PIX 520: Failover and Not Enough IPs (Newbie)

BACKGROUND: I am attempting to set up failover for a couple of PIX 520s (similar to the 515) within a start-up business/mission critical network. Due to certain budgetary limitations we do not currently have any routers and are using the PIX firewall with NAT as a routing hack. The outside interface is assigned the host IP on a /30 (255.255.255.252) and the WAN gateway occupies the other host.

THE QUESTION: Based on my limited readings, it is my understanding that when setting up failover, the secondary PIX outside interface is assigned an unused IP within the same subnet as the primary PIX outside interface. Since both hosts are occupied, is my only option to purchase a router? Or is there an available hack in the meanwhile?

Reply to
nice.jon

I would suggest that you take this to comp.dcom.sys.cisco .

It depends on your software version, which you did not happen to state.

As the PIX 520 has not been sold for almost 5 years (December 2001), there is a good chance you do not have the most modern software. As you said it was a "start-up" and the equipment cannot be obtained new, you probably got it used -- possibly without taking into account that the software licenses are not normally transferable. You cannot get parts for a 520 (except perhaps from a third party -- Brad Reese might know where to find some), and you cannot purchase software upgrades for it (not even to bring it up to the latest release) and you cannot get a Cisco technical support contract for it. I'm not even sure if you could open a Time and Materials support call for it, as it is End of Life, but -possibly- you could get Cisco Professional Support to take it on; if so that would probably cost a -minimum- of $US500 per "incident".

All in all, -I- think it is a long-term mistake to use a PIX 520 for anything "mission critical" at this point: I suspect that a pair of Cisco ASA 5520 would be about right. Alternately, you could probably find a pair of legitimately-transferable used PIX 515E Unrestricted, or a pair of used 515E and go through the "relicensing program" (Cisco license part# LL-PIX-515-SW-UR -- street price roughly $US3500 per unit). The 515E are still being sold and are supported in the latest software.

It sounds as if the startup is hoping for some near-immediate sales in order to generate revenue to continue on beyond the first couple of months; my (very limited) business understanding is that such a business model very rarely works out. Occasionally a business needs to come to life long enough to demonstrate to a Venture Capitalist that the technology really does work, but my (quite limited) reading suggests that most of the time that approach does not work out either. Certainly there are occasional exceptions, but the great majority of new businesses run losses for the first couple of years. :(

Reply to
Walter Roberson

We are running 12.0(5) with unrestricted licenses

Business decisions aside, is there any way to accomplish this?

Reply to
nice.jon

That's not a PIX version number.

I think I need the correct version number to determine that.

6.3(5) is too much of a pattern jump from 12.0(5) to seem plausible. 6.2 (matching on the 2) did not reach as high as 6.2(5). 6.1(5) would match the '1' and '5'. 6.0(1) would match the '0' and '1', but too permuted to seem likely. 5.2(5) would match the '2' and '5' in the right order.

I can't find the version numbers for 5.1 or 5.0 at the moment.

4.0(5) would appear to be the tightest match. The 4.0 documentation is not readily available, but for this feature you could use the 4.1 documentation. Failover under 4.0 was strictly based upon Cisco's special serial cable, and I seem to recall there was a complete configuration replication involved -- i.e., both hosts had the same IP address.

Reply to
Walter Roberson

Expanding your IP range from your ISP would likely be noticeably less expensive than buying a router.

The fact that you have a /30 tells me that the present address range allocation is administrative rather than technical, and could be changed by arrangement with the ISP. For example, if you had ADSL using PPPoE then you would likely be working with a /31, not a /30.

Reply to
Walter Roberson
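To make the address arithmetic behind the original question and this reply concrete, here is an added example (not from any poster or from Cisco) that checks whether an outside block can hold the ISP gateway plus one address per PIX in an active/standby pair, and finds the smallest prefix that can. The addresses are constructed from the RFC 5737 documentation range; the assumption that each unit needs its own outside address is the one the question states.

```python
import ipaddress

# Addresses are constructed sample values (RFC 5737 documentation range).
SAMPLE_ISP_BLOCK = "203.0.113.0/30"
SAMPLE_GATEWAY = "203.0.113.1"


def usable_hosts(net):
    """Host addresses usable on a link: /31 point-to-point links use both
    addresses (RFC 3021); otherwise network and broadcast are excluded."""
    if net.prefixlen >= 31:
        return list(net)
    return list(net.hosts())


def failover_address_plan(cidr, gateway):
    """Assign outside addresses for an active/standby PIX pair.

    Returns a dict with the gateway, the primary and standby addresses and
    how many addresses remain, or None when the block is too small
    (the situation in the original post: a /30 has two hosts, one of which
    is the ISP gateway, leaving nothing for the standby unit).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    free = [h for h in usable_hosts(net) if h != gw]
    if len(free) < 2:
        return None
    return {
        "gateway": str(gw),
        "primary": str(free[0]),
        "standby": str(free[1]),
        "spare": len(free) - 2,
    }


def smallest_prefix_for(host_count):
    """Longest IPv4 prefix whose usable host count is at least host_count,
    e.g. gateway + primary + standby = 3 hosts needs a /29."""
    for prefix in range(32, -1, -1):
        size = 2 ** (32 - prefix)
        usable = size if prefix >= 31 else size - 2
        if usable >= host_count:
            return prefix
    raise ValueError("no IPv4 prefix can hold that many hosts")


if __name__ == "__main__":
    print(failover_address_plan(SAMPLE_ISP_BLOCK, SAMPLE_GATEWAY))
    print("/%d needed" % smallest_prefix_for(3))
```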

If I understand correctly, you're wanting to run 2 PIXes, for redundancy in the event one fails?

You're talking about putting a NAT router between the PIXes and the ISP?

Knowing these facts, then you should think of the following:

The router then becomes a single point of failure; if the router fails, it doesn't matter if the PIXes are working or not. If you can't dual everything, then look at the items that have the highest potential for failure.

Next, and again for redundancy, your ISP connection is WAY more likely to fail than the PIXes, and can take much longer to repair.

If you're wanting simple backup, and staying with one ISP, then I would leave one of the PIXes completely cold. This way, if the ISP connection (where is the ethernet coming from, a DSL/cable modem or something?) zaps and shoots a couple thousand volts through to the ethernet port, you have a spare that was not plugged in and is probably still in good shape.

If you do want to look at having two ISPs, then the options get much more complex from here.

As a side question, is this mainly for outbound traffic or is there inbound traffic involved (i.e., mail server, web server, etc.)?

Reply to
Jerry Cloe
