How about adding a third interface to each PIX? Use that for the DMZ and
connect both PIXes for failover.
Internet---Router1--switch---PIX1-----------switch---Router2
                      |        |              |
                      |     switch--DMZ       |
                      |        |              |
                      |-------PIX2------------|
> -----Original Message-----
> From: Christian Purnomo [mailto:[EMAIL PROTECTED]
> Sent: Sunday, June 08, 2003 9:38 AM
> To: [EMAIL PROTECTED]
> Subject: design issues, suggestions please. [7:70337]
>
>
> Hi all
>
> I have 3 x 2621 routers and 2 x 515 pixes. The setup I am currently running
> is as follows:
>
> Internet --- Router1 --- PIX1 --- DMZ --- PIX2 --- Router2 --- LAN
>
> Both routers and both PIXes are running full access-lists to protect the
> inside interface.
>
> I have another design in mind which is:
>
> Internet --- Router1 --- PIX1 --- Router2 --- LAN
>                           |
>                           |
>                        Router3
>                           |
>                           |
>                          DMZ
>
>
> I prefer this design which I can use the other pix for failover and also, I
> still can run access-list on both Router2 and Router3.
>
> Is the second one a better design? I can't see much point running 2 pixes
> with the same model on the first diagram. I would more agree to have dual
> firewall in diagram 1 if the second firewall is a different firewall product.
>
> Does anyone have any comment on this?
>
> Thanks.
>
> Christian.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70361&t=70337