Message-ID: <452A48C0.2010101@sunderland.ac.uk>
Content-Type: text/plain; charset=windows-1252; format=flowed
Hi, I'm hoping someone can help...
I'm working at a university, that currently only has a single gig feed
to the outside world. In the interests of resilience, we're soon to be
getting a second feed in, and I was hoping that someone might be able to
offer some advice on the best way of going about it.
We've currently got two Pix 535's as a failover set, one with an
unrestricted (UR) license, the other with a failover (FO) only. As the
new feed is coming into a different site, the failover Pix will be
moved, and we'll do LAN based failover rather than using a failover cable.
*However*, the educational body supplying the new feed has seen fit to
provide the second feed in as a separate OSPF instance to the original
feed. Therefore, each of the two feeds out will have different OSPF
instances, and different IP addresses. For the sake of arguement (which
will likely as not prove to be fact anyway), assume that this is set in
stone, and nothing's going to change it.
So, what I want to know is your thoughts on how best to go about this...
Is it possible to have to firewalls in a failover set failover as
normal, but have the failover Pix have a different outside IP address? I
didn't think that this would be possible, if at all, but especially on a
box with an FO licence? What about upgrading the licence from FO to UR -
would that allow it? The best possible solution I've managed to come up
with so far, is to have two routers (or L3 switches) - just outside each
of the Pix's - configured for HSRP. If the main link goes down, what I
would like to happen is for the other router to take over via HSRP, and
for the firewall pair to failover to the backup. Does that sound feasible?
I hope I'm making sense. Any help is appreciated.
--
James Burns
Network Advisor ? Student & Learning Support
University of Sunderland
------_=_NextPart_001_01C6EC8D.98026338
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
charset=3Dus-ascii">
5.5.2658.34">
RE: firewall-wizards Digest, Vol 6, Issue 4
James,
I think it would help if you thought of the Two PIX =
535's Primary and failover as one firewall not two.
Let me explain. A Primary and failover unit do not =
function as independent units. They act as one. The scenario you out =
line in your messages would require that you purchase a second primary =
or upgrade your failover license to a primary for the new site. =
Bill Tedeski
ACS Inc.
Message: 1
Date: Mon, 09 Oct 2006 14:04:00 +0100
From: James Burns =
<james.burns@sunderland.ac.uk>
Subject: [fw-wiz] PIX Failover & Other =
Queries
To: Firewall Wizards =
<firewall-wizards@listserv.icsalabs.com>
Message-ID: =
<452A48C0.2010101@sunderland.ac.uk>
Content-Type: text/plain; charset=3Dwindows-1252; =
format=3Dflowed
Hi, I'm hoping someone can help...
I'm working at a university, that currently only has =
a single gig feed
to the outside world. In the interests of =
resilience, we're soon to be
getting a second feed in, and I was hoping that =
someone might be able to
offer some advice on the best way of going about =
it.
We've currently got two Pix 535's as a failover set, =
one with an
unrestricted (UR) license, the other with a failover =
(FO) only. As the
new feed is coming into a different site, the =
failover Pix will be
moved, and we'll do LAN based failover rather than =
using a failover cable.
*However*, the educational body supplying the new =
feed has seen fit to
provide the second feed in as a separate OSPF =
instance to the original
feed. Therefore, each of the two feeds out will have =
different OSPF
instances, and different IP addresses. For the sake =
of arguement (which
will likely as not prove to be fact anyway), assume =
that this is set in
stone, and nothing's going to change it.
So, what I want to know is your thoughts on how best =
to go about this...
Is it possible to have to firewalls in a failover =
set failover as
normal, but have the failover Pix have a different =
outside IP address? I
didn't think that this would be possible, if at all, =
but especially on a
box with an FO licence? What about upgrading the =
licence from FO to UR -
would that allow it? The best possible solution I've =
managed to come up
with so far, is to have two routers (or L3 switches) =
- just outside each
of the Pix's - configured for HSRP. If the main link =
goes down, what I
would like to happen is for the other router to take =
over via HSRP, and
for the firewall pair to failover to the backup. =
Does that sound feasible?
I hope I'm making sense. Any help is =
appreciated.
--
James Burns
Network Advisor ? Student & Learning =
Support
University of Sunderland
------_=_NextPart_001_01C6EC8D.98026338--
--===============0501873248==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
--===============0501873248==--
