Security Basics mailing list archives

Re: HSRP with load balancing on a Cisco IOS based firewall


From: "Dina Kamal" <dina () synergyct com>
Date: Sat, 6 Sep 2003 02:00:27 -0700

Hi,
Well, if you mean by IOS based firewall a router with a firewall/IPsec
feature set, then in this case you use the common HSRP config for Cisco
routers.
Here is a quote from the Cisco web site:
"All firewall states are internal to a single router, and there is no
provision for redundant firewall routers. Therefore if a router running
CBAC dies or is routed around, the CBAC conversations are lost.

Configurations with asymmetric routing, where only one direction of each
session passes through the firewall router, do not work.

Although the Cisco IOS Firewall doesn't support router redundancy, it does
support interface redundancy and load sharing. When CBAC creates a new
channel, it installs the temporary access list entries on the interfaces
used for the initial packet. The same access lists may be installed on
backup interfaces that provide additional paths to the same destinations.
It is possible to use CBAC with load sharing, as long as all the parallel
interfaces are configured identically. If you configure the same access
lists and inspection parameters on two interfaces that are alternate paths
to the same destination, things should work more or less as expected.

Note: You must use the same access lists (with the same access list
numbers) on both interfaces"

If you have a PIX firewall, in this case HSRP is not supported, and for load
balancing we use a 4840G switch to provide what we call SLB (Server Load
Balancing).
 

Hope that helps

Dina
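A constructed IOS configuration fragment illustrating the arrangement the quoted Cisco text describes (an added example, not from Dina's post or from Cisco): one numbered access list and one CBAC inspection rule applied identically to two parallel outside interfaces, with HSRP on the inside interface as the common router-pair config. Interface names, the addresses (RFC 5737 documentation ranges) and the inspection rule name FW_INSPECT are assumptions.

```cisco
! Constructed example: CBAC with two parallel outside interfaces plus HSRP.
! Interface names, addresses and the rule name are assumptions, not values
! from the original thread.

! One inspection rule, referenced by the same name on every parallel interface.
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
ip inspect name FW_INSPECT ftp

! One numbered access list, applied with the same number on both interfaces
! (the quoted note requires identical numbers). Inbound from the outside,
! only the temporary entries CBAC installs for return traffic are permitted,
! so the static list denies and logs everything else.
access-list 101 deny ip any any log

! Inside interface: HSRP shared gateway for the LAN hosts; no inspection here.
interface FastEthernet0/0
 description Inside
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 ! Lower this router's HSRP priority if either outside path goes down.
 standby 1 track FastEthernet0/1 20
 standby 1 track FastEthernet1/0 20

! First outside path.
interface FastEthernet0/1
 description Outside path A
 ip address 198.51.100.2 255.255.255.0
 ip access-group 101 in
 ip inspect FW_INSPECT out

! Second outside path: configured identically, so a session may leave via
! either interface and CBAC opens its return entries on whichever interface
! carried the initial packet.
interface FastEthernet1/0
 description Outside path B
 ip address 203.0.113.2 255.255.255.0
 ip access-group 101 in
 ip inspect FW_INSPECT out

! Caveats taken from the quoted Cisco text: CBAC state is local to this
! router, so the HSRP peer needs the same configuration and a failover still
! drops existing sessions; return traffic must come back through the same
! router, since asymmetric routing around the firewall does not work.
```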

Hi there,

Has anyone implemented HSRP with load balancing on a Cisco IOS based
firewall?

I have come across vague references to HSRP on IOS firewalls, though I
haven't managed to locate a configuration document as such. I am not so sure
on the possibility of load balancing though.

Any ideas?

Thanks in advance.

Regards

CP
