
James,

I think it would help if you thought of the two PIX 535s, primary and
failover, as one firewall, not two.

Let me explain. A Primary and failover unit do not function as independent
units. They act as one. The scenario you outline in your messages would
require that you purchase a second primary or upgrade your failover license
to a primary for the new site.

Bill Tedeski
ACS Inc.


Message: 1
Date: Mon, 09 Oct 2006 14:04:00 +0100
From: James Burns
Subject: [fw-wiz] PIX Failover & Other Queries
To: Firewall Wizards
Message-ID: <452A48C0.2010101@sunderland.ac.uk>
Content-Type: text/plain; charset=windows-1252; format=flowed

Hi, I'm hoping someone can help...

I'm working at a university, that currently only has a single gig feed
to the outside world. In the interests of resilience, we're soon to be
getting a second feed in, and I was hoping that someone might be able to
offer some advice on the best way of going about it.

We've currently got two Pix 535's as a failover set, one with an
unrestricted (UR) license, the other with a failover (FO) only. As the
new feed is coming into a different site, the failover Pix will be
moved, and we'll do LAN based failover rather than using a failover cable.

*However*, the educational body supplying the new feed has seen fit to
provide the second feed in as a separate OSPF instance to the original
feed. Therefore, each of the two feeds out will have different OSPF
instances, and different IP addresses. For the sake of argument (which
will likely as not prove to be fact anyway), assume that this is set in
stone, and nothing's going to change it.

So, what I want to know is your thoughts on how best to go about this...
Is it possible to have two firewalls in a failover set failover as
normal, but have the failover Pix have a different outside IP address? I
didn't think that this would be possible, if at all, but especially on a
box with an FO licence? What about upgrading the licence from FO to UR -
would that allow it? The best possible solution I've managed to come up
with so far, is to have two routers (or L3 switches) - just outside each
of the Pix's - configured for HSRP. If the main link goes down, what I
would like to happen is for the other router to take over via HSRP, and
for the firewall pair to failover to the backup. Does that sound feasible?

I hope I'm making sense. Any help is appreciated.

--
James Burns

Network Advisor - Student & Learning Support
University of Sunderland



_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
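
An added illustration, not part of the original thread: a minimal LAN-based failover configuration showing why the pair behaves as one firewall. It assumes PIX OS 7.x syntax (the thread does not state the software version); every address, interface and name below is a constructed placeholder.

```cisco
! Constructed example for the primary (UR) unit. Addresses, interface
! numbers and the "folink" name are placeholders, not from the thread.
!
! Each data interface carries ONE subnet for both units: the active
! address first, then the standby address. There is no per-unit
! outside network; whichever unit is active answers on 192.0.2.1.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! Dedicated interface for the LAN-based failover link (replaces the
! serial failover cable once the units sit at different sites).
interface GigabitEthernet2
 description LAN-based failover link
 no shutdown
!
failover lan unit primary
failover lan interface folink GigabitEthernet2
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover lan enable
! Shared secret protecting failover traffic; use the same value on both units.
failover key <shared-secret-placeholder>
failover
!
! The secondary (FO) unit is given only the failover lines, with
! "failover lan unit secondary". It replicates the rest of the
! configuration, including the interface addressing, from its peer.
```

Because the standby unit takes over the active addresses when it becomes active, both sites would have to present the same outside subnet to the pair for this configuration to fail over cleanly.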

--===============0501873248==--