PIX Set up for Failover to a Secondary Device

PIX failover, as discussed in this and the preceding chapters, is one of the most important characteristics a firewall can have. Failover capabilities allow a network to maintain high availability in the face of device failures. For failover to work smoothly, the two PIXes that share the primary and secondary roles must be configured correctly before a failure occurs.

This case study shows how a primary PIX Firewall is configured to fail over to a secondary unit. Because either the primary or the secondary PIX might be passing traffic at any given time, depending on whether a failure has occurred, the terms active and standby are used to designate which PIX is currently passing the traffic.

Here are some things to keep in mind when setting up PIX Firewall failover:

• Hardware/software—Both PIXes must have the same hardware and software.

• Interface connections—All the interfaces of the two PIXes must be connected to each other in some fashion, even if they are not in use and are in a shutdown state.

• Standby PIX—The standby PIX must not be configured independently. It must be write-erased and configured using the write standby command on the primary PIX.

• Stateful failover—If stateful failover is desired, one interface on each of the two PIXes must be sacrificed and used to connect the two PIXes with an Ethernet cable; this link carries the state information. It is in addition to the normal serial cable that carries the heartbeat between the two devices (see the preceding failover discussion for a more detailed analysis of how this works). If a crossover cable is used to connect the stateful failover interfaces, a failure of the failover interface does not force a failover of the PIX, because the failover interfaces on both boxes go down.

• show failover—This command checks the status of the primary and secondary devices and reports which PIX is in active mode and which is in standby mode.

Figure 8-13 shows the network topology for this case study.

Figure 8-13 Network Topology for This Case Study

[Figure 8-13 (diagram not reproduced): the PIX Firewall Primary Unit and the PIX Firewall Secondary Unit attached to the outside network, with a Web Server behind them; the diagram carries the labels PMT Global and Static Global.]

Example 8-2 shows the configuration of the primary PIX device; the commands related to failover are explained in the comments within the listing. The preceding case study describes the rest of the commands.

Example 8-2 Configuration of the Primary PIX Device

pixfirewall# wr t
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
nameif ethernet3 unused security20
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
pager lines 20
no logging timestamp
no logging standby
logging console errors
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 100full
interface ethernet3 10baset
mtu outside 1500
mtu inside 1500
mtu failover 1500
mtu unused 1500
! The addresses and masks on the ip address lines are omitted in this excerpt.
ip address outside
ip address inside
ip address failover
ip address unused
! The failover command turns on failover functionality.
failover
! The failover ip address commands below define the IP addresses for the
! interfaces on the secondary unit, so that when the write standby command is
! executed, these addresses are assigned to the interfaces on the secondary PIX.
failover ip address outside
failover ip address inside

failover ip address failover
failover ip address unused
! The failover link command specifies which interface carries the state
! information to the standby PIX in case of a failover.
failover link failover
failover poll 15
arp timeout 14400
! The addresses in the global, static, access-list, and route lines are omitted in this excerpt.
global (outside) 1 netmask
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
access-list acl_out permit tcp any eq 80
access-list acl_out permit icmp any any
access-group acl_out in interface outside
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
no rip failover passive
no rip failover default
route outside 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 sip 0:30:00 sip_media 0:02:00
telnet timeout 5
terminal width 80
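As an added example (not from the book or from Cisco), the following Python check reads a PIX 6.x-style primary configuration and reports the failover gaps the text warns about: every interface named with nameif, used or not, needs a failover ip address for the standby unit, the bare failover command must be present, and the failover link must name a configured interface. The configuration text and its addresses are constructed for the example, and check_failover_config is a hypothetical helper.

```python
# Added example (not from the book): check the failover-related lines of a
# PIX 6.x-style primary configuration against the rules given in the text.
# The excerpt below is constructed in the shape of Example 8-2; its addresses
# are sample values, because the book's listing omits them.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security10
nameif ethernet3 unused security20
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address failover 172.16.0.1 255.255.255.0
ip address unused 172.16.1.1 255.255.255.0
failover
failover ip address outside 192.0.2.2
failover ip address inside 10.1.1.2
failover ip address failover 172.16.0.2
failover link failover
failover poll 15
"""

def check_failover_config(config_text):
    """Return a list of problems found; an empty list means all checks passed."""
    names, primary, standby, link, enabled = [], {}, {}, None, False
    for line in config_text.splitlines():
        w = line.split()
        if w[:1] == ["nameif"] and len(w) >= 3:
            names.append(w[2])              # interface name, e.g. outside
        elif w[:2] == ["ip", "address"] and len(w) >= 4:
            primary[w[2]] = w[3]            # address used by the primary unit
        elif w == ["failover"]:
            enabled = True                  # the bare failover command
        elif w[:3] == ["failover", "ip", "address"] and len(w) >= 5:
            standby[w[3]] = w[4]            # address pushed by write standby
        elif w[:2] == ["failover", "link"] and len(w) >= 3:
            link = w[2]                     # interface carrying state info
    problems = []
    if not enabled:
        problems.append("failover is not enabled")
    for name in names:                      # every interface, used or unused
        if name not in standby:
            problems.append(f"{name}: no failover ip address for the standby")
        elif standby[name] == primary.get(name):
            problems.append(f"{name}: primary and standby share one address")
    if link is None:
        problems.append("no failover link: stateful failover cannot work")
    elif link not in names:
        problems.append(f"failover link {link} is not a configured interface")
    return problems
```

Run against the sample as written, the check flags the unused interface, which has no failover ip address even though the text requires every interface to be connected and addressed; adding that line makes the check pass.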
