network redundancy


MichaelDay
May 1, 2003
I want to build connection redundancy with a PIX 506E. This is the scenario:
I have a T1 line running into my PIX 506E right now. Besides that, I have another DSL line just for backup, in case the T1 line is cut off, so that I can turn on my DSL line.

How do I configure the PIX 506E for this scenario? Any tips?

TIA
 
Mmm.. I'm guessing you might not get too far with your current setup, unfortunately, as far as I see it; if anyone can suggest otherwise then I've probably wasted some cash in the past!

The 506E PIX only supports one outside interface and one inside. You would need to upgrade to a 515E (which is a bit of a price hike). Even then there are still difficulties with using the 515 to share/provide backup connections.

Depending on what you require the two links to do, in your case providing a backup link with just a PIX is not really possible (routers would be better). You could, however, force inside hosts to use the DSL route for services like the internet and, depending on where the T1 line connects to (I guess other networks), this would remain the PIX's default route. This isn't a great solution, but when configured properly it can do the job well.

To do what you ultimately require, throw in a Cisco router with a WIC card and connect both T1 and DSL circuits to the router; the router then connects to your firewall (506E or higher). You could use policy-based routing to do some clever stuff (load balancing, backup interfaces etc.). I'm currently using this setup for something similar, although we use an ISDN connection as a backup route for the T1. Using dial on demand the ISDN connection is established and we filter only essential traffic until the T1 connection is re-established.

If anyone has any thoughts on whether this could be done with a subsequent PIX, maybe in a failover environment, I'd be interested to hear?

Should be plenty there for you to think about. Hope it helps.
 
Robrichardson,
I like this idea of yours:
"To do what you ultimately require throw in a cisco router with a WIC card and connect both T1 and DSL circuits to the router, the router then connects to your firewall (506E or higher). You could use policy based routing to do some clever stuff load balancing, backup interfaces etc.) Im currently using this setup for something similar although we use an ISDN connection as a backup route for the T1. Using dialing on demand the ISDN connection is established and we filter only essential traffic until the T1 connection is re-established."

Now, my question: where can I find this WIC card, and do you have any layout for setting this up?

I was thinking of going for the "manual" method. That means manually unplugging and plugging. Let's say I have the T1 line running into the outside port on my PIX 506E, and this 506E is running with the T1 configuration script.
One day the T1 dies, so I just unplug the T1 line and plug the DSL line into the outside port, then do a "clear x" on my PIX and reload a saved PIX 506E configuration file for DSL.

By doing this, I always have two saved configuration files ready to load back and forth.

Do you think that will work?
 
It will work, but unless you have appropriate MX records your incoming mail won't. This will also apply to any incoming VPNs you may have, site-to-site or remote user.

Rob's suggestion is a good one, the best there currently is with a PIX (or with several PIXes in failover, for that matter). Redundancy and load balancing are sadly lacking features in the current PIX feature set. But it's always said that the PIX isn't a router, and that's what routers are for.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Okay, our organization does not have any remote access besides the Exchange email server. One question: can an MX record contain 2 IPs? One for T1 and one for DSL?

Also, could you tell me a little more detail about Rob's suggestion? Or is there some reference I can read up on?

Thanks so much
 
Yes, just weight the second IP address higher than the primary in your DNS registration (most DNS providers can do this). Queries will try the first address and use the second only if the first doesn't work.
 
Hi Michael

Your idea would work. I predict you may run into problems, though, keeping both configs for each connection up to date and consistent. To help with this, instead of erasing the full config you could have a script ready which only changes the relevant commands.

Firstly you would issue "no" commands for your T1 details:

no ip address outside x.x.x.x
no global (outside) x.x.x.x
(etc.)

Then in the same script just add the details for the backup line

ip address outside y.y.y.y
global (outside) y.y.y.y

The same could be done to remove/re-add the static for your mail server etc.

You may also need to re-open the outside interface after switching the physical connections. If I remember correctly:

interface ethernet0 auto

With the router solution, a WIC card is easy to get hold of from all major network suppliers. Providing a layout for setting this up is not so straightforward, as each solution is different.

For true load balancing (i.e. one packet out one line, the next out the other) you need your ISP to allow the routing protocol to talk between their routers and yours; for example, EIGRP would provide load balancing and tolerance if one line goes down. It can be a difficult affair getting your ISP to agree to this, and it usually only happens for the larger customer.

With a bit of careful planning (keep it simple!) you can set the router to handle outgoing traffic. This means you could set one route for company traffic and the other for web access/email/remote connections. This works well, although in most instances (i.e. web traffic) you cannot specify the incoming route. I see you don't have remote access, so this may not be a worthy solution.

Using static routes with the same cost allows you to use both connections (outbound). You can also set up routes with a higher cost (the backup connection's gateway) as backup routes if the T1 connection is down.

Using a router is the most manageable solution and can be as complicated as you like. If your connection providers let you use EIGRP, OSPF, BGP or another routing protocol, most of the hard work is done already; otherwise use static routes to create a form of load balancing.

To stick with just the 506E, I suggest you create two scripts which you can just paste into the CLI and which switch from one setup to the other respectively.

To be honest, as your layout seems reasonably simple, I would save the cash and stick with just the PIX; if remote access were an issue then it would be viable to purchase a router. Put the effort into creating a script to alter the PIX's outside connection only. This way you will avoid having to add the running config to these scripts before you switch connections.
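The two paste-ready scripts suggested above are easy to let drift apart when each is edited by hand. One way to keep them consistent is to generate both from a single link table. The following is an added example, not code from the original thread: it emits PIX 6.x commands in the style the post shows (no-ing the old link's lines, adding the new link's, re-enabling the outside interface), and it checks the table for the mistakes that usually creep in (a gateway or mail address outside the link's subnet). The addresses are RFC 5737 documentation addresses, and the inside mail-server address and the ACL name are assumptions for illustration.

```python
"""Generate paste-ready PIX 6.x switch-over scripts from one link table.

Constructed example. The public addresses are RFC 5737 documentation
addresses; MAIL_INSIDE_IP and OUTSIDE_ACL are assumed names, not values
from the original thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    outside_ip: str      # address for 'ip address outside'
    outside_mask: str
    gateway: str         # provider's next hop for the default route
    mail_public_ip: str  # public address the MX record for this link points at


MAIL_INSIDE_IP = "192.168.1.10"   # assumed inside address of the Exchange server
OUTSIDE_ACL = "outside_in"        # assumed name of the ACL bound to the outside interface

LINKS = {
    "t1": Link("t1", "203.0.113.10", "255.255.255.248", "203.0.113.9", "203.0.113.11"),
    "dsl": Link("dsl", "198.51.100.20", "255.255.255.248", "198.51.100.17", "198.51.100.21"),
}


def validate(link: Link) -> None:
    """Catch the inconsistencies that creep in when two configs are kept by hand."""
    net = ipaddress.ip_network(f"{link.outside_ip}/{link.outside_mask}", strict=False)
    for label, addr in (("gateway", link.gateway), ("mail_public_ip", link.mail_public_ip)):
        if ipaddress.ip_address(addr) not in net:
            raise ValueError(f"{link.name}: {label} {addr} is not inside {net}")
    if link.mail_public_ip == link.outside_ip:
        raise ValueError(f"{link.name}: a full static cannot reuse the interface address")


def link_commands(link: Link) -> list:
    """Every PIX 6.x line that embeds this link's public addresses."""
    return [
        f"ip address outside {link.outside_ip} {link.outside_mask}",
        f"global (outside) 1 {link.outside_ip}",
        f"static (inside,outside) {link.mail_public_ip} {MAIL_INSIDE_IP} netmask 255.255.255.255 0 0",
        f"access-list {OUTSIDE_ACL} permit tcp any host {link.mail_public_ip} eq smtp",
        f"route outside 0.0.0.0 0.0.0.0 {link.gateway} 1",
    ]


def switchover_script(old: Link, new: Link) -> list:
    """Commands to paste after moving the cable from `old` to `new`."""
    validate(old)
    validate(new)
    script = ["configure terminal"]
    # Remove the old link's lines first so the new default route and the new
    # static for the mail server do not collide with the ones still configured.
    script += ["no " + line for line in link_commands(old)]
    script += link_commands(new)
    script += [
        "interface ethernet0 auto",  # re-enable the outside port after the cable swap
        "clear xlate",               # drop translations built on the old global address
        "write memory",
    ]
    return script


def both_scripts(links=LINKS) -> dict:
    """Both directions, generated from the same table so they cannot drift apart."""
    t1, dsl = links["t1"], links["dsl"]
    return {
        "t1-to-dsl": switchover_script(t1, dsl),
        "dsl-to-t1": switchover_script(dsl, t1),
    }


if __name__ == "__main__":
    for name, script in both_scripts().items():
        print(f"! {name}")
        print("\n".join(script))
        print()
```

Running the module prints both scripts; keep the output of each in a file and paste the relevant one after swapping the cable. Because the "no" lines of one direction are exactly the add lines of the other, a change to the table (a new mail-server address, say) flows into both scripts at once, which is the consistency problem the manual approach leaves open.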
 
Thanks so much for your resourceful info. I appreciate your time.

I am about 99.9999% going with your route. One quick question that would fill me up to 100%: if later on our organization decides to do some VPN, would this be any trouble sticking with the 506E? I guess the remote access person would need to know 2 IPs at any rate, right? If he/she cannot connect with one IP, he/she can try the second backup IP. Correct me if I am wrong.
 
That's correct. The 506 should have no problems terminating the VPNs on the outside interface.

The remote firewall (or any device) could have two VPN tunnels created. As your firewall will only have one tunnel at any time, the remote connection would connect to it automatically; when the connections are switched over it may take a little time, but the remote firewall should pick up the new connection. Remember, though, it could get a little awkward if they had debugging (e.g. debug crypto ipsec) switched on at their end.

There is a slight security issue in that if a hacker knew your public IP address and the ISAKMP key they could possibly spoof your VPN tunnel, although they would still need to know what private address range to use to get through your access lists. I wouldn't worry about this too much.

Glad I could help....
 