Failover Options

[kcbs76]

I am new to PIX and excuse me if I make some dumb assumptions. I want to implement failover to my PIX setup. I know failover works with two and exactly two, firewalls witht the same model. I also read that PIX 501, 506 and 506E does not support failover. Now I have a PIX 506E and a cisco router can I implement HSRP or something like that to deal with failovers?

 

[NetworkGhost]

Yes but you will need to purchase another router if you wish to use HSRP. If the goal is to have an external link if your screen router was to go down then definitly get a second device. Only issue with that would mean another line coming in if you wanted the transition to be "seemless". another option is to get a backup DSL line but this would also take some planning in case of an outage. The backup DSL could actually plug into your pix DMZ (virtual int) or screen rtr and could be used in a link failure/hardware failure. A cheaper alternative than a second T1/3 coming in.

 

[kcbs76]

Thank you for the reply. Lets say I choose the second option and get another interface and configure it as DMZ on the same PIX right? But the DMZ interface is between the outside and inside interfaces right? How can it be configured to access the internet without going through the outside interface? Bare with me for these question. I am new to pix.. only three days .

 

[NetworkGhost]

You would have to set up nat on that interface and also a second default route pointing torward the DMZ int (I am not 100% sure if this can be done) If not it would have to be after the fact and either way a failure of service would occur until sessions were rebuilt in the new subnet. If it was a preference I would do this on your router rather than the Pix this would allow for an almost seemless failover and would also allow for some better routing entries . But it is possible. Does your main line have issues often?