[fw-wiz] pix/proxy issue - Firewalls


Thread: [fw-wiz] pix/proxy issue

  1. [fw-wiz] pix/proxy issue

    I have just implemented a new dmz on our pix 535. The two forward
    proxies that reside in the dmz support internal web queries going out to
    the internet via virtual ip addresses assigned to each of the boxes.
    Internal users use dns round robin for a type of load balancing between
    the two boxes. The concept is that if one box goes down the other box
    will take over answering on both virtual ip addresses without the end
    user being impacted. This is working on 3 internal proxies that do not
    use the firewall and also works for 2 reverse proxies in the dmz but
    only accepting traffic from external sources. What is happening is that
    when I fail one box over to the other the traffic seems to not get past
    the firewall but if I switch the configuration back it works again. If
    I add a new virtual ip to test the traffic gets there but again if I try
    to fail it over to the other box no traffic seems to get to the other
    box. I have confirmed that the snmp heartbeat between the two boxes is
    working as it should and the proxy vendor has stated that it's got to be
    the firewall preventing this. Does anyone know if it has something to
    do with the state table or anything related to the pix settings?

    Default:
    fwd1
    physical ip: 192.168.1.1
    virtual ip master: 192.168.1.3
    virtual ip slave: 192.168.1.4

    fwd2
    physical ip: 192.168.1.2
    virtual ip master: 192.168.1.4
    virtual ip slave: 192.168.1.3

    Failover scenario would be taking fwd2 out of the loop and the snmp
    heartbeat transitions the virtual ip to the other box.
    fwd1
    physical ip: 192.168.1.1
    virtual ip master: 192.168.1.3
    virtual ip master: 192.168.1.4

    fwd2
    physical ip: 192.168.1.2
    virtual ip slave: 192.168.1.4
    virtual ip slave: 192.168.1.3

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailma...rewall-wizards


  2. Re: [fw-wiz] pix/proxy issue

    My understanding (correct me if wrong):

    Topology:
    * You have two proxy servers in your PIX DMZ for internal users.
    * The two proxy servers have virtual IPs and are load balanced.
    * If, let's say, proxy-2 goes down, proxy-1 would take over. Technically,
    in this case, proxy-1 will respond for proxy-2's virtual IP.

    Issue:
    * When a proxy fails, it is expected that everything should fail over to
    the proxy and it should work.
    * However, with the PIX in front of the proxies, this doesn't work.

    Suggestions:
    * To start with, after failing over (and when it doesn't work),
    clear arp and xlate on the PIX. Test and please let me know the
    results.

    Thanks,
    Aditya Govind Mukadam


    On Thu, Jul 31, 2008 at 4:36 PM, bills wrote:

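The reply's "clear arp" suggestion tests one specific hypothesis: the PIX DMZ interface still has the virtual IP cached against the failed box's MAC, so frames for the moved VIP are sent to a host that no longer answers. The following is an added illustration, not code from the thread or from Cisco: a small model of that ARP cache with the thread's proxy names and VIPs, constructed MAC addresses, and a failover driver that stands in for the SNMP heartbeat.

```python
# Added illustration, not from the thread: a minimal model of the PIX DMZ ARP
# cache showing how a virtual IP that moves to the surviving proxy can be
# black-holed by a stale entry, and why "clear arp" is a sensible first test.
# Proxy names/VIPs follow the thread; the MAC addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class Proxy:
    name: str
    mac: str                       # constructed MAC address
    vips: set = field(default_factory=set)
    up: bool = True

@dataclass
class PixDmz:
    """ARP cache keyed by IP, as 'show arp' would list it."""
    arp_cache: dict = field(default_factory=dict)

    def resolve(self, ip, lan):
        """MAC a frame for ip is sent to: cached entry wins, else ARP the LAN."""
        if ip not in self.arp_cache:
            owners = [p for p in lan if p.up and ip in p.vips]
            if not owners:
                raise LookupError(f"nobody answers ARP for {ip}")
            self.arp_cache[ip] = owners[0].mac
        return self.arp_cache[ip]

def deliver(fw, ip, lan):
    """Name of the proxy that receives a frame for ip, or None (black hole)."""
    mac = fw.resolve(ip, lan)
    return next((p.name for p in lan if p.mac == mac and p.up), None)

def failover(survivor, failed, vip):
    """SNMP-heartbeat transition: failed box drops out, survivor takes its VIP."""
    failed.up = False
    failed.vips.discard(vip)
    survivor.vips.add(vip)

def scenario(clear_arp_after_failover):
    """Returns (who got the VIP before failover, who gets it after)."""
    fwd1 = Proxy("fwd1", "00:00:5e:00:53:01", {"192.168.1.3"})
    fwd2 = Proxy("fwd2", "00:00:5e:00:53:02", {"192.168.1.4"})
    lan, fw = [fwd1, fwd2], PixDmz()
    before = deliver(fw, "192.168.1.4", lan)       # primes the cache with fwd2
    failover(fwd1, fwd2, "192.168.1.4")
    if clear_arp_after_failover:
        fw.arp_cache.clear()                        # the reply's "clear arp"
    return before, deliver(fw, "192.168.1.4", lan)
```

`scenario(False)` reproduces the symptom (traffic for 192.168.1.4 goes nowhere after fwd2 drops), while `scenario(True)` shows the VIP reaching fwd1 once the stale entry is gone; if clearing arp on the real PIX does not change the outcome, the cause lies elsewhere (xlate state or ACLs, as the reply also notes).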

