RE: Failover internet connections, and implementation...

Thanks to all who have replied. I've gotten a lot of great suggestions. The
network in question has a PIX 506E at its perimeter and is an endpoint of a
VPN with another PIX, so I think I'll have to go the ASA route.

Off to do some research. Thanks again!

-----Original Message-----
From: c0unter14 [mailto:c0unter14@xxxxxxxxx]
Sent: Wednesday, October 24, 2007 9:06 AM
To: jam@xxxxxxxxxxxxxxxxxxxx
Cc: David Gillett; Dan Denton; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Failover internet connections, and implementation...

As evident from earlier replies, the inbound traffic provisioning will
need some work done to be useful in case of a failover. If you are
willing to spend, there are third-party solutions that will do this
for you, as a lot of people have sent you the links. If not, you can
also do some tricks with your existing firewalls to get it to work.
For example, Check Point has an inbuilt option for ISP redundancy. In the case
of Juniper, you can use a combination of 2 (or more) default routes
with different weights and "track-ip" options to make a failover ISP
redundant system; however, in both cases provisions will be needed for
inbound traffic due to routing issues. Some of the third-party
solutions mentioned above work very well, and should be preferred if
you have the money (which usually nobody has). However, if you want to
get it done with your existing infrastructure, it is entirely possible
but will again depend on what devices you have.

My $0.02

On 10/23/07, jam@xxxxxxxxxxxxxxxxxxxx <jam@xxxxxxxxxxxxxxxxxxxx> wrote:
On Tue, Oct 23, 2007 at 02:05:44PM -0700, David Gillett wrote:
Neither of these will work if you host the company's Internet-
facing servers (web, email) on the network, because DNS entries
(cached all over the place) will still be pointing at your primary
addresses.


You can change the zone file so that it has a much shorter timeout; that
way, if there is an outage and you need to change the zone, you can do it with
minimal delay. Change it from 3 days down to 30 minutes, for example, and
your changes should propagate much quicker.


David Gillett



regards,
J
--
http://zoidtechnologies.com/ -- software that sucks less
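The DNS point J raises in the quoted reply (cached records keep pointing at the primary ISP's addresses until their TTL runs out, so shorten the TTLs before you need to fail over) lends itself to a simple audit. The following script is an added example written for this thread, not code from any of the posters: it parses a small BIND-style zone snippet, works out each record's effective TTL (the `$TTL` default or an explicit per-record value, with BIND unit suffixes such as `3d` or `30m`), and lists the address-bearing records whose TTL exceeds a failover budget. The zone content, the `example.test` names and the 30-minute budget (taken from J's "3 days down to 30 minutes" figure) are constructed for illustration.

```python
"""Audit a BIND-style zone snippet for TTLs that are too long to re-point
public records quickly during an ISP failover.

Added example for this thread (not from any poster). The zone below, its
names and the 1800-second budget are constructed; the check itself applies
to any single-line zone records.
"""
import re

# BIND TTL unit suffixes expressed in seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"^(?:\d+[smhdw]?)+$", re.IGNORECASE)
_RECORD_TYPES = {"A", "AAAA", "MX", "NS", "CNAME", "TXT", "SOA", "SRV", "PTR"}


def parse_ttl(text):
    """Convert a BIND TTL such as '30m', '3d', '1h30m' or plain seconds to seconds."""
    if not _TTL_RE.match(text):
        raise ValueError(f"not a TTL: {text!r}")
    return sum(int(num) * _UNITS.get(unit, 1)
               for num, unit in re.findall(r"(\d+)([smhdw]?)", text.lower()))


def parse_zone(zone_text):
    """Return (owner, ttl_seconds, type, rdata) tuples with effective TTLs.

    Handles $TTL, ';' comments, blank lines, '@' as the origin placeholder,
    owner-name inheritance from the previous line and the optional per-record
    TTL / class fields. Parenthesised multi-line records are out of scope.
    """
    default_ttl = None
    last_owner = "@"
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = parse_ttl(line.split()[1])
            continue
        if line.startswith("$"):
            continue  # $ORIGIN / $INCLUDE are not needed for a TTL audit
        tokens = line.split()
        # A line that starts with whitespace reuses the previous owner name.
        owner = last_owner if raw[0].isspace() else tokens.pop(0)
        last_owner = owner
        ttl = default_ttl
        # Optional fields before the type: [TTL] [class], in either order.
        while tokens and tokens[0].upper() not in _RECORD_TYPES:
            tok = tokens.pop(0)
            if tok.upper() == "IN":
                continue
            ttl = parse_ttl(tok)
        if not tokens:
            raise ValueError(f"no record type on line: {raw!r}")
        rtype = tokens.pop(0).upper()
        if ttl is None:
            raise ValueError(f"no TTL for {owner} {rtype}: zone has no $TTL")
        records.append((owner, ttl, rtype, " ".join(tokens)))
    return records


def slow_to_fail_over(zone_text, budget_seconds=1800,
                      types=("A", "AAAA", "MX", "CNAME")):
    """Records of the given types whose TTL exceeds the failover budget."""
    return [r for r in parse_zone(zone_text)
            if r[2] in types and r[1] > budget_seconds]


# Constructed zone with the 3-day default TTL from the thread's example.
SAMPLE_ZONE = """\
$TTL 3d
@        IN  SOA   ns1.example.test. hostmaster.example.test. 2007102401 1h 15m 1w 1h
@        IN  NS    ns1.example.test.
@        IN  NS    ns2.example.test.
www      IN  A     192.0.2.10        ; inherits 3d: too slow to re-point
mail 30m IN  A     192.0.2.20        ; already shortened per record
@        IN  MX    10 mail.example.test.
ftp      IN  CNAME www
"""

if __name__ == "__main__":
    for owner, ttl, rtype, rdata in slow_to_fail_over(SAMPLE_ZONE):
        print(f"{owner:<6} {rtype:<6} TTL {ttl}s exceeds 1800s -> {rdata}")
    # Changing the zone default to 30 minutes clears every finding.
    print("after $TTL 30m:", slow_to_fail_over(SAMPLE_ZONE.replace("$TTL 3d", "$TTL 30m")))
```

Run it before an outage rather than during one: the findings are the records that would keep resolvers pointed at the primary ISP for up to three days after the zone was changed, and the one-line `$TTL` edit at the end shows the corrected setting. The NS records are deliberately excluded from the default `types`, since delegation TTLs are governed by the parent zone and are not what you change in a failover.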
