From: Roberts, Larry (Larry.Roberts@expanets.com)
Date: Mon Dec 29 2003 - 18:13:53 GMT-3
What about HSRP with 2 different groups each corresponding to a different IP
range?
This will get you back to the router, but I don't know how you would get the
redundancy inbound for your address range.
I'm working on something similar.
I have 2 3725's each connected to a different provider. In each 3725 I have
the 16 port 10/100/1G card. I cross connect the routers, and also connect
the PIX's between them. I'm going to be doing BGP to each provider, and use
as-path prepending to have ISP A be primary for its address range and ISP B
primary for theirs. In the case of T-1 failure on ISP A, the router for ISP
B will take over (preempt and tracking). This gets me outbound. BGP takes
care of the inbound since ISP-A *should* lose the route and stop
advertising.
I also have 2 sets of PIX's in failover each tied to their respective ISP.
ISP-A is the primary outbound, but ISP-B can/will be used if ISP-A
disappears.
I'm doing this via a route-map to make ISP-A preferred if available.
Sure looks good on paper. Can't wait to actually turn it up live *with fingers
and toes crossed*
Thanks
Larry
-----Original Message-----
From: Jens Petter Eikeland [mailto:jens-p.eikeland@telio.no]
Sent: Monday, December 29, 2003 10:14 AM
To: security@groupstudy.com; ccielab@groupstudy.com
Subject: pix failover
Hi group,
I am trying to set up two PIXes in failover mode. On the outside of the
PIXes there are two routers. I am trying to have this 100% redundant, but I
have a problem setting up the routing here. Since the outside interfaces on
the PIX need to be in the same subnet, and because I am having two
different IP ranges on the outside of the routers again, I stumble on to
some routing problems. Has anybody out there set up a fully redundant
solution with two PIX firewalls that can help me on the way here? My ISP is
running OSPF on the outside of the PIX, and I am thinking to integrate this
on my edge routers. Is this smart, or should I stick to using static routes?
Please help me.
<http://www.telio.no>
Jens Petter Eikeland
Network Security Engineer
Jens-P.Eikeland@Telio.no
Stortings gate 8
0161 OSLO
NORWAY
mobile: +47 906 577 56
IM: MSN: tbljpe@frisurf.no
www.Telio.no
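
The two-group HSRP and AS-path prepending design described in the reply above, sketched as an IOS configuration for the router attached to ISP A. This is an added example, not configuration from either poster: every address, AS number, interface name and route-map name is constructed, and router B is assumed to mirror it with the HSRP priorities and the prepended range swapped.

```cisco
! Router A (attached to ISP A). Constructed values:
!   range A = 192.0.2.0/24, range B = 198.51.100.0/24,
!   local AS 64512, ISP A = AS 64496 at 203.0.113.1, T-1 on Serial0/0.
interface FastEthernet0/0
 description Segment shared with router B and the PIX outside interfaces
 ip address 192.0.2.2 255.255.255.0
 ip address 198.51.100.2 255.255.255.0 secondary
 ! Group 1 = gateway for range A. Router A is active while its T-1 is up;
 ! losing Serial0/0 drops priority 110 -> 90, below router B's 100,
 ! so router B (which also has preempt set) takes over the virtual IP.
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0 20
 ! Group 2 = gateway for range B. Router A is standby here; router B
 ! runs priority 110 with tracking on its own T-1.
 standby 2 ip 198.51.100.1
 standby 2 priority 100
 standby 2 preempt
!
ip prefix-list RANGE-B seq 5 permit 198.51.100.0/24
!
! Towards ISP A: range B goes out with a longer AS path, so inbound traffic
! for it prefers ISP B; range A is announced unmodified.
route-map TO-ISP-A permit 10
 match ip address prefix-list RANGE-B
 set as-path prepend 64512 64512 64512
route-map TO-ISP-A permit 20
!
router bgp 64512
 network 192.0.2.0 mask 255.255.255.0
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 route-map TO-ISP-A out
```

On each router, `show standby brief` shows which groups are active, and `show ip bgp neighbors 203.0.113.1 advertised-routes` lists the prefixes sent to the provider.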
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:46 GMT-3