
| Subject: | RE: PIX failover without using HSRP |
|---|---|
| Date: | Tue, 28 Sep 2004 09:46:14 -0400 |
Couple of challenges here. You could plug both ISP routers into a switch at your site and then connect both PIX's into that switch. The PIX's would support failover with one issue, however. They need to know where to send traffic, which often is performed by configuring a static route on the PIX that points to the router. In this case you have two different IP addresses on two different routers. You might be able to define two statics on the PIX that each point to a different router. Otherwise you may consider running a routing protocol from your ISP to the PIX to learn which route to take.

Thanks,
Ian
www.ccie4u.com <http://www.ccie4u.com>

-----Original Message-----
From: steve ruben [mailto:seq404@yahoo.com]
Sent: Monday, September 27, 2004 7:13 PM
To: James Williams
Cc: firewalls@securityfocus.com
Subject: RE: PIX failover without using HSRP

Thanks for the reply... I know that PIX firewalls have nothing to do with HSRP. HSRP usually runs on edge routers. My requirement is to set up a PIX failover without using this HSRP on edge routers, since they belong to the ISP. IP addresses of the primary link and secondary link belong to different networks. When the failover occurs, the IP address of the outside interface on the standby PIX will get overwritten by the primary firewall's outside interface IP address, and eventually the standby PIX (currently active) will lose connectivity to the outside world as the edge router on the backup link is on a different network.

Here is how network connectivity looks from our network to the ISP network:

```
(ISP PRIMARY router)   192.168.50.1--------192.168.50.2 (primary pix)-----------inside net
(ISP SECONDARY router) 192.168.60.1--------192.168.60.2 (standby pix)-----------inside net
```

A typical solution is to introduce two routers in between the PIXes and the ISP routers and run HSRP on the newly introduced routers on the same network. But I need to know if it is possible to eliminate those two routers and just connect both PIX firewalls directly to the ISP routers and make the failover work.

Please let me know if anybody has implemented this kind of solution without running HSRP on upstream routers.

Thanks
S

James Williams <jwilliams@mail.wtamu.edu> wrote:

PIX firewalls do *not* support HSRP. HSRP stands for 'Hot Standby Routing Protocol'. PIX firewalls do, however, support failover, via serial cable and/or IP. Here is a link that will explain how failover works on PIX firewalls.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094ea7.shtml

James Williams, GISF
Network Systems Technician
West Texas A&M University

-----Original Message-----
From: steve ruben [mailto:seq404@yahoo.com]
Sent: Wednesday, September 22, 2004 7:53 PM
To: firewalls@securityfocus.com
Subject: PIX failover without using HSRP

Hi,

I need to know if it is possible to use PIX firewalls with failover capability directly connecting to ISP routers. We do not have our own edge routers - this means there is no HSRP availability for the PIX to route all outside traffic to one single address. Here are the IP addresses:

- PIX - Active outside: 192.168.50.1
- ISP Edge router 1: 192.168.50.2
- PIX - Active inside: 10.10.0.1
- PIX - Standby outside: 192.168.60.1
- ISP Edge router 2: 192.168.60.2
- PIX - Standby inside: 10.10.0.2

Can I use OSPF routing to make failover work? What will happen when failover occurs? Will the PIX - Standby outside IP address (192.168.60.1) get overwritten as 192.168.50.1? Can I omit the failover IP address outside command to prevent this? Please let me know if anybody has implemented this kind of solution. Any links or tips will be very helpful.

Thanks,
Steve
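The failover behaviour discussed in this thread, as an added model that is not part of the thread and not PIX code. Addresses follow the poster's diagram; the "wire" contents, the address-overwrite rule and the on-subnet next-hop rule are assumptions used to show why the standby loses its gateway when cabled to a different subnet, why Ian's shared-switch topology restores it, and where the "two statics" idea still falls short.

```python
"""Constructed model of the failover question in this thread; it is not PIX
code. Assumptions: on failover the standby unit's outside address/mask is
overwritten with the active unit's (as the poster describes), and a static
route is only usable when its next hop lies on the subnet configured on the
outgoing interface and is actually present on the wire that port is cabled to."""
from ipaddress import ip_address, ip_interface


def failover(active, standby):
    """Standby keeps its own cabling ("wire") but inherits the active unit's
    outside interface address/mask."""
    return {**standby, "outside": active["outside"]}


def usable_next_hop(unit, static_next_hops):
    """First static next hop that is on the outside subnet and present on the
    wire; None means the unit has no working default gateway."""
    iface = ip_interface(unit["outside"])
    on_wire = {ip_address(h) for h in unit["wire"]}
    for hop in static_next_hops:
        hop_ip = ip_address(hop)
        if hop_ip in iface.network and hop_ip in on_wire:
            return str(hop_ip)
    return None


# Addresses from the poster's diagram: each PIX cabled straight to its own
# ISP router on a different subnet (wire contents are constructed).
PRIMARY = {"outside": "192.168.50.2/24", "wire": ["192.168.50.1"]}
STANDBY = {"outside": "192.168.60.2/24", "wire": ["192.168.60.1"]}


def scenario_direct_cabling():
    """Poster's design: after takeover the standby carries 192.168.50.2/24 but
    only the secondary router (192.168.60.1) is on its wire -> no gateway."""
    return usable_next_hop(failover(PRIMARY, STANDBY), ["192.168.50.1"])


def scenario_shared_switch(primary_router_up=True):
    """Ian's suggestion: both ISP routers and both PIX outside ports share one
    switch, so the primary router is reachable from whichever unit is active.
    With two statics, the second next hop (192.168.60.1) is off the
    192.168.50.0/24 subnet, so plain static routing cannot use it once the
    primary router is down; that is the gap a routing protocol would fill."""
    wire = ["192.168.60.1"] + (["192.168.50.1"] if primary_router_up else [])
    standby = failover(PRIMARY, {"outside": "192.168.60.2/24", "wire": wire})
    return usable_next_hop(standby, ["192.168.50.1", "192.168.60.1"])


if __name__ == "__main__":
    print("direct cabling, after failover:", scenario_direct_cabling())
    print("shared switch, primary router up:", scenario_shared_switch())
    print("shared switch, primary router down:", scenario_shared_switch(False))
```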