firewall Design Question

> Hi All,
>
> Thanks for responding. The two PIXs I have are already doing failover, but
> that's not what I was asking.
> I was just trying to find a way for the PIX to send traffic to the Network B
> through its link to the Checkpoint. If, however, that link were to fail,
> then I want it to use the link to Network A as a transit to Network B. This
> would imply that I need to use some sort of floating static, if there were
> such a thing on the PIX, but I don't think there is.
> I think someone else recommended me doing routing through to the PIX instead
> of with it, but how would the router detect which link between the PIX is up
> or down, so I don't see how that would work.
> Any suggestions would be helpful. Or is this too off-topic?
>
> Michael
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Frank Jimenez
> Sent: Tuesday, February 20, 2001 10:17 AM
> To: Peter; Frank Jimenez; CCIE Study Group
> Subject: Re: Firewall Design Question
>
>
> Correct. The original reason that I found this configuration to begin with
> was to placate a customer who had purchased two PIXs, and was upset that one
> was sitting idle for failover and not 'load balancing'....
>
> Frank Jimenez
> franjime@cisco.com
>
> At 12:25 AM 02/20/2001 -0600, Peter wrote:
> >Correct but to successfully load balance firewalls, you must have the
> >CSS11000's in front AND behind the FW's. You must sandwich them to make
> >sure all "flows" go through the correct FW. You have the same issue with
> >SSL, which must stick a session to one server, or firewall in this case. It
> >is the only way to maintain state. This makes for a complex design, why not
> >just get a pair of PIX535's running failover? Throw all the bandwidth you
> >want at it, plus fault tolerance :)
> >
> >Peter
> >
> >----- Original Message -----
> >From: "Frank Jimenez" <franjime@cisco.com>
> >To: "CCIE Study Group" <ccielab@groupstudy.com>
> >Sent: Monday, February 19, 2001 11:19 PM
> >Subject: RE: Firewall Design Question
> >
> >
> >> Mike,
> >>
> >> One thing that you might consider (Frank puts on his Cisco Sales
> >> Hat(tm) for a moment...) is placing a CSS-11000 Content Switching box either
> >> in front or behind (or both) of the PIXs or CheckPoints. The CSS-11000 has
> >> some unique load-balancing features that lend themselves well for designing
> >> highly available networks such as the one you are working up. This gives
> >> you the advantage of being able to actually load-balance with the PIXs,
> >> instead of using failover.
> >>
> >> I have several documents that show how this is done, but I can't find
> >> any on the external Cisco sites right now. Since this is a little off-topic
> >> of CCIE lab studies, email me off line and I'll send them to you...
> >>
> >> Frank Jimenez, CCIE #5738
> >> franjime@cisco.com
> >>
> >>
> >> At 10:17 PM 02/19/2001 -0600, Andrew Short wrote:
> >> >On Mon, 19 Feb 2001, Fabricio Aponte wrote:
> >> >
> >> >> Mike!
> >> >>
> >> >> This is what I would do:
> >> >>
> >> >> First of all, PIX firewalls do not route, but, as you already know,
> >> >> checkpoints do, so if you want, use a checkpoint box instead.
> >> >
> >> >Actually, as layer-3 devices, PIX's MUST route if traffic is to be passed
> >> >between their interfaces. They also will (if my memory recalls correctly)
> >> >run RIP. But why you'd run RIP on a PIX is beyond me.
> >> >
> >> >Now...the Lucent firewall (John Chambers forgive me) doesn't route, but
> >> >then it is a data-link device filtering on network layer information. An
> >> >interesting idea. I am going to give it a whirl on a FreeBSD box soon.
> >> >
> >> >> This is what I would do:
> >> >>
> >> >>
> >> >>         [BGP]---[BGP]
> >> >>           |       |
> >> >>      ------[PIX]-----failovercable---[PIX]
> >> >>      |   |       |
> >> >>      | [ A ]---[ A ]
> >> >>      |   |       |
> >> >>      --[CPT]---[CPT]--
> >> >>          |       |
> >> >>        [ B ]---[ B ]
> >> >>
> >> >> Use only one PIX firewall, and use a failover cable to connect a redundant
> >> >> PIX. One thing that I like better about this set up than the one you have,
> >> >> is that if you have two different PIX firewalls in between this network,
> >> >> management is going to turn ugly. If you want BGP to route to A or to B, or
> >> >> if you want network A to route to B, it is going to go through two PIX
> >> >> firewalls and if the network admin that you are designing this for is not
> >> >> good, he is going to have a hard time every time he needs to add a
> >> >> conduit.
> >> >>
> >> >> With the failover command, all you do is configure one PIX, and the other
> >> >> one will copy the configuration from the primary. Obviously, the network
> >> >> connections of the primary PIX are exactly as the ones from the secondary,
> >> >> so if one fails it should be invisible.
> >> >>
> >> >> If any questions, call the Houston TAC. Those guys are good ;)
> >> >>
> >> >>
> >> >> Fab
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> -----Original Message-----
> >> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> >> >> Michael Le
> >> >> Sent: Monday, February 19, 2001 9:55 PM
> >> >> To: ccielab@groupstudy.com
> >> >> Subject: Firewall Design Question
> >> >>
> >> >>
> >> >> Since firewalls shouldn't run routing protocols,
> >> >> could someone give me advice on how to set up my
> >> >> proposed redundant firewalls.
> >> >> Please refer to my ugly ASCII network.
> >> >>
> >> >>         [BGP]---[BGP]
> >> >>           |       |
> >> >>      --[PIX]---[PIX]--
> >> >>      |   |       |   |
> >> >>      | [ A ]---[ A ] |
> >> >>      |   |       |   |
> >> >>      --[CPT]---[CPT]--
> >> >>          |       |
> >> >>        [ B ]---[ B ]
> >> >>
> >> >> I plan to have two failover PIXs right behind two
> >> >> BGP routers to the Internet. On the inside of the PIXs
> >> >> I have one connection going to Network A and another
> >> >> going to Network B. But right in front of Network B
> >> >> (critical production network), I have a load balancing
> >> >> set of Checkpoint firewalls. The Checkpoints are
> >> >> connected to both Network A & B, which are actually
> >> >> 6509 w/MSFCs.
> >> >> I want it done so that the Checkpoint will forward
> >> >> data to A when destined there and send all other
> >> >> packets to the PIX. However, if the Checkpoint's link
> >> >> to the PIX goes down, I want it to be able to send
> >> >> traffic through network A and to the PIX from
> >> >> there. I want it to work the other way around for the
> >> >> PIX going to network B.
> >> >> My question is, how would I do that if the
> >> >> firewalls don't run a routing protocol? Do the PIXs
> >> >> allow for floating statics?
> >> >> Thanks for your help.
> >> >>
> >> >> Michael
> >> >>
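Michael's question above is what a "floating static" is supposed to do: a second static route to the same prefix with a worse metric that only takes over when the preferred route's link goes down. The model below is an added illustration written for this archive page, not configuration from the thread and not any Cisco PIX command; the prefixes, interface names and next-hop addresses are constructed, and the selection rule (longest prefix, then lowest metric, among routes whose egress link is up) is an assumption about how such a route is meant to behave. It also shows the caveat Michael raises: the backup is only chosen when the firewall itself sees its link as down, so a failure further along the path that leaves the local link up does not move traffic.

```python
"""Floating-static route selection modelled as a small routing table.

Constructed example for the archived thread above. Nothing here is PIX
syntax; interface names, prefixes and next hops are made up for the demo.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Network
    interface: str          # egress interface on the firewall
    next_hop: IPv4Address
    metric: int = 1         # the thread notes an unspecified metric defaults to 1


class RoutingTable:
    """Static routes plus the local up/down state of each egress interface."""

    def __init__(self) -> None:
        self.routes: List[StaticRoute] = []
        self.link_up: Dict[str, bool] = {}

    def add_interface(self, name: str, up: bool = True) -> None:
        self.link_up[name] = up

    def add_route(self, prefix: str, interface: str, next_hop: str, metric: int = 1) -> None:
        if interface not in self.link_up:
            raise ValueError(f"unknown interface {interface}")
        self.routes.append(StaticRoute(IPv4Network(prefix), interface,
                                       IPv4Address(next_hop), metric))

    def set_link(self, interface: str, up: bool) -> None:
        # Only the firewall's own view of its link counts; a far-end failure
        # that leaves this link up is invisible here (Michael's objection).
        self.link_up[interface] = up

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        """Longest prefix match, then lowest metric, skipping routes whose link is down."""
        addr = IPv4Address(dst)
        candidates = [r for r in self.routes
                      if addr in r.prefix and self.link_up[r.interface]]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def build_pix_scenario() -> RoutingTable:
    """Constructed topology mirroring the thread: the firewall reaches Network B
    over its link to the Checkpoint (preferred) or through Network A (backup)."""
    rt = RoutingTable()
    rt.add_interface("to_cpt")   # hypothetical link toward the Checkpoint
    rt.add_interface("to_a")     # hypothetical link toward Network A
    rt.add_route("10.2.0.0/16", "to_cpt", "192.0.2.1", metric=1)   # Network B via Checkpoint
    rt.add_route("10.2.0.0/16", "to_a", "192.0.2.9", metric=10)    # floating static via Network A
    rt.add_route("10.1.0.0/16", "to_a", "192.0.2.9", metric=1)     # Network A directly
    return rt


def next_hop_for(rt: RoutingTable, dst: str) -> Optional[str]:
    """Human-readable egress choice, or None when no usable route exists."""
    r = rt.lookup(dst)
    return None if r is None else f"{r.interface} via {r.next_hop}"


if __name__ == "__main__":
    table = build_pix_scenario()
    print("B reachable, CPT link up:  ", next_hop_for(table, "10.2.5.5"))
    table.set_link("to_cpt", False)
    print("B reachable, CPT link down:", next_hop_for(table, "10.2.5.5"))
    table.set_link("to_a", False)
    print("both links down:           ", next_hop_for(table, "10.2.5.5"))
```

The interesting property is the one the thread circles around: a higher-metric route sitting in the table does nothing until the preferred route is withdrawn, and in this model the only thing that withdraws it is the local interface going down. If the Checkpoint itself dies while the wire to it stays up, the firewall keeps forwarding into a black hole, which is why a design that relies on floating statics needs some form of end-to-end reachability check rather than link state alone.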



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:54 GMT-3