PIX Failover/ResilienceQuestion

[maddog32]

Hi,

I don't believe this is possible but I'm hoping someone can prove me wrong!

We want a dual PIX configuration for accessing the internet providing standard firewalling techniques including NAT. However, rather than configuring the PIX's in a failover configuration (i.e. one box sits doing nothing until something goes wrong with the main PIX) I was wondering whether we could configure resilience while incorporating load sharing across the two PIX's, i.e. both PIX's servicing packets but if one goes down the other continues servicing all the packets by itself.

The problem with this configuration is session management, syncronising the routing and NAT tables between the PIX's. Does anyone know if there is a way to achieve this?

Thanks.

 

[yizhar]

HI.

I have no experience with this, but I guess that if you connect the inside interfaces of both pix machines to a fast ethernet router, you can configure 2 routes to the Internet at the router, and connect both outside interfaces of the pix to another router and from there to the Internet.

When one pix goes down, the router will use the other.
The sessions won't be duplicated but as TCP/IP is designed for unreliable networks, the clients will reestablish broken connections as needed.

But again, I have never tryed such thing.

And, as you know, the pix is quite fast, so you first need to ask yourself - do I realy need this?

You should also note that such a configuration will have an additional single point of failiure which is the internal router, and a more complecated network means more dificult troubleshooting and management. Changes to ACL will need to be duplicated on both machines, etc..

So, I guess you'll stay with the failover solution - won't you?

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar