Network Security Firewalls

RE: PIX failover without using HSRP

Subject: RE: PIX failover without using HSRP
Date: Mon, 27 Sep 2004 17:03:55 -0500
I don't believe that's what he had in mind--at least, I believed he was 
referring to the fact that he did not have administrative control over his 
redundant Internet router connections, and as such couldn't set them 
up with HSRP--and thus point the PIX firewalls to a single default gateway 
that HSRP would be advertising.

He then asked about OSPF.

If the edge routers' directly connected interfaces were to be configured 
within the same OSPF area as the PIX firewall, then OSPF could work. The 
edge routers could advertise a default route that the PIX would then 
accept.

I am not sure how the PIX would handle multiple default gateways. 
Statically, I know the PIX does not allow for this; for OSPF, I haven't 
tried.

Assuming that the PIX does not handle multiple default gateways learned 
via OSPF (or RIP for that matter), then the edge routers could be 
configured so that one of the routes costs more.

The PIX will pick the cheaper route, and the more expensive one will be 
used in the event the cheaper route goes offline.

"James Williams" <jwilliams@mail.wtamu.edu>
09/27/2004 11:51 AM

To: "'steve ruben'" <seq404@yahoo.com>
cc: <firewalls@securityfocus.com>
Subject: RE: PIX failover without using HSRP

PIX firewalls do *not* support HSRP. HSRP stands for 'Hot Standby Routing
Protocol'. PIX firewalls do, however, support failover, via serial cable
and/or IP.

Here is a link that will explain how failover works on PIX firewalls.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

James Williams, GISF
Network Systems Technician
West Texas A&M University


-----Original Message-----
From: steve ruben [mailto:seq404@yahoo.com] 
Sent: Wednesday, September 22, 2004 7:53 PM
To: firewalls@securityfocus.com
Subject: PIX failover without using HSRP 

Hi,

I need to know if it is possible to use PIX firewalls with failover
capability directly connecting to ISP routers.

We do not have our own edge routers - This means there is no HSRP
availability for PIX to route all outside traffic to one single address.

Here are the IP addresses:

PIX - Active outside: 192.168.50.1
ISP Edge router 1: 192.168.50.2
PIX - Active inside: 10.10.0.1

PIX - Standby outside: 192.168.60.1
ISP Edge router 2: 192.168.60.2
PIX - Standby inside: 10.10.0.2

Can I use OSPF routing to make failover work?

What will happen when failover occurs? Will the PIX - Standby outside IP
address (192.168.60.1) get overwritten as 192.168.50.1?

Can I omit the failover IP address outside command to prevent this?

Please let me know if anybody has implemented this kind of solution. Any
links or tips will be very helpful.

Thanks,

Steve




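The following configuration sketch is an added example and is not from any poster in this thread. It shows the approach the first reply describes: both ISP edge routers inject a default route into OSPF, one with a higher metric, so the PIX installs the cheaper default and falls back to the other when it disappears. It assumes IOS on the edge routers, a PIX release that supports OSPF (6.3 or later), and a constructed layout in which the PIX outside interface (192.168.50.1) and both edge routers (192.168.50.2 and 192.168.50.3, the second address chosen here rather than taken from the thread) share one segment in OSPF area 0. Interface names and the MD5 key are placeholders.

```cisco
! --- Added example, not from the thread. Assumed: IOS edge routers, PIX 6.3+,
! --- constructed addresses 192.168.50.1 (PIX outside), .2 (ISP-R1), .3 (ISP-R2),
! --- all on one segment in OSPF area 0. EXAMPLE_KEY is a placeholder.

! ISP-R1: preferred exit. Originates the default with the lower metric.
! No "always" keyword: the default is only advertised while this router
! itself holds a default route, so an upstream loss withdraws it.
router ospf 1
 network 192.168.50.0 0.0.0.255 area 0
 default-information originate metric 10
!
interface FastEthernet0/0
 ip address 192.168.50.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLE_KEY

! ISP-R2: backup exit. Same default, higher metric, so it loses the
! comparison while ISP-R1's default is present.
router ospf 1
 network 192.168.50.0 0.0.0.255 area 0
 default-information originate metric 20
!
interface FastEthernet0/0
 ip address 192.168.50.3 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLE_KEY

! PIX 6.3: learn the default from OSPF on the outside segment. No static
! "route outside 0 0 ..." is configured, so the OSPF-learned default is
! the only candidate in the routing table. PIX uses a subnet mask, not an
! IOS wildcard, in the network statement.
router ospf 1
 network 192.168.50.0 255.255.255.0 area 0
!
routing interface outside
 ospf authentication message-digest
 ospf message-digest-key 1 md5 EXAMPLE_KEY
```

Both defaults are advertised as OSPF external routes, so the advertised metric is compared first and the PIX keeps the metric-10 route from ISP-R1; when ISP-R1 stops advertising (link down or, without "always", loss of its own upstream default), the metric-20 route from ISP-R2 becomes the only default and is installed. Check with `show ospf neighbor` and `show route` on the PIX, and `show ip route 0.0.0.0` on each router. The MD5 authentication is the part a defender should not skip: once the firewall accepts its default route from OSPF on the outside segment, any device that can form an adjacency there can steer all outbound traffic, so only authenticated neighbors should be able to do so.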