Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

CISCO PIX redundancy

Status
Not open for further replies.
sghezzi

sghezzi

Technical User
Apr 7, 2003
56
DE
Hello,
we are now using CISCO PIX 525 R-BUN with a unique internet provider and we are thinking about a backup for it. PIX is mainly used for Internet, mail and some VPNs.

Taking into account that we are now thinking about having a second Internet provider for redundancy and also setting up a DMZ for our public web server and ftp server, what is the best strategy for achieving this task?

1- buy a Failover PIX and set up the DMZ on both PIX 525 and PIX FO 525 and the configure one Internet provider with the PIX and the other one with the FO? Will they do a kind of load balancing? Will the FO take over once the primary Internet link goes down?

2- Buy another PIX 525 and have a parallel system: will we need to synchronize those PIX manually everytime we implement a change on one of them? is it possible to have load balancing on them? How can the second PIX take over once the primary Internet link goes down?

3- If we buy a second PIX (not a FO), is it a good idea to configure them in a different way: for example one for Internet with the primary ISP and mail, the second PIX dedicated to DMZ and VPN and with Internet with the secondary ISP (in case the first ISP goes down)

Does anybody have a suggestion on what can it be the best strategy?

Thanks in advance
Silvia
 
Sort by date Sort by votes
Silva,

Only you and those at your company know your requirements and acceptable risk; so its difficult to comment on the "right way" to design this solution.

Regarding your questions:

QUOTE
1- buy a Failover PIX and set up the DMZ on both PIX 525 and PIX FO 525 and the configure one Internet provider with the PIX and the other one with the FO? Will they do a kind of load balancing? Will the FO take over once the primary Internet link goes down?
UNQUOTE

The PIX doesn't do load balancing. If you combine the PIX with a load balancing switch (Cisco CSS or CSM) you can load balance over multiple Firewalls. The switch insures that you don't create asymetric loops.

QUOTE
2- Buy another PIX 525 and have a parallel system: will we need to synchronize those PIX manually everytime we implement a change on one of them? is it possible to have load balancing on them? How can the second PIX take over once the primary Internet link goes down?
UNQUOTE

Unless the PIX are in failover configration they won't share the config. You could use a router to create a common pipe that you would use to reach the Internet (via either provider) and put the PIX (maybe in failover) on that connection.

QUOTE
3- If we buy a second PIX (not a FO), is it a good idea to configure them in a different way: for example one for Internet with the primary ISP and mail, the second PIX dedicated to DMZ and VPN and with Internet with the secondary ISP (in case the first ISP goes down)
UNQUOTE

You should configure any Firewall based on a security policy. The types of decisions (separating mail and VPN) you discussed above are IMO good ones to consider.

Also, If you have an R model PIX you have the Restricted version. It doesn't do failover. You need to upgrade to a UR model. The other PIX can either be a FO or a UR model.

Liberty for All,

Brian



 
Upvote 0 Downvote
I would upgrade your PIX to the UR license and buy a PIX 525FO box. This would keep your configuration much simpilar, and be just as redundant. If you run version 6.3.1, you can have your two outside routers (isp1 and isp2) announce default routes to your pix. If one router goes down, the default route will be subtracted and the PIX won't use that route. Since you'll probably be using BGP w/ the two ISPs, you won't need to worry about link failures.
 
Upvote 0 Downvote
Your solution is able to be redundant in case one of the two outside routers go down, but what happens if one of the two ISPs goes down?
This is the major problem we would like to solve.

Thanks
Silvia
 
Upvote 0 Downvote
Are you running BGP with the two ISP's? How are your two routers currently setup?
 
Upvote 0 Downvote
We don't have yet the two routers,the two PIX and the two ISPs, we are in the process of having those but we are still thinking on what is the best way to do that.
That's why my problem raised.
:)
 
Upvote 0 Downvote
Ah... Well it's the router configuration that will supply the ISP redundancy. The PIX won't be in control of that or need to be.

-Bad Dos
 
Upvote 0 Downvote
Do you know what kind of router best fit to this environment. We need to buy one so it would be good to have some advice to buy the best.
 
Upvote 0 Downvote
One is DSL connection, the other one is a wireless connection...no idea what kind... :-(
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MottoK
  • Locked
  • Question
Cisco ISE blank GUI
Replies
0
Views
522
MottoK
MottoK
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
643
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
697
intel233
intel233
AllenH12
  • Locked
  • Question
Bandwidth in Cisco ASA 5505
Replies
2
Views
334
AllenH12
AllenH12
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
175
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top